Wednesday, March 31, 2010

Spam Site Registrations Flee China for Russia

KrebsOnSecurity.com: A crackdown by the Chinese government on anonymous domain name registrations has chased spammers from Chinese registrars (.cn) to those that handle the registration of Russian (.ru) Web site names, new spam figures suggest. Yet, those spammy domains may soon migrate to yet another country, as Russia is set to enforce a policy similar to China’s beginning April 1. ... Chinese authorities called the move a crackdown on phishing and pornographic Web sites, but human rights and privacy groups marked it as yet another effort by Chinese leaders to maintain tight control over their corner of the Internet.

Read more at KrebsOnSecurity.com ...

More C-Level Involvement Needed in Cybersecurity, says ANSI

BusinessWeek: Organizations with top executives who aren't involved in cybersecurity decisions face a serious problem -- a major hit to their bottom lines, according to a report released Wednesday. ..."Many organizations see cybersecurity as solely an IT problem," said Karen Hughes, director of homeland security standards programs at the American National Standards Institute (ANSI), one of the major sponsors of the new report. "We are directing a wake-up call to executives nationwide. The message is, this is a very serious issue, and it's costing you a lot of money." ... The report, called "The Financial Management of Cyber Risk," recommends how C-level executives can implement cybersecurity risk management programs at their companies. Part of the goal is to get executives such as chief financial officers directly involved in cybersecurity efforts, said Larry Clinton, president of the Internet Security Alliance (ISA), the other major sponsor of the report.

Read more at Business Week ...

Separating April Fools’ From Fraud on the Web

NewYorkTimes: On the Internet, every day is April Fools’ Day. ... Thinking about how people get fooled on April 1 is a good way to prepare for the year-round attempts by swindlers to bamboozle the naïve, the witless and those who just aren’t paying close attention. In other words, all of us. ... The same themes run through the e-mail solicitations of Nigerian princes waiting to share their riches, messages by banks to type in your PIN or frantic pleas from Facebook friends trapped overseas without any money. ... How do you tell the real from the surreal today?

Read more at the New York Times ...

Tuesday, March 30, 2010

Online Thieves Take $205,000 Bite Out of Missouri Dental Practice

KrebsOnSecurity.com: Organized computer criminals yanked more than $200,000 out of the online bank accounts of a Missouri dental practice this month, in yet another attack that exposes the financial risks that small- to mid-sized organizations face when banking online. ... Eric Hudkins, the office manager and husband of one of the dentists at Smile Zone, said the money was taken in 11 different transfers, including three large wires. ... Hudkins said he contacted the FBI, and that the agent he spoke with told him the FBI wouldn’t open a case on the theft unless it was over $500,000 in losses. ... Meanwhile, Smile Zone’s bank — Springfield, Mo.-based Great Southern Bank — maintains it is not responsible for the loss, according to Hudkins ...

Read more at KrebsOnSecurity.com ...

Technology Coalition Seeks Stronger Privacy Laws

NewYorkTimes: A broad coalition of technology companies, including AT&T, Google and Microsoft, and advocacy groups from across the political spectrum said Tuesday that it would push Congress to strengthen online privacy laws to protect private digital information from government access. ... The group, calling itself the Digital Due Process coalition, said it wanted to ensure that as millions of people moved private documents from their filing cabinets and personal computers to the Web, those documents remained protected from easy access by law enforcement and other government authorities.

Read more at the New York Times ...

FBI: Business Can Help Fight Cybercrime by Reporting Breaches to Law Enforcement

One of the things helping cybercriminals is that organizations that have been hit don't often go to law enforcement. FBI director Robert Mueller acknowledged as much in a recent speech at last month's RSA Conference when he said that disclosing breaches to the FBI is the exception and not the rule today. The problem, according to acting deputy assistant director for the FBI's Cyber Division Jeffrey Troy, is that it helps the attackers if companies aren't disclosing breaches to the FBI or law enforcement. "We are most concerned with gathering that information and sharing it with everyone else [affected] so we can harden the systems," Troy says. "If you are not telling us you have been penetrated ... that [may be] another attack vector we can't protect everyone else from."

Read the story at DarkReading ...

Thanks to Michael Zweiback for this.

Apple Fixes More Than 90 Security Vulnerabilities in Mac OS X

KrebsOnSecurity.com: Apple released a software update on Monday that includes fixes for a massive number of security vulnerabilities in Mac OS X and associated software. ... The update corrects more than 90 security flaws and weaknesses in a variety of Apple and third-party products included in versions of OS X, such as ClamAV, Firewall, iChat, Mail, PHP and QuickTime. ... Updates are available for Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6 through v10.6.2, Mac OS X Server v10.6 through v10.6.2, through Software Update or via Apple Downloads. You might want to schedule the download when you have some time to be away from the computer: Depending on which version you’re downloading, the size of the update may weigh in at more than 750 megabytes.

Read more at KrebsOnSecurity.com ...

E-Mails of Activists, Academics and Journalists Hacked in China

NewYorkTimes: In what appears to be a coordinated assault, the e-mail accounts of more than a dozen rights activists, academics and journalists who cover China have been compromised by unknown intruders. A Chinese human rights organization also said that hackers disabled its Web site for a fifth straight day. ... The infiltrations, which involved Yahoo e-mail accounts, appeared to be aimed at people who write about China and Taiwan, rendering their accounts inaccessible, according to those who were affected. In the case of this reporter, hackers altered e-mail settings so that all correspondence was surreptitiously forwarded to another e-mail address.

Read more at the New York Times ...

Monday, March 29, 2010

Microsoft Releases Emergency IE Fix

KrebsOnSecurity.com: Microsoft Corp. said today it plans to break from its regularly scheduled monthly software update cycle to issue a patch on Tuesday for a security hole in its Internet Explorer Web browser that hackers have been exploiting lately. ... Tomorrow’s update will correct that flaw, as well as at least nine other security holes in IE that Microsoft had planned to patch on the next official Patch Tuesday (April 13).

Read more at KrebsOnSecurity.com ...

Facebook Proposes Changes in Privacy Policy to Share User Data with Other Sites

WashingtonPost: On Friday afternoon, Facebook announced a set of proposed changes to its privacy policy that could allow the popular social network to share more of its users' data with other sites without first getting their approval. ... The move builds on the Palo Alto, Calif., company's December revision of its privacy rules that made far more user information -- including individual status updates -- public by default. Under the new proposal, Facebook could then provide that data to "pre-approved third party websites and applications" unless a user opted out of that feature.

Read more at the Washington Post ...

Friday, March 26, 2010

New Inexpensive "Sniffer" Captures Keystrokes From Wireless Devices

TheRegister: Kit attacks Microsoft keyboards (and a whole lot more). ... Security researchers on Friday unveiled an open-source device that captures the traffic of a wide variety of wireless devices, including keyboards, medical devices, and remote controls. ... Keykeriki version 2 captures the entire data stream sent between wireless devices using a popular series of chips made by Norway-based Nordic Semiconductor. That includes the device addresses and the raw payload being sent between them. The open-source package was developed by researchers of Switzerland-based Dreamlab Technologies and includes complete software, firmware, and schematics for building the $100 sniffer.

Read more at The Register ...

Thursday, March 25, 2010

Would You Have Spotted this ATM Fraud?

KrebsOnSecurity.com: The stories I’ve written on ATM skimmers — devices criminals can attach to bank money machines to steal customer data — remain the most popular at Krebs on Security so far. I think part of the public’s fascination with these fraud devices is rooted in the idea that almost everyone uses ATMs, and that it’s entirely possible to encounter this type of sneaky, relatively sophisticated form of crime right in our own neighborhoods. ... police in Alexandria, Va. — just a couple of miles to the East of where I reside — recently were alerted to a skimmer found on an ATM at a Wachovia Bank there.

Read more at KrebsOnSecurity.com ...

Cybercrime Law Update from Washington

KrebsOnSecurity.com: There are several cybersecurity policy issues on Capitol Hill that are worth keeping an eye on. Lawmakers in the Senate have introduced a measure that would call for trade restrictions against countries identified as hacker havens. Another proposal is meeting resistance from academics who worry about the effect of the bill’s mandatory certification programs for cyber security professionals. ... As reported by The Hill newspaper, Senators Orrin Hatch (R-Utah) and Kirsten Gillibrand (D-NY) have introduced The International Cybercrime Reporting and Cooperation Act, a bill that would penalize foreign countries that fail to crack down on cyber criminals operating within their borders. ... one of the world’s largest and oldest educational and scientific computing groups says it is “deeply troubled” by mandatory training provisions included in The Cybersecurity Act, a bill proposed by Senators Jay Rockefeller (D-W.Va.) and Olympia Snowe (R-Maine). The bill is aimed at protecting critical U.S. network infrastructure against cybersecurity threats, but it includes language making it illegal for anyone to offer cybersecurity services to any federal agency or system without being certified and licensed as such under a program to be determined by the Commerce Department.
 
Read more at KrebsOnSecurity.com ...

Wednesday, March 24, 2010

Cybercriminals Make $$$$$ Peddling Rogue Anti-Virus Products

KrebsOnSecurity.com: The presence of rogue anti-virus products, also known as scareware, on a Microsoft Windows computer is often just the most visible symptom of a more serious and insidious system-wide infection. To understand why, it helps to take a peek inside some of the more popular rogue anti-virus distribution networks that are paying people to peddle scareware alongside far more invasive threats. ... Distributors or “affiliates” who sign up with avprofit.com, for example, are given access to an installer program that downloads not only rogue anti-virus but also ZeuS, a stealthy piece of malware that specializes in mining online banking credentials from infected PCs. ZeuS is the very piece of malware directly responsible for helping thieves steal tens of millions of dollars from small to mid-sized businesses over the past year. ... Avprofit says it will pay affiliates roughly $1,000 for every 1,000 times they distribute this installer program, or about $1 per install. Typically, affiliates will embed these installers at porn sites or bundle them with programs seeded on peer-to-peer file-sharing services. The nightmare for the victim starts when he or she responds to the fake anti-virus pop-up warning of supposed threats resident on the victim’s PC, by agreeing to download and run a scanning tool.


Read more at KrebsOnSecurity.com ... 

Tuesday, March 23, 2010

Riskiest Online Cities: The Emperor Has No Clothes

Yesterday's news brought an intriguing headline "The Norton Top 10 Riskiest Online Cities Report Reveals Who's Most Vulnerable to Cybercrime." I read the story, examined the report and sadly concluded that there was much less here than meets the eye.

As novelist G.K. Chesterton once wrote “It’s not that they don’t know the answer. It’s that they don’t know the question.”

The report measured the online risk of a city by looking at several pieces of data, including:

  • Cybercrime data from Symantec Security Response, including number of malicious attacks, number of potential malware infections, number of spam zombies, number of bot-infected computers, and level of Internet access
  • Expenditures on computer hardware and software
  • Wireless hotspots
  • Broadband connectivity
  • Internet usage
  • Online purchases

The report leaves much to be desired for at least three reasons.

First, the data collected may not meaningfully relate to online risk. Expenditures on computer hardware and software may mean little or nothing since one large supercomputer can cost the same as zillions of PCs and actually lower risk.

Second, missing from this list are things that would serve to mitigate risk such as:
  • Number of information systems security professionals in the city
  • Average number of information security professionals per 1,000 computers and per company
  • Percentage of computers that connect to hotspots using a VPN
  • Percentage of companies that are ISO 27001 certified
  • Numbers of CISSPs, CISMs, etc.
  • Percentage of businesses / homes with professionally managed firewalls

My third objection may be the most fundamental of all. Just exactly what is "online risk" supposed to mean when applied to a city, as opposed to an organization or individual? My online risk goes up or down as the total number of bot-infected or spam zombie computers in the world goes up or down. My online risk is pretty much the same whether there are more bot-infected or spam zombie computers in Seattle or Los Angeles; it’s the total number that matters, not where they happen to be located.

My risk is my risk: It depends on my specific online habits and the specific security measures I take, not whether I'm more likely to be attacked from down the street or halfway around the country [or even the world].

If a city’s online risk is to measure the likelihood of my being attacked by virtue of being online in that city — analogous to what physical risk measures when we say that one city is safer than another — then the factors Norton used in the survey are, I contend, simply the wrong factors.

As you can see, my objections are less related to security than to the nature of the survey itself.

Nice try, Norton. But you need to go back to the drawing board, if there's even a drawing board here.

Monday, March 22, 2010

More Online Bank Theft Victims

KrebsOnSecurity.com: An Arkansas public water utility and a New Jersey town are the latest victims of an organized cyber crime gang that is stealing tens of millions of dollars from small to mid-sized organizations via online bank theft.

Read more from KrebsOnSecurity.com ...

Sunday, March 21, 2010

Banking laws leave business customers vulnerable to Internet fraud

Los Angeles Times: If hackers drain a personal account, the bank usually must cover most of the loss. But commercial deposits get no such protection. ... Just ask Fan Bao of Los Angeles. ... Bao, who runs a small import-export business, had $50,000 stolen from his bank account by computer hackers in Croatia. Bank of America has refused to reimburse him, saying the loss was his problem, not the bank's. ... Had the money been stolen out of a personal account, the bank's response would have been dramatically different. Federal law would have required the bank to reimburse Bao. ... But, unbeknown to many, business and personal accounts are governed by completely different rules. Those rules protect individuals from online hacking but can leave small-business owners to twist in the wind. ... Normally that would merely be worrisome. But it's far more frightening now because technology and law enforcement experts believe there is a huge wave growing of sophisticated criminal enterprises that target small-business bank accounts.

Read more ...

Saturday, March 20, 2010

How Privacy Vanishes Online

NewYorkTimes: If a stranger came up to you on the street, would you give him your name, Social Security number and e-mail address?... Probably not. ... Yet people often dole out all kinds of personal information on the Internet that allows such identifying data to be deduced. Services like Facebook, Twitter and Flickr are oceans of personal minutiae — birthday greetings sent and received, school and work gossip, photos of family vacations, and movies watched. ... Computer scientists and policy experts say that such seemingly innocuous bits of self-revelation can increasingly be collected and reassembled by computers to help create a picture of a person’s identity, sometimes down to the Social Security number.

Read more ...

Paper in China Sets Off Alarms in U.S.

New York Times: It came as a surprise this month to Wang Jianwei, a graduate engineering student in Liaoning, China, that he had been described as a potential cyberwarrior before the United States Congress. ... Larry M. Wortzel, a military strategist and China specialist, told the House Foreign Affairs Committee on March 10 that it should be concerned because “Chinese researchers at the Institute of Systems Engineering of Dalian University of Technology published a paper on how to attack a small U.S. power grid sub-network in a way that would cause a cascading failure of the entire U.S.

Read more ...

In Bid to Sway Sales, Cameras Track Shoppers

New York Times: The curvy mannequin piqued the interest of a couple of lanky teenage boys. Little did they know that as they groped its tight maroon shirt in the clothing store that day, video cameras were rolling. ... At a mall, a father emerged from a store dragging his unruly young son by the scruff of the neck, as if he were the family cat. The man had no idea his parenting skills were being immortalized. ... At an office supply store, a mother decided to get an item from a high shelf by balancing her small child on her shoulders, unaware that she, too, was being recorded.... These scenes may seem like random shopping bloopers, but they are meaningful to stores that are striving to engineer a better experience for the consumer, and ultimately, higher sales for themselves. Such clips, retailers say, can help them find solutions to problems in their stores — by installing seating and activity areas to mollify children, for instance, or by lowering shelves so merchandise is within easy reach. ... Privacy advocates, though, are troubled by the array of video cameras, motion detectors and other sensors monitoring the nation’s shopping aisles.

Read more ...

Bad BitDefender Antivirus Update Hobbles Windows PCs

KrebsOnSecurity: A faulty update is being blamed for incapacitating an untold number of Microsoft Windows systems running anti-virus software from BitDefender. ... BitDefender says the problem occurred Saturday morning with a faulty update for 64-bit Windows systems that caused multiple Windows and BitDefender files to be quarantined. The bad update causes the anti-virus program to flag thousands of legitimate Windows and BitDefender program files as a threat called “FakeAlert.5”.

Read more ...

Friday, March 19, 2010

Google patches Chrome days before hacking contest

ComputerWorld: Google has patched 11 vulnerabilities in the Windows version of Chrome, including one that earned its finder the first $1,337 check from the company's new bug bounty program. ... The update to Chrome 4.1.249.1036 fixes six flaws rated "high," the second-most-severe ranking in Google's four-step threat system; plugs three "medium" holes; and quashes two "low" bugs.

Read more ...


Mozilla confirms critical Firefox bug

ComputerWorld: Mozilla yesterday confirmed a critical vulnerability in the newest version of Firefox, and said it would plug the hole by the end of the month. ... "The vulnerability was determined to be critical and could result in remote code execution by an attacker," Mozilla acknowledged in a post to its security blog late Thursday. "The vulnerability has been patched by developers and we are currently undergoing quality assurance testing for the fix." ... Firefox 3.6, which Mozilla launched in January, is affected, Mozilla said, adding that it would be patched in version 3.6.2, currently slated to ship on March 30.


Read more ...


Naming and Shaming ‘Bad’ ISPs

KrebsOnSecurity: Roughly two years ago, I began an investigation that sought to chart the baddest places on the Internet, the red light districts of the Web, if you will. What I found in the process was that many security experts, companies and private researchers also were gathering this intelligence, but that few were publishing it. Working with several other researchers, I collected and correlated mounds of data, and published what I could verify in The Washington Post. The subsequent unplugging of malware and spammer-friendly ISPs Atrivo and then McColo in late 2008 showed what can happen when the Internet community collectively highlights centers of badness online. ... Fast-forward to today, and we can see that there are a large number of organizations publishing data on the Internet’s top trouble spots. I polled some of the most vigilant sources of this information for their recent data, and put together a rough chart indicating the Top Ten most prevalent ISPs from each of their vantage points.

Read more ...

Wednesday, March 17, 2010

After weeklong fight, rogue ISP Troyak struggles for life

ComputerWorld: After an international take-down effort, a rogue ISP responsible for controlling large numbers of computers infected with data-stealing code is down for the moment, but it may be reconnecting with the Internet, according to security researchers. ... Troyak, which is believed to be based in eastern Europe, was knocked offline earlier this month after other networks supplying its connectivity to the Internet stopped carrying its traffic due to complaints it was complicit in cybercrime. ... Since then the network has fought a cat-and-mouse game with network providers in 12 countries and international law enforcement, according to Jart Armin, the pseudonymous editor of the Hostexploit.com Web site, which has been involved in the action. ... "Troyak is still fighting hard, as it is the only link to the outside Internet for a few [criminal groups]," he said in an e-mail interview. ... Troyak and another ISP, Group 3, provided connectivity for 90 of 249 servers used to control Zeus, a sophisticated piece of malware that steals financial credentials and other data. Group 3 has also been disconnected. ... At this point, Troyak's reputation is so sullied that it is becoming difficult for it to find other ISPs to carry its traffic on the Internet.

Read more ...

Measure would force White House, private sector to collaborate in cyber-crisis

Washington Post: Key members of Congress are pushing legislation that would require the White House to collaborate with the private sector in any response to a crisis affecting the nation's critical computer networks. ... The Cybersecurity Act, drafted by Senate commerce committee Chairman John D. Rockefeller IV (D-W.Va.) and committee member Olympia J. Snowe (R-Maine), is an attempt to prod the Obama administration and Congress to be more aggressive in crafting a coordinated national strategy for dealing with cyberthreats. It is to be unveiled Wednesday. ... The senators also sponsored the National Cybersecurity Advisor Act, which would create a Senate-confirmed, Cabinet-level position to lead efforts to protect the nation's computer systems, elevating the role of the cyber coordinator's job that President Obama filled late last year. That bill is pending in the Senate.

Read more ...

Closing Down ISPs that Allow Malicious Activity

MIT Technology Review: A study highlights efforts to take down ISPs that allow malicious activity. ... In recent years, cyber gangs have been careful to spread their operations across multiple Internet service providers, a tactic that makes it much harder for law enforcement and security administrators to track organized crime activity. ... But new research shows that gathering data from various places, including anti-malware and anti-spam companies and phishing blacklists, makes it possible to identify dense clusters of ISPs that appear to be overly tolerant of malicious activity. This pattern was particularly evident in Eastern Europe and the Middle East.

Read more ...

Revised Cybersecurity Bill Introduced in Senate

ComputerWorld: A revised version of a cybersecurity bill first proposed last year was introduced again in the U.S. Senate today, notably without a controversial provision that would have given the President authority to disconnect networks from the Internet during a national emergency. ... The bill, called the Cybersecurity Act, is sponsored by Senators Jay Rockefeller (D-W.Va.) and Olympia Snowe (R-Maine). It seeks to improve national cybersecurity preparedness by fostering a closer collaboration between the government and the private sector companies, which own a vast portion of the country's critical infrastructure. ... The bill contains several provisions designed to encourage the growth of a trained and certified cybersecurity workforce, promote public awareness of cybersecurity issues and to foster and fund research leading to the development of new security technologies.

Read more ...

FCC Broadband Plan Calls For Enhanced Cyber Defenses

ChannelWeb: The National Broadband Plan, presented to Congress by the Federal Communications Commission this week, contains stipulations that could equip U.S. communications networks with stronger defenses against cyber threats and protect users' privacy online. ... Among other things, the plan gives a boost for the development of cyber security infrastructure, proposing the implementation of online privacy measures and calling for continued cooperation between the FCC and the Department of Homeland Security on public safety issues and initiatives.

Read more ...


Google Attacks Highlight Growing Problem of Cyber Security Threats

VoiceOfAmerica: Google’s recent disclosure that it was the target of a highly sophisticated cyber attack has brought renewed attention to the growing problem of cyber security threats. Officials and security experts say that while past cyber attacks focused largely on national secrets and defense technologies, that focus is changing. ... Speaking at a recent congressional hearing on future threats to U.S. national security, FBI Director Robert Mueller said cyber attacks are increasingly taking a wider aim. [Director Mueller’s Testimony to Senate Committee on Intelligence] "As the global economy integrates, many cyber threats now focus on economic or non-government targets as we have seen with the recent cyber attack on Google," he explained. "Targets in the private sector are at least as vulnerable and the damage can be just as great."

Read more ...



Texan accused of disabling 100 cars over Internet

AP: DALLAS — A man fired from a Texas auto dealership used an Internet service to remotely disable ignitions and set off car horns of more than 100 vehicles sold at his old workplace, police said Wednesday. ... Austin police arrested Omar Ramos-Lopez, 20, on Wednesday, charging him with felony breach of computer security. ... Ramos-Lopez used a former colleague's password to deactivate starters and set off car horns, police said. Several car owners said they had to call tow trucks and were left stranded at work or home.

Read more ...

Researchers Map Multi-Network Cybercrime Infrastructure

KrebsOnSecurity: Last week, security experts launched a sneak attack to disconnect Troyak, an Internet service provider in Eastern Europe that served as a global gateway to a nest of cyber crime activity. For the past seven days, unnamed members of the security community reportedly have been playing Whac-a-Mole with Troyak, which has bounced from one legitimate ISP to the next in a bid to reconnect to the wider Internet.

Read more ...

Tuesday, March 16, 2010

The Snitch in Your Pocket

Newsweek: Law enforcement is tracking Americans' cell phones in real time—without the benefit of a warrant. ... How many of the owners of the country's 277 million cell phones even know that companies like AT&T, Verizon, and Sprint can track their devices in real time?

Read more ...

Thanks to Richard Greenberg for this.

MSE Users: Check for Updates, Piracy

KrebsOnSecurity: One of the systems that just sits here idling all the time in what the wife lovingly calls the Krebs on Security “command center” runs Microsoft’s free Security Essentials anti-virus and security tool. Late last week, I just happened to notice that for who-knows-how-long, a pending upgrade to the program has left that system “potentially unprotected,” according to Microsoft.

Read more ...

eBanking Victim? Take a Number.

KrebsOnSecurity: Over the past nine months, I have spent a substantial amount of time investigating and detailing the plight of dozens of small businesses that have had their bank accounts cleaned out by organized criminals. ... I am now hearing from multiple companies each week that have suffered tens of thousands or hundreds of thousands of dollars in losses from a single virus infection. ... In each of these dramas, the plot line is roughly the same: Attackers planted malicious software on the victim’s PC to steal the company’s online banking credentials, and then used those credentials to siphon massive amounts of money from the targeted accounts. The twists to the stories come in how the crooks evade security technologies, how the banks react, and whether the customers are left holding the (empty) bag.

Read more ...

Monday, March 15, 2010

Stopgap IE Fix, Safari Update Available

KrebsOnSecurity: Microsoft has issued a stopgap fix to shore up a critical security hole in older versions of its Internet Explorer browser. Meanwhile, exploit code showing would-be attackers how to use the flaw to break into vulnerable systems is being circulated online. ... In other news, Apple has pushed out a new version of its Safari Web browser that includes some important security patches. Updates are available for both Mac and Windows versions of the software. Windows users can grab the update through the Apple Software Update tool, while Mac users can patch via Software Update.

Read more ...

Sunday, March 14, 2010

Identity theft may be prelude to more serious crime

Los Angeles Times: Identity theft may be the financial world's equivalent of a staph infection. Just when you thought you had a handle on protecting your identity from criminals, the crime has morphed into something new and far more toxic. ... identity criminals are now using your information as they commit felonies, including child abuse and terrorism. Others are using your records to file fraudulent medical claims, experts say. These new forms of identity theft are nearly invisible until they cause serious problems.

Read more ...

Saturday, March 13, 2010

FBI: Online Fraud Costs Skyrocketed in 2009

KrebsOnSecurity: Reported losses from online fraud more than doubled last year, from $265 million in 2008 to nearly $560 million in 2009, according to figures released Friday by the FBI.

Read more ...

Friday, March 12, 2010

Apple plugs 16 holes in Safari as Pwn2Own looms

ComputerWorld: Two weeks before a browser hacking contest is to kick off in Vancouver, British Columbia, Apple Inc. yesterday patched 16 vulnerabilities in Safari, 12 of them critical bugs that could be used to hijack a machine. ... Apple updated Safari for both Mac OS X and Windows to Version 4.0.5, hardening the browser before it's tossed into the ring with Microsoft's Internet Explorer, Mozilla's Firefox and Google's Chrome at this year's Pwn2Own hacking challenge. The contest organizer has predicted that Safari would be the first to fall when researchers battle for $40,000 in prize money beginning March 24 at the CanSecWest security conference.

Read more ...


Thursday, March 11, 2010

ZeuS botnet code keeps getting better… for criminals

NetworkWorld: $10,000 will buy a ZeuS module that takes complete control of a compromised PC. ... New capabilities are strengthening the ZeuS botnet, which criminals use to steal financial credentials and execute unauthorized transactions in online banking, automated clearing house (ACH) networks and payroll systems. The latest version of this cybercrime toolkit, which starts at about $3,000, offers a $10,000 module that can let attackers completely take control of a compromised PC.

Read more ...

Thanks to Brad Maryman for this.

Massachusetts Data Security Rules to Have National Impact

InternetLawCenter: Massachusetts' sweeping data security regulations went into effect on March 1st. The regulations are intended to provide “minimum standards” for safeguarding personal information for any businesses that own or sell personal data of Massachusetts residents. ... Companies possessing such data must develop and monitor a comprehensive written “Information Security Program,” designate an employee to be responsible for the Information Security Program, implement training, establish policies regarding access to the data, use encryption and require that service providers comply with these requirements in all written contracts. The full regulations are available here. Consult your counsel for compliance requirements. Mass Data Security Regs.

Read more ...

Thanks to Bennet Kelley of ILC for this.

Zeus botnet temporarily disrupted, but back in full force

SearchSecurity.com: The Zeus botnet, a Trojan family widely used by cybercriminals to target victims with data-stealing malware, was temporarily disrupted this week after the ISP suspected of hosting its command-and-control servers was brought down. ... Kazakhstan-based Troyak.org, which harbors servers that control spam and malware botnets, went down temporarily on Tuesday. Troyak is considered to host 25% of the command-and-control servers that connect to Zeus infected computers. ScanSafe, which was recently acquired by Cisco Systems Inc., identified a sharp uptick in malware traffic prior to the shutdown, indicating the bot herders may have known there would be a disruption to their operations. ..."The data seems to indicate they had some sort of advance warning and if so they would have had ample opportunity to update their bots," said Mary Landesman, senior security researcher at ScanSafe, now part of Cisco.

Read more ...

Crooks Crank Up Volume of E-Banking Attacks

KrebsOnSecurity: Computer crooks stole more than $200,000 from an auto body shop in Ohio last month in a brazen online robbery. The attack is yet another example of how thieves are using malicious software to bypass bank security technologies that are often touted as strong deterrents to this type of fraud.

Read more ...

Dozens of ZeuS Botnets Knocked Offline

KrebsOnSecurity: Security experts are tracking a massive drop in the global number of control servers for various ZeuS botnets that are online, suggesting that a coordinated takedown effort may have been executed by law enforcement and/or volunteers from the security research community acting in tandem.

Read more ...

Wednesday, March 10, 2010

Law Firms slow to awaken to cybersecurity threat

National Law Journal: Hackers delve for client secrets, litigation plans, negotiation strategies and details of pending transactions.

An oddly worded e-mail was the first sign of something amiss at Los Angeles firm Gipson Hoffman & Pancione. It didn't read like the messages the firm's attorneys usually sent each other — didn't pass the "smell test." ... His suspicions raised, the recipient, associate Gregory Fayer, picked up the phone and discovered that the colleague who supposedly sent the e-mail knew nothing of it. Other attorneys at the firm also received the bogus e-mail, which was eventually traced to China — where Gipson Hoffman is litigating a $2.2 billion copyright infringement suit against the government. Fayer was well aware that cyberattackers often use fake e-mail messages to break into computer networks.

Read more ...

Thanks to Dave Roberts and Leba Finklestein for this.


Security gaps exploited in grade scandal remain, may be difficult to close

Washington Post: Montgomery County school officials have not yet closed gaps in their computer system that allowed students at a high-performing Potomac high school to change dozens of grades using a device that can be bought from Amazon.com for $69. And other school systems, including Fairfax County, remain just as vulnerable, school officials said Tuesday.... At least eight students at Winston Churchill High School are believed to have used the readily available device to obtain teachers' passwords for the school system's grading system. ... Computer experts said that Churchill teachers were lucky to catch the students. Just about every school system that protects its teachers' data with a simple username and password is vulnerable, experts said, and accessing a teacher's computer files is extremely common. ... "That's the first hack that every kid who becomes a criminal has done," said Alan Paller, director of research at the SANS Institute, an information security group.

Read more ...

Tuesday, March 9, 2010

Verisign: Security Solutions Overwhelming to Consumers

"Consumers are overwhelmed and frustrated by all the security solutions out there," said Verisign's (NASDAQ: VRSN) Jim Bidzos, who organized the first RSA Conference in 1991. "In fact some of the security tools we offer are nearing the point of negative returns." ... "It's time we started thinking about security as only part of the solution and ask what users really need from us. Today users are faced with pop-ups and all sorts of security procedures designed to make them feel more secure, but may simply frustrate them and question whether the Internet is safe," he said. ...In fact, Bidzos said the results from multiple surveys that asked consumers whether they thought the Internet is safe "indicates we're not quite there yet."

Read more ...

Source: eSecurity Planet


Monoprice.com Shuttered After Fraud Complaints

KrebsOnSecurity: Audio visual cabling giant monoprice.com shut down its Web site – possibly for the next couple of weeks – while it investigates the possible compromise of its customer credit and debit card information. ... Monoprice’s corporate page on Facebook.com features a number of interesting comments from customers, some of whom attributed recent fraudulent charges to the incident, while others are praising the company for being so forthcoming and providing continuous updates via Facebook.

Read more ...

Microsoft Patch Tuesday: Two Bug Fixes, IE Warning

Microsoft released two patches for eight security holes in its March "Patch Tuesday" drop, but also issued an advisory about a recently discovered flaw in Internet Explorer. ... The bugs fixed by the two patches are rated "important," the second highest ranking on Microsoft's four-tier severity rating scale. ... One bug that Microsoft did not fix this time around is a zero-day flaw in the way older versions of Windows handle help files and scripting -- Microsoft sent out a Security Advisory regarding the hole last week. ... According to Microsoft, the zero-day help file hole affects Windows 2000 Service Pack 4 (SP4), Windows XP SP2 and SP3, as well as 64-bit versions of XP Professional SP2, and Windows Server 2003. More recent releases of Windows, including Vista, Windows Server 2008, and Windows 7, are not at risk, Microsoft said.

Read more ...

Source: eSecurity Planet


Cyber Crooks Leave Traditional Bank Robbers in the Dust

KrebsOnSecurity: Organized cyber criminals stole more than $25 million from small to mid-sized businesses in brazen e-banking heists in the 3rd quarter of 2009 alone, federal regulators said last week. In contrast, traditional stick-up artists hauled less than $9.5 million out of U.S. banks over that same time period last year.

Read more ...

LifeLock Will Pay $12 Million to Settle Charges by the FTC and 35 States That Identity Theft Prevention and Data Security Claims Were False

FTC: LifeLock, Inc. has agreed to pay $11 million to the Federal Trade Commission and $1 million to a group of 35 state attorneys general to settle charges that the company used false claims to promote its identity theft protection services, which it widely advertised by displaying the CEO’s Social Security number on the side of a truck. ... “While LifeLock promised consumers complete protection against all types of identity theft, in truth, the protection it actually provided left enough holes that you could drive a truck through it,” said FTC Chairman Jon Leibowitz.

Read more ...

Energizer DUO: Trojan yourself for only $19.99

The Energizer DUO, a USB-powered battery recharger, was confirmed on Friday by Energizer Holdings to contain malicious code. According to this Energizer Press Release, they were notified by the CERT Coordination Center that the Windows software that ships with their DUO Charger "contains a vulnerability". ...Energizer has discontinued sale of this product and has removed the site to download the software. In addition, the company is directing consumers that downloaded the Windows version of the software to uninstall or otherwise remove the software from their computers. This will eliminate the vulnerability. In addition CERT and Energizer recommend that users remove a file that may remain after the software has been removed. The file name is Arucer.dll, which can be found in the Windows system32 directory. ... Additional technical information can be found at http://www.kb.cert.org/vuls/id/154421.

Read more ...

Source: CyberCrime & Doing Time

Monday, March 8, 2010

Victim Asks Capital One, ‘Who’s in Your Wallet?’

KrebsOnSecurity: ... Joseph Mier and Associates Inc., a real estate appraisal company based in Hammond, La., lost more than $27,000 last year when four unauthorized automated clearing house (ACH) withdrawals were made from its accounts and sent to individuals around the United States.

Read more ...

Fiserv to Banks: Stay on Outdated Adobe Reader

KrebsOnSecurity: One of the nation’s largest providers of money-transfer and online banking services to credit unions and other financial institutions is urging customers not to apply the latest security updates for Adobe Reader, the very application most targeted by criminal hackers and malicious software. ... At issue is a non-public advisory issued by Fiserv, a Fortune 500 company that provides bank transaction processing services and software to more than 16,000 clients worldwide.

Read more ...

Friday, March 5, 2010

New Massachusetts Data Privacy Law

darkREADING: Massachusetts Data Privacy Law went into effect on March 1, focuses on prevention. .... After regulators granted more than a year's delay of compliance enforcement, the Massachusetts Data Privacy Law 201 CMR 17 finally went into effect on March 1. Unlike most of today's state-based data privacy laws, which primarily focus on public disclosure once a breach occurs, the new Massachusetts law prescribes that more stringent protective measures be taken to prevent breaches from occurring in the first place. ... The primary regulatory drive behind the new law is to ensure companies have an overarching security policy framework and the means to enforce the policy in order to protect sensitive data stores.

Read more ...

FBI to Private Sector: Cybersecurity Joint Effort

If anyone came to the RSA Conference this week expecting to hear technology was winning the war against cyber threats, they'd be sorely disappointed. Just as Homeland Security Chief Janet Napolitano did the previous day, FBI director Robert Mueller told an audience here at the conference that the U.S. risks falling dangerously behind in the fight against cyber criminals. ... Noting the breadth of attacks by numerous criminal organizations here and abroad, Mueller said our computer systems are suffering "death by a thousand cuts, bleeding data, bit by bit and terabyte by terabyte," as he put it. ..."We're playing cat and mouse and the mouse seems to be ahead most of the time," the FBI director continued. "We have to make the cost of business too expensive for them."

Read more ...

Source: eSecurityPlanet.com

Yep, There’s a Patch for That

KrebsOnSecurity: The average Microsoft Windows user has software from 22 vendors on her PC, and needs to install a new security update roughly every five days in order to use these programs safely, according to an insightful new study released this week. ... Those programs come from more than 22 vendors, so as a first order estimate the number of different vendors you have on your box is the number of different update mechanisms you have to master.

Read more ...

Regulators Revisit E-Banking Security Guidelines

KrebsOnSecurity: Prodded by incessant reports of small- to mid-sized business losing millions of dollars at the hands of organized cyber criminals, federal regulators may soon outline more stringent steps that commercial banks need to take to protect business customers from online banking fraud and educate users about the risks of banking online. ... At issue are the guidelines jointly issued in 2005 by five federal banking regulators under the umbrella of the Federal Financial Institutions Examination Council (FFIEC). The guidance was meant to prod banks to implement so-called “multifactor authentication” — essentially, to require customers to provide something else in addition to a user name and password when logging into their bank accounts online, such as the output from a security token.
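The FFIEC guidance quoted above does not name an algorithm for the "output from a security token." The block below is an added example, not code from KrebsOnSecurity or any bank, and it assumes the token is an event-based one-time-password device following RFC 4226 (HOTP); the secret is the RFC's own test-vector key, and `TokenVerifier` and its `window` parameter are illustrative names chosen here. It shows what a bank-side verifier has to do beyond comparing six digits: tolerate a few counter values the user burned without submitting, and refuse to accept any code twice.

```python
import hmac
import hashlib
import struct

# Constructed inputs for the example: the RFC 4226 test-vector secret, not a real key.
SECRET = b"12345678901234567890"
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """Return the RFC 4226 HOTP value for `counter` as a zero-padded decimal string."""
    msg = struct.pack(">Q", counter)                 # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                          # dynamic truncation (RFC 4226 section 5.3)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class TokenVerifier:
    """Server-side state for one customer's token: the next counter value expected.

    `window` is the look-ahead allowed for counters the user consumed without
    submitting (pressing the token's button and not logging in). A code is
    accepted at most once: after a match the stored counter moves past it, so
    a replayed code, for example one captured by a keylogger, is rejected even
    though it is still inside the look-ahead window.
    """

    def __init__(self, secret: bytes, window: int = 10):
        self.secret = secret
        self.window = window
        self.counter = 0  # next counter value we expect from the token

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.window):
            # constant-time compare so timing does not leak which digits matched
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1  # resynchronise and burn every counter up to c
                return True
        return False


if __name__ == "__main__":
    v = TokenVerifier(SECRET)
    print(hotp(SECRET, 0), v.verify(hotp(SECRET, 0)), v.verify(hotp(SECRET, 0)))
```

The replay check is the part that matters against credential-stealing malware: a keylogged one-time code is useless once the real session has consumed it. It does nothing, however, against the attacks the page describes elsewhere, where the Trojan rides the customer's already-authenticated browser session and issues transfers itself, which is why the regulators are revisiting the 2005 guidance rather than declaring tokens sufficient.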


Read more ...

Thursday, March 4, 2010

Homeland Security Chief Details Cyber Threats

If there's one message Department of Homeland Security (DHS) Secretary Janet Napolitano stressed during an address here at the RSA conference, it was the need for speed in dealing with cyber threats. ... "We need to do more and do it faster," she said. While there is perhaps no ultimate technology solution to protect the country's digital infrastructure, Napolitano said her department wants to provide the ability to "bounce back" from an attack of any size, which would require more sophisticated failover and disaster recovery technology than is currently available.

Read more ...

Source: eSecurityPlanet.com

Criminal investigation opened in grade-changing scandal at Churchill High

Washington Post: The Montgomery County state's attorney has opened a criminal investigation into a grade-changing scheme at Winston Churchill High School, officials said Wednesday, elevating the digital subterfuge into a major scandal at one of the region's most prestigious public schools.... Police, prosecutors and school officials are examining the actions of at least eight students who allegedly used a USB device to steal teachers' passwords and change the grades of 54 students. Nearly 700 student records have been subpoenaed, and three of the eight students identified as ringleaders have left the school.

Read more ...

New BlackEnergy Trojan Targeting Russian, Ukrainian Banks

DarkREADING: Botnet lets attackers steal online banking credentials and DDoS Russian and Ukrainian banks ... Russian hackers have written a more sophisticated version of the infamous BlackEnergy Trojan associated with the 2008 cyberattacks against Georgia that now targets Russian and Ukrainian online banking customers.

Read more ...

SECURITY ALERT: Citadel has begun seeing attacks in the US using the new BlackEnergy Trojan.

Thanks to Brad Maryman for this.

Wednesday, March 3, 2010

RSA panel: No easy solution for Zeus Trojan, banking malware

The Zeus Trojan has been keeping David Shroyer up at night. The sneaky, ever-changing malware comes in many variants and is constantly finding ways to evade detection, said Shroyer, vice president of online security and enrollment at Bank of America. ..."The complexity of the Trojan is what makes it so scary," he said during a panel discussion on banking malware Tuesday at the RSA Conference. New solutions to fight the threat can quickly become outdated, he added. ... Bank of America does a lot of threat scoring; last year, phishing was the top threat facing its customers. But this year, in the wake of Zeus, "The customer endpoint has become the number one threat," he said. ...Cybercriminals have been using the Zeus Trojan to steal online banking credentials, and researchers say the highly customizable and easily obtainable malware kit has proven to be particularly successful. Small and midsize businesses have been especially hard hit by online banking fraud triggered by password-stealing malware.

Read more ...

Source: SearchFinancialSecurity.com

Thanks to Brad Maryman for this.

Tuesday, March 2, 2010

White House: Comprehensive National Cybersecurity Initiative

The White House has released its Comprehensive National Cybersecurity Initiative (CNCI). The CNCI consists of a number of mutually reinforcing initiatives with the following major goals designed to help secure the United States in cyberspace:
  • To establish a front line of defense against today’s immediate threats by creating or enhancing shared situational awareness of network vulnerabilities, threats, and events within the Federal Government—and ultimately with state, local, and tribal governments and private sector partners—and the ability to act quickly to reduce our current vulnerabilities and prevent intrusions.
  • To defend against the full spectrum of threats by enhancing U.S. counterintelligence capabilities and increasing the security of the supply chain for key information technologies.
  • To strengthen the future cybersecurity environment by expanding cyber education; coordinating and redirecting research and development efforts across the Federal Government; and working to define and develop strategies to deter hostile or malicious activity in cyberspace.
The CNCI identifies 12 specific initiatives for accomplishing the above objectives.

Download the CNCI Overview with a link to the CNCI ...

Information on U.S. website for medical data thefts is bare-bones

Los Angeles Times: The medical records of more than 18,000 patients of at least five Torrance doctors were potentially accessed by cyber-thieves on a single day in September, but this is probably the first you're hearing of it. ... Although a new federal law requiring greater disclosure of medical-data security breaches was passed a year ago, it wasn't until recently that the Department of Health and Human Services began posting specific incidents online.

Read more ...

Monday, March 1, 2010

Wyndham computers hacked into again for credit card names, numbers

USA Today: Hackers broke into computer systems at Wyndham Hotels & Resorts recently, stealing customers' credit card information, according to an IDG News Service article on CIO.com. Wyndham operates chains including Days Inn, Ramada, Super 8 and Howard Johnson. ... It's the latest sign that computer hackers continue to target hotel networks to obtain sensitive guest data, which they can then use to purchase stolen goods. Earlier this month, Hotel Check-In reported that hotels had become hackers' No. 1 target last year, hitting hotels even more than banks and other financial service company sites.

Read more ...