Friday, December 04, 2009

New Study Calls for Cyber Security Overhaul in U.S.

Grant Gross writes on ComputerWorld:

The U.S. government and private businesses need to overhaul the way they look at cybersecurity, with the government offering businesses new incentives to fix security problems, the Internet Security Alliance said.

The alliance, in a report released Thursday, also called for permanent international cybersecurity collaboration centers, new security standards for VoIP (voice over Internet Protocol) communications and programs to educate corporate leaders about the benefits of enhanced cybersecurity efforts.

Lots of groups have called for better information security education for students, but education for enterprise leaders is often overlooked, said Joe Buonomo, president and CEO of Direct Computer Resources, a data security products vendor.

"At some point, almost every public official who addresses this subject stresses the need to train our kindergarten to 12th-graders on this topic," he said. "In many instances, these officials also note the need to upgrade cyber expertise in the federal workforce. Something else is necessary."

More here.

Tuesday, December 01, 2009

Classic xkcd: Spinal Tap Amps

Click for larger image.

We love xkcd.

- ferg

D.C. Businessman Loses Thousands After Clicking on Wrong e-Mail

Brian Krebs writes on Security Fix:

Pay-per-click revenue in the online advertising business may be diminishing for traditional media publishers, but thieves increasingly are earning five- to seven-digit returns when victims click on a booby-trapped link or attachment sent via e-mail.

The latest victim to learn this was Nigel Parkinson, president of D.C.-based Parkinson Construction, a firm with an estimated $20 million in annual revenue that has worked on some of Washington's top gathering places, including the new D.C. Convention Center and the Nationals baseball stadium.

Parkinson said he had an expensive crash course in computer security, when on Nov. 24, he clicked a link in an e-mail purporting to be from the Social Security Administration warning him about potential errors on his Social Security statement. Parkinson fell for the ruse and ended up downloading a copy of the Zeus Trojan, a prolific family of malicious software that criminal gangs have used to great effect to steal tens of millions of dollars from victimized businesses so far this year.

Zeus is primarily a password-stealing Trojan, and in short order the thieves had stolen the credentials Parkinson uses to administer his construction firm's bank account online.

From there, the hackers sent $92,000 of Parkinson's cash to nine different money mules, accomplices hired through work-at-home job schemes who are instructed to withdraw the money and wire it overseas (typically minus an eight percent commission).

More here.

Yahoo, Verizon: Our Spy Capabilities Would ‘Shock’, ‘Confuse’ Consumers

Kim Zetter writes on Threat Level:

Want to know how much phone companies and internet service providers charge to funnel your private communications or records to U.S. law enforcement and spy agencies?

That’s the question muckraker and Indiana University graduate student Christopher Soghoian asked all agencies within the Department of Justice, under a Freedom of Information Act (FOIA) request filed a few months ago. But before the agencies could provide the data, Verizon and Yahoo intervened and filed an objection on grounds that, among other things, they would be ridiculed and publicly shamed were their surveillance price sheets made public.