Friday, February 26, 2010

Mass. Privacy Law: Are You Compliant?

BankInfoSecurity: Monday, March 1, was the deadline for entities doing business in Massachusetts to comply with a tough new state law designed to safeguard residents' personal information. ... The new law, Massachusetts identity theft regulations, 201 Code of Massachusetts Regulations 17.00, applies to any individual, company or organization that handles personal information in connection with employment or the sale of goods or services. Under the law, Massachusetts will require any entity that stores or transmits residents' personal information to encrypt the data when it's stored on portable devices or transmitted via the Internet. ... The state's goal is to stop data breaches that in the last two years exposed the personal information of more than 1.05 million people in Massachusetts.

Read more ...

Military Announces New Social Media Policy

New York Times: Many months behind schedule, the Department of Defense on Friday issued a new policy that, on the surface, seems likely to expand access to popular social networking sites like YouTube, Facebook and Twitter by troops using military computers. ... The new policy, which can be found here, says that the default policy of the department will be to allow access to social networking sites from the military’s non-classified computer network, known by its acronym, NIPRNET (for Non-classified Internet Protocol Router Network).

Read more ...

Organiser of Darkmarket fraud website jailed

BBC: A man who created a website trading in stolen financial information linked to tens of millions of pounds in losses has been jailed for nearly five years. ... Renukanth Subramaniam, 33, founded Darkmarket, a "Facebook for fraudsters" where criminals could buy and sell credit card details and bank log-ins. ... The site was shut down in 2008 after an FBI agent infiltrated it, leading to more than 60 arrests worldwide.

Read more ...

Thursday, February 25, 2010

Intel admits it is under constant attack from hackers

ComputerWeekly: Intel regularly faces cyber attacks by intellectual property thieves and malicious hackers, the chip maker's latest report to the US Securities and Exchange Commission reveals. ... The company admits that one recent and sophisticated incident occurred in January 2010 and that such attacks are sometimes successful.

Read more ...

Wednesday, February 24, 2010

N.Y. Firm Faces Bankruptcy from $164,000 E-Banking Loss

KrebsOnSecurity: A New York marketing firm that as recently as two weeks ago was preparing to be acquired now is facing bankruptcy from a computer virus infection that cost the company more than $164,000.

Read more ...

China's military warns Washington, denies hacking

Washington Post: BEIJING (Reuters) - China's military warned the United States on Thursday to "speak and act cautiously" to avoid reigniting tensions between the two powers, denying the People's Liberation Army played a part in Internet hacking.

Read more ...

Tuesday, February 23, 2010

IT Firm Loses $100,000 to Online Bank Fraud

KrebsOnSecurity: A New Hampshire-based IT consultancy lost nearly $100,000 this month after thieves broke into the company’s bank accounts with the help of 10 co-conspirators across the United States.

Read more ...

Intel Was Attacked at the Same Time as Google

New York Times: Intel said that it was a victim of a “sophisticated” cyber-attack that occurred around the same time as the much-publicized attack on Google and other companies. ... Intel, which disclosed the January attack in a regulatory filing on Monday, played down the connection to the attacks on Google. ... But a person familiar with the investigation into the attacks said that Intel was part of the same wave of attacks that affected Google and more than 30 other companies.

Read more ...

Monday, February 22, 2010

Widespread Data Breaches Uncovered by FTC Probe. FTC Warns of Improper Release of Sensitive Consumer Data on P2P File-Sharing Networks.

FTC: The Federal Trade Commission has notified almost 100 organizations that personal information, including sensitive data about customers and/or employees, has been shared from the organizations’ computer networks and is available on peer-to-peer (P2P) file-sharing networks to any users of those networks, who could use it to commit identity theft or fraud. The agency also has opened non-public investigations of other companies whose customer or employee information has been exposed on P2P networks. ... “Unfortunately, companies and institutions of all sizes are vulnerable to serious P2P-related breaches, placing consumers’ sensitive information at risk. For example, we found health-related information, financial records, and drivers’ license and social security numbers--the kind of information that could lead to identity theft,” said FTC Chairman Jon Leibowitz. “Companies should take a hard look at their systems to ensure that there are no unauthorized P2P file-sharing programs and that authorized programs are properly configured and secure. Just as important, companies that distribute P2P programs, for their part, should ensure that their software design does not contribute to inadvertent file sharing.”

Read more ...

