Monday, August 31, 2009

Keeping Your Site Out of Hackers' Clutches

What's happening: Industry statistics (and our own experience) continue to demonstrate that the vast majority of websites lack proper security controls. Cybercriminals are turning these inadequately-secured websites into traps for unwary visitors. Unwary visitors can get their computers "owned" by these criminals even if they're running traditional antivirus / anti-spyware solutions.

What it means: If you have a website, you have a legal and moral responsibility to secure that site.

Visitors to websites must exercise great caution to keep from getting their computer "owned" by cyberthieves. Once cybercriminals "own" a computer, they can steal user-ids / passwords and other sensitive information, send spam, display pop-up ads, etc.

What to do: Management must ensure organizational websites are properly designed, implemented, tested and maintained.

Users should consider running Firefox with the NoScript add-on and replacing their antivirus/anti-spyware solution with a modern intrusion detection / prevention one.

**********************************

Wall Street Journal:

A growing number of small companies are falling prey to hackers.

Attackers are increasingly infiltrating small businesses' Web sites and using them to quietly drop malicious programs, typically designed to steal personal financial information, onto the computers of visitors, security experts say. Some are also digging around in databases for valuable information or trying to capture e-commerce customers' credit-card numbers.

http://online.wsj.com/article/SB125175147081773767.html

Friday, August 28, 2009

Hacker to Plead Guilty in Major Identity Theft Case

Washington Post: Computer hacker Albert Gonzalez, accused of masterminding one of the largest cases of identity theft in U.S. history, agreed Friday to plead guilty and serve up to 25 years in federal prison.

Albert Gonzalez of Miami was charged with conspiracy, wire fraud and aggravated identity theft in federal courts in New York and Boston. Court documents filed in federal court in Boston indicate that the 28-year-old agreed to plead guilty to 19 counts and to have the two cases combined in federal court in Massachusetts.

http://www.washingtonpost.com/wp-dyn/content/article/2009/08/28/AR2009082803779.html

Thursday, August 27, 2009

Facebook Moves to Improve Privacy and Transparency

What's happening: Social networking sites have become a veritable goldmine for cybercriminals. Many online thefts from business bank accounts start when an employee innocently clicks on a link in an email from Facebook or another of the social network sites.

What it means: While it's good that Facebook is beginning to tighten up its privacy, this post is a warning to everyone that social networking sites are breeding grounds for cyber-fraud.

What to do: See our discussion with Terry Corbell about the dangers of social networking sites and what management needs to do about it.

**********************************

New York Times: Facebook announced on Thursday that it planned to change the site to give users more privacy and control over their personal information. http://bits.blogs.nytimes.com/2009/08/27/facebook-moves-to-improve-privacy-and-transparency/?scp=1&sq=facebook%20moves&st=cse

IBM Online Threat Report: Trust No One

From ChannelWeb's Rick Whiting: http://www.crn.com/security/219500277;jsessionid=LU4KR1SCVNOGRQE1GHOSKH4ATMY32JVN

Security threats on the Internet, including a 508 percent increase in the number of malicious Web links, have created "an unprecedented state of Web insecurity," according to a report from IBM.

The X-Force 2009 Mid-Year Trend and Risk Report, issued Wednesday, said that security threats to Web surfers are no longer limited to "malicious domains or untrusted Web sites" and now include dangerous content on legitimate Internet sites. The result is "an unprecedented state of Web insecurity as Web client, server and content threats converge to create an untenable risk landscape," according to the report.

"The trends highlighted by the report seem to indicate that the Internet has finally taken on the characteristics of the Wild West, where no one is to be trusted," said X-Force director Kris Lamb, in a statement about the report. "There is no such thing as safe browsing today and it is no longer the case that only the red light district sites are responsible for malware. We've reached a tipping point where every Web site should be viewed as suspicious and every user is at risk."

Wednesday, August 26, 2009

Defying Experts, Rogue Computer Code Still Lurks

New York Times: Conficker uses flaws in Windows software to co-opt machines and link them into a virtual computer that can be commanded remotely by its authors. With more than five million of these zombies now under its control — government, business and home computers in more than 200 countries — this shadowy computer has power that dwarfs that of the world’s largest data centers. http://www.nytimes.com/2009/08/27/technology/27compute.html?_r=2&emc=eta1

Tuesday, August 25, 2009

Confidential Bank Industry Memo Warns Eastern European cyber gangs stealing millions from small to mid-sized businesses through online banking fraud

What's happening: The Financial Services Information Sharing and Analysis Center (FS-ISAC), a banking industry association, is warning member banks of a serious cybertheft problem targeting small and medium-sized businesses.

What it means: Banks have finally begun to acknowledge that there is a cybercrime problem. Hello!

What to do: Management must be prepared to get on top of this problem themselves. The banks don't have the problem fixed. Implement a strong security management program. Check bank transactions daily. Consider a separate PC used only for on-line banking. Train staff. Check your cyber-insurance. Be prepared to sue your bank.

