
Thursday, November 18, 2010

Beware of Holiday Season Phishing Scams and Malware Campaigns

US-CERT is receiving reports of an increased number of phishing scams and malicious software campaigns that take advantage of the winter holiday and holiday shopping season. We urge users to be on their guard and mindful that an email message could be part of a phishing scam or malware campaign.

Users are urged to be sensitive to:
  • Electronic greeting cards that may contain malware
  • Requests for charitable contributions that may be phishing scams and may originate from illegitimate sources claiming to be charities
  • Movie clips, screensavers or other forms of media that may contain malware
  • Credit card applications that may be phishing scams or identity theft attempts
  • Online shopping advertisements that may be phishing scams or identity theft attempts from bogus retailers

We strongly urge users to protect themselves during the holiday season:
  • Don't follow unsolicited web links in email messages. Consider running Firefox with the NoScript add-on.
  • Use caution when opening email attachments. Is the email from someone you know? Was the email expected? When in doubt, don't.
  • Maintain up-to-date antivirus and anti-spyware software.
  • Keep your systems patched. Be careful of the latest vulnerabilities. Follow our Weekly Vulnerability and Patch Report, published on our blog, Citadel on Security.

    Friday, September 17, 2010

    Interpol Says Cybercrime is "World's Most Dangerous Criminal Threat"

    Concerned with the growing threat from an estimated $105-billion illegal business, 300 top law enforcement officials from 56 countries met in Hong Kong for the first ever national police anti-cybercrime conference.

    Ronald K. Noble, secretary general of Interpol, told the assembled law enforcement officials that "considering the anonymity of cyberspace, it may in fact be one of the most dangerous criminal threats we will ever face."

    More on this story is available from Yahoo News.

    Monday, June 14, 2010

    Free WiFi at Starbucks — Reminder of Cybersecurity Risk

    The New York Times reports that Starbucks will begin offering free WiFi on July 1. This makes it a good time to remind everyone about the need to be cautious when using public Wi-Fi. While the most common risk is eavesdropping, one cannot overlook the risk of computer compromise. Here are five basic rules anytime you're on a WiFi network whose security cannot be verified:
    1. No online banking or other eCommerce
    2. No email containing sensitive information except via an approved encrypted link from PC to Mail Server
    3. Keep anti-virus or host intrusion prevention software (better) up-to-date
    4. Make sure software patches are up-to-date
    5. Use VPN for access to office

      Thursday, April 29, 2010

      Congressman Asks FTC to Investigate Privacy Risks of Copy Machines

      You may not know it but copy machines have computer memories, which means they may store tons of private or otherwise sensitive information. That's why Massachusetts Congressman Edward Markey has asked the Federal Trade Commission to investigate the risk to consumers posed by businesses that don't take steps to erase the memory of their copy machines. Expect a new set of regulations requiring businesses disposing of a copy machine to securely erase its hard drive, just like they are supposed to do for their PCs.

      Read the story at the Washington Post ...

      Watch the CBS News Report that broke the story: Copy Machines, a Security Risk?

      Wednesday, March 31, 2010

      Separating April Fools’ From Fraud on the Web

      NewYorkTimes: On the Internet, every day is April Fools’ Day. ... Thinking about how people get fooled on April 1 is a good way to prepare for the year-round attempts by swindlers to bamboozle the naïve, the witless and those who just aren’t paying close attention. In other words, all of us. ... The same themes run through the e-mail solicitations of Nigerian princes waiting to share their riches, messages by banks to type in your PIN or frantic pleas from Facebook friends trapped overseas without any money. ... How do you tell the real from the surreal today?

      Read more at the New York Times ...

      Monday, March 29, 2010

      Facebook Proposes Changes in Privacy Policy to Share User Data with Other Sites

      WashingtonPost: On Friday afternoon, Facebook announced a set of proposed changes to its privacy policy that could allow the popular social network to share more of its users' data with other sites without first getting their approval. ... The move builds on the Palo Alto, Calif., company's December revision of its privacy rules that made far more user information -- including individual status updates -- public by default. Under the new proposal, Facebook could then provide that data to "pre-approved third party websites and applications" unless a user opted out of that feature.

      Read more at the Washington Post ...

      Friday, March 26, 2010

      New Inexpensive "Sniffer" Captures Keystrokes From Wireless Devices

      TheRegister: Kit attacks Microsoft keyboards (and a whole lot more). ... Security researchers on Friday unveiled an open-source device that captures the traffic of a wide variety of wireless devices, including keyboards, medical devices, and remote controls. ... Keykeriki version 2 captures the entire data stream sent between wireless devices using a popular series of chips made by Norway-based Nordic Semiconductor. That includes the device addresses and the raw payload being sent between them. The open-source package was developed by researchers of Switzerland-based Dreamlab Technologies and includes complete software, firmware, and schematics for building the $100 sniffer.

