Showing posts with label Ray of Sunshine. Show all posts

Monday, October 4, 2010

"Go Blue" Ends D.C. Online Voting Trial

The Washington Post reports that—as part of a security test—a team of students from The University of Michigan hacked D.C.'s new Internet-based voting system. The "White Hat" hackers from Michigan compromised the system so that after a vote was cast the Web site played The University of Michigan fight song, "The Victors."

According to the Post, Jeremy Epstein, a computer scientist working with the Common Cause good-government nonprofit on online voting issues, said "the fight song is a symptom of deeper vulnerabilities. ... In order to do that, they had to be able to change anything they wanted on the Web site."

Because of the hack, Paul Stenbjorn, the Board of Elections' chief technology officer, said a portion of the Internet voting pilot—which was expected to be rolled out this month—is being temporarily scrapped.

The good news, of course, is that to ensure election integrity, D.C. took the opportunity to open its election web-site to community testing. That the vulnerability was found and exploited by a team of students from my Alma Mater is icing on the cake. That they rigged the system to play The Victors is the maraschino cherry on top. Go Blue!

The bad news—and one that every organization having a web site has to pay attention to—is that web-sites, like software everywhere, are buggy. That's why this story is a good reminder to all organizations of the importance of effectively managing cybersecurity risk.

Friday, October 1, 2010

October is National Cybersecurity Awareness Month

October 2010 marks the seventh annual National Cybersecurity Awareness Month. This year's theme—Our Shared Responsibility—reflects two facts about cybersecurity:

1. The cybersecurity threat has become one of the most serious economic and national security challenges we face. America’s competitiveness and economic prosperity in the 21st century will depend on effective cybersecurity. Every business, not-for-profit, school, government organization and individual is at risk.

2. Every Internet user has a role to play in securing cyberspace and ensuring the safety of ourselves, our families, and our communities online.

Cybersecurity Awareness Month is sponsored by the National Cybersecurity Alliance (NCSA)—a nonprofit dedicated to fostering a culture of cybersecurity—along with the U.S. Department of Homeland Security and the Multi-State Information Sharing and Analysis Center, a cybersecurity prevention and protection collaboration for state and local governments.

As cybersecurity management consultants, Citadel Information Group is proud to join with the Los Angeles Chapter of the Information Systems Security Association, ISACA-LA, InfraGARD-Los Angeles, the LA Chapter of the Open Web Application Security Project (OWASP), and other Los Angeles information security organizations in working together to help keep our community safe from cybercrime.

Friday, September 17, 2010

Interpol Says Cybercrime is "World's Most Dangerous Criminal Threat"

Concerned with the growing threat from an estimated $105 billion illegal business, 300 top law enforcement officials from 56 countries met in Hong Kong for the first ever national police anti-cybercrime conference.

Ronald K. Noble, secretary general of Interpol, told the assembled law enforcement officials that "considering the anonymity of cyberspace, it may in fact be one of the most dangerous criminal threats we will ever face."

More on this story is available from Yahoo News.

Wednesday, June 23, 2010

Computing Now's Gary McGraw interviews Richard Clarke

From Computing Now's Website: Gary McGraw talks with Richard A. Clarke. Clarke is an internationally-recognized expert on security, including homeland security, national security, cyber security, and counterterrorism. Gary and Richard discuss what needs to change in order for the United States to focus more attention on defense against cyber war (as opposed to offense). They also discuss the importance of software security in preventing cyber crime and cyber war, network scanning as a part of Dick’s "Defensive Triad," and balancing cybersecurity against individual liberty.

Watch Gary McGraw's interview with Richard Clarke.

Thanks to John Cosgrove for this story.

Wednesday, May 19, 2010

US regulators form plans to encourage banks to better protect customers from online fraud

SC Magazine is reporting that "a panel with representatives from the FDIC, the Federal Reserve System and other agencies is reacting to the rapid evolution of malicious computer programs designed to drain accounts. Among its plans is to require financial institutions to contact customers through means beside the internet, following European banks actions in placing calls to clients' mobile phones to ensure that they intend to transfer money."

Read the entire story at SC Magazine.

Thanks to Richard Greenberg for this story.

Thursday, April 29, 2010

Rapport: A Potential Tool for Lowering Risk of Online Bank Theft

Several banks are asking their online bank customers to use a security tool called Rapport. The tool, part of which installs on user workstations, is designed to block online bank theft attacks from ZeuS and other malicious software. Brian Krebs interviews Mickey Boodaei, CEO of Trusteer, the company making Rapport.

Read Brian's interview at KrebsOnSecurity.com ...

