Time is the hacker's enemy. The countdown starts as soon as a hacker learns about a security loophole that makes an Internet site vulnerable to a break-in. Security and software firms have, by and large, succeeded in shortening this period, but hackers have responded in kind.
They've created a brisk underground market for buying and selling "zero day" code—software that can be used instantly to exploit an as-yet-unsecured loophole.
The demand for IT skills has become ubiquitous across every industry globally. The market for IT professionals is strong and is still the fastest-growing sector in the U.S. economy, with more than a million new jobs projected to be added between 2004 and 2014.
Five of the 30 occupations projected by the U.S. Bureau of Labor Statistics to grow the fastest by 2016 are IT-related, led by network and data communications analysts, software engineers, and systems analysts.
As of Friday, Jan. 11, 2008, at least 3,921 members of the U.S. military have died since the beginning of the Iraq war in March 2003, according to an Associated Press count. The figure includes eight military civilians. At least 3,186 died as a result of hostile action, according to the military's numbers.
The AP count is six higher than the Defense Department's tally, last updated Friday at 10 a.m. EST.
As of Friday, Jan. 11, 2008, at least 408 members of the U.S. military had died in Afghanistan, Pakistan and Uzbekistan as a result of the U.S. invasion of Afghanistan in late 2001, according to the Defense Department. The department last updated its figures Jan. 5 at 10 a.m. EST.
Of those, the military reports 276 were killed by hostile action.
A Polish teenager allegedly turned the tram system in the city of Lodz into his own personal train set, triggering chaos and derailing four vehicles in the process. Twelve people were injured in one of the incidents.
The 14-year-old modified a TV remote control so that it could be used to change track points, The Telegraph reports. Local police said the youngster trespassed in tram depots to gather information needed to build the device. The teenager told police that he modified track setting for a prank.
"He studied the trams and the tracks for a long time and then built a device that looked like a TV remote control and used it to manoeuvre the trams and the tracks," said Miroslaw Micor, a spokesman for Lodz police.
Note: As Steve Bellovin writes on his blog regarding this incident:
There are several lessons here. The first is that security through obscurity simply doesn't work for SCADA systems, whether it's a tram, a traffic light, or a sewage plant.
A second lesson is that security problems can have real-world consequences, such as injuries.
Chris Soghoian writes on the C|Net "surveill@nce st@te" Blog:
A scathing congressional report released Friday confirms that security flaws in a Transportation Security Administration site put thousands of Americans at risk of identity theft.
The report [.pdf] also reveals that a no-bid contract to create the site was awarded to an outside company by a TSA employee who had previously worked for that company. Was this just business as usual at TSA?
A resident of Norcross, Ga., who used to work for Cox Communications is going to jail for five months and was ordered to pay $15,470 for hacking into the company's computer system and shutting down service in three states.
U.S. District Judge Thomas W. Thrash on Thursday sentenced William Bryant, 38, on a charge of knowingly causing the transmission of information to a computer used in interstate commerce, and, as a result, intentionally and without authorization causing damage to that computer. Bryant pleaded guilty to the charges on Sept. 26, 2007. Today he got five months in jail to be followed by five months of home confinement and two years of supervised release.
"Clearly, we're not just seeing the rise of a new security threat here, but the emergence of an entire competitive market. We're seeing price competition, product differentiation, and the creation of niche markets."
Since the introduction of mandatory chip and PIN cards in the UK, banks have increasingly turned down fraud victims claiming compensation on the grounds that such chip-embedded smartcards cannot be cloned.
Chip and PIN has been heralded as the way forward for card security, with Westpac recently issuing them to customers, and with more banks set to roll out the cards once compatible terminals become more widely deployed in Australia.
However, Cambridge PhD students and security researchers, Steven J Murdoch and Saar Drimer, showed at a recent conference in Germany that the cards do not need to be cloned to be compromised -- a situation that has ruffled the feathers of banks, which rely on the UK's Banking Code of Practice to deny compensation claims if the fraud victim has been deemed to have compromised the security of their card.
The ability to reject such claims relies on the presumption that cloning is the only manner in which fraud can occur on the smartcard, which, according UK banks, is simply impossible.
Efforts to fight high-tech crime are suffering as a result of overseas deployments which drain both the manpower and resources of the Australian Federal Police (AFP), a senior police figure has revealed.
"These deployments represent a diversion to roles that are different to what officers had been doing," Jim Toor, CEO of the Australian Federal Police Association (AFPA), told ZDNet Australia.
Toor said that these areas included, but were not limited to, high-tech crimes such as child pornography and identity theft investigations.