      Read more at The Register ...

      Sunday, March 14, 2010

      Identity theft may be prelude to more serious crime

      Los Angeles Times: Identity theft may be the financial world's equivalent of a staph infection. Just when you thought you had a handle on protecting your identity from criminals, the crime has morphed into something new and far more toxic. ... identity criminals are now using your information as they commit felonies, including child abuse and terrorism. Others are using your records to file fraudulent medical claims, experts say. These new forms of identity theft are nearly invisible until they cause serious problems.

      Read more ...

      Tuesday, March 9, 2010

      Verisign: Security Solutions Overwhelming to Consumers

      "Consumers are overwhelmed and frustrated by all the security solutions out there," said Verisign's (NASDAQ: VRSN) Jim Bidzos, who organized the first RSA Conference in 1991. "In fact some of the security tools we offer are nearing the point of negative returns." ... "It's time we started thinking about security as only part of the solution and ask what users really need from us. Today users are faced with pop-ups and all sorts of security procedures designed to make them feel more secure, but may simply frustrate them and question whether the Internet is safe," he said. ... In fact, Bidzos said the results from multiple surveys that asked consumers whether they thought the Internet is safe "indicates we're not quite there yet."

      Read more ...

      Source: eSecurity Planet


      Friday, March 5, 2010

      New Massachusetts Data Privacy Law

      darkREADING: Massachusetts Data Privacy Law went into effect on March 1, focuses on prevention. ... After regulators granted more than a year's delay of compliance enforcement, the Massachusetts Data Privacy Law 201 CMR 17 finally went into effect on March 1. Unlike most of today's state-based data privacy laws, which primarily focus on public disclosure once a breach occurs, the new Massachusetts law prescribes that more stringent protective measures be taken to prevent breaches from occurring in the first place. ... The primary regulatory drive behind the new law is to ensure companies have an overarching security policy framework and the means to enforce the policy in order to protect sensitive data stores.

      Read more ...

      Friday, February 26, 2010

      Mass. Privacy Law: Are You Compliant?

      BankInfoSecurity: Monday, March 1, was the deadline for entities doing business in Massachusetts to comply with a tough new state law designed to safeguard residents' personal information. ... The new law, Massachusetts identity theft regulations, 201 Code of Massachusetts Regulations 17.00, applies to any individual, company or organization that handles personal information in connection with employment or the sale of goods or services. Under the law, Massachusetts will require any entity that stores or transmits residents' personal information to encrypt the data when it's stored on portable devices or transmitted via the Internet. ... The state's goal is to stop data breaches that in the last two years exposed the personal information of more than 1.05 million people in Massachusetts.

      Read more ...

      Monday, February 22, 2010

      Widespread Data Breaches Uncovered by FTC Probe. FTC Warns of Improper Release of Sensitive Consumer Data on P2P File-Sharing Networks.

      FTC: The Federal Trade Commission has notified almost 100 organizations that personal information, including sensitive data about customers and/or employees, has been shared from the organizations’ computer networks and is available on peer-to-peer (P2P) file-sharing networks to any users of those networks, who could use it to commit identity theft or fraud. The agency also has opened non-public investigations of other companies whose customer or employee information has been exposed on P2P networks. ... “Unfortunately, companies and institutions of all sizes are vulnerable to serious P2P-related breaches, placing consumers’ sensitive information at risk. For example, we found health-related information, financial records, and drivers’ license and social security numbers--the kind of information that could lead to identity theft,” said FTC Chairman Jon Leibowitz. “Companies should take a hard look at their systems to ensure that there are no unauthorized P2P file-sharing programs and that authorized programs are properly configured and secure. Just as important, companies that distribute P2P programs, for their part, should ensure that their software design does not contribute to inadvertent file sharing.”

      Read more ...

      Friday, February 5, 2010

      Consumer Electronics Company Agrees to Settle Data Security Charges; Breach Compromised Data of Hundreds of Consumers

      FTC: An online seller of computer supplies and other consumer electronics has agreed to settle Federal Trade Commission charges that it violated federal law by failing to provide reasonable security to protect sensitive customer data. ... According to the FTC’s complaint, Compgeeks.com (Compgeeks), which operates the www.geeks.com Web site, and its parent company, Genica Corporation (Genica), collect sensitive information from consumers to obtain authorization for credit card purchases. ... In January 2008, media reports revealed a data breach at the company. It was later confirmed that hackers accessed the sensitive information of hundreds of consumers. ... The proposed settlement ... requires them to implement and maintain a comprehensive information-security program that includes administrative, technical, and physical safeguards. It also requires the companies to obtain, every other year for 10 years, an audit from a qualified, independent, third-party professional to ensure that the security program meets the standards of the order. In addition, the proposed settlement contains standard record-keeping provisions to allow the FTC to monitor compliance.

      Read more ...