Friday, April 30, 2010

NSA Reviews Future Cybersecurity Techniques, Technologies and Challenges

Brian Krebs reports on a 605-page National Security Agency study from 2004. According to Krebs, the document "reads like a listing of the pros and cons for a huge array of defensive and counterintelligence approaches and technologies that an entity might adopt in defending its networks."


Read more and get the full report at KrebsOnSecurity.com ...

Thursday, April 29, 2010

Facebook's Social Web: Protecting Your Privacy

Facebook's introduction of Open Graph represents a new challenge for consumers. By default, you're now opted in to the company's new social sharing services, which stretch well beyond the confines of Facebook.com. If this concerns you -- and it should -- here are some links with advice on adjusting your privacy settings.

Watch a CNET Tech Minute: Take back your privacy from Facebook ...

Read PC World's advice on protecting your privacy on Facebook ... 

Read the NY Times guide on opting out of Facebook's instant personalization ...

Rapport: A Potential Tool for Lowering Risk of Online Bank Theft

Several banks are asking their online banking customers to use a security tool called Rapport. The tool, part of which installs on the user's workstation, is designed to block online bank theft attacks by ZeuS and other malicious software. Brian Krebs interviews Mickey Boodaei, CEO of Trusteer, the company that makes Rapport.

Read Brian's interview at KrebsOnSecurity.com ...

Congressman Asks FTC to Investigate Privacy Risks of Copy Machines

You may not know it, but modern copy machines contain hard drives that retain images of the documents they have copied or scanned, which means a discarded copier may hold tons of private or otherwise sensitive information. That's why Massachusetts Congressman Edward Markey has asked the Federal Trade Commission to investigate the risk to consumers posed by businesses that don't erase the memory of their copy machines before disposing of them. Expect a new set of regulations requiring businesses disposing of a copy machine to securely erase its hard drive, just as they are supposed to do for their PCs.

Read the story at the Washington Post ...

Watch the CBS News Report that broke the story: Copy Machines, a Security Risk?

Wednesday, April 28, 2010

Infamous Spam-Sending "Storm Worm" Stages a Comeback

Brian Krebs reports that the Storm Worm has once again surfaced. 18 months ago Storm Worm was responsible for approximately 20% of all spam. According to Krebs, "It remains unclear whether this Storm 2.0 strain will be as successful and prolific as its predecessor. But according to a blog post by security firm CA, the curators of the new Storm worm are very actively using the collection of PCs infected with this malware to once again relay junk e-mail advertising male enhancement pills and adult Web sites."

Read the story at KrebsOnSecurity.com ...

Tuesday, April 27, 2010

Report Shows Weaknesses in Anti-Virus Engines

Brian Krebs reports on a research report just released by Google on the increasing difficulty defenders have in countering cybercriminals who spread fake anti-virus programs, commonly known as scareware. Google's data shows that purveyors of scareware have aggressively stepped up their efforts to evade detection, both by legitimate anti-virus software and by Google's own malicious-site detection.

According to Google's Niels Provos, "We found that if you have anti-virus protection installed on your computer but the [malware detection] signatures for it are out-of-date by just a couple of days, this can drastically reduce the detection rates. It turns out that the closer you get to now, the commercial anti-virus programs were doing a much worse job at detecting pages that were hosting fake anti-virus payloads."

As to the danger, Krebs writes: "Fake anti-virus attacks use misleading pop-ups and videos to scare users into thinking their computers are infected and offer a free download to scan for malware. The bogus scanning programs then claim to find oodles of infected files, and victims who fall for the ruse often are compelled to register the fake anti-virus software for a fee in order to make the incessant malware warnings disappear. Worse still, fake anti-virus programs frequently are bundled with other malware. What’s more, victims end up handing their credit or debit card information over to the people most likely to defraud them."

Read the story and link to the Google report at KrebsOnSecurity.com ...

For what to do if you become a scareware victim, read Brian Krebs' tutorial here ...

Monday, April 26, 2010

Money Mules: The Final Link in Getting Your Money to the Cyberthief Who Stole It

One of the ways a cybercriminal steals money from a business is to transfer it, in amounts under $10,000 (small enough to stay below the level that draws mandatory bank reporting), to the bank accounts of money mules. The mules then withdraw the money, keep a percentage for themselves and send the rest to the cybercriminal by money order or another non-bank method. Brian Krebs provides a fascinating glimpse into how money mules are recruited.

Read the story at KrebsOnSecurity.com ...

Friday, April 23, 2010

Cybercriminals Learn to Hide Their Malware From Search Engines

By now you may have seen security alerts on web listings returned by a Google or Yahoo search. It's one of the ways search engines warn their users that a web site contains malicious software. Now Brian Krebs reports that cybercriminals have learned how to 'stealth' their malware so that it becomes invisible to the search engines' scanners while still infecting ordinary visitors.


Read the whole story at KrebsOnSecurity.com ... 

Analysis of 43 Online Bank Thefts Illustrates Diversity of Victims

Brian Krebs reports on an analysis of 43 on-line bank thefts showing that the preponderance of reported thefts is from the East Coast and Midwest. As these 43 online bank thefts represent a small fraction of  the total, it's impossible to make any generalizations from the data. Nevertheless, the data does show how varied the victims are. The only two things that victims have in common may be (1) that they were vulnerable and (2) they got caught up in the 'net' of some cybercriminal, no different from a tuna getting caught up in the net of a tuna boat.


Read the story at KrebsOnSecurity.com ...

Thursday, April 22, 2010

White House Moves to Focus Cybersecurity Strategy on Protection, Not Auditing

In a sign that the traditional information security audit was failing to control increasing cyber-risk, the Office of Management and Budget has ordered federal agencies to adopt a real-time approach to cyber threats. Under a memo issued Wednesday, agencies will be expected to continuously collect information on cyber threats and submit it to the Homeland Security Department, which will analyze the data and offer advice on best practices.

"Agencies have spent too much time, money and energy on generating paperwork that they end up filing away in these secure cabinets and they don't end up protecting systems," said Vivek Kundra, the government's chief information officer, in an interview published in Federal Times.

Kundra and Howard Schmidt, White House Cybersecurity Coordinator, said  that the new policy points toward continuous monitoring and patching of federal systems, and also toward the deployment of cybersecurity systems that better position the government against constantly evolving threats. 


Read the entire story and download the OMB Memo at Information Week ... 

Symantec 2009 Global Internet Security Threat Report

Symantec has published their 2009 Global Internet Security Threat Report. According to the report, the top web-based attacks in 2009 were on Internet Explorer and Adobe Acrobat/Reader. The report notes the growth in PDF attacks, from 11% of web-based attacks in 2008 to 49% in 2009. The report covers topics like threat activities, vulnerability trends, phishing and the underground economy.


Download the Executive Summary from Symantec ... 

Download the entire Report ...

Fire Alarm Company Burned by e-Banking Fraud

KrebsOnSecurity.com reports that a fire alarm company in Arkansas lost more than $110,000 when cybercriminals stole the firm's online bank credentials and drained its payroll account. The bank has told the company that the bank would not accept responsibility for the loss.

Read the story at KrebsOnSecurity.com ...

Cybercriminals Take Advantage of McAfee Snafu

Brian Krebs reports that searching for information about McAfee's bad update (see yesterday's blog post: McAfee Anti-Virus Software Locks up PCs) returns pages of results that, when visited, launch the come-ons that try to frighten visitors into purchasing bogus (if not also malicious) anti-virus products. The pages can also be booby-trapped so that unsuspecting users download and install malicious software on their PCs. Internet Explorer users are most at risk, as the booby-trapped pages simply would not load for users who follow our recommendation to use Firefox with the NoScript add-on enabled.

Read more at KrebsOnSecurity.com ... 
 

Wednesday, April 21, 2010

Social Engineering Case Study: Google Hackers Duped Their Victims

So how did Google and 30 other large companies get hacked? (See our blog post: Google Attacks Highlight Growing Problem of Cyber Security Threats.) Part of the answer is that the attackers duped everyone from system administrators with access to passwords to executives with access to intellectual property and other information, according to a report in the Washington Post. Social engineering attacks, in which cybercriminals exploit gullibility and other human weaknesses to gain illegitimate access to sensitive information, have become an increasingly common component of cybercriminal attacks.

Read the entire story at the Washington Post ... 

McAfee Antivirus Software Locks Up PCs

Several news sources report that McAfee's anti-virus software is erroneously detecting legitimate Windows system files as malicious, causing reboot loops and serious stability problems for many Windows XP users. I've talked to several clients who have experienced the same problem. One Citadel client had to rebuild over 100 affected computers, a complete waste of time for IT staff.

Read the whole story at KrebsOnSecurity.com ...

Tuesday, April 20, 2010

Health Care Survey: Slow Hospital Compliance with New Regulations Causing Increased Data Breaches & Medical Identity Theft

From the Spring 2010 National Survey of Hospital Compliance Executives conducted by Identity Forces:
  • Compliance continues to lag as nearly 85% of hospitals are NOT in compliance with the HITECH Act
  • Breaches are up over 120% from last year's survey
  • 41% of hospitals now have 10 or MORE data breaches annually
  • Potential patient ID fraud and misuse going un‐investigated as 34% of hospitals keep inadequate records
  • 48% of hospitals do not check to make sure vendors and business associates are in compliance with the HITECH act.

As medical consumers, should we be worried? You betcha! 

Download the report (PDF).

Thanks to Hal Amens for this story.

China-Google Controversy Illustrates Cloud Security Risk

Terry Corbell, The Biz Coach, explores the security implications of the China-Google controversy. Terry was kind enough to quote me about particular Cloud security challenges. Here's what I told Terry:

“As the story makes clear, businesses considering cloud services like those offered by Google, Amazon and others must ‘look before they leap’,” warns Internet security expert Stan Stahl, Ph.D., Citadel Information Group, Inc. “While it’s probably obvious to look at the security provided by the cloud provider, less obvious is that the business needs to also look at that part of security that will still be its responsibility, the part of security that the cloud service provider isn’t providing,” says Dr. Stahl, as the go-to security authority. “Security can never be a matter of looking at ‘this’ or ‘that.’ Security must always be about looking at ‘this’ and ‘that’,” he adds.

Read Terry's blog ...

Rent-a-Fraudster: A Fascinating Look at the Cybercrime Underworld

KrebsOnSecurity.com reports that a call service catering to online bank and identity thieves has been busted by U.S. and international authorities. The takedown provides a fascinating look at a special niche of service providers in the cybercrime underworld. Suppose, for example, you're a cybercriminal with a thick Russian accent, you have all the appropriate information about David Smith that his bank requires to transfer money, and you want to move $250,000 from David Smith's bank account but Smith's bank requires an out-of-band phone call with the bank before they'll release the money. To get your $250,000, you rent an English-speaking fraudster who calls the bank for you! Another rent-a-fraud service provides a password-protected Web site catering to customers with stolen credit cards. Yet a third Web site, appropriately named the "Fraud Shop," manages cybercriminal transactions at legitimate Web sites, even arranging for shipping stolen merchandise to mules.

Read the story at KrebsOnSecurity.com ...

GAO Report Says IRS Blasé About Cybersecurity

There's so much anger at the government that I'm almost embarrassed to post this, but it's an important illustration of just how bloody hard it is to effectively manage information systems security ... and why leadership is so very important. And why, perhaps, some of the anger is well-deserved. The GAO reports that sixty-nine percent of the 89 security weaknesses and deficiencies it identified during its fiscal year 2008 audit remain unresolved, and it depicts the IRS's attitude toward security as rather blasé.


Read the story at Information Week ... 

Mozilla Disables Insecure Java Plugin in Firefox

KrebsOnSecurity.com: Brian Krebs reports that Mozilla has disabled vulnerable versions of the Java Deployment Toolkit plugin for Firefox, which cybercriminals have been using to install malicious software on users' desktops. Mozilla is taking this action to protect Firefox users from the vulnerabilities in older versions of Java that we reported in our April 15th blog post: Java Patch Targets Latest Attacks. To make sure the plugin is disabled in Firefox, go to Tools, Add-ons and click the Plugins icon. If any Java plugins are listed, select the Toolkit and hit the "Disable" button.


Read more at KrebsOnSecurity.com ...

Monday, April 19, 2010

A Security Flaw in Palm Pre Demonstrates Need for Caution

Intrepidus Group announced that they've identified dangerous vulnerabilities in the Palm Pre WebOS. The vulnerabilities illustrate one more reason why we would NEVER use an off-the-shelf mobile device for online banking or anything else really sensitive. Even if the on-line bank app was written without security flaws [which is more than doubtful], flaws in the underlying OS [or Trojan horses embedded in other apps] just make it way too dangerous. Don't be lulled by the fact that Palm has already released an update to WebOS. Remember the mantra: All complex software is flawed and has vulnerabilities.

Read more at V3.co.uk ...

California Senate Passes Strengthened Data Breach Disclosure Law

Information Week reports that the California Senate has passed SB-1186, a new data breach disclosure law that would require a breach notification letter to include the type of information exposed, a description of the breach, and steps potential victims can take to mitigate risks.

Read the story at Information Week ...

Changing Culture Improves Organization's Data Privacy and Information Security Program

From a recent report by the renowned Ponemon Institute: there is a "strong correlation between an organization’s level of respect for an individual’s personal data and the likelihood that the organization will suffer a data breach. By establishing an environment within an organization that encourages employees to see data as an extension of the customer and not merely something owned by the company, thereby fostering the development of a “culture of caring,” data privacy and information security programs become more effective."

Download the Ponemon Report ...

Download our paper "Beyond Awareness Training: It's Time to Change the Culture" from our web site ...

Visitors to Web Sites Hosted by Network Solutions Again at Risk

KrebsOnSecurity.com reports that Network Solutions has again been hacked. The cybercriminals installed malicious software on web sites hosted by Network Solutions, putting visitors to those sites at risk of having their computers taken over, which would let the criminals steal online bank and credit card passwords and other sensitive information.


Read the story at KrebsOnSecurity.com ...

Friday, April 16, 2010

$500 Buys Entry-Level Cybercrime Exploit Pack

The iPack may sound like Steve Jobs' next great product, but don't be fooled. It's a new custom exploit pack for sale to cybercriminals at prices starting at $500. Like many other exploit kits, the iPack makes it easy for hackers to booby-trap web sites with code that installs malicious software. Other exploit kits are available to cybercriminals to make it easy to exploit workstation weaknesses such as missing patches.

Read the story at KrebsOnSecurity.com ...

Thursday, April 15, 2010

Java Patch Targets Latest Attacks

KrebsOnSecurity.com: Oracle Corp. has shipped Java 6 Update 20, a new version of its Java software that nixes a feature in Java that hackers have been using to foist malicious software. The best advice is to turn off Java in your browser, but if you believe you need it, then make sure to keep it patched.

Read more at KrebsOnSecurity.com ...

Download Java Update ...



Thursday, April 8, 2010

U.K. Approves Crackdown on Internet Pirates

NewYorkTimes: The British Parliament on Thursday approved plans to crack down on digital media piracy by authorizing the suspension of repeat offenders’ Internet connections.

Read more at The New York Times ... 

Wednesday, April 7, 2010

In cyberwar, who's in charge?

This Business Week article continues the public dialogue we need so we can find the common cyber-ground needed to prevail against cyberwar, cyberterrorism and cybercrime.

Read more at Business Week ...

ISP Privacy Proposal Draws Fire

Brian Krebs reports that the American Registry for Internet Numbers (ARIN), one of the five regional registries worldwide that allocate blocks of Internet addresses, is considering a proposal to ease rules that require ISPs to publish address and phone number information for their business customers. The proposal is drawing strong criticism from information systems security professionals, as it would make it harder to fight spam, malware and other forms of cybercriminal activity.

Read more at KrebsOnSecurity.com ...

Cybersecurity Coordinator Howard Schmidt: Private Sector Key to Stopping Google-style Attacks

Speaking at CSO Perspectives 2010, White House Cybersecurity Coordinator Howard Schmidt says the information security community is right to be spooked by massive, coordinated attacks that recently targeted Google. But he believes the best defense remains in the hands of the private sector. "You guys have been carrying the water," Schmidt told attendees at CSO Perspectives 2010. "The government can do a lot to improve the nation's cyber defenses. But ultimately," he said, "the key to warding off attacks like the one Google experienced remains private-sector vigilance." ... "I see this as a whole range of threats we have to deal with -- everything from script kiddies to organized crime and everything in between," he said. "There are a lot of different actors we need to worry about, and we have to work harder to reduce the number of vulnerabilities out there so we can stop all of them, whoever and wherever they are."

Read more at Network World ...

Tuesday, April 6, 2010

Computer Crooks Steal $100,000 from Ill. Town

Brian Krebs reports on another online bank theft, this one the small Village of Summit, just outside Chicago. In addition to the village's loss, Krebs also notes that crooks recently stole $100,000 from the New Jersey township of Egg Harbor; $130,000 from a public water utility in Arkansas; $378,000 from a New York town; $160,000 from a Florida public library; $500,000 from a New York middle school district; and $415,000 from a Kentucky county.

Read the full story at KrebsOnSecurity.com ...

Researchers begin work on 'sophisticated' security for healthcare IT

Healthcare IT News reports that the Information Trust Institute (ITI) at the University of Illinois at Urbana-Champaign has received $15 million to lead a multi-university consortium of researchers to create technology that will make electronic health record systems and health data exchange secure enough to gain the confidence of doctors and patients.

Read the story at Healthcare IT News ...

Thanks to Hal Amens for this story.

e-Banking Guidance for Banks & Businesses

KrebsOnSecurity.com: One of Krebs' sources was recently at a conference where one of the key speakers was a senior official from the Office of the Comptroller of the Currency, one of the main banking industry regulators. ... According to Krebs' source, the OCC official stressed the following points:
  • Authentication (including token based/one-time password generators) is only one layer of control. Out of band (also being called 3rd factor) verification such as call backs, fax, etc…  is still highly recommended.
  • Businesses and banks should require dual controls.
  • Establish and monitor exposure limits.  You may want to consider 2 limits – lower limits for authentication only, higher limit with out-of-band verification.
  • Set up alerts to your customers so they know when a transaction has been initiated.
  • Have a relatively low limit (less than 9K) for daily reporting.
  • Monitor for “money mule” activity, typified by the presence of one or more of the following:

    • New accounts that are opened by a customer with a small deposit, followed shortly by one or more large deposits by ACH credit or wire transfer.
    • An existing account with a sudden increase in the number and dollar amounts of deposits by ACH credit or wire transfer.
    • A new or existing account holder that withdraws a large amount of cash shortly after a large deposit (often 5% to 10% less than the deposit).
  • Examiners will be looking at this hard at your next exam: They will be looking for a combination of controls; authentication, verification, limits, risk management and monitoring.
  • Educate your customers but do not rely on customer controls.
  • Recommend to customer that they set up a single use computer specifically for online banking and nothing else.
  • Don’t let marketing “over promise” and “under deliver”. For example, “Business banking on-line, anywhere, anytime at the touch of the key” encourages customers to not worry about security (i.e. connecting onto unsecured wireless networks).
  • Have an Incident Response plan specifically for situations of this type.
  • The FBI is interested. There are currently more than 250 ongoing investigations. If your bank/customer experiences an ACH attack, contact the Cyber Supervisor at the local FBI office. They have been given guidance in how to respond and report.
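
The three money-mule indicators in the list above, applied to a constructed transaction ledger. This is an added example, not code from KrebsOnSecurity or the OCC; the thresholds (what counts as a "small" opening deposit or a "large" credit, the 30-day and 7-day windows, the 3x spike factor, the 0% to 15% cash-out band) and the three sample accounts are assumptions chosen for illustration. The flagged accounts are meant as a queue for a human reviewer, not a block list.

```python
from collections import defaultdict
from datetime import date, timedelta

# Thresholds are assumptions for this example, not figures from the OCC
# guidance, except the "5%-10% less than the deposit" cash-out pattern,
# which is widened here to a 0%-15% band.
SMALL_OPENING_DEPOSIT = 500.0          # "small deposit" at account opening
LARGE_INBOUND = 5_000.0                # "large" ACH credit or incoming wire
NEW_ACCOUNT_WINDOW = timedelta(days=30)
CASH_OUT_WINDOW = timedelta(days=7)
SPIKE_FACTOR = 3.0                     # last 30 days vs. prior 90-day baseline
INBOUND = {"ACH_CREDIT", "WIRE_IN"}


def _by_account(ledger):
    """Group (account, date, type, amount) rows by account, sorted by date."""
    accounts = defaultdict(list)
    for acct, when, kind, amount in ledger:
        accounts[acct].append((when, kind, float(amount)))
    for rows in accounts.values():
        rows.sort()
    return accounts


def new_account_funnel(rows):
    """Indicator 1: small opening deposit, then large ACH/wire credits soon after."""
    opened, kind, amount = rows[0]
    if kind != "OPEN_DEPOSIT" or amount > SMALL_OPENING_DEPOSIT:
        return None
    hits = [r for r in rows[1:] if r[1] in INBOUND and r[2] >= LARGE_INBOUND
            and r[0] - opened <= NEW_ACCOUNT_WINDOW]
    return hits or None


def inbound_spike(rows, as_of):
    """Indicator 2: sudden jump in both count and dollars of ACH/wire credits,
    measured as the last 30 days against the 90 days before that (per 30 days)."""
    recent_start = as_of - timedelta(days=30)
    prior_start = as_of - timedelta(days=120)
    recent = [r for r in rows if r[1] in INBOUND and recent_start < r[0] <= as_of]
    prior = [r for r in rows if r[1] in INBOUND and prior_start < r[0] <= recent_start]
    if not prior:                      # no history: indicator 1 covers new accounts
        return None
    base_count, base_sum = len(prior) / 3.0, sum(r[2] for r in prior) / 3.0
    recent_sum = sum(r[2] for r in recent)
    if len(recent) >= SPIKE_FACTOR * base_count and recent_sum >= SPIKE_FACTOR * base_sum:
        return (len(recent), recent_sum, base_count, base_sum)
    return None


def rapid_cash_out(rows):
    """Indicator 3: large cash withdrawal within days of a large deposit, for
    roughly the deposited amount (the mule keeps a small cut)."""
    hits = []
    for when, kind, amount in rows:
        if kind not in INBOUND or amount < LARGE_INBOUND:
            continue
        for w_when, w_kind, w_amount in rows:
            if (w_kind == "CASH_OUT" and timedelta(0) <= w_when - when <= CASH_OUT_WINDOW
                    and 0.85 * amount <= w_amount <= amount):
                hits.append((when, amount, w_when, w_amount))
    return hits or None


def find_mule_indicators(ledger, as_of):
    """Return {account: {indicator: detail}} for every account that trips a rule."""
    flagged = {}
    for acct, rows in _by_account(ledger).items():
        found = {name: detail for name, detail in (
            ("new_account_funnel", new_account_funnel(rows)),
            ("inbound_spike", inbound_spike(rows, as_of)),
            ("rapid_cash_out", rapid_cash_out(rows))) if detail}
        if found:
            flagged[acct] = found
    return flagged


# Constructed sample ledger, not real data: (account, date, type, amount).
SAMPLE_LEDGER = [
    # M-1001: opened with $50, $9,400 ACH credit three days later, $8,600 cashed out next day
    ("M-1001", date(2010, 3, 1), "OPEN_DEPOSIT", 50),
    ("M-1001", date(2010, 3, 4), "ACH_CREDIT", 9_400),
    ("M-1001", date(2010, 3, 5), "CASH_OUT", 8_600),
    # M-2002: established account, ~$1,200 a month inbound, then three large credits in one week
    ("M-2002", date(2009, 11, 15), "ACH_CREDIT", 1_200),
    ("M-2002", date(2009, 12, 15), "ACH_CREDIT", 1_200),
    ("M-2002", date(2010, 1, 15), "ACH_CREDIT", 1_200),
    ("M-2002", date(2010, 3, 2), "WIRE_IN", 9_800),
    ("M-2002", date(2010, 3, 3), "ACH_CREDIT", 9_500),
    ("M-2002", date(2010, 3, 4), "ACH_CREDIT", 9_700),
    # C-3003: ordinary business, $25,000 opening deposit, $12,000 receivable monthly, small cash draw
    ("C-3003", date(2009, 10, 1), "OPEN_DEPOSIT", 25_000),
    ("C-3003", date(2010, 3, 3), "CASH_OUT", 2_000),
] + [("C-3003", date(y, m, 1), "ACH_CREDIT", 12_000)
     for y, m in ((2009, 11), (2009, 12), (2010, 1), (2010, 2), (2010, 3))]
AS_OF = date(2010, 3, 10)


def demo():
    return find_mule_indicators(SAMPLE_LEDGER, AS_OF)


if __name__ == "__main__":
    for acct, hits in demo().items():
        print(acct, sorted(hits))
```

Run as a script it lists M-1001 (new-account funnel plus rapid cash-out) and M-2002 (inbound spike) and leaves the ordinary business account C-3003 alone. In practice the thresholds should be tuned per institution, and the rules are cheap enough to run nightly over the full ACH and wire credit history rather than on a sample.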

Read more at KrebsOnSecurity.com ...

Security Updates for Foxit, QuickTime/iTunes

KrebsOnSecurity.com: Foxit Software has issued an update to make it easier for users to spot PDF files that may contain malicious content. Also, Apple has pushed out new versions of QuickTime and iTunes that correct nearly two dozen security problems in those programs.

Read more at KrebsOnSecurity.com ...

Monday, April 5, 2010

Cyber Security Survey Finds Businesses' Most Valuable Data at Risk

The survey, conducted by Forrester Consulting, identified two primary types of information needing to be secured: (1) sales lists, strategies and other secrets conferring competitive advantage and (2) custodial information, like credit card numbers, that a business must protect on others' behalf. One of the survey's conclusions: security investment is weighted toward compliance and away from protecting the data that matters most.
 
Read more at eSecurity Planet ...

Cybercriminals Find Way to Test Malware Before Launching an Attack

How does a cybercriminal make sure that the malware attack he's about to launch won't get blocked by anti-malware products? The cybercriminal can't turn to legitimate malware testing sites since they report malware to the major anti-malware makers. Brian Krebs has uncovered a malware testing site that keeps its mouth shut.


Read more at KrebsOnSecurity.com ... 

Friday, April 2, 2010

Java Patch Plugs 27 Security Holes

KrebsOnSecurity.com: A new version of Java is available that fixes at least 27 security vulnerabilities in the ubiquitous software. ... To see which version of Java you have installed, visit this link and click the “Do I Have Java?” link under the big red “Free Java Download” button. The newest version that includes these 27 fixes is Java 6 Update 19.
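
A version check that this post (Update 19) and the April 15th post (Update 20) both call for, written here as an added example rather than anything from KrebsOnSecurity or Oracle. It parses the `java -version` banner into a numeric tuple so that update numbers compare correctly; the required version is a parameter, the sample banners are constructed, and the `installed_java_version` helper that shells out to `java` is an assumption for use on a real host.

```python
import re
import subprocess

# Matches 1.6.0_20, 1.6.0_20-b02 (build suffix ignored) and the GA form 1.6.0
# (no update number, treated as update 0).
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:_(\d+))?")


def parse_java_version(banner):
    """Return (major, minor, micro, update) from `java -version` text, or None."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    return tuple(int(g or 0) for g in m.groups())


def check_java(banner, required=(1, 6, 0, 20)):
    """Classify a version banner against the minimum patched release.

    Tuples compare numerically, so 1.6.0_9 < 1.6.0_20 comes out right; a plain
    string comparison ("1.6.0_9" > "1.6.0_20") would call the old build current.
    """
    installed = parse_java_version(banner)
    if installed is None:
        return "not-found"
    return "ok" if installed >= required else "outdated"


def installed_java_version():
    """Run `java -version` on this machine (assumed present) and parse its output.

    The banner goes to stderr, so both streams are read. Returns None if java
    is missing or does not answer.
    """
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True,
                              text=True, timeout=10)
    except (OSError, subprocess.TimeoutExpired):
        return None
    return parse_java_version(proc.stderr + proc.stdout)


# Constructed banners (not captured from real hosts) covering the cases above.
SAMPLE_BANNERS = {
    "host-a": 'java version "1.6.0_19"',
    "host-b": 'Java(TM) SE Runtime Environment (build 1.6.0_20-b02)',
    "host-c": 'java version "1.6.0"',
    "host-d": 'java version "1.6.0_9"',
    "host-e": "bash: java: command not found",
}


def audit(banners=SAMPLE_BANNERS, required=(1, 6, 0, 20)):
    """Map each host to ok / outdated / not-found."""
    return {host: check_java(text, required) for host, text in banners.items()}


if __name__ == "__main__":
    for host, status in audit().items():
        print(f"{host}: {status}")
```

Feed it the banners collected from each workstation (for example from a login script that redirects `java -version 2>&1` into a file) and the "outdated" hosts are the patch list. Note that the browser plugin can lag the JRE on a machine with several Java installs, so a clean result here does not replace checking the plugin list in the browser itself.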

Read more at KrebsOnSecurity.com ...

Thursday, April 1, 2010

Cybercrime Gangs Fight Each Other Over Desktops

KrebsOnSecurity.com: It’s common for malware writers to taunt one another with petty insults nested within their respective creations. Competing crime groups also often seek to wrest infected machines from one another. A very public turf war between those responsible for maintaining the Netsky and Bagle worms back in 2005, for example, caused a substantial increase in the volume of threats generated by both gangs. ... The latest rivalry appears to be budding between the authors of the Zeus Trojan — a crime kit used by a large number of cyber thieves — and “SpyEye,” a relatively new kit on the block that is taking every opportunity to jeer at, undercut and otherwise siphon market share from the mighty Zeus. ... Symantec alluded to this in a February blog post that highlighted a key selling point of the SpyEye crimeware kit: If the malware created with SpyEye lands on a computer that is already infected with Zeus, it will hijack and/or remove the Zeus infection.
 
Read more at KrebsOnSecurity.com ... 



Washington State Law Requires PCI Compliance; Allows Banks to Recover Data Breach Costs

eSecurity Planet: Washington last week became the third state to pass legislation that will allow banks to recover certain costs and damages from retailers and credit card processors that suffer data breaches after failing to comply with current Payment Card Industry (PCI) standards. ...The law, which goes into effect on July 1 in Washington, follows similar laws passed in the states of Minnesota and Nevada and marks a fundamental change in the way government and private sector industries assign responsibility and accountability for preventing identity theft.

Read more at eSecurity Planet ...