Symantec 2010 State of Enterprise Security Study Shows Frequent, Effective Attacks on Worldwide Business

CNN Money: 75 Percent of Organizations Have Suffered a Cyber Attack Losing an Average of $2 Million Annually. ... Symantec Corp. (NASDAQ: SYMC) today released the findings of its global 2010 State of Enterprise Security study. The study found that 42 percent of organizations rate security their top issue. This isn't a surprise, considering that 75 percent of organizations experienced cyber attacks in the past 12 months. These attacks cost enterprise businesses an average of $2 million per year. ... organizations reported that enterprise security is becoming more difficult due to understaffing, new IT initiatives that intensify security issues and IT compliance issues. The study is based on surveys of 2,100 enterprise CIOs, CISOs and IT managers from 27 countries in January 2010.

Read more ...

U.S. pinpoints code writer behind Google attack: report

Washington Post: BEIJING (Reuters) - U.S. government analysts believe a Chinese man with government links wrote the key part of a spyware programme used in hacker attacks on Google last year, the Financial Times reported on Monday.

Read more ...

Sunday, February 21, 2010

Hacking Inquiry Puts China’s Elite in New Light

New York Times: With its sterling reputation and its scientific bent, Shanghai Jiaotong University has the feel of an Ivy League institution.

The university has alliances with elite American ones like Duke and the University of Michigan. And it is so rich in science and engineering talent that Microsoft and Intel have moved into a research park directly adjacent to the school.

But Jiaotong, whose sprawling campus here has more than 33,000 students, is facing an unpleasant question: is it a base for sophisticated computer hackers?

Read more ...

Saturday, February 20, 2010

Schools in China say they weren't behind hacking

Washington Post: SHANGHAI -- Two prominent schools in China dispute allegations that hacking attacks on Google and other firms originated from them, a report said Saturday. ... The New York Times reported late Thursday that security investigators traced the hacking to computers at Shanghai Jiaotong University and Lanxiang Vocational School in China.

Read more ...

Thursday, February 18, 2010

CVS Caremark Settles FTC Charges that It Failed to Protect Medical and Financial Privacy of Customers and Employees; CVS Pharmacy Also Pays $2.25 Million Fine to DHS

FTC: CVS Caremark has agreed to settle Federal Trade Commission charges that it failed to take reasonable and appropriate security measures to protect the sensitive financial and medical information of its customers and employees, in violation of federal law. In a separate but related agreement, the company’s pharmacy chain also has agreed to pay $2.25 million to resolve Department of Health and Human Services allegations that it violated the Health Insurance Portability and Accountability Act (HIPAA). ... "This is a case that will restore appropriate privacy protections to tens of millions of people across the country," said William E. Kovacic, Chairman of the Federal Trade Commission. "It ... sends a strong message to other organizations that possess consumers' protected personal information. They are required to secure consumers' private information."

Read more ...

Microsoft Confirms: Got Bluescreen? Check for Rootkits

KrebsOnSecurity: Microsoft confirmed today that the recent spate of Windows XP crashes and blue-screens experienced by people who installed this month’s batch of security updates were found mainly on systems that were already infected with a rootkit, a tool designed to hide malware infestations on host computers.

Read more ...

Broad New Hacking Attack Detected

Wall Street Journal: Hackers in Europe and China successfully broke into computers at nearly 2,500 companies and government agencies over the last 18 months in a coordinated global attack that exposed vast amounts of personal and corporate secrets to theft, according to a computer-security company that discovered the breach. ... The damage from the latest cyberattack is still being assessed, and affected companies are still being notified. But data compiled by NetWitness, the closely held firm that discovered the breaches, showed that hackers gained access to a wide array of data at 2,411 companies, from credit-card transactions to intellectual property.

Read more ...

Thanks to Jason Stahl for sending this.

Large Worldwide Cyber Attack Is Uncovered

AP: More than 75,000 computer systems at nearly 2,500 companies in the United States and around the world have been hacked in what appears to be one of the largest and most sophisticated attacks by cyber criminals discovered to date, according to a northern Virginia security firm. ... The attack, which began in late 2008 and was discovered last month, targeted proprietary corporate data, e-mails, credit-card transaction data and login credentials at companies in the health and technology industries in 196 countries, according to Herndon, Va.-based NetWitness.
Read more ...

2 China Schools Said to Be Tied to Online Attacks

New York Times: SAN FRANCISCO — A series of online attacks on Google and dozens of other American corporations have been traced to computers at two educational institutions in China, including one with close ties to the Chinese military, say people involved in the investigation. ... They also said the attacks, aimed at stealing trade secrets and computer codes and capturing e-mail of Chinese human rights activists, may have begun as early as April, months earlier than previously believed. Google announced on Jan. 12 that it and other companies had been subjected to sophisticated attacks that probably came from China.