"It requires a huge commitment to fight these emerging crime types, the technology moves so quickly, and the AFP has a large focus on that sort of criminality," he said.
Robert Vamosi writes on the C|Net "D3F3NS3 1N D3PTH" Blog:
According to a release on Wednesday from the State Department, law enforcement officials and private parties may soon be able to request personal passport details. Currently, only State Department staffers who have undergone "background security investigation" handle such requests.
The change to the State Department's system of records notice, or SORN, affects records dating as far back to 1925 and addresses amendments introduced in 2007 to the Privacy and Security Act of 1974.
An AP newswire article by Laura Jakes Jordan, via The Boston Globe, reports that:
Telephone companies cut off FBI wiretaps used to eavesdrop on suspected criminals because of the bureau's repeated failures to pay phone bills on time, according to a Justice Department audit released Thursday.
The faulty bookkeeping is part of what the audit, by the Justice Department's inspector general, described as the FBI's lax oversight of money used in undercover investigations. Poor supervision of the program also allowed one agent to steal $25,000, the audit said.
More than half of 990 bills to pay for telecommunication surveillance in five unidentified FBI field offices were not paid on time, the report shows. In one office alone, unpaid costs for wiretaps from one phone company totaled $66,000.
And at least once, a wiretap used in a Foreign Intelligence Surveillance Act investigation — the highly secretive and sensitive cases that allow eavesdropping on suspected terrorists or spies — "was halted due to untimely payment."
With a willing ex-wife as his partner in crime, a Colombian engineer's clever scheme to steal thousands of dollars from unsuspecting travelers worldwide went undetected for years.
Then Mario Alberto Simbaqueba Bonilla's high-tech computer crime spree accidentally attracted the attention of the Pentagon.
In spring 2006, Defense Department officials discovered someone had hacked into the personal financial accounts of 17 U.S. soldiers and fleeced their payroll deposits along with mortgage, car, and other payments. Investigators tracked the trail of electronic evidence to Simbaqueba.
On Wednesday, Simbaqueba, 40, pleaded guilty in Miami federal court to tapping into hotel business-center computers here and in other cities to swipe personal financial information from hundreds of travelers to pay for his lavish international lifestyle. Simbaqueba stayed in first-class hotels in places such as Hong Kong, Italy and Dubai, and bought expensive electronics, jewelry and clothing for himself and his many girlfriends.
The Defense Department employees were among more than 600 people -- mostly business travelers and college students -- whose identities were found on Simbaqueba's laptop computer, seized upon his arrest last August at Miami International Airport. His total take: between $400,000 and $750,000, prosecutors say.
Dozens of companies, including Chase Manhattan Bank, E*Trade, and American Airlines, ended up covering most of the victims' financial losses.
This is perhaps one of the BEST short trailers I've seen that truly hammers the real issues that we face every day in the realm of Internet security threats.
I personally think it is marvelously done.
Nice to see my old friend Marcus Ranum in a cameo. :-)
As of Wednesday, Jan. 9, 2008, at least 3,921 members of the U.S. military have died since the beginning of the Iraq war in March 2003, according to an Associated Press count. The figure includes eight military civilians. At least 3,183 died as a result of hostile action, according to the military's numbers.
The AP count is nine higher than the Defense Department's tally, last updated Wednesday at 10 a.m. EST.
As of Wednesday, Jan. 9, 2008, at least 408 members of the U.S. military had died in Afghanistan, Pakistan and Uzbekistan as a result of the U.S. invasion of Afghanistan in late 2001, according to the Defense Department. The department last updated its figures Wednesday at 10 a.m. EST.
Of those, the military reports 276 were killed by hostile action.
White House, Congress Looking For Ways to Keep Surveillance Alive
Michael Isikoff and Mark Hosenball write on Newsweek.com:
Faced with the growing likelihood that Congress will not meet a looming deadline to approve critical electronic-eavesdropping legislation, the Bush administration is working on a short-term fix--a temporary extension to a law enacted last summer amid Democratic complaints that the White House had muscled the bill through.
The Office of the Director of National Intelligence, which is the administration's principal negotiator with Congress on the surveillance legislation, says it would much prefer that Congress move forward with a permanent extension of the spy law. Privately, however, intel czar Mike McConnell has acknowledged that there may be little chance of winning passage of a permanent new bill before the current law expires.
The Defense Department will continue to work with QinetiQ North America to provide security services for the next five years under a new $30 million follow-on contract.
QNA’s Missions Solutions Group — formerly Analex — will provide a wide range of unspecified security services to DOD’s Counterintelligence Field Activity, primarily in the Washington area.
