Wednesday, December 30, 2009

USA Today: Cybercrooks stalk small businesses that bank online

A rising swarm of cyber-robberies targeting small firms, local governments, school districts, churches and non-profits has prompted an extraordinary warning. The American Bankers Association and the FBI are advising small and midsize businesses that conduct financial transactions over the Internet to dedicate a separate PC used exclusively for online banking.

Read more ...

Tuesday, December 29, 2009

Apple issues security updates for Mac OS X

What's happening: Apple this week pushed an update for Leopard and Snow Leopard systems that plugs a large number of security holes in Apple's version of Java, a package installed by default on those Mac OS X systems that enables a number of multimedia Web applications.

The new Java version fixes at least 14 vulnerabilities in the version designed for OS X 10.6 systems; the package put together for 10.5 Macs corrects more than two dozen security flaws. Mac users can grab the patches via Software Update or from Apple Downloads.

What to do: Patch your Mac.

**********************************
Apple issues security updates for Mac OS X

Monday, December 28, 2009

GSM Cell Phone Encryption Broken

What's happening: At a conference in Berlin, German security researcher Karsten Nohl demonstrated how the encryption that protects calls on GSM mobile networks (the A5/1 cipher) can be broken so that conversations can be overheard. That algorithm and variants of it are relied on to keep roughly 80% of the world's mobile calls private.

What it means: Expect cell phone providers to strengthen GSM encryption algorithms.

What to do: While the fallout from this demonstration is not likely to put you at special risk, it is always a good idea to be circumspect in what you say on a mobile phone call.

**********************************
Cellphone Encryption Code Is Divulged

Thursday, December 24, 2009

Cloud Computing Security

What's happening: Cloud computing is fast becoming the next big thing in computing. Why manage your own PCs, servers and programs when you can rent them online? And while cloud computing promises more bang for scarce IT bucks, it is not without information security challenges. The linked article from MIT Technology Review explores some of them.

What to do: Look before you leap. Sort out the answers to the critical security questions: How is your information being secured? What security is the cloud vendor responsible for, and what are you responsible for? Does the cloud vendor meet your regulatory and legal security obligations, such as HIPAA or PCI DSS? Can you get your information back out should you want or need to move it, or if you are required to produce it under subpoena? Don't settle for vague 'salesman' type answers. Ask to see documentation. As the MIT Technology Review article puts it: "Information technology's next grand challenge will be to secure the cloud--and prove we can trust it."

**********************************
From MIT Technology Review ... Security in the Ether

Tuesday, December 22, 2009

Howard Schmidt - Information Systems Security Association (ISSA) Board President - becomes US cybersecurity coordinator

What's happening: Howard Schmidt, president and CEO of the Information Security Forum (ISF) has been appointed White House Cybersecurity Coordinator by President Obama. As the new cybersecurity czar, he will have regular access to President Obama and serve as a key member of the National Security Staff. Schmidt has over 40 years of experience in government, business and law enforcement. He is in his second term as President of the Board of the not-for-profit Information Systems Security Association (ISSA), the world's foremost association for information systems security professionals.

What it means: President Obama last May became the first head-of-state of a major industrial nation to make a strong commitment to winning the battle to secure cyberspace. By appointing Schmidt as his Cybersecurity Coordinator, the President has given the job to a proven leader able to work with both government and industry. Schmidt helped develop the "National Strategy to Secure Cyberspace" which promotes "a comprehensive national awareness program to empower all Americans - businesses, the general workforce, and the general population - to secure their own parts of cyberspace." The plan recognizes that everyone must take responsibility for securing their own systems, that it takes the village to protect the village, that an unprotected computer puts even protected computers at risk.

What to do: Read our paper from the ISSA Journal "Creating the Information Security Village." Look for opportunities to do your part to "secure the village" including encouraging your IT and information security staff to become active in ISSA and other information security organizations.

**********************************
White House Picks New Cyber Coordinator

Friday, December 18, 2009

Hackers exploit Adobe Reader flaw via comic strip syndicate

What's happening: Cybercriminals broke into an online comic strip syndication service Thursday, embedding malicious code that sought to exploit a newly discovered security flaw in Adobe Reader and Acrobat.

What it means: Visitors to websites serving King Features comics are at risk of having their PCs taken over by malware planted on those sites to exploit the recently discovered flaw in Adobe Reader and Acrobat. At the time of the report, most antivirus programs failed to detect the malware.

More strategically, the story illustrates the imagination and creativity that cybercriminals bring to their work. Like lions in the jungle, cybercriminals are on the prowl, looking for any sign of weakness they can exploit.

What to do: Tactically: disable JavaScript in Reader and Acrobat as described in our previous blog post. Be on the alert for a patch from Adobe. Implement an intrusion detection and prevention system.

Strategically: Make sure you're staying ahead of the cybercriminals as the risk of falling behind continues to grow.

**********************************
Hackers exploit Adobe Reader flaw via comic strip syndicate

Web Attack on Twitter Demonstrates Deep Internet Risk

What's happening: Users going to Twitter Friday morning arrived instead at a site for the “Iranian Cyber Army.” The attack was the result of the most basic of security breaches: someone obtained the credentials for the account that manages Twitter's DNS records (the Domain Name System entries that tell browsers which servers twitter.com lives on) and pointed those records at the “Iranian Cyber Army” site instead.

What it means: There are two levels of meaning here. The obvious level is that social network sites continue to demonstrate that they have yet to get system security under adequate management control.

At a deeper level, consider that users were redirected from Twitter to the “Iranian Cyber Army" site. What if it weren't Twitter but your favorite eCommerce site and instead of being sent to the “Iranian Cyber Army" site you were presented with a site that looked identical to the site you thought you were going to—except that it stole your credit card information or installed malware on your computer.

And what if it's not your favorite eCommerce site but your own company's web site. And now every visitor going to your web site is at risk that malware will be installed on their computer.

What to do: Keep computers patched. Run an intrusion detection and prevention program instead of basic anti-virus. To protect your company's web site, make absolutely positively certain that IT staff is securely managing the master passwords to your company's DNS.
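A check for the failure described above, added here as an example that is not part of the original post or of anything Twitter publishes: record what your zone is supposed to contain, then regularly compare it with what resolvers actually return, so that a redirected A record or a swapped name-server delegation raises an alarm within minutes rather than when users start complaining. The domain, addresses and name servers are placeholders from the documentation ranges, and the dig-style answer lines are a constructed sample rather than a capture.

```python
"""Added example: catch a DNS hijack by comparing the answers the world currently
gets for your domain with a baseline recorded when the zone was known to be correct."""
import re
import socket
from typing import Dict, List, Set

# Known-good records for a hypothetical domain (assumption: example.com hosted on
# the documentation address ranges). Record this from an authoritative source when
# you know the zone is right, and store it somewhere the DNS console cannot touch.
BASELINE: Dict[str, Set[str]] = {
    "A":  {"192.0.2.10", "192.0.2.11"},
    "NS": {"ns1.example.net.", "ns2.example.net."},
    "MX": {"10 mail.example.com."},
}

# Constructed dig-style answer lines (not a real capture) showing what a hijack
# through a compromised registrar/DNS account looks like: one A record and one
# NS delegation now point at infrastructure the owner never configured.
SAMPLE_ANSWERS = """\
example.com.   300  IN  A   192.0.2.10
example.com.   300  IN  A   198.51.100.77
example.com.  3600  IN  NS  ns1.example.net.
example.com.  3600  IN  NS  ns-hijack.attacker.invalid.
example.com.  3600  IN  MX  10 mail.example.com.
"""

ANSWER_LINE = re.compile(r"^\S+\s+\d+\s+IN\s+(\S+)\s+(.+?)\s*$")


def parse_answers(text: str) -> Dict[str, Set[str]]:
    """Group 'name ttl IN TYPE rdata' lines (dig answer-section format) by record type."""
    observed: Dict[str, Set[str]] = {}
    for line in text.splitlines():
        match = ANSWER_LINE.match(line.strip())
        if not match:
            continue  # comments, blank lines and other dig chatter
        rtype, rdata = match.groups()
        observed.setdefault(rtype, set()).add(rdata)
    return observed


def dns_drift(baseline: Dict[str, Set[str]], observed: Dict[str, Set[str]]) -> List[str]:
    """List every value present that should not be, and every expected value that is
    missing. An empty list means the zone matches the baseline exactly."""
    findings: List[str] = []
    for rtype in sorted(set(baseline) | set(observed)):
        expected = baseline.get(rtype, set())
        seen = observed.get(rtype, set())
        findings += [f"UNEXPECTED {rtype} {value}" for value in sorted(seen - expected)]
        findings += [f"MISSING {rtype} {value}" for value in sorted(expected - seen)]
    return findings


def live_a_records(name: str) -> Dict[str, Set[str]]:
    """Real-world hook: the A records the local resolver returns right now (needs network)."""
    infos = socket.getaddrinfo(name, None, socket.AF_INET)
    return {"A": {sockaddr[0] for *_, sockaddr in infos}}


if __name__ == "__main__":
    for finding in dns_drift(BASELINE, parse_answers(SAMPLE_ANSWERS)):
        print(finding)
```

Run it on a schedule from a host outside your own network. The baseline deliberately includes NS records and not only A records: an attacker who holds the DNS account can change the delegation itself, which a check that only resolves addresses through your own servers would miss.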

**********************************
Web Attack on Twitter Is Third Assault This Year

Tuesday, December 15, 2009

Hackers target unpatched Adobe Reader, Acrobat flaw

What's happening: Adobe Systems Inc. said Monday it is investigating reports that attackers are exploiting a previously unidentified security hole in its Acrobat and PDF Reader software to break into vulnerable computers.

What to do: The exploit only works when users have JavaScript enabled in Adobe Acrobat/Reader. To disable JavaScript, click "Edit," then "Preferences" and then "JavaScript," and uncheck "Enable Acrobat JavaScript." Stay tuned for a patch from Adobe.

**********************************
Hackers target unpatched Adobe Reader, Acrobat flaw

Sunday, December 13, 2009

Viruses That Leave Victims Red in the Facebook

What's happening: Malware is spreading through Web sites like Facebook and Twitter. After stealing a Member's screen name and password, these malicious programs are coded to automatically send spam messages to the Member's friends and followers. Unsuspecting friends have been asked for money, have been directed to web-sites where malware is installed on their computers, and have had their user-names and passwords to online bank accounts stolen.

What it means: Social networks continue to be the wild wild west of the internet.

What to do: Stay vigilant. Be suspicious. Report suspected problems. And use a strong hard-to-break password.

**********************************
Viruses That Leave Victims Red in the Facebook

Saturday, December 12, 2009

In Shift, U.S. Talks to Russia on Internet Security

What's happening: The United States, Russia and a United Nations arms control committee have begun talks aimed at strengthening Internet security and limiting military use of cyberspace.

What it means: Nations must protect cyberspace as the strategic national asset it has become. As the attacks on Estonia and Georgia illustrated, a nation can be crippled by a methodical cyber-attack. Along with strong defenses, international treaties are a necessary pillar of any effective cyberspace security solution.

What to do: Stay tuned. This is just the beginning. There's still a lot of hard work ahead.

**********************************
In Shift, U.S. Talks to Russia on Internet Security

Friday, December 11, 2009

Security Alert: Check your Facebook 'privacy' settings now

What's happening: Facebook has made major changes that may allow complete strangers to see your personal photos and videos, date of birth, family relationships, and other sensitive information.

What it means: Unless you act to control who gets to see your private information, Facebook may let anyone see it, friend or foe alike.

What to Do: Follow the advice of Washington Post's Brian Krebs in the blog link below.

**********************************
Check your Facebook 'privacy' settings now

Wednesday, December 9, 2009

Zeus crimeware appears to be using Amazon's EC2 as command and control server

What's happening: Security researchers have intercepted a variant of the Zeus crimeware using Amazon’s EC2 service for command and control of its botnet. The cybercriminals also appear to be using Amazon’s RDS managed database hosting service as an alternative control domain in case they lose access to the primary one. ScanSafe reports that in the past three years it has recorded 80 unique malware incidents involving Amazon, 45 of them in 2009 compared to 35 in 2007 and 2008 combined.

What it means: This story illustrates the inherent challenge of securing the internet and with it, all the corporate and personal information in our computers and servers that is accessible via the internet. Amazon has every reason to get security perfect; yet they don't. No one can. Perfect information systems security is as impossible as perfect security of any kind. So long as we have information in our systems that someone else wants, there will be risk.

What to do: Follow the advice of Wall Street journalist Merryle Rukeyser, who said "The secret of success lies not in avoiding risk but in managing it." (Merryle Rukeyser was the father of Wall Street Week host Louis Rukeyser and a periodic guest on the show in the 1980s.)

**********************************
Zeus crimeware using Amazon's EC2 as command and control server

Tuesday, December 8, 2009

Brian Krebs, Washington Post Journalist, Named Cybercrime Hero by Cisco

What's happening: Cisco's 2009 Annual Security Report names Washington Post journalist Brian Krebs its Cybercrime Hero.

The report writes: Kudos to Brian Krebs, who reports on computer security issues in his Security Fix blog on the website of The Washington Post. Krebs has spent a significant amount of time researching and reporting on banking Trojans like Zeus and Clampi and exposing how they operate.

In the fall of 2009, Krebs published a series of articles about the online “bank jobs” conducted by the sophisticated malware that Zeus and Clampi distribute. Through his extensive research and reporting, Krebs managed to discover a great deal about these Trojans. The tactics and routines associated with the malware—and the significant number of businesses and individual users who have been affected by it—would likely impress even some of the most successful bank thieves in history.

Krebs has taken time not only to report on these dangerous threats, but also to provide readers with practical and easy-to-understand advice about how not to fall victim to such scams.

What it means: Congratulations to Krebs for his award. The information security community has a friend in Krebs. One can only hope that a Pulitzer follows.

**********************************
Cisco names Security Fix author 'cybercrime hero'

Critical updates for Adobe Flash, Microsoft Windows

What's happening: Microsoft released six software updates on Tuesday to fix at least a dozen security vulnerabilities in Windows, Internet Explorer, Windows Server and Microsoft Office. Adobe also issued security updates to its ubiquitous Flash Player and its Adobe AIR software. Updates are available for Windows, Linux and Mac versions of these programs.

What to Do: Patch your systems.

**********************************
Critical updates for Adobe Flash, Microsoft Windows

Cisco Publishes 2009 Annual Security Report

What's happening: Cisco Security Intelligence Operations announces the Cisco 2009 Annual Security Report. The updated report includes information about 2009 global threats and trends, as well as security recommendations for 2010.

Report Highlight: Online criminals have taken advantage of the large social media following, exploiting users' willingness to respond to messages that are supposedly from people they know and trust.

What to Do: Review the report and strengthen defenses accordingly.

**********************************
Cisco 2009 Annual Security Report

Monday, December 7, 2009

La. firm sues Capital One after losing thousands in online bank fraud

What's happening: An electronics testing firm in Louisiana is suing its bank, Capital One, alleging that the financial institution was negligent when it failed to stop hackers from transferring nearly $100,000 out of its account earlier this year.

What it means: Another victim of online bank fraud does battle with its bank over who's responsible.

What to do: Follow our earlier recommendations. Manage your own security. Check your insurance. Send your attorney a copy of our paper "An Emerging Information Security Minimum Standard of Due Care."

**********************************
La. firm sues Capital One after losing thousands in online bank fraud

Saturday, December 5, 2009

Phishers angling for Web site administrators

What's happening: Cybercriminals have launched a massive phishing campaign to trick webmasters into giving up the credentials needed to administer their Web sites. Experts say the attackers are attempting to build a distributed network of hacked sites through which to distribute malicious software.

What it means: Cybercriminals have learned that they can take control of a PC by planting malicious software on a web site the PC's user visits. The malware then infects visitors' PCs, often bypassing corporate firewalls and antivirus software.

What to do: If you administer a web site and fell for this phishing scheme, contact your hosting provider and change your password. You also need to review your Web site content for any recent unauthorized changes.
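One way to carry out the content review the last sentence calls for, added here as an example and not code from the linked article: hash every file under the web root while the site is known to be clean, keep that baseline somewhere the web server account cannot write, and on each run report what was added, removed or changed, then scan the changed code files for the signatures a drive-by injection usually leaves (an invisible iframe, eval(unescape(...)) obfuscation). The demo() function builds a throwaway web root and simulates the compromise with constructed content; the pattern list is a small starting point, not an exhaustive signature set.

```python
"""Added example: baseline the files under a web root, report what changed, and look
inside changed HTML/PHP/JS for the usual drive-by injection patterns."""
import hashlib
import os
import re
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple


def hash_tree(root: str) -> Dict[str, str]:
    """Map each regular file under root (relative POSIX path) to its SHA-256."""
    digests: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def diff_baseline(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Added, removed and modified paths between two hash_tree() snapshots."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(p for p in old & new if baseline[p] != current[p]),
    }


# Patterns that commonly mark injected drive-by code (assumption: a small starter
# list, not an exhaustive signature set).
SUSPICIOUS: List[Tuple[re.Pattern, str]] = [
    (re.compile(r"<iframe[^>]*\b(?:width|height)\s*=\s*[\"']?0\b", re.I), "zero-size iframe"),
    (re.compile(r"<iframe[^>]*visibility\s*:\s*hidden", re.I), "hidden iframe"),
    (re.compile(r"\beval\s*\(\s*unescape\s*\(", re.I), "eval(unescape()) obfuscation"),
    (re.compile(r"document\.write\s*\(\s*unescape\s*\(", re.I), "document.write(unescape()) obfuscation"),
]
CODE_EXT = (".html", ".htm", ".php", ".js")


def scan_text(text: str) -> List[str]:
    """Labels of every suspicious pattern found in a code/markup file."""
    return [label for rx, label in SUSPICIOUS if rx.search(text)]


def review_changes(root: str, baseline: Dict[str, str]) -> Tuple[Dict[str, List[str]], Dict[str, List[str]]]:
    """Diff the live tree against the baseline and scan every new or changed code file."""
    changes = diff_baseline(baseline, hash_tree(root))
    flags: Dict[str, List[str]] = {}
    for rel in changes["added"] + changes["modified"]:
        if rel.lower().endswith(CODE_EXT):
            flags[rel] = scan_text((Path(root) / rel).read_text(errors="replace"))
    return changes, flags


def demo() -> Tuple[Dict[str, List[str]], Dict[str, List[str]]]:
    """Build a throwaway web root, baseline it, then simulate a compromise (constructed data)."""
    root = tempfile.mkdtemp(prefix="webroot-")
    try:
        (Path(root) / "css").mkdir()
        (Path(root) / "index.html").write_text("<html><body><h1>Welcome</h1></body></html>\n")
        (Path(root) / "css" / "site.css").write_text("body { margin: 0 }\n")
        baseline = hash_tree(root)  # in practice, store this where the web server account cannot write
        # An attacker with phished admin credentials appends an invisible iframe and drops a backdoor.
        with (Path(root) / "index.html").open("a") as fh:
            fh.write('<iframe src="http://malware.invalid/x" width=0 height=0></iframe>\n')
        (Path(root) / "uploads").mkdir()
        (Path(root) / "uploads" / "shell.php").write_text("<?php echo 'placeholder'; ?>\n")
        return review_changes(root, baseline)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    changes, flags = demo()
    print(changes)
    print(flags)
```

The hash diff is the part that actually catches a compromise; the pattern scan only helps prioritise which changed file to look at first, so treat any unexplained change as suspect even when no pattern fires.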

**********************************
Phishers angling for Web site administrators

Thursday, November 19, 2009

Health Net healthcare data breach affects 1.5 million

What's happening: Health Net announced that it is investigating a healthcare data security breach that resulted in the loss of patient data affecting 1.5 million customers. The Woodland Hills, Calif.-based managed healthcare provider said the lost files, a mixture of medical data, Social Security numbers and other personally identifiable information collected over the past seven years, were on a portable external hard drive that was lost six months ago. The company said the data was not encrypted; it included records on 446,000 Connecticut patients.

What it means: This loss illustrates some of the challenges of securely managing sensitive information. Who — if anyone — authorized sensitive information to be stored on a portable, easy-to-lose hard drive? Why was the drive not encrypted? Why did it take the company six months to notify anyone? What will this cost them? What will they learn from it?

What to do: Stay vigilant. Every business is at risk that what happened to Health Net can happen to it.

**********************************
Health Net healthcare data breach affects 1.5 million

Wednesday, November 18, 2009

Is Your Smartphone Eavesdropping on Your Conversations?

What's happening: In late October, developer Sheran Gunasekera released mobile-phone software that can help someone eavesdrop on your conversations. The free application, called PhoneSnoop, can be downloaded onto a BlackBerry, remotely turn on the microphone, and listen to conversations held in proximity to the device.

What it means: PhoneSnoop and the similar FlexiSPY are two of a growing number of applications that can be downloaded onto a smartphone without a user's knowledge. Smartphones and the growing number of people using them are becoming a bigger target for unauthorized and potentially harmful software, including worms, viruses, and spyware that tracks a user's Web activity.

What to Do: Configure your smartphone so apps can be downloaded and installed only with your approval. Make sure IT staff is staying on top of this growing threat.

**********************************
Smartphones: A bigger target for security threats

UK Police Reveal Arrests Over Zeus Banking Malware

What's happening: British police said Wednesday they've made the first arrests in Europe of two people for using Zeus, a malicious software program often used in sophisticated online bank fraud. When installed on a PC, Zeus can send spam, steal financial or other data, or take part in a distributed denial-of-service attack against other computers. Collectively, the infected machines form a botnet.

What it means: While it's good to get these two cybercriminals off the street, the total effect is like taking a glass of water out of the ocean.

What to do: Celebrate that these two are in jail. Then go back to protecting sensitive business and family information. The battle is far from over.

**********************************
Two held in global PC fraud probe

Thursday, November 12, 2009

Phishing Alert: “Rejected ACH Transaction.”

What's happening: NACHA – The Electronic Payments Association has received reports that individuals and/or companies have received a fraudulent e-mail that has the appearance of having been sent from NACHA. See NACHA's press release below.

What it means:
Cybercriminals are attempting to lure unsuspecting businesses to a web site that will infect their computers with malware.

What to do: Don't fall victim to these phishing attacks. Always be suspicious. Ask yourself: "Does this email make sense?" Make sure technology defenses are in place in case you slip.

**********************************
NACHA Phishing Alert (11/12/2009) E-mail Claiming to be from NACHA

NACHA – The Electronic Payments Association has received reports that individuals and/or companies have received a fraudulent e-mail that has the appearance of having been sent from NACHA. See sample below.

The subject line of the e-mail states: “Rejected ACH Transaction.” The e-mail includes a link which redirects the individual to a fake web page which appears like the NACHA Web site and contains a link which is almost certainly an executable virus with malware. Do not click on the link. Both the e-mail and the related Web site are fraudulent.

Be aware that phishing e-mails frequently have links to Web pages that host malicious code and software. Do not follow Web links in unsolicited e-mails from unknown parties or from parties with whom you do not normally communicate, or that appear to be known but are suspicious or otherwise unusual.

NACHA itself does not process nor touch the ACH transactions that flow to and from organizations and financial institutions. NACHA does not send communications to individuals or organizations about individual ACH transactions that they originate or receive.

If malicious code is detected or suspected on a computer, consult with a computer security or anti-virus specialist to remove malicious code or re-install a clean image of the computer system. Always use anti-virus software and ensure that the virus signatures are automatically updated. Ensure that the computer operating systems and common software applications security patches are installed and current.

Be alert for different variations of fraudulent e-mails.

= = = = = Sample E-mail = = = = = =

From: nacha.org [mailto:report@nacha.org]
Sent: Thursday, November 12, 2009 10:25 AM
To: Doe, John
Subject: Rejected ACH transaction, please review the transaction report
Dear bank account holder,
The ACH transaction, recently initiated from your bank account, was rejected by the Electronic
Payments Association. Please review the transaction report by clicking the link below:
Unauthorized ACH Transaction Report (this is how the link is presented)
------------------------------------------------------------------
Copyright ©2009 by NACHA - The Electronic Payments Association
= = = = = = = = = = = = = = = = = = =
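To turn the alert above into something a mail gateway or help desk can run, here is an added example (not NACHA's or this blog's code) that applies the two tells the alert describes: the message claims to come from a trusted organization, and the visible link text names that organization while the real target is somewhere else. It parses a constructed message modelled on the sample, extracts every link from the HTML body, compares each link's domain with the sender's, flags the sender's domain reused as a lookalike prefix, and flags targets that end in an executable extension. The attacker host name under the reserved .invalid domain is invented, and the registrable-domain helper is a two-label approximation rather than a public-suffix lookup.

```python
"""Added example: triage an inbound e-mail for the NACHA-style lure: a trusted brand in
the From header, and a link whose visible text names that brand but whose real target
is somewhere else (and, here, an executable)."""
from email import message_from_string, policy
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urlparse

# Constructed raw message modelled on the sample in the NACHA alert. The link
# target is an invented placeholder under the reserved .invalid TLD.
SAMPLE_EMAIL = """\
From: nacha.org <report@nacha.org>
To: "Doe, John" <john.doe@example.com>
Subject: Rejected ACH transaction, please review the transaction report
Content-Type: text/html; charset=us-ascii

<html><body>
<p>Dear bank account holder,</p>
<p>The ACH transaction, recently initiated from your bank account, was rejected by
the Electronic Payments Association. Please review the transaction report by
clicking the link below:</p>
<p><a href="http://nacha.org.report-view.attacker.invalid/report.exe">Unauthorized ACH Transaction Report</a></p>
<p>Copyright 2009 by NACHA - The Electronic Payments Association</p>
</body></html>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host: str) -> str:
    """Last two labels of a host name. Assumption: adequate for .com/.org; a real
    deployment would use the public suffix list to handle co.uk and friends."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


EXECUTABLE_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".zip")


def analyse(raw: str) -> List[str]:
    """Return a list of findings; an empty list means none of these checks fired."""
    msg = message_from_string(raw, policy=policy.default)
    sender_domain = registrable(msg["from"].addresses[0].domain)
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is None:
        return []
    extractor = LinkExtractor()
    extractor.feed(html_part.get_content())
    findings: List[str] = []
    for href, text in extractor.links:
        parsed = urlparse(href)
        host = parsed.hostname or ""
        link_domain = registrable(host)
        if link_domain != sender_domain:
            findings.append(f"link '{text}' goes to {link_domain}, not the sender's {sender_domain}")
            if sender_domain in host:  # nacha.org.<something>.attacker.invalid
                findings.append(f"sender domain used as a lookalike prefix: {host}")
        if parsed.path.lower().endswith(EXECUTABLE_EXT):
            findings.append(f"link target is an executable: {href}")
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_EMAIL):
        print("FLAG:", finding)
```

The From header is trivially forged, so a match between sender and link domain proves nothing on its own; a mismatch, however, is exactly the tell NACHA describes, and the executable extension is the one the alert warns about.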

Tuesday, November 10, 2009

Hundreds of Facebook Groups Hacked

What's happening: A hacker, or group of hackers, has taken over up to 300 different Facebook groups.

What it means: Facebook has again shown that its security controls are inadequate to keep hackers from misusing its network. Cybercriminals and other miscreants continue to have their way with social network sites. This puts the burden of security on end-users like you and me.

What to do: Don't assume Facebook is protecting your security. They can't. Take responsibility for protecting yourself.

**********************************
Hundreds of Facebook Groups Hacked

Tuesday, November 3, 2009

FBI Says Total On-Line Fraud Exceeds $100M and Continues to Grow

What's happening: The FBI has issued a new warning about the magnitude of online bank fraud. The amount lost so far now exceeds $100 Million.

What it means:
The magnitude of the threat to business continues to increase as cyber-criminals continue to steal money from small and medium sized businesses, not-for-profits, and educational institutions.

What to do:
Make sure all defenses are in place. Consult our guides for specific advice.

**********************************
From IDG News Service: FBI warns of $100M cyber-threat to small business

Cyberthieves are hacking into small- and medium-sized organizations every week and stealing millions of dollars in an ongoing scam that has moved about $100 million out of U.S. bank accounts, the FBI warned Tuesday.

It's now one of the top problems being addressed by the National Cyber Forensics and Training Alliance (NCFTA), which works with the FBI and industry to share information about cyberattacks, said NCFTA Executive Director Ron Plesco. "Every year there seems to be a trend and this has been the trend this year," he said.

There has been a "significant increase" in what's known as ACH (automated clearinghouse) fraud over the past few months, much of it targeting small businesses, municipal governments and schools, the FBI said in an alert posted to its Web site.

http://www.computerworld.com/s/article/9140308/FBI_warns_of_100M_cyber_threat_to_small_business?taxonomyId=142

IC3 Intelligence Note: Online Bank Fraud

What's happening: The Internet Crime Complaint Center (IC3) has released an Intelligence Note on the recent jump in online bank fraud. The report provides a good non-technical overview of what's going on and some of the things needed to deal with it.

What it means: The bad news is that online bank fraud is on the rise. The good news is that—by shining the spotlight on the problem—potential victims can take appropriate steps to better their odds.

What to do: Read the article. Forewarned is forearmed.

**********************************
IC3 Intelligence Note: Compromise Of User's Online Banking Credentials Targets Commercial Bank Accounts

Thursday, October 29, 2009

Information Security Breach Surfaces at House Ethics Committee

What's happening: The House Ethics Committee announced that a document containing the names of more than two dozen members of Congress being investigated by the Committee—together with the status of the investigations—had surfaced on a part of the web known as "peer-to-peer."

What it means: The embarrassment to the Ethics Committee caused by the breach and the risk to the reputation of lawmakers resulting from it serve to illustrate the danger of peer-to-peer networks—used primarily for the illegal sharing of copyrighted material. Sensitive information can all too easily be sucked up into a peer-to-peer network, becoming accessible to anyone on the same network. Cyber-criminals regularly troll peer-to-peer networks looking for sensitive information (like credit card numbers) that they can monetize. Peer-to-peer networks are very dangerous and serve no useful purpose in the business environment.

What to do: Management must outlaw peer-to-peer software in the corporate environment and must make sure the network (including all remote computers) is regularly scanned for its presence. Users also need to be trained about the dangers of peer-to-peer networks and should be strongly discouraged from using them at home.

**********************************

New York Times: Ethics Inquiries Into Lawmakers Surface via Security Breach

WASHINGTON — The House ethics committee announced Thursday that it would begin full investigations into two House members ... but a security breach threatened to make public the names of many other members facing ethics inquiries.

http://www.nytimes.com/2009/10/30/us/politics/30ethics.html?_r=1&scp=5&sq=ethics%20committee&st=cse

Wednesday, October 28, 2009

Facebook users attacked with phony password reset emails

What's happening: Facebook users are receiving emails saying their passwords have been reset and instructing them to open an attachment containing their new passwords.

What it means:
Users opening the attachment risk having their computers taken over by cyber-criminals.

What to do: Make sure the IT department is blocking these messages at the spam filter. Alert staff to disregard these emails, both at work and at home, should they get through the spam filters. Consider replacing your anti-malware solution with an intrusion detection and prevention system.

**********************************

Computer World: Massive bot attack spoofs Facebook password messages. 'Bredolab' Trojan rides fake reset messages, reaches at least 735,000 users

A massive bot-based attack has been hitting Facebook users, with nearly three-quarters of a million users receiving fake password reset messages, according to security researchers.

http://www.computerworld.com/s/article/9140058/Massive_bot_attack_spoofs_Facebook_password_messages?source=CTWNLE_nlt_security_2009-10-29

Tuesday, October 27, 2009

New Study Continues to Show Internet Becoming Increasingly Dangerous as Malware Infections Rise Rapidly

What's happening: According to the latest statistics, the number of web sites hosting malware—either intentionally or inadvertently—continues to rise at an alarming rate.

What it means: This latest report confirms what IBM said in their "Online Threat Report" of last August. (See our blog post: IBM Online Threat Report: Trust No One)

What to do: Management needs to make sure their information systems security management program is up-to-date, with the defense-in-depth required to deal with these new threats.

**********************************

cnet News: Elinor Mills: Web-based malware infections rise rapidly, stats show

The number of Web sites hosting malicious software, either intentionally or unwittingly, is rising rapidly, according to statistics to be released on Tuesday from Dasient. More than 640,000 Web sites and about 5.8 million pages are infected with malware, according to Dasient, which was founded by former Googlers to offer services to help Web sites stay malware-free and off blacklists. That figure for infected pages is nearly double what Microsoft estimated in a report in April. Meanwhile, the Google blacklist of malware infected sites has more than doubled in the last year, registering as many as 40,000 new sites in one week.

http://news.cnet.com/8301-27080_3-10383512-245.html

Monday, October 26, 2009

FBI Issues Warning to Business in Light of Increase in Online Bank Theft

What's happening: Online bank theft by cyber-criminals has risen to the point that the FBI has taken the unusual step of issuing a public warning. According to Steve Chabinsky, deputy assistant director of the FBI's Cyber Division, "We don't believe there's cause for a crisis of confidence in online banking, but we want to make sure we message this early before this becomes a much larger problem. Our concern is that these numbers will grow if we don't educate people now to take precautions."

What it means: Lest there be any doubt, the risk of online bank theft is real. And it's growing. And right-now, the cyber-criminals are winning.

What to do: Review your information systems security management program and improve as needed.

**********************************
From Brian Krebs; Washington Post: FBI: Cyber crooks stole $40M from U.S. small, mid-sized firms

Cyber criminals have stolen at least $40 million from small to mid-sized companies across America in a sophisticated but increasingly common form of online banking fraud, the FBI said this week.

http://voices.washingtonpost.com/securityfix/2009/10/fbi_cyber_gangs_stole_40mi.html

Wednesday, October 14, 2009

Adobe closes 29 vulnerabilities in Reader and Acrobat

What's happening: Adobe has closed the vulnerabilities announced on our Blog Post of Oct 9.

What it means: Once these patches are installed, computers will no longer be exposed to these flaws.

What to do: Have IT staff install all patches in the corporate environment. Instruct staff to install the patches on home PCs.

**********************************

Information Week: Adobe Fixes 29 Flaws In Acrobat And Reader

Adobe released a fix for 29 vulnerabilities in its Acrobat and Acrobat Reader software, warning that the vulnerabilities could be exploited to cause crashes and to take control of the user's computer.

Adobe rates the update as "critical" and warns that one of the vulnerabilities (CVE-2009-3459) is actively being exploited.

http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml?articleID=220600883

Tuesday, October 13, 2009

Microsoft Plugs 34 Security Holes in Record-Setting "Patch Tuesday"

What's happening: Microsoft has released a record number of patches to address a host of Windows vulnerabilities.

What it means: These patches close 34 'security holes' through which cyber-criminals could gain access to computers running Windows.

What to do: Have IT staff install all patches in the corporate environment. Instruct staff to install the patches on home PCs.

**********************************
From Brian Krebs; Washington Post: Microsoft Issues Record Number of Security Updates

Microsoft Corp. on Tuesday issued an unprecedented number of updates to fix security problems in PCs powered by its Windows operating systems and other software: The software giant released patches to plug at least 34 security holes, the highest number of vulnerabilities it has ever addressed in a single month.

http://voices.washingtonpost.com/securityfix/2009/10/microsoft_releases_record_numb.html

Friday, October 9, 2009

Zero-Day Attacks Exploit Reader, Acrobat Vulnerabilities

What's happening: Adobe has issued an alert that cyber-criminals are exploiting several vulnerabilities in their Reader and Acrobat programs for which Adobe does not yet have patches.

What it means: Until these vulnerabilities are patched, users of Acrobat & Reader are at risk of having cyber-criminals take control of their computers.

What to do: Inform staff to be wary of opening unexpected PDFs sent via email or PDFs downloaded from the internet. Alert IT staff to be prepared to install patches when they become available. Consider replacing your current anti-malware solution with a host intrusion prevention solution.

**********************************
From Brian Krebs; Washington Post: Adobe Warns of Critical Threat to Reader, Acrobat Users

Adobe Systems Inc. late Thursday issued an alert saying that hackers are exploiting a newly-discovered vulnerability in its free PDF Reader and Acrobat products to break into Microsoft Windows systems.

http://voices.washingtonpost.com/securityfix/2009/10/adobe_warns_of_critical_threat.html

Thursday, October 1, 2009

Protecting Your Business from Social Networking Attacks

Sally, the accounting manager of Acme Enterprises, a medium-sized business, regularly checked her Facebook account while at work. One day she received an email. The email said that a long-lost friend, Bob, had added her as a friend in Facebook. There was a link in the email for Sally to follow to confirm the friend request. Sally clicked the link. Over the next week, cyber-thieves withdrew nearly $1,000,000 from her employer's bank account.

Welcome to the newest, nastiest twist in cybercrime.

You see, the email wasn't from Bob and the link didn't go back to Facebook. Bob's on Facebook just like Sally is. That's how the cyber-thieves found them and discovered that they might know each other. That's also where they learned that Sally worked in the accounting department.

After that it was a simple matter to set the trap by sending Sally a friend request from Bob. "How great," thought Sally, "an email from Bob. Let me just follow this link and we can be friends again."

Link followed. Trojan horse installed. $1,000,000 stolen.

According to Breach Security, the number of web security incidents was up 30 percent in the first half of 2009. And social networking sites like Facebook, MySpace and Twitter were the target of 19% of all attacks, more than any other category. That's a big change from last year's report when government networks were the most often attacked and social networks weren't even on the list.

Making matters worse, many of these attacks succeed by taking advantage of missing patches and using obscure technology like "0-day exploits" that get past traditional antivirus and antispyware defenses.

As if that's not bad enough, businesses shouldn't expect their banks to cover losses. Regulation E of the Federal Deposit Insurance Corporation (FDIC) stipulates that consumers are protected against cyber crime involving their banks. The FDIC regulation does not cover businesses, however.

Here are five things you can do to inoculate your business against social network attacks:
  1. Prohibit use of social network sites from the office. These sites can be blocked at the corporate firewall. This can become particularly challenging if employees work remotely as it may not be feasible to block access to social networks from home computers. Making matters worse, Trojan horses are like communicable diseases and Sally's work-at-home computer can be infected from her son's. That's why the next four recommendations are so important.
  2. In addition to antivirus / antispyware defenses, add advanced defenses like intrusion detection and prevention designed to block internet-based attacks like the link in Sally's email and 0-day exploits.
  3. Your IT staff can block known internet-based attacks by comparing links against a database of known bad links like www.stopbadware.org/home/reportsearch.
  4. Keep your systems patched. This means not just Windows patching but all your applications, those you know about - like Office and Adobe Reader - and those you might not even know about - like Flash and Java. This also includes your Macintosh computers as they are every bit as vulnerability-prone as Windows PCs.
  5. Finally, don't expect to rely on technology alone. Users are often the weakest link so it's very important to train them to detect the subtle signs of an attack so they can keep from becoming victims. They also need to be given guidance on what information is safe to put on a social networking site. Sally put a big bull's-eye on her back when she wrote that she works in Acme's accounting department.

There is no one thing you can do to keep from being victimized by a social network attack. Even doing all five of these isn't a guarantee, just like a flu shot doesn't guarantee you won't get the flu. But if you are diligent you can significantly affect the odds and this should be your objective.
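The disguised friend-request link in Sally's story, and the "known bad links" check in recommendation 3, can be mechanised at the mail gateway. The following is an added example, not code from the original post or from Lighthouse Consulting; the e-mail body, the hostnames and the blocklist are constructed stand-ins.

```python
"""Detect the kind of disguised link described in the Sally story.

Constructed example: an HTML e-mail whose anchor text claims to be a
Facebook link but whose href points elsewhere.  Checks performed:
  (a) the visible text names a host that differs from the href's host,
  (b) the href's host is on a blocklist (stand-in for a "known bad
      links" database of the kind the post mentions),
  (c) the href points at a bare IP address instead of a hostname.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse
from typing import Dict, List, Optional

# Constructed blocklist; in practice fed from a reputation feed.
BLOCKLIST = {"facebook-confirm-friend.example.net", "update-login.example.org"}

# Constructed sample e-mail body in the style of the story above.
SAMPLE_EMAIL_HTML = """
<html><body>
<p>Hi Sally, Bob added you as a friend on Facebook.</p>
<p><a href="http://facebook-confirm-friend.example.net/confirm?id=1">
   http://www.facebook.com/confirm</a></p>
<p><a href="https://www.facebook.com/help">Facebook Help</a></p>
<p><a href="http://192.0.2.10/login">Log in to your bank</a></p>
</body></html>
"""


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML document."""

    def __init__(self) -> None:
        super().__init__()
        self.anchors: List[Dict[str, str]] = []
        self._current: Optional[Dict[str, str]] = None

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            href = dict(attrs).get("href") or ""
            self._current = {"href": href, "text": ""}

    def handle_data(self, data):
        if self._current is not None:
            self._current["text"] += data

    def handle_endtag(self, tag):
        if tag.lower() == "a" and self._current is not None:
            # Collapse the whitespace that HTML rendering would hide.
            self._current["text"] = " ".join(self._current["text"].split())
            self.anchors.append(self._current)
            self._current = None


def _host_of(url: str) -> str:
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlparse(url.strip()).hostname or "").lower()


def _host_in_text(text: str) -> str:
    """If the visible anchor text itself looks like a URL, return its host."""
    token = text.strip().split()[0] if text.strip() else ""
    if token.startswith(("http://", "https://")):
        return _host_of(token)
    return ""


def _is_ip_literal(host: str) -> bool:
    parts = host.split(".")
    return len(parts) == 4 and all(p.isdigit() for p in parts)


def analyze_links(html: str, blocklist=BLOCKLIST) -> List[Dict[str, object]]:
    """Return one finding per anchor that trips any of the three checks.

    Reasons reported: "mismatch", "blocklisted", "ip_literal".
    """
    parser = _AnchorCollector()
    parser.feed(html)
    findings: List[Dict[str, object]] = []
    for a in parser.anchors:
        href_host = _host_of(a["href"])
        text_host = _host_in_text(a["text"])
        reasons = []
        if text_host and text_host != href_host:
            reasons.append("mismatch")
        if href_host in blocklist:
            reasons.append("blocklisted")
        if _is_ip_literal(href_host):
            reasons.append("ip_literal")
        if reasons:
            findings.append({"href": a["href"], "text": a["text"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze_links(SAMPLE_EMAIL_HTML):
        print(f["reasons"], f["text"], "->", f["href"])
```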


Thanks to our friends at Lighthouse Consulting who were kind enough to publish this in their newsletter.

Wednesday, September 30, 2009

Cybercriminals breach payroll services firm, go after customers' computers

What's happening: After breaking into the computer systems of a payroll processing company, cybercriminals sent emails to the company's customers. Users who clicked on a link in the email had their computers taken over by the attacker resulting in the theft of their user-ids and passwords. According to the Post, the malware used to break into the payroll processing company is poorly detected by most anti-virus products.

What it means: First, the top echelon of cybercriminals has become very focused and targeted. While random attacks are still common, companies are increasingly coming under targeted attack. Second, we continue to see malware that's able to slip through anti-virus products. Third, phishing attacks are also becoming very targeted; emails used in this attack were addressed to recipients by name and included portions of their passwords.

What to do: This is another example of what we've already written. Senior management must proactively manage security of sensitive information through policies, awareness training, oversight of the IT security management function, etc. They should also strongly consider replacing their current anti-virus / anti-spyware product with an intrusion detection / prevention solution. Users must follow the mantra of an earlier blog: "Trust no one."

**********************************
From Brian Krebs; Washington Post: Hackers Breach Payroll Giant, Target Customers

Hackers last week apparently used stolen account information from a New Jersey company that provides online payroll services to target the firm's customers in a scheme to steal passwords and other information.

http://voices.washingtonpost.com/securityfix/2009/09/hackers_breach_payroll_giant_t.html

Monday, September 28, 2009

Cybercriminals rob not-for-profit healthcare providers

What's happening: Several not-for-profit health care providers have been hit with the same kind of online bank fraud that's affecting businesses and schools. Banks are resisting returning the stolen money claiming they follow "commercially reasonable practices."

What it means: Every organization must assume that they will come under attack and prepare accordingly. As our post from August 27 says: Trust No One.

What to do: Management must get on top of this problem. Train staff to recognize cybercrime danger signs. Tightly manage technology controls. Consider replacing anti-virus / anti-spyware solutions with an intrusion detection / prevention solution. Check your cyber-insurance. Be prepared to sue your bank: Email your attorney our Guide: An Emerging Information Security Minimum Standard of Due Care.

**********************************
From Brian Krebs; Washington Post: Cyber Gangs Hit Healthcare Providers

Organized cyber thieves that have stolen millions from corporations and schools over the past few months recently defrauded several health care providers, including a number of non-profit organizations that cater to the disabled and the uninsured.

http://voices.washingtonpost.com/securityfix/2009/09/irs_scam_e-mail_could_be_costl.html

Cybercriminals use fake IRS emails to steal on-line banking credentials

What's happening: U.S.-CERT has issued an alert stating: "attacks arrive via an unsolicited email message and may contain a subject line of 'Notice of Underreported Income.' These messages may contain a link or attachment. If users click on this link or open the attachment, they may be infected with malicious code" designed to steal bank account credentials.

What it means: Users who fall for this scam are (1) giving control of their computers to cybercriminals; (2) exposing their organizations to online bank fraud.

What to do: Continue training users not to fall for phishing attacks. Take all the other steps to protect yourself from online bank theft that we've already discussed. Strongly consider replacing your current anti-virus / anti-spyware product with an intrusion detection / prevention solution.

**********************************
From Brian Krebs; Washington Post: New IRS Scam E-mail Could Be Costly

The Department of Homeland Security's Computer Emergency Readiness Team is warning Internet users to be on guard against a convincing e-mail virus scam disguised as a message from auditors at the Internal Revenue Service. According to one victim interviewed by Security Fix, falling for the ruse could cost you or your employer tens of thousands of dollars.

http://voices.washingtonpost.com/securityfix/2009/09/irs_scam_e-mail_could_be_costl.html

Wednesday, September 23, 2009

Security of Online Banking Threatened by Defeat of Two-Factor Authentication

What's happening: Cybercriminals have learned how to steal money from business bank accounts even when bank security controls include second-factor authentication.

What it means: Most banks and businesses believe online banking is safe when protected with what's known as 2nd-factor [or multi-factor] authentication. While second-factor authentication is a step up over single-factor, it is still not fail-safe. Take a look at our blog posting about a $447,000 cybertheft from a company that uses second-factor authentication. The two stories below describe the ease with which cybercriminals are bypassing second-factor authentication. After bypassing inadequate protection of the IT infrastructure, the cybercriminals succeed by taking advantage of untrained, unaware staff.

What to do: Management must get on top of this problem. Train staff to recognize cybercrime danger signs. Tightly manage technology controls. Consider replacing antivirus / antimalware solutions with an intrusion detection / prevention solution. Check your cyber-insurance. Be prepared to sue your bank: Email our Guide: An Emerging Information Security Minimum Standard of Due Care to your attorney.

**********************************
From ZDNet: Modern banker malware undermines two-factor authentication

Once pitched as an additional layer of security for E-banking transactions, two-factor authentication is slowly becoming an easy-to-bypass authentication process, to which cybercriminals have successfully adapted throughout the last couple of years.

http://blogs.zdnet.com/security/?p=4402

From MIT Technology Review: Real-Time Hackers Foil Two-Factor Security. One-time passwords are vulnerable to new hacking techniques.

http://www.technologyreview.com/computing/23488/

Company sues bank after $588,000 stolen by cyberthieves

What's happening: Another corporate victim of cybertheft goes public and sues its bank over a sophisticated online bank heist.

What it means: This is our 9th posting on online bank theft in the last month. It illustrates how the world of cybercrime has changed. Cybercriminals are targeting small and medium-sized organizations, hacking into their computer systems and stealing money. Banks are reluctant to return the money, claiming that they are following "commercially reasonable" practices. In the case of the bank in the article, they appear not to have been following commercially reasonable practices. Even when banks are following commercially reasonable practices, that may not be sufficient; see our discussion of T. J. Hooper v. Northern Barge in our Guide An Emerging Information Security Minimum Standard of Due Care, where Judge Learned Hand wrote: "in most cases reasonable prudence is in fact common prudence; but strictly it is never its measure ... there are precautions so imperative that even their universal disregard will not excuse their omission."

What to do: Management must get on top of this problem. Check bank transactions daily. Train staff to recognize cybercrime danger signs. Tightly manage technology controls. Consider a separate PC used only for on-line banking. Check your cyber-insurance. Be prepared to sue your bank: Email our Guide: An Emerging Information Security Minimum Standard of Due Care to your attorney.

**********************************
From Brian Krebs; Washington Post: Maine Firm Sues Bank After $588,000 Cyber Heist

A construction firm in Maine is suing a local bank after cyber thieves stole more than a half million dollars from the company in a sophisticated online bank heist.

http://voices.washingtonpost.com/securityfix/2009/09/construction_firm_sues_bank_af.html

Tuesday, September 22, 2009

Cyberthieves using Twitter to sell fake antivirus software

What's happening: Cyberthieves are taking advantage of security weaknesses in Twitter to sell fake antivirus software.

What it means: The Twitter situation corroborates IBM's recent study of web security, which describes "an unprecedented state of Web insecurity as Web client, server and content threats converge to create an untenable risk landscape." See our blog posting http://citadelonsecurity.blogspot.com/2009/08/ibm-online-threat-report-trust-no-one.html.

What to do: Don't fall for online "scareware" ads. Keep your systems patched -- not just Windows but Acrobat Reader, Java, Flash and all the other software on your PC. Keep Twitter, Facebook and other social sites out of the corporate environment. Consider replacing antivirus / antimalware solutions with an intrusion detection / prevention solution.

**********************************
From Computerworld: Scammers auto-generate Twitter accounts to spread scareware.
They use bogus accounts, real tweets, to dupe people into installing fake antivirus software.

http://www.computerworld.com/s/article/9138361/Scammers_auto_generate_Twitter_accounts_to_spread_scareware?source=CTWNLE_nlt_security_2009-09-22

Wednesday, September 16, 2009

Adding Insult to Injury, Cybercrime Victims May Be Faced with Expensive "Breach Notification" Costs

What's happening: Cyberthieves stealing money from corporate bank accounts are also triggering "breach disclosure" laws.

What it means: At least 44 states plus the District of Columbia have "breach disclosure" laws requiring businesses and other organizations to notify consumers when they have reason to believe that private consumer information has been compromised. According to insurance industry studies, current "breach notification costs" exceed $200 for every person that has to be notified.

What to do: Take all the steps we've previously identified to keep from being a cybercrime victim. Delete sensitive private information of customers when it is no longer needed. As part of breach disclosure planning, know how to contact customers should you need to notify them of a breach. Talk to your insurance broker about breach-notification insurance.

**********************************

Brian Krebs: Washington Post:

Data Breach Highlights Role Of 'Money Mules'

On Friday, Brunswick, Maine-based heating and hardware firm Downeast Energy & Building Supply sent a letter notifying at least 850 customers that the company had suffered a data breach. Downeast sent the notice after discovering that hackers had broken in and stolen more than $200,000 from the company's online bank account.

The attack on Downeast Energy bears all the hallmarks of online thieves who have stolen millions from dozens of other businesses, schools and counties over the past several months. In every case, the thieves appeared more interested in quick cash than in pilfering their victims' customer databases. Nevertheless, the intrusions highlight an additional cost for victims of this type of crime: complying with state data breach notification laws.

http://voices.washingtonpost.com/securityfix/2009/09/money_mules_carry_loot_for_org.html?hpid=sec-tech

Tuesday, September 15, 2009

Like Generals, in Battle Against Cybercrime IT Staff Are Fighting Yesterday's War

What's happening: A new study from the respected SANS Institute finds that as IT departments have become better at defending against yesterday's cyberthreats, cybercriminals have moved on to a new generation of ever-more sophisticated attacks.

What it means: Sensitive corporate information — including access to the corporate coffers — is not being adequately protected. The security-software company McAfee estimated that companies around the world lost more than $1 trillion to cybercrime in 2008.

What to do: Senior management must proactively manage the way IT staff manages network security. Review IT vulnerability management plans. Consider investing in a modern intrusion detection / prevention system. Since technology defenses alone are inadequate, make sure staff is trained to meet their security responsibilities and that they know cybercrime warning signals. Talk to your insurance broker about cybercrime insurance.

**********************************

Security Pros Are Focused on the Wrong Threats
By Riva Richmond
New York Times

Corporate information technology departments are prioritizing the wrong threats to their computer systems, focusing on old problems and leaving their companies open to a raft of new cyberattacks aiming at private customer and corporate information.

http://bits.blogs.nytimes.com/2009/09/15/security-pros-are-focused-on-the-wrong-threats/?hpw

Monday, September 14, 2009

Cyber Crooks Target Public & Private Schools

What's happening: It's not just businesses that are losing money to cybercriminals. This post shows that schools are also at risk. We can conclude, by inference, that not-for-profits are being hit as well. The news just hasn't surfaced.

What it means: Every small and medium-sized organization is at financial risk from cybercrime.

What to do: Management must get on top of this problem. Check bank transactions daily. Train staff to recognize cybercrime danger signs. Tightly manage technology controls. Consider a separate PC used only for on-line banking. Check your cyber-insurance. Be prepared to sue your bank: Email our Guide An Emerging Information Security Minimum Standard of Due Care to your attorney.


**********************************

Brian Krebs: Washington Post: A gang of organized cyber criminals that has stolen millions from businesses across the United States over the past month appears to have turned its sights on public schools and universities.

On the morning of Aug. 17, hackers who had broken into computers at the Sanford School District in tiny Sanford, Colorado initiated a batch of bogus transfers out of the school's payroll account. Each of the transfers was kept just below $10,000 to avoid banks' anti-money laundering reporting requirements, and went out to at least 17 different accomplices or "money mules" that the attackers had hired via work-at-home job scams.

http://voices.washingtonpost.com/securityfix/2009/09/cyber_mob_targets_public_priva.html?wprss=securityfix
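The daily reconciliation the "What to do" section calls for can be automated to catch the pattern Krebs describes: many same-day transfers, each kept just under a reporting threshold, each to a payee the account has never paid before. This is an added example, not code from the post or from Krebs; the threshold, band, payee identifiers and transfer records are constructed for illustration.

```python
"""Flag a batch of outbound transfers shaped like the Sanford case.

Constructed example: two days of activity on a small payroll account.
Any single transfer just under a round threshold is unremarkable; a
cluster of them on one day, all to never-before-seen payees, is not.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class Transfer:
    date: str      # ISO date, e.g. "2009-08-17"
    payee: str     # destination account label (constructed values)
    amount: float  # dollars


@dataclass
class Alert:
    date: str
    transfers: List[Transfer]
    total: float


# Constructed list of payees the account has legitimately paid before.
KNOWN_PAYEES: Set[str] = {"PAYROLL-TAX-IRS", "TEACHER-001", "TEACHER-002", "BUS-CONTRACTOR"}

# Constructed activity: routine items plus one suspicious batch.
SAMPLE_TRANSFERS: List[Transfer] = [
    Transfer("2009-08-17", "TEACHER-001", 2850.00),
    Transfer("2009-08-17", "PAYROLL-TAX-IRS", 12400.00),  # over threshold, known payee
    Transfer("2009-08-17", "MULE-A", 9800.00),
    Transfer("2009-08-17", "MULE-B", 9650.50),
    Transfer("2009-08-17", "MULE-C", 9920.00),
    Transfer("2009-08-17", "MULE-D", 9400.00),
    Transfer("2009-08-18", "BUS-CONTRACTOR", 9900.00),    # just under, but known payee
    Transfer("2009-08-18", "NEW-VENDOR", 9700.00),        # one new payee is not a batch
]


def flag_structured_batches(transfers: Iterable[Transfer], known_payees: Set[str],
                            threshold: float = 10_000.0, band: float = 1_000.0,
                            min_count: int = 3) -> List[Alert]:
    """Return one Alert per day with >= min_count transfers to previously
    unseen payees whose amounts fall in [threshold - band, threshold).

    Defaults are constructed: a $10,000 threshold with a $1,000 band
    below it, and three hits in a day before raising an alert.
    """
    by_day: Dict[str, List[Transfer]] = defaultdict(list)
    for t in transfers:
        in_band = threshold - band <= t.amount < threshold
        if in_band and t.payee not in known_payees:
            by_day[t.date].append(t)
    alerts: List[Alert] = []
    for day in sorted(by_day):
        hits = by_day[day]
        if len(hits) >= min_count:
            alerts.append(Alert(day, hits, round(sum(t.amount for t in hits), 2)))
    return alerts


if __name__ == "__main__":
    for alert in flag_structured_batches(SAMPLE_TRANSFERS, KNOWN_PAYEES):
        payees = ", ".join(t.payee for t in alert.transfers)
        print(f"{alert.date}: {len(alert.transfers)} sub-threshold transfers "
              f"to new payees ({payees}), total ${alert.total:,.2f}")
```

Raising min_count or narrowing band trades missed batches for fewer false alarms; a separate check on the count of distinct new payees per day, regardless of amount, would catch the same scheme run with smaller transfers.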

Thursday, September 10, 2009

Cyber Thieves Steal $447,000 From Wrecking Firm

What's happening: News continues to surface of businesses being hit by cybercriminals. This story is particularly bad in that the company and the bank had strong technology in place (multifactor authentication) designed to prevent this kind of attack. Unfortunately, an employee missed a clear danger signal.

What it means: Cybercriminals can get by the best technology in the world when employees aren't sensitive to the danger signs.

What to do: Check bank transactions daily. Consider a separate PC used only for on-line banking. Train staff to recognize on-line danger signs. Check your cyber-insurance. Be prepared to sue your bank: email our Guide An Emerging Information Security Minimum Standard of Due Care to your attorney.


***********************************

Brian Krebs; Washington Post: Organized cyber thieves are increasingly looting businesses in heists that can net hundreds of thousands of dollars. ... In mid-July, computer crooks stole $447,000 from Ferma Corp., a Santa Maria, Calif.-based demolition company, by initiating a large batch of transfers from Ferma's online bank account to 39 "money mules," willing or unwitting accomplices who typically are ensnared via job search Web sites into bogus work-at-home schemes.

http://voices.washingtonpost.com/securityfix/2009/09/cyber_theives_steal_447000_fro.html#more

Updates Plug iPhone, QuickTime Security Holes

What's happening: All software has vulnerabilities, weaknesses that cybercriminals exploit to break into computers. As software developers find these vulnerabilities, they release fixes for them.

What it means: An unpatched system is the devil's playground. Cybercriminals gain access to computers by exploiting vulnerabilities in unpatched computers. Standard antivirus/antispyware protection may be ineffective against attacks.

What to do: Management must make sure IT staff is diligently patching computers, not just Windows but all the software on the computer. Home computers also need to be patched. Consider replacing antivirus/antimalware with newer intrusion detection and prevention.

***************************

Brian Krebs; Washington Post: Apple has shipped a security update to fix multiple vulnerabilities in the iPhone and iPod Touch. The company also pushed out a patch to plug security holes in Windows and Mac versions of its QuickTime media player ... The QuickTime update brings that software to version 7.6.4 and fixes at least four separate security problems. Apple users can grab the update via Software Update, while Windows users will need to use the bundled Apple Software Updates application. The iPhone and iPod Touch updates are only available through iTunes.

http://voices.washingtonpost.com/securityfix/2009/09/new_updates_plug_iphone_quickt.html

Wednesday, September 9, 2009

Critical bug infests newer versions of Microsoft Windows

What's happening: A vulnerability has been found in a critical portion of Microsoft Vista that Microsoft does not yet have a patch for.

What it means: Vulnerabilities without patches are particularly serious because cybercriminals often target these known problems. Standard antivirus/antispyware protection may be ineffective against attacks.

What to do: Management must alert IT staff to get in front of the problem and apply mitigating controls. Ask IT staff for guidance with home computers. Warn staff to be particularly alert to danger signals. Consider replacing antivirus/anti-spyware solutions with newer intrusion detection and prevention solutions.

**********************************

The Register: Microsoft has promised to patch a serious flaw in newer versions of its Windows operating system after hackers released exploit code that allows them to take complete control of the underlying machines. The flaw affects various versions of Windows Vista, 2008, and the release candidate version of Windows 7.

Marc Maiffret, director of professional services at our strategic partner The DigiTrust Group, is quoted in the article.

http://www.theregister.co.uk/2009/09/09/microsoft_windows_security_bug/

Tuesday, September 8, 2009

Microsoft Fixes Eight Security Flaws

What's happening: All software has vulnerabilities, weaknesses that cybercriminals exploit to break into computers. As software developers find these vulnerabilities, they release fixes for them.

What it means: An unpatched system is the devil's playground. Cybercriminals gain access to computers by exploiting vulnerabilities in unpatched computers. Standard antivirus/antispyware protection may be ineffective against attacks.

What to do: Management must make sure IT staff is diligently patching computers, not just Windows but all the software on the computer. Home computers also need to be patched. Consider replacing antivirus/antimalware with newer intrusion detection and prevention.

**********************************

Brian Krebs; Washington Post: Microsoft today pushed out software updates to plug at least eight critical security holes in computers powered by its various Windows operating systems. The patches are available through Windows Update or via Automatic Updates. ... The flaws were addressed in a bundle of five patches, each of which earned Microsoft's most dire "critical" rating, meaning they are serious enough that attackers could break into systems without any help from users.

http://voices.washingtonpost.com/securityfix/

Monday, September 7, 2009

Citadel's Stan Stahl talks about web security and mobile banking with Biz Coach, Terry Corbell

Read why I say: “cell phone on-line banking is a big NO!!!”

http://www.bizcoachinfo.com/archives/1399

Personal Privacy Threatened: How Secure Are Your Email Passwords?

Washington Post: When Elaine Cioni found out that her married boyfriend had other girlfriends, she became obsessed, federal prosecutors say. So she turned to YourHackerz.com. ... And for only $100, YourHackerz.com provided Cioni, then living in Northern Virginia, with the password to her boyfriend's AOL e-mail account, court records show.

Some Major Email Hacking Cases:
Sarah Palin
Dave Briggs
The Twitter Hack
Miley Cyrus
Paris Hilton
George Mason University Provost Peter N. Stearns

http://www.washingtonpost.com/wp-dyn/content/article/2009/09/06/AR2009090602238.html?wpisrc=newsletter

Sunday, September 6, 2009

Hackers already exploiting IIS flaws

What's happening: A vulnerability has been found in a critical piece of Microsoft software, its Internet Information Services (IIS) web server, that affects the security of web sites.

What it means: We often find IT staff miss patching these vulnerabilities.

What to do: Better safe than sorry. Readers should forward this post to their IT staff in case they missed it. Management should make sure IT staff have a rigorous vulnerability identification and management plan in place.

**********************************

Phil Muncaster; V3.co.uk: Microsoft has revealed that hackers are already exploiting newly disclosed vulnerabilities in its Internet Information Services (IIS) web server software.

http://www.v3.co.uk/v3/news/2248979/hackers-already-exploiting-iis

Saturday, September 5, 2009

Hackers embed malicious links in websites about stars like Biel

What's happening: This post is a good illustration of just how dangerous the internet has become. Criminals put their own malicious computer programs on legitimate websites. These programs are designed to exploit unpatched vulnerabilities on the computers of visitors to the website. When a user accesses the website, the criminal's program is run and the user's computer is now under the control of the criminal.

What it means: Having taken control of the user's computer, the cybercriminal can steal bank account passwords, send spam, store hacker tools or do whatever else he wants. And the user may likely never know. Traditional antivirus / antispyware tools are often ineffective against these attacks.

What to do: Train staff to recognize danger signs. Diligently keep computers patched. Consider replacing antivirus / anti-spyware products with intrusion detection / prevention technology. Consider using Firefox running NoScript instead of Internet Explorer. Check your cyber-insurance. Be careful at home as well.

**********************************

USA Today: Anti-virus firm McAfee recently analyzed search results for queries using celebrity names on Google, Bing and Yahoo Search. This ranking shows the likelihood, in percentage terms, that someone doing a celebrity-related search will click on a bad link that could turn control of his or her computer over to an intruder.

http://www.usatoday.com/tech/news/2009-09-02-bad-links-hackers-stars-internet_N.htm

Friday, September 4, 2009

Court Allows Woman to Sue Bank for Lax Security After $26,000 Stolen by Hacker

What's happening: Banks continue to assert they are not responsible when cyberthieves show up at the online teller window with legitimate user-ids and passwords. This lawsuit will test that assertion.

What it means: Banks may be losing the shield they have been hiding behind that absolves them of responsibility for cybercrime.

What to do: Stay tuned as we watch the legal playing field evolve. Email our Guide An Emerging Information Security Minimum Standard of Due Care to your attorney.

**********************************


Threat Level; Wired Magazine: An Illinois district court has allowed a couple to sue their bank on the ... grounds that it may have failed to sufficiently secure their account, after an unidentified hacker obtained a $26,500 loan on the account using the customers’ user name and password. ... As initially reported by legal blogger, David Johnson, Marsha and Michael Shames-Yeakel sued Citizens Financial Bank in 2007 in the northern district of Illinois on several grounds, including a claim that the bank failed to provide state-of-the-art security measures to protect their account. ... Judge Pallmeyer stated that, “In light of Citizens’ apparent delay in complying with FFIEC security standards, a reasonable finder of fact could conclude that the bank breached its duty to protect Plaintiffs’ account against fraudulent access.”

http://www.wired.com/threatlevel/2009/09/citizens-financial-sued/

More Business Banking Victims Speak Out

What's happening: News continues to surface of businesses being hit by cybercriminals.

What it means: Cybercriminals are shooting fish in a barrel.

What to do: Management must get on top of this problem. Staff must be trained to recognize danger signs. Technology controls must be tightly managed. Check bank transactions daily. Consider a separate PC used only for on-line banking. Don't assume you're secure; our experience is that you are not. Check your cyber-insurance. Be prepared to sue your bank: Email our Guide An Emerging Information Security Minimum Standard of Due Care to your attorney.


**********************************

Brian Krebs; Washington Post: Since our story about Eastern European cyber crooks targeting small to mid-sized U.S. businesses ran last week, I've heard from a few more victims.

http://voices.washingtonpost.com/securityfix/2009/09/more_business_banking_victims.html

Thursday, September 3, 2009

Apple Updates Java, Backdates Flash

Brian Krebs; Washington Post: Apple Thursday shipped an update to plug a slew of critical security holes in its version of Java for Leopard systems (OS X 10.5). In other Apple patch news, it appears those who have updated to the latest version of OS X -- 10.6/Snow Leopard -- received an insecure version of the Adobe Flash player. http://voices.washingtonpost.com/securityfix/2009/09/apple_updates_java_backdates_f.html

Tuesday, September 1, 2009

5 More Indicted in Probe of International Carding Ring

Threat Level; Wired Magazine: Five eastern European men were indicted in New York on Monday as part of an international ring allegedly responsible for at least $4 million in credit card theft.

The ring, which authorities dubbed the Western Express Cybercrime Group, operated between 2001 and 2007 and trafficked in at least 95,000 known stolen credit card numbers, including some belonging to victims in New York, where the case is being prosecuted by the Manhattan District Attorney’s office.

The ring allegedly operated an online carding forum called the International Association for the Advancement of Criminal Activity, where thieves trafficked in stolen credit card numbers and other information. The defendants also allegedly forged credit cards using stolen numbers, and turned them into cash with the unwitting help of eBay users.

http://www.wired.com/threatlevel/2009/09/westernexpress/

Blog Purpose: Assist Senior Management Secure Organization Against Cybercrime Threat

"The secret of success lies in managing risk, not ignoring it."
Merrill Rukeyser

Cyberspace has become the new Wild Wild West. Cybercriminals roam at will. They steal our money. They steal our identities. They steal our business' intellectual property. They control our computers. They threaten our children. They even threaten our national defense.

In the earlier days of the internet, threats to information systems rarely drew the attention of senior management. The mantra of the day was firewall and anti-virus. And most of the time that was enough.

That’s changed. Just glance at four of our recent bloglines:
· Cyber Thieves Steal $447,000 From Wrecking Firm
· More Business Banking Victims Speak Out
· Eastern European cyber gangs stealing millions from small to mid-sized businesses through online banking fraud

These aren’t the stories of pimply-faced 14-year-olds proving their manhood by launching I Love You viruses on the still-pure internet. No. These are the stories of criminals stealing money from corporate bank accounts.

If this isn’t business at risk, we don’t know what is!

Senior management can no longer ignore the risk of cybercrime. The price of inattention has grown too high.

Senior management must take responsibility for managing the risk of cybercrime.

CitadelOnSecurity is all about how to do this.

Effectively managing cyber-risk requires understanding the cybercrime challenge. It requires knowing the information security management strategies and tactics required to meet this challenge. And it requires insightful leadership to integrate these strategies and tactics into the broader organizational culture.

It is the purpose of CitadelOnSecurity to provide you this understanding, knowledge and insight.

CitadelOnSecurity is organized into three main elements:
  1. Cybercrime news stories categorized into topical elements for easy browsing. We post these stories because they say something important about the cybercrime threat and what’s required to successfully manage cyber-risk.
  2. Citadel information security management guides designed to provide practical usable information and guidance on managing cyber-risk.
  3. Citadel thought-pieces—like this one—designed to provide more of a big-picture perspective about information systems security.

There’s an old saying that when life gives you lemons, make lemonade. It’s no different with cybercrime.

The lemons of cybercrime provide the ingredients for competitive advantage. As the threat of cybercrime grows, consumers and businesses alike are increasingly insisting that the organizations they do business with take effective steps to manage the security of their information. This means that organizations with strong security management will have a competitive advantage over those that do not. Thus, investments in information security management have the opportunity to translate into a positive return on that investment. Sometimes good deeds are rewarded.

Stan Stahl, Ph.D.
President
Citadel Information Group

Monday, August 31, 2009

Keeping Your Site Out of Hackers' Clutches

What's happening: Industry statistics (and our own experience) continue to demonstrate that the vast majority of websites lack proper security controls. Cybercriminals are turning these inadequately-secured websites into traps for unwary visitors. Unwary visitors can get their computers "owned" by these criminals even if they're running traditional antivirus / anti-spyware solutions.

What it means: If you have a website, you have a legal and moral responsibility to secure that site.

Visitors to websites must exercise great caution to keep from getting their computer "owned" by cyberthieves. Once cybercriminals "own" a computer, they can steal user-ids / passwords and other sensitive information, send spam, display pop-up ads, etc.

What to do: Management must ensure organizational websites are properly designed, implemented, tested and maintained.

Users should consider running Firefox with the NoScript add-in and replacing their antivirus/anti-spyware solution with a modern intrusion detection / prevention one.

**********************************

Wall Street Journal:

A growing number of small companies are falling prey to hackers.

Attackers are increasingly infiltrating small businesses' Web sites and using them to quietly drop malicious programs, typically designed to steal personal financial information, onto the computers of visitors, security experts say. Some are also digging around in databases for valuable information or trying to capture e-commerce customers' credit-card numbers.

http://online.wsj.com/article/SB125175147081773767.html

Friday, August 28, 2009

Hacker to Plead Guilty in Major Identity Theft Case

Washington Post: Computer hacker Albert Gonzalez accused of masterminding one of the largest cases of identity theft in U.S. history agreed Friday to plead guilty and serve up to 25 years in federal prison.

Albert Gonzalez of Miami was charged with conspiracy, wire fraud and aggravated identity theft in federal courts in New York and Boston. Court documents filed in federal court in Boston indicate that the 28-year-old agreed to plead guilty to 19 counts and to have the two cases combined in federal court in Massachusetts.

http://www.washingtonpost.com/wp-dyn/content/article/2009/08/28/AR2009082803779.html

Thursday, August 27, 2009

Facebook Moves to Improve Privacy and Transparency

What's happening: Social networking sites have become a veritable goldmine for cybercriminals. Many online thefts from business bank accounts start when an employee innocently clicks on a link in an email from Facebook or another of the social network sites.

What it means: While it's good that Facebook is beginning to tighten up its privacy controls, this post is a warning to everyone that social networking sites are breeding grounds for cyber-fraud.

What to do: See our discussion with Terry Corbell about the dangers of social networking sites and what management needs to do about it.

**********************************

New York Times: Facebook announced on Thursday that it planned to change the site to give users more privacy and control over their personal information. http://bits.blogs.nytimes.com/2009/08/27/facebook-moves-to-improve-privacy-and-transparency/?scp=1&sq=facebook%20moves&st=cse

IBM Online Threat Report: Trust No One

From ChannelWeb's Rick Whiting: http://www.crn.com/security/219500277;jsessionid=LU4KR1SCVNOGRQE1GHOSKH4ATMY32JVN

Security threats on the Internet, including a 508 percent increase in the number of malicious Web links, have created "an unprecedented state of Web insecurity," according to a report from IBM.

The X-Force 2009 Mid-Year Trend and Risk Report, issued Wednesday, said that security threats to Web surfers are no longer limited to "malicious domains or untrusted Web sites" and now include dangerous content on legitimate Internet sites. The result is "an unprecedented state of Web insecurity as Web client, server and content threats converge to create an untenable risk landscape," according to the report.

"The trends highlighted by the report seem to indicate that the Internet has finally taken on the characteristics of the Wild West, where no one is to be trusted," said X-Force director Kris Lamb, in a statement about the report. "There is no such thing as safe browsing today and it is no longer the case that only the red light district sites are responsible for malware. We've reached a tipping point where every Web site should be viewed as suspicious and every user is at risk."

Wednesday, August 26, 2009

Defying Experts, Rogue Computer Code Still Lurks

New York Times: Conficker uses flaws in Windows software to co-opt machines and link them into a virtual computer that can be commanded remotely by its authors. With more than five million of these zombies now under its control — government, business and home computers in more than 200 countries — this shadowy computer has power that dwarfs that of the world’s largest data centers. http://www.nytimes.com/2009/08/27/technology/27compute.html?_r=2&emc=eta1

Tuesday, August 25, 2009

Confidential Bank Industry Memo Warns Eastern European cyber gangs stealing millions from small to mid-sized businesses through online banking fraud

What's happening: The Financial Services Information Sharing and Analysis Center (FS-ISAC), a banking industry association, is warning member banks of a serious cybertheft problem targeting small and medium-sized businesses.

What it means: Banks have finally begun to acknowledge that there is a cybercrime problem. Hello!

What to do: Management must be prepared to get on top of this problem themselves. The banks don't have the problem fixed. Implement a strong security management program. Check bank transactions daily. Consider a separate PC used only for on-line banking. Train staff. Check your cyber-insurance. Be prepared to sue your bank.

**********************************

Brian Krebs; Washington Post: A confidential alert sent on Friday by a banking industry association to its members warns that Eastern European cyber gangs are stealing millions of dollars from small to mid-sized businesses through online banking fraud. Unfortunately, many victimized companies are reluctant to come forward out of fear of retribution by their bank.

http://voices.washingtonpost.com/securityfix/2009/08/businesses_reluctant_to_report.html

European Cyber-Gangs Target Small U.S. Firms

What's happening: Organized cybercriminals in Eastern Europe are stealing money from the bank accounts of businesses. Banks contend they are not responsible for the losses.

What it means: Cybercriminals are stealing money by exploiting human, technical and procedural weaknesses.

What to do: Management must be prepared to get on top of this problem by implementing a strong security management program. Check your cyber-insurance. Be prepared to sue your bank.

**********************************

Brian Krebs; Washington Post: Organized cyber-gangs in Eastern Europe are increasingly preying on small and mid-size companies in the United States, setting off a multimillion-dollar online crime wave that has begun to worry the nation's largest financial institutions. http://www.washingtonpost.com/wp-dyn/content/article/2009/08/24/AR2009082402272.html

Monday, August 24, 2009

Banking industry sees surge in cybercrime targeting small to mid-size business

Brian Krebs; Washington Post: An industry group representing some of nation's largest banks sent a private alert to its members last week warning about a surge in reported cybercrime targeting small to mid-sized business. The advisory, issued by the Financial Services Information Sharing and Analysis Center, recommends that commercial banking customers take some fairly rigorous steps to secure their online banking accounts.

http://voices.washingtonpost.com/securityfix/2009/08/tighter_security_measures_urge.html

Mac malware becoming more prevalent

As Apple Mac market share grows, hackers are increasingly seeing the value of hitting it with malware. http://www.itpro.co.uk/614293/mac-malware-becoming-more-prevalent

U.S. payment-card industry grapples with security

BOSTON (Reuters) - Fresh details of large-scale cyber attacks against data processor Heartland Payment Systems Inc and supermarket chain Hannaford Brothers show the challenges facing the efforts of the U.S. credit-card industry to upgrade security measures.

The financial stakes are getting higher. Fraud involving credit and debit cards reached $22 billion last year, up from $19 billion in 2007, according to California consulting firm Javelin Strategy & Research.

http://www.reuters.com/article/technologyNews/idUSTRE57N46F20090824

Saturday, August 22, 2009

Citadel's Stan Stahl quoted in LA Times on cybercrime

Stan was quoted Saturday in an LA Times article describing how easy it is for cybercriminals to steal money and information from businesses. Also quoted were Jason Lidow and Marc Maiffret of our strategic partner, The DigiTrust Group. The article followed white-hat hacker Maiffret as he easily took control of a business' information systems, gaining full access to social security numbers and other sensitive information. http://www.latimes.com/news/local/la-me-lazarus22-2009aug22,0,7246873.column

Thursday, August 20, 2009

Lawsuit Seeks End To Bank Cybercrime Secrecy

What's happening: News is surfacing that business bank accounts are being looted. Banks have traditionally been reluctant to share information about the problem for fear of damage to their reputation. A lawsuit has been filed in Virginia to force banks to turn over information they have that might serve to identify the criminals.

What it means: This is good news to the information security community. The more information we get from banks about the nature of the losses that their customers are suffering, the better able businesses will be to effectively defend themselves.

What to do: Stay tuned. Watch this trend. It could portend good news on the cybercrime front.

**********************************

Business bank accounts are being looted in a surge of cybercrime, leaving companies with serious losses. http://www.informationweek.com/news/security/attacks/showArticle.jhtml?articleID=219400896

Monday, August 17, 2009

TJX Hacker Indicted in Heartland, Hannaford Breaches

Brian Krebs; Washington Post: A federal grand jury has indicted three individuals for allegedly hacking into credit and debit card payment processing giant Heartland Payment Systems last year, as part of an investigation the Justice Department is calling the largest identity theft case ever prosecuted.

http://voices.washingtonpost.com/securityfix/2009/08/heartland_payment_systems_hack.html

Security Patch Catchup: Java, Safari & OS X

Brian Krebs; Washington Post: http://voices.washingtonpost.com/securityfix/2009/08/security_patch_catchup.html

Tuesday, August 11, 2009

Microsoft Fixes 19 Windows Security Flaws

What's happening: All software has vulnerabilities: weaknesses that cybercriminals exploit to break into computers. As software developers find these vulnerabilities, they release fixes for them.

What it means: An unpatched system is the devil's playground. Cybercriminals gain access to computers by exploiting vulnerabilities in unpatched computers. Standard antivirus/antispyware protection may be ineffective against these attacks.

What to do: Management must make sure IT staff is diligently patching computers, not just Windows but all the software on the computer. Home computers also need to be patched. Consider replacing antivirus/antimalware with newer intrusion detection and prevention solutions.

**********************************

Brian Krebs, Washington Post: http://voices.washingtonpost.com/securityfix/2009/08/microsoft_fixes_19_windows_sec.html

Friday, July 24, 2009

Forty-Four Percent of US SMBs Admit to Falling Victim to Cybercrime, According to Latest Panda Security Survey

29 percent of US small and medium-sized businesses lack antispam, 22 percent have no antispyware and 16 percent operate without a firewall - 50 percent lost time or productivity as a result of being infected - 39 percent of respondents said either they or their employees have not received training about IT threats that could affect them. http://finance.yahoo.com/news/FortyFour-Percent-of-US-SMBs-prnews-2714742551.html?x=0&.v=1

Wednesday, July 22, 2009

Social Networking Sites Must Improve Their Security, Says Security Firm

IT security and data protection firm Sophos has called upon social networking websites such as Twitter and Facebook to do more to protect their millions of users, as new research is published examining the first six months of cybercrime in 2009. http://finance.yahoo.com/news/Web-20-Woe-Sophos-Threat-bw-957043460.html?x=0&.v=1

Monday, July 13, 2009

What CEOs Don't Know About Cybersecurity: A new study hints at how often cyberthreats aren't communicated to the boss.

Forbes Magazine: Being the chief executive has its privileges. And one of them may be a blissful ignorance of your company's data breach risks.

According to a study to be released Tuesday by the privacy-focused Ponemon Institute, companies' chief executives tend to value cybersecurity just as--if not more--highly than their executive colleagues. But ... the CEOs interviewed in Ponemon's survey seemed especially unconcerned about cybercrime as a source of data breaches. While 31% named stolen PCs or thumb drives as a source of data loss, only 3% cited malicious hackers as the top threat for their company's data security--about a fifth as many as the lower level employees who cited cybercriminals as the most important threat.

http://www.forbes.com/2009/07/13/poneman-cybersecurity-breaches-technology-security-poneman.html?partner=alerts

Thursday, July 9, 2009

Taking On Small-Business Identity Theft

Business Week: It's a big problem that companies are loath to discuss. But California's amended identity theft laws show that offering protections to smaller companies on par with those for individuals helps tremendously.

http://www.businessweek.com/bwdaily/dnflash/content/jul2009/db2009079_858536.htm

Sunday, June 14, 2009

An Emerging Information Security Minimum Standard of Due Care

This Guide is a revised version of a paper that first appeared in 2005 in Information Security Management Handbook, Fifth Edition, Volume 2.

The paper examines the emerging body of law surrounding an enterprise’s responsibility for securing information, together with the emerging body of information security management principles and practices for doing so. Seven key information security management elements are identified which we believe constitute an information security minimum standard of due care. Enterprises failing to implement these seven management elements could face significant legal exposure should they suffer a security breach resulting in damage to a third party.

The paper explores the application to information security of appellate rulings in several negligence cases on the questions of Duty of Care and Breach of Duty: Kline v. 1500 Massachusetts Avenue Apartment Corp., United States v. Carroll Towing Co., Texas & P.R. v. Behymer, T. J. Hooper v. Northern Barge and People Express Airlines v. Consolidated Rail Corp.

http://www.citadel-information.com/

Wednesday, June 10, 2009

Information Security Standard of Due Care

A very short overview of emerging information security laws, regulations and practitioner standards. http://www.citadel-information.com.