Tuesday, April 20, 2010

Mozilla Disables Insecure Java Plugin in Firefox

KrebsOnSecurity.com: Brian Krebs reports that Mozilla has disabled vulnerable versions of the Java Development Toolkit for Firefox that cybercriminals have been using to install malicious software on users' desktops. Mozilla is taking this action to protect Firefox users from the vulnerabilities in older versions of Java that we reported in our April 15th blog post: Java Patch Targets Latest Attacks. To make sure Java is disabled in Firefox, go to Tools, Add-ons and click the Plugins icon. If any Java Plugins are listed, select the Toolkit and hit the “Disable” button.

Read more at KrebsOnSecurity.com ...

Monday, April 19, 2010

Changing Culture Improves Organization's Data Privacy and Information Security Program

From a recent report by the renowned Ponemon Institute: there is a "strong correlation between an organization’s level of respect for an individual’s personal data and the likelihood that the organization will suffer a data breach. By establishing an environment within an organization that encourages employees to see data as an extension of the customer and not merely something owned by the company, thereby fostering the development of a “culture of caring,” data privacy and information security programs become more effective."

Download the Ponemon Report ...

Download our paper "Beyond Awareness Training: It's Time to Change the Culture" from our web site ...

Thursday, April 1, 2010

Washington State Law Requires PCI Compliance; Allows Banks to Recover Data Breach Costs

eSecurity Planet: Washington last week became the third state to pass legislation that will allow banks to recover certain costs and damages from retailers and credit card processors that suffer data breaches after failing to comply with current Payment Card Industry (PCI) standards. ...The law, which goes into effect on July 1 in Washington, follows similar laws passed in the states of Minnesota and Nevada and marks a fundamental change in the way government and private sector industries assign responsibility and accountability for preventing identity theft.

Read more at eSecurity Planet ...

Thursday, March 11, 2010

Dozens of ZeuS Botnets Knocked Offline

KrebsOnSecurity: Security experts are tracking a massive drop in the global number of control servers for various ZeuS botnets that are online, suggesting that a coordinated takedown effort may have been executed by law enforcement and/or volunteers from the security research community acting in tandem.

Read more ...

Friday, February 26, 2010

Organiser of Darkmarket fraud website jailed

BBC: A man who created a website trading in stolen financial information linked to tens of millions of pounds in losses has been jailed for nearly five years. ... Renukanth Subramaniam, 33, founded Darkmarket, a "Facebook for fraudsters" where criminals could buy and sell credit card details and bank log-ins. ... The site was shut down in 2008 after an FBI agent infiltrated it, leading to more than 60 arrests worldwide.

Read more ...

Wednesday, November 18, 2009

UK Police Reveal Arrests Over Zeus Banking Malware

What's happening: British police said Wednesday they've made the first arrests in Europe of two people for using Zeus, a malicious software program often used in sophisticated online bank fraud. When installed on a PC, Zeus can send spam, steal financial or other data or conduct a distributed denial-of-service attack against other computers. Machines infected with Zeus are essentially a botnet.

What it means: While it's good to get these two cybercriminals off the street, the total effect is like taking a glass of water out of the ocean.

What to do: Celebrate that these two are in jail. Then go back to protecting sensitive business and family information. The battle is far from over.

Two held in global PC fraud probe

Tuesday, September 1, 2009

5 More Indicted in Probe of International Carding Ring

Threat Level; Wired Magazine: Five eastern European men were indicted in New York on Monday as part of an international ring allegedly responsible for at least $4 million in credit card theft.

The ring, which authorities dubbed the Western Express Cybercrime Group, operated between 2001 and 2007 and trafficked in at least 95,000 known stolen credit card numbers, including some belonging to victims in New York, where the case is being prosecuted by the Manhattan District Attorney’s office.

The ring allegedly operated an online carding forum called the International Association for the Advancement of Criminal Activity, where thieves trafficked in stolen credit card numbers and other information. The defendants also allegedly forged credit cards using stolen numbers, and turned them into cash with the unwitting help of eBay users.

http://www.wired.com/threatlevel/2009/09/westernexpress/

Friday, August 28, 2009

Hacker to Plead Guilty in Major Identity Theft Case

Washington Post: Computer hacker Albert Gonzalez, accused of masterminding one of the largest cases of identity theft in U.S. history, agreed Friday to plead guilty and serve up to 25 years in federal prison.

Albert Gonzalez of Miami was charged with conspiracy, wire fraud and aggravated identity theft in federal courts in New York and Boston. Court documents filed in federal court in Boston indicate that the 28-year-old agreed to plead guilty to 19 counts and to have the two cases combined in federal court in Massachusetts.

http://www.washingtonpost.com/wp-dyn/content/article/2009/08/28/AR2009082803779.html

Monday, August 17, 2009

TJX Hacker Indicted in Heartland, Hannaford Breaches

Brian Krebs; Washington Post: A federal grand jury has indicted three individuals for allegedly hacking into credit and debit card payment processing giant Heartland Payment Systems last year, as part of an investigation the Justice Department is calling the largest identity theft case ever prosecuted.

http://voices.washingtonpost.com/securityfix/2009/08/heartland_payment_systems_hack.html