Read more ...

Wednesday, February 17, 2010

‘Time Bomb’ May Have Destroyed 800 Norfolk City PCs

KrebsOnSecurity: The City of Norfolk, Virginia is reeling from a massive computer meltdown in which an unidentified family of malicious code destroyed data on nearly 800 computers citywide. The incident is still under investigation, but city officials say the attack may have been the result of a computer time bomb planted in advance by an insider or employee and designed to trigger at a specific date.

Read more ...

Security Updates for Adobe Reader, Acrobat

KrebsOnSecurity: Adobe is urging users of its PDF Reader and Acrobat software to install an update that fixes a couple of critical security holes in the products. The patches come amid news that booby-trapped PDF files were responsible for roughly 80 percent of the exploits detected in the 4th quarter of 2009.

Read more ...

Dozens Of Defense Contractors, Agencies Hacked

Forbes Magazine: For anyone who has a security clearance and doesn't believe the U.S. faces a cyber-espionage crisis, Steven Shirley has 102 stories to share with you. ... That's the number of cases in which Shirley's team of Pentagon researchers discovered cyberspies breaching the networks of government agencies, defense contractors and other organizations with ties to the U.S. Department of Defense, gaining administrator-level access with the aim of stealing military secrets.

The Pentagon's forensics-focused Cyber Crime Center, where Shirley is executive director, found that between August 2007 and August 2009, 71 government agencies, contractors, universities and think tanks with connections to the U.S. military had been penetrated by foreign hackers, in some cases multiple times. In total, Shirley told Forbes, the center performed 116 investigations following spying breaches and found that in all but 14 of those cases the intruders had gained complete administrator-level access to the victim's network.

"There are some significant defense contractors among that number," Shirley says. "We can say that any company that's involved in high-technology research and development is a target for these adversaries."

According to Forbes, "military contractors General Dynamics and Northrop Grumman have both been successfully breached by cyberspies in the last two years, according to sources familiar with the security situations of those companies."

Read more ...

Tuesday, February 16, 2010

Hackers Steal $150,000 from Mich. Insurance Firm

KrebsOnSecurity: An insurance firm in Michigan lost nearly $150,000 this month as a result of a single computer virus infection.

Read more ...

Monday, February 15, 2010

China leads the world in hacked computers, McAfee study says

Washington Post: More private computers were commandeered by hackers for malicious purposes in China in the last quarter of 2009 than in any other country, including the United States, according to a new study by an Internet security company.

Read more ...

Friday, February 12, 2010

Rootkit May Be Culprit in Recent Windows Crashes

KrebsOnSecurity: There are indications that the system crashes and the dreaded blue screen of death (BSoD) that many Microsoft Windows users reported suffering after installing this week’s batch of security updates may be caused at least in part by malware infestations on the affected machines.

Read more ...

Thursday, February 11, 2010

Critical Security Update for Adobe Flash Player

KrebsOnSecurity: Adobe Systems Inc. today released an updated version of its Flash Player software to fix two critical security holes in the ubiquitous Web browser plugin. Adobe also issued a security update for its Air software, a central component of several widely-used Web applications, such as Tweetdeck.

Read more ...

China Alarmed by Security Threat From Internet

New York Times: BEIJING — Deep inside a Chinese military engineering institute in September 2008, a researcher took a break from his duties and decided — against official policy — to check his private e-mail messages. Among the new arrivals was an electronic holiday greeting card that purported to be from a state defense office.

The researcher clicked on the card to open it. Within minutes, secretly implanted computer code enabled an unnamed foreign intelligence agency to tap into the databases of the institute in the city of Luoyang in central China and spirit away top-secret information on Chinese submarines.

Read more ...

Wednesday, February 10, 2010

How to Protect Yourself from the Internet Crime Wave by Dr. Stan Stahl

Thanks to my friend and colleague Joey Tamer for posting this article of mine on her blog. You can read it at her information security blog post.

Joey provides strategic consulting to entrepreneurs in software, internet, technology and tech/media. Her blog contains a wealth of information, not just for the entrepreneur but for anyone interested in strategy.