**********************************

Brian Krebs; Washington Post: A confidential alert sent on Friday by a banking industry association to its members warns that Eastern European cyber gangs are stealing millions of dollars from small to mid-sized businesses through online banking fraud. Unfortunately, many victimized companies are reluctant to come forward out of fear of retribution by their bank.

http://voices.washingtonpost.com/securityfix/2009/08/businesses_reluctant_to_report.html

European Cyber-Gangs Target Small U.S. Firms

What's happening: Organized cybercriminals in Eastern Europe are stealing money from the bank accounts of businesses. Banks contend they are not responsible for the losses.

What it means: Cybercriminals are stealing money by exploiting human, technical and procedural weaknesses.

What to do: Management must be prepared to get on top of this problem by implementing a strong security management program. Check your cyber-insurance. Be prepared to sue your bank.

**********************************

Brian Krebs; Washington Post: Organized cyber-gangs in Eastern Europe are increasingly preying on small and mid-size companies in the United States, setting off a multimillion-dollar online crime wave that has begun to worry the nation's largest financial institutions. http://www.washingtonpost.com/wp-dyn/content/article/2009/08/24/AR2009082402272.html

Monday, August 24, 2009

Banking industry sees surge in cybercrime targeting small to mid-size business

Brian Krebs; Washington Post: An industry group representing some of the nation's largest banks sent a private alert to its members last week warning about a surge in reported cybercrime targeting small to mid-sized business. The advisory, issued by the Financial Services Information Sharing and Analysis Center, recommends that commercial banking customers take some fairly rigorous steps to secure their online banking accounts.

http://voices.washingtonpost.com/securityfix/2009/08/tighter_security_measures_urge.html

Mac malware becoming more prevalent

As Apple Mac market share grows, hackers are increasingly seeing the value of hitting it with malware. http://www.itpro.co.uk/614293/mac-malware-becoming-more-prevalent

U.S. payment-card industry grapples with security

BOSTON (Reuters) - Fresh details of large-scale cyber attacks against data processor Heartland Payment Systems Inc and supermarket chain Hannaford Brothers show the challenges facing the efforts of the U.S. credit-card industry to upgrade security measures.

The financial stakes are getting higher. Fraud involving credit and debit cards reached $22 billion last year, up from $19 billion in 2007, according to California consulting firm Javelin Strategy & Research.

http://www.reuters.com/article/technologyNews/idUSTRE57N46F20090824

Saturday, August 22, 2009

Citadel's Stan Stahl quoted in LA Times on cybercrime

Stan was quoted Saturday in an LA Times article describing how easy it is for cybercriminals to steal money and information from businesses. Also quoted were Jason Lidow and Marc Maiffret of our strategic partner, The DigiTrust Group. The article followed white-hat hacker Maiffret as he easily took control of a business' information systems, gaining full access to social security numbers and other sensitive information. http://www.latimes.com/news/local/la-me-lazarus22-2009aug22,0,7246873.column

Thursday, August 20, 2009

Lawsuit Seeks End To Bank Cybercrime Secrecy

What's happening: News is surfacing that business bank accounts are being looted. Banks have traditionally been reluctant to share information about the problem for fear of damage to their reputation. A lawsuit has been filed in Virginia to force banks to turn over information they have that might serve to identify the criminals.

What it means: This is good news to the information security community. The more information we get from banks about the nature of the losses that their customers are suffering, the better able businesses will be to effectively defend themselves.

What to do: Stay tuned. Watch this trend. It could portend good news on the cybercrime front.

**********************************

Business bank accounts are being looted in a surge of cybercrime, leaving companies with serious losses. http://www.informationweek.com/news/security/attacks/showArticle.jhtml?articleID=219400896

Monday, August 17, 2009

TJX Hacker Indicted in Heartland, Hannaford Breaches

Brian Krebs; Washington Post: A federal grand jury has indicted three individuals for allegedly hacking into credit and debit card payment processing giant Heartland Payment Systems last year, as part of an investigation the Justice Department is calling the largest identity theft case ever prosecuted.

http://voices.washingtonpost.com/securityfix/2009/08/heartland_payment_systems_hack.html

Security Patch Catchup: Java, Safari & OS X

Brian Krebs; Washington Post: http://voices.washingtonpost.com/securityfix/2009/08/security_patch_catchup.html

Tuesday, August 11, 2009

Microsoft Fixes 19 Windows Security Flaws

What's happening: All software has vulnerabilities; weaknesses that cybercriminals exploit to break into computers. As software developers find these vulnerabilities, they release fixes for them.

What it means: An unpatched system is the devil's playground. Cybercriminals gain access to computers by exploiting vulnerabilities in unpatched computers. Standard antivirus/antispyware protection may be ineffective against attacks.

What to do: Management must make sure IT staff is diligently patching computers, not just Windows but all the software on the computer. Home computers also need to be patched. Consider replacing antivirus/antimalware with newer intrusion detection and prevention.

**********************************

Brian Krebs, Washington Post: http://voices.washingtonpost.com/securityfix/2009/08/microsoft_fixes_19_windows_sec.html