QNA won the contract in December 2003 to help protect government personnel, critical infrastructure and sensitive defense programs.
University of Georgia Computers Hacked, Identity Theft Concerns
An AP newswire article, via WTLV.com, reports that:
University of Georgia officials are trying to contact more than 4,000 current, former and perspective residents of a university housing complex after a hacker was able to access a server containing personal information.That information included Social Security numbers.
University officials said yesterday the security breach happened between December 29th and 31st.
During that time, a computer with an overseas IP address was able to access the personal information -- including Social Security numbers, names and addresses -- of 540 current graduate students living in graduate family housing and 3,710 former students and applicants.
Freeman Klopott and Bill Myers write on Examiner.com:
District of Columbia police lost track of at least four years’ worth of criminal evidence after a power outage wiped out a computer database, The Examiner has learned.
Police Chief Cathy Lanier said the collapse of the computer database caused no permanent damage because the department has millions of paper files in its evidence warehouse to back up the digital system.
Teams of technicians are manually entering the log books into a restored hard drive to reconstruct the lost evidence files, the chief said.
Lanier said she has inherited many of her problems. The evidence database that collapsed, she said, was at least five years out of date.
Web surfers aren't just mad about online privacy violations. They're getting even. Consumers are speaking out publicly against companies they say have gone too far in tracking their Web surfing patterns, creating public relations nightmares. They're also heading for the courts, seeking millions of dollars in damages. Before long, companies will need to pay more than lip service to privacy protection or they may end up being forced to pay up—period.
The latest alleged corporate breach involves Sears Holdings, parent of department stores Sears and Kmart. On Jan. 8, the Berkman Center for Internet and Society, a research program at Harvard Law School, released a report accusing Sears of violating the privacy of users of its online community site. To join, customers download a program that tracks their online purchases and other activity. Sears failed to sufficiently explain what the software does, according to the study's authors.
Robert Vamosi writes on the C|Net "D3F3NS3 1N D3PTH" Blog:
On Wednesday, the SANS Internet Storm Center and others published details about the massive SQL-based Web attack that occurred over the weekend. The attack, says SANS, is similar to a smaller SQL-injection attack seen last November. At least 70,000 sites were compromised in short period of time, leading some speculate this was an automated attack..
From logs files, the attack code appears to exploit a variety of SQL injection vulnerabilities existing on Web sites using Microsoft SQL or Microsoft IIS. On the vulnerable sites, malicious javascript is injected into all varchar and text fields in the SQL database such that when a visitor hits the site, their browsers, if vulnerable, are then redirected to another domain--in this case, us8010.com.
AT&T and Other ISPs May Be Getting Ready to Filter Your Traffic
Brad Stone writes on The New York Times' Bits Blog:
For the past fifteen years, Internet service providers have acted - to use an old cliche - as wide-open information super-highways, letting data flow uninterrupted and unimpeded between users and the Internet.
But ISPs may be about to embrace a new metaphor: traffic cop.
At a small panel discussion about digital piracy here at NBC’s booth on the Consumer Electronics Show floor, representatives from NBC, Microsoft, several digital filtering companies and telecom giant AT&T said the time was right to start filtering for copyrighted content at the network level.
Such filtering for pirated material already occurs on sites like YouTube and Microsoft’s Soapbox, and on some university networks.
Network-level filtering means your Internet service provider – Comcast, AT&T, EarthLink, or whoever you send that monthly check to – could soon start sniffing your digital packets, looking for material that infringes on someone’s copyright.
U.S. Man Gets Record Sentence for Computer Sabotage
A Reuters newswire article, via The New York Times, reports that:
A computer systems administrator has been sentenced to 30 months in a US prison for trying to sabotage his company's servers out of fear he was about to lose his job, prosecutors said.
The US Attorney's Office in New Jersey said Yung-Hsun Lin received the longest ever federal prison term for a criminal attempt to damage a computer system.
He was also ordered to pay $81,200 in restitution to his former employer, pharmacy benefit manager Medco Health Solutions.
Lin, 51, admitted he modified computer codes and added code to create a "logic bomb" designed to wipe out servers on Medco's network in October 2003, around the time Medco was being spun off by Merck & Co, authorities said.
Additional security protocol training for employees, better information sharing with local counterintelligence officials and periodic review of laptop PC security procedures are among the recommendations made by the Energy Department’s inspector general after an investigation into a security breach at the department’s Y-12 National Security Complex in Oak Ridge, Tenn.
According to the IG’s report [.pdf], in 2006 an unauthorized laptop with wireless capability was taken into a "limited area” at the Y-12 nuclear weapons plant. Limited areas are defined as "secure work areas that employ physical controls to prevent unauthorized access to classified matter or special nuclear material," the report states.