ID Theft: Don't Take It Personally

Forbes Magazine: Identity theft often feels less like a random act of fraud than a personal breach of a victim's secrets. But while consumers feel the sting from having their private data stolen, it's their banks that are increasingly picking up the bill. ... That's one finding from an identity theft study released Wednesday by fraud analysis firm Javelin Research. The study, which surveyed around 5,000 Americans last year about their experiences with identity theft, calculated that ID fraud had cost around $54 billion in 2009, a significant jump from the $48 billion it estimated for 2008. That higher cost was driven by a greater number of fraud incidents that affected 11.2 million consumers in 2009, compared with 9.9 million in 2008.

Read more ...

Tuesday, February 9, 2010

New Banking Trojan Discovered Targeting Businesses' Financial Accounts

dark READING: The infamous Zbot botnet that spreads the pervasive Zeus Trojan has been seen distributing a brand-new banking Trojan -- one that researchers say could serve as a lower-cost alternative to the popular Zeus and Clampi malware for cybercriminals.

Read more ...

13 Ways to Protect Your Windows PC

KrebsOnSecurity: Microsoft today released a baker’s dozen of software updates to fix twice as many vulnerabilities in its various Windows operating systems and other software. Translation: If you use any supported version of Windows, it’s time once again to update your PC.

Read more ...

Monday, February 8, 2010

Comerica Phish Foiled 2-Factor Protection; Bank Sued

KrebsOnSecurity: A metals supply company in Michigan is suing its bank for poor security practices after a successful phishing attack against an employee allowed thieves to steal more than half a million dollars last year.

Read more ...

Saturday, February 6, 2010

Zeus Attack Spoofs NSA, Targets .gov and .mil

KrebsOnSecurity: Criminals are spamming the Zeus banking Trojan in a convincing e-mail that spoofs the National Security Agency. Initial reports indicate that a large number of government systems may have been compromised by the attack.

Read more ...

Friday, February 5, 2010

Consumer Electronics Company Agrees to Settle Data Security Charges; Breach Compromised Data of Hundreds of Consumers

FTC: An online seller of computer supplies and other consumer electronics has agreed to settle Federal Trade Commission charges that it violated federal law by failing to provide reasonable security to protect sensitive customer data. ... According to the FTC’s complaint, Compgeeks.com (Compgeeks), which operates the www.geeks.com Web site, and its parent company, Genica Corporation (Genica), collect sensitive information from consumers to obtain authorization for credit card purchases. ... In January 2008, media reports revealed a data breach at the company. It was later confirmed that hackers accessed the sensitive information of hundreds of consumers. ... The proposed settlement ... requires them to implement and maintain a comprehensive information-security program that includes administrative, technical, and physical safeguards. It also requires the companies to obtain, every other year for 10 years, an audit from a qualified, independent, third-party professional to ensure that the security program meets the standards of the order. In addition, the proposed settlement contains standard record-keeping provisions to allow the FTC to monitor compliance.

Read more ...

Wednesday, February 3, 2010

Hackers Try to Steal $150,000 from United Way

KrebsOnSecurity: Hackers broke into computer systems at a Massachusetts chapter of the United Way last month and attempted to make off with more than $150,000 from one of the nation’s largest charities.

Read more ...

Tuesday, February 2, 2010

U.S. 'Severely Threatened' By Cyber Attacks says Dennis C. Blair, Director of National Intelligence

Information Week: Testifying before the Senate Intelligence Committee on Tuesday, the top U.S. intelligence official warned that U.S. critical infrastructure is "severely threatened" and called the recent cyber attack on Google "a wake-up call to those who have not taken this problem seriously." ... "Sensitive information is stolen daily from both government and private sector networks, undermining confidence in our information systems, and in the very information these systems were intended to convey," said Dennis C. Blair, Director of National Intelligence, in prepared remarks outlining the U.S. intelligence community's annual assessment of threats.

Read more ...

Twitter Asks Users To Reset Passwords After Possible Phishing Attack

Washington Post: Twitter is locking many users out of the system this morning, and sending them notices that they need to change their passwords in order to regain access to the service, due to concerns over a possible phishing attack.

Read more ...

Monday, February 1, 2010

A Tale of Two Victims

KrebsOnSecurity: When a computer virus infection at a business allows thieves to steal tens of thousands of dollars from the company’s commercial banking account, banks typically don’t reimburse the victim company. But the truth is, most banks make that decision on a case-by-case basis.

Read more ...

Hacking for Fun and Profit in China’s Underworld

New York Times: CHANGSHA, China — With a few quick keystrokes, a computer hacker who goes by the code name Majia calls up a screen displaying his latest victims. “Here’s a list of the people who’ve been infected with my Trojan horse,” he says, working from a dingy apartment on the outskirts of this city in central China. “They don’t even know what’s happened.”

Read more ...