Thursday, September 24, 2009

Toon of The Month: The Fox News Target Audience


Via Daryl Cagle.

Companies Still Not Securing Customer Data

Larry Barrett writes on

Despite a slew of disastrous, high-profile identity theft cases in the past few years, companies conducting transactions both online and in their brick-and-mortar stores still aren't doing enough to protect their customers' personal and financial data, according to a new survey released by Imperva and the Ponemon Institute.

The survey, which queried IT security professionals responsible for securing data at 517 U.S. and multinational companies, found that 55 percent are securing credit card information but not Social Security numbers, bank account details and a variety of other customer data.

Imperva, a data security software vendor and the Ponemon Institute, an independent research firm, embarked on the survey hoping to find out just how many companies were complying with the Payment Card Industry's (PCI) Data Security Standard (DSS) and how many were going above and beyond the credit card industry's security benchmark.

More here.

ICANN Set To Become Independent of U.S. Government

Via The Economist.

Forty years ago this month American academics sent the first message over the ARPANET, a military network that was the precursor of today’s internet. A legacy of those efforts is that the American government continues to control the internet’s underlying technology—notably the system of allocating addresses. This is about to change, albeit slightly.

For the past decade America has delegated some of its authority over the internet to a non-profit organisation called the Internet Corporation for Assigned Names and Numbers (ICANN)—an arrangement other countries have complained about, both because they have little say in it and because ICANN’s management has occasionally proved erratic. ICANN’s latest mandate is due to expire on September 30th. The day before, a new accord is planned to come into effect, whereby America will pass some of its authority over ICANN to the “internet community” of businesses, individual users and other governments.

Previous agreements had maintained close American oversight over ICANN and imposed detailed reforms, but the latest document, called an “affirmation of commitments”, is only four pages long. It gives ICANN the autonomy to manage its own affairs. Whereas prior agreements had to be renewed every few years, the new one has no fixed term.

The agreement sets up oversight panels that include representatives of foreign governments to conduct regular reviews of ICANN’s work in four areas: competition among generic domains (such as .com and .net), the handling of data on registrants, the security of the network and transparency, accountability and the public interest—the only panel on which America will retain a permanent seat. But there are no penalties if ICANN fails to heed its new overseers short of a termination of the accord.

More here.

Hat-tip: Domain Name Wire

SCADA Watch: New Smart Grid Standards Are Out, Complexity Is In


Andy Bochman writes in The Smart Grid Security Blog:

...the new NIST Smart Grid standards draft [.pdf] released today. Far from appearing as an afterthought or not at all, Cyber Security issues are front and center in the executive summary and are described in some detail on pages 71-79 of the document. Also significant is that control system security, which some feel is getting short shrift in this process, is given substantial attention and weighting, with a list of applicable security-related standards on page 79.

As the diagram above illustrates, however, complexity itself may ultimately become the biggest security challenge. The best human minds, augmented with the most sophisticated tools, will have a monumental task keeping track of the myriad threat vectors and security controls deployed to defend against them.

More here.

Image source: U.S. National Institute of Standards and Technology (NIST)

'Money Mule' Recruitment Network Exposed

Brian Krebs writes on Security Fix:

In a blog post earlier this week, Security Fix examined the crucial role of "money mules" -- people in the United States who are willingly or unwittingly recruited to help cyber fraudsters steal money from businesses. In this column, we'll peer a bit deeper into how mules are recruited, and how they often communicate with their employers.

Security Fix interviewed one of the mules hired to receive money from Sanford School District, a small school system in Colorado that was robbed of $117,000 last month when hackers used the district's online banking credentials to send sub-$10,000 payments to this mule and 16 others.

The mule I spoke with said she was hired by a company called the Scope Group Inc., which claimed to be a nearly 20-year-old investment firm operating out of New York. The Scope Group did not return e-mails seeking comment, but there is no listing for a current company by that name in the New York State business register. Also, the company's Web site is hosted in China, and its domain name -- ends with a Chinese country code. In addition, that domain name was registered on June 25, 2009, just a few weeks before the fraud against Sanford School District was perpetrated.

The Sanford mule -- who spoke on the condition of anonymity out of fear of reprisals by the hacked company and perhaps by the hackers themselves -- said the Scope Group approached her via e-mail, saying it had found her resume on, and would she be interested in a work-at-home job acting as a "financial manager"? Having worked as a payroll manager in a previous job, the mule said she thought it was a perfect fit. Besides, she said, she'd been out of work since March.

More here.

Maine Firm Sues Bank After $588,000 Cyber Heist

Brian Krebs writes on Security Fix:

A construction firm in Maine is suing a local bank after cyber thieves stole more than a half million dollars from the company in a sophisticated online bank heist.

On Friday, Sanford, Maine-based Patco Construction Co. filed suit in York County Superior Court against Ocean Bank, a division of Bridgeport, Conn.-based People's United Bank. The lawsuit alleges that Ocean Bank did not do enough to prevent cyber crooks from transferring approximately $588,000 to dozens of co-conspirators throughout the United States over an eight-day period in May.

People's United Bank spokeswoman Valerie Carlson declined to comment for this story, saying the company is aware of the lawsuit but does not discuss pending litigation.

According to the complaint, the fraudulent transfers began on Thursday, May 7, when thieves who had hijacked the company's online banking credentials initiated a series of transfers totaling $56,594 to several individuals that had no prior business with Patco. The company alleges that this pattern of fraud continued each day of the following business week, during which time the thieves made additional batches of fraudulent transfers totaling $532,257.

More here.
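Added here as an illustration, not code from Krebs' column or from either bank: a small Python check, run over constructed ACH batch records, that flags the pattern this post and the Sanford School District story above both describe, i.e. several first-seen payees each receiving an amount just under $10,000 on the same release day. The payee names, amounts and the 10 percent "near-threshold" band are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    day: str      # ISO date the batch was released
    payee: str    # beneficiary label as it appears in the batch
    amount: float


# Payees with an established history; constructed, not a real customer file.
KNOWN_PAYEES = {"ACME Lumber", "Payroll-Sanchez", "State Tax"}

# Constructed sample batches: a normal day followed by two days of
# sub-$10,000 payments to individuals the company never paid before.
SAMPLE = [
    Transfer("2009-05-06", "ACME Lumber", 12400.00),
    Transfer("2009-05-07", "J. Doe", 9850.00),
    Transfer("2009-05-07", "R. Roe", 9700.00),
    Transfer("2009-05-07", "Payroll-Sanchez", 2100.00),
    Transfer("2009-05-08", "M. Moe", 9900.00),
    Transfer("2009-05-08", "T. Toe", 9600.00),
    Transfer("2009-05-08", "K. Koe", 9950.00),
]

THRESHOLD = 10_000.0  # the limit the Sanford payments stayed under
NEAR = 0.90           # "just under": within 10% below THRESHOLD (assumed band)


def daily_alerts(transfers, known_payees, min_new_payees=2):
    """Group transfers by release day and alert on any day where at least
    min_new_payees first-seen payees each receive a near-threshold amount.
    A payee becomes 'seen' only after the day it first appears, so a burst
    of new recipients on one day is still counted as new."""
    by_day = defaultdict(list)
    for t in transfers:
        by_day[t.day].append(t)
    seen = set(known_payees)
    alerts = {}
    for day in sorted(by_day):
        suspicious = [t for t in by_day[day]
                      if t.payee not in seen
                      and NEAR * THRESHOLD <= t.amount < THRESHOLD]
        if len(suspicious) >= min_new_payees:
            alerts[day] = {"count": len(suspicious),
                           "total": round(sum(t.amount for t in suspicious), 2)}
        seen.update(t.payee for t in by_day[day])
    return alerts


def run_sample():
    return daily_alerts(SAMPLE, KNOWN_PAYEES)
```

A bank-side version would key on the originating account rather than the payee label and hold the batch for out-of-band confirmation rather than merely logging it.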

Wednesday, September 23, 2009

Drudge, Other Sites Flooded With Malicious Ads

Robert McMillan writes on PC World:

Criminals flooded several online ad networks with malicious advertisements over the weekend, causing popular Web sites such as the Drudge Report, and to inadvertently attack their readers, a security company said Wednesday.

The trouble started on Saturday, when the criminals somehow placed the malicious ads on networks managed by Google's DoubleClick, as well as two others: YieldManager and ValueClick's Fastclick network, according to Mary Landesman, a senior security researcher with ScanSafe.

The attack comes just a week after the New York Times Web site was tricked into displaying a deceptive 'scareware' advertisement for fake antivirus software from scammers pretending to be ad buyers with Vonage, an Internet telephony company.

Instead of trying to trick Web surfers into buying bogus software, these ads attacked.

More here.

SCADA Watch: Contractor Pleads Guilty to SCADA Tampering

Robert McMillan writes on PC World:

A former IT consultant for an oil and gas exploration company has pleaded guilty to tampering with the company's computer systems after he was turned down for a permanent position with the company.

Mario Azar, 28, pleaded guilty on Sept. 14 to one count of damaging computer systems and faces a maximum of 10 years in prison. News of his plea was announced Wednesday by the U.S. Federal Bureau of Investigation.

According to court records, Azar accessed Supervisory Control and Data Acquisition (SCADA) computer systems belonging to Pacific Energy Resources of Long Beach, California, and caused the company to lose control of its computer systems around May or June of 2008.

Only a handful of SCADA computer intrusions have been reported, but because the systems are used to control large-scale industrial systems in manufacturing plants, public utilities and the chemical industry, security experts worry that tampering with them could lead to a large-scale power outage or environmental disaster.

More here.

PCI Survey Finds Some Merchants Don't Use AV Software

Jeremy Kirk writes on PC World:

Consumers face a greater risk of losing control of their data when doing business with smaller retailers, as many haven't made investments to comply with the Payment Card Industry's Data Security Standard (PCI DSS), according to a new survey.

The survey, which covered 560 U.S. and multinational organizations, asked respondents a variety of questions about their investments and deployment of technology to comply with PCI DSS, which was introduced in 2005. It's an industry standard created by major credit card companies that's designed to protect customer payment data.

The survey found that 55 percent of organizations only secured credit card information but not other data such as Social Security and driver's license numbers or bank account details. Also, only 28 percent of smaller companies with 501 to 1,000 employees comply with PCI DSS. That compares with more than 70 percent of large merchants with 75,000 or more employees that claimed they're compliant.

"If you go to the larger organizations to do business, you are more likely to be secure today," said Amichai Shulman, CTO for Imperva, which makes security software for businesses to comply with PCI DSS. Imperva commissioned the survey from Ponemon Institute, a company that conducts research into privacy and information security policy.

The prime reason that companies don't comply with PCI DSS is cost, Shulman said. "They don't go to the effort to be compliant because it's all or nothing, so they currently do nothing," Shulman said.

More here.

Newly Declassified Files Detail Massive FBI Data-Mining Project

Ryan Singel writes on Threat Level:

A fast-growing FBI data-mining system billed as a tool for hunting terrorists is being used in hacker and domestic criminal investigations, and now contains tens of thousands of records from private corporate databases, including car-rental companies, large hotel chains and at least one national department store, declassified documents obtained by show.

Headquartered in Crystal City, Virginia, just outside Washington, the FBI’s National Security Branch Analysis Center (NSAC) maintains a hodgepodge of data sets packed with more than 1.5 billion government and private-sector records about citizens and foreigners, the documents show, bringing the government closer than ever to implementing the “Total Information Awareness” system first dreamed up by the Pentagon in the days following the Sept. 11 attacks.

Such a system, if successful, would correlate data from scores of different sources to automatically identify terrorists and other threats before they could strike. The FBI is seeking to quadruple the known staff of the program.

But the proposal has long been criticized by privacy groups as ineffective and invasive. Critics say the new documents show that the government is proceeding with the plan in private, and without sufficient oversight.

More here.

Cisco Patches a Dozen Router Bugs

Robert McMillan writes on ComputerWorld:

Cisco Systems has released its twice-yearly set of security patches for its router firmware, fixing 12 security flaws in the products.

Cisco describes the bugs in 11 security advisories, released Wednesday, saying that they affect routers and switches that use the Cisco Unified Communications Manager, as well as a variety of services in the devices' underlying Cisco IOS operating system.

"Exploits of the individual vulnerabilities could result in two different impacts, a breach in confidentiality or a denial of service," Cisco said in a note describing the updates, posted to its Web site on Wednesday.

Among the patches is a fix for an IOS bug that could let an attacker bypass access control policies on devices that use the Object Groups for ACL feature, Cisco said. This could give an attacker access to parts of the network that they shouldn't be allowed to reach.

More here.

Google Exec Calls for ISPs to Get Tough on Botnets

Ryan Naraine writes on the ZDNet "Zero Day" Blog:

Head of Google’s Anti-Malvertising team Eric Davis wants Internet Service Providers (ISPs) to look beyond profits and take a more proactive approach to dealing with malware-infested computers on their networks.

During a keynote presentation at the Virus Bulletin conference here, Davis said competitors in the ISP space must look beyond profits and partner on new initiatives to deal with the “parasites” that have taken control of the Internet landscape.

“Technology is only one part of security,” Davis said, adding that the necessary countermeasures are currently undermined by structural issues. “We need to explore industry self-regulation, education and reputation systems,” he argued.

Making it clear his statements were not necessarily the views of his employer, the Google executive chided ISPs for not doing enough to help users with infected machines.

“The ISPs are in the best position to detect infected machines. They’re in the best place to do something about malware. They already have monitoring systems that could be used to identify signs of malware and botnet activity. If they see abnormally high e-mail activity, that’s most likely spam from a botnet,” Davis said.

However, because ISPs have no monetary incentive to notify and help disinfect machines, the botnets live and thrive within ISP networks, he added.

More here.

Tuesday, September 22, 2009

U.S. Toll in Iraq, Afghanistan

Iraq and Afghanistan statistics via The Boston Globe (AP).

As of Tuesday, Sept. 22, 2009, at least 4,346 members of the U.S. military had died in the Iraq war since it began in March 2003, according to an Associated Press count.

The figure includes nine military civilians killed in action. At least 3,473 military personnel died as a result of hostile action, according to the military's numbers.

The AP count is two fewer than the Defense Department's tally, last updated Tuesday at 10 a.m. EDT.

As of Tuesday, Sept. 22, 2009, at least 764 members of the U.S. military had died in Afghanistan, Pakistan and Uzbekistan as a result of the U.S. invasion of Afghanistan in late 2001, according to the Defense Department. The department last updated its figures Tuesday at 10 a.m. EDT.

Of those, the military reports 587 were killed by hostile action.

More here and here.

Honor the Fallen.

Classic xkcd: Tornado Hunter


We love xkcd.

- ferg

National Australia Bank, VISA Encouraging Insecure, Low Cost Payment Card Transactions?!

Fran Foo writes on Australian IT:

The popular salad bar outlet has been trialling technology that allows customers simply to hold their credit or debit card up to a contactless payment reader to pay for lunch.

The cards, issued by National Australia Bank, are embedded with Visa's chip-based payment technology called payWave.

According to NAB and Visa, more than 500 merchants in Melbourne will start using the technology and thousands more are set to sign up before the holiday period.

For purchases under $100, hungry patrons need not sign or enter their PIN, hastening the transaction process.

More here.

Comment: Wow, the possibilities for fraud & abuse here seem endless. -ferg

Cyber Attacks Target Foreign Media in China

A Reuters newswire article by Lucy Hornby, via MSNBC, reports that:

Foreign media in China have been targeted by e-mails laden with malicious computer software in attacks that appear to be tied to the run-up to the National Day military parade on October 1.

While spam and viral attacks are not uncommon, the latest wave is part of a pattern of increasingly sophisticated e-mails tailored to tempt foreign reporters, rights activists and other targets to open infected attachments.

On Oct 1, the Communist Party is celebrating 60 years of rule over mainland China with a military parade. Beijing has tightened security ahead of the anniversary, with armed paramilitary troops at subway exits during rehearsals and neighborhood residents recruited to watch over the streets.

"There is definitely a pattern of virus attacks in the run-up to important dates on the Chinese political calendar," said Nicholas Bequelin of Human Rights Watch in Hong Kong. He noted that non-government organizations are also favorite targets.

More here.