An AP newswire article by Peter Svensson, via PhysOrg.com, reports that:
The Federal Communications Commission will investigate complaints that Comcast Corp. actively interferes with Internet traffic as its subscribers try to share files online, FCC Chairman Kevin Martin said Tuesday.
A coalition of consumer groups and legal scholars asked the agency in November to stop Comcast from discriminating against certain types of data. Two groups also asked the FCC to fine the nation's No. 2 Internet provider $195,000 for every affected subscriber.
"Sure, we're going to investigate and make sure that no consumer is going to be blocked," Martin told an audience at the International Consumer Electronics Show.
In an investigation last year, The Associated Press found that Comcast in some cases hindered file sharing by subscribers who used BitTorrent, a popular file-sharing program. The findings, first reported Oct. 19, confirmed claims by users who also noticed interference with other file-sharing applications.
An extremely convincing phishing attack is using a cross-site scripting vulnerability on an Italian Bank's own website to attempt to steal customers' bank account details. Fraudsters are currently sending phishing mails which use a specially-crafted URL to inject a modified login form onto the bank's login page.
The vulnerable page is served over SSL with a bona fide SSL certificate issued to Banca Fideuram S.p.A. in Italy. Nonetheless, the fraudsters have been able to inject an IFRAME onto the login page which loads a modified login form from a web server hosted in Taiwan.
As the United States' presidential candidates pinball their way across New Hampshire on the day of the state's closely watched primary elections, a new form of grassroots activism appears to be taking root across the Atlantic, in Eastern Europe, that melds dirty pool tactics with the cutting edge of malware technology.
Researchers with carrier security specialists Arbor Networks claim that they recently discovered several additional incidents of botnet-driven DOS attacks that were tied to political issues. Danny McPherson, chief research officer at Arbor, will report his group's findings to the assembled computer security and law enforcement experts at next week's Department of Defense Cyber-crime conference in St. Louis.
While the "spam king" might have been dethroned, experts say that malicious e-mail lives on and is more prolific than ever.
Many security experts say the overall impact to the amount of spam on the Web will likely be negligible, if anything at all after Thursday's federal grand jury indictment of "spam king" Alan Ralsky. Federal charges were brought against the Michigan man and nine others for running an international spamming and stock fraud scheme following a three-year investigation.
As of Monday, Jan. 7, 2008, at least 3,911 members of the U.S. military have died since the beginning of the Iraq war in March 2003, according to an Associated Press count. The figure includes eight military civilians. At least 3,181 died as a result of hostile action, according to the military's numbers.
The AP count is three higher than the Defense Department's tally, last updated Monday at 10 a.m. EST.
A U.S.-based Web site that hosts Chinese dissidents' blogs is being hacked again, days after an attack took it offline and nearly destroyed its archives.
The Web site, Boxun.com, which hosts some 2000 blogs, was the target of a "very strong" distributed denial of service, or DDOS, attack last week, its editor, Watson Meng, told United Press International.
He added that hackers probing the Web sites of several U.S. government agencies had "spoofed" or forged their Internet addresses to make it seem as if the probes came from his site.
"Our service provider received complaints from a number of government agencies," he said.
ICANN has posted the NSO Initial Report on Domain Tastinghere [.pdf], and unsurprisingly, it states that (paraphrased) "...more study is needed".
One bright spot in the report, however, is that:
The ISPCP Constituency is concerned that the practice of exploiting the AGP (Add Grace Period) to test profitability of domain names (popularly known as “domain name tasting”) is deleterious to the stability and security of the Internet.
If you bought anything from Geeks.com in at least the last year or so, you might want to start paying close attention to your credit card statements — the company sent out an email on Friday telling former customers that they "recently discovered on December 5, 2007 that customer information, including Visa credit card information, may have been compromised."
TV presenter Jeremy Clarkson has lost money after publishing his bank details in his newspaper column.
The Top Gear host revealed his account numbers after rubbishing the furore over the loss of 25 million people's personal details on two computer discs.
He wanted to prove the story was a fuss about nothing.
But Clarkson admitted he was "wrong" after he discovered a reader had used the details to create a £500 direct debit to the charity Diabetes UK.
As of Sunday, Jan. 6, 2008, at least 3,910 members of the U.S. military have died since the beginning of the Iraq war in March 2003, according to an Associated Press count. The figure includes eight military civilians. At least 3,178 died as a result of hostile action, according to the military's numbers.
The AP count is six higher than the Defense Department's tally, last updated Friday at 10 a.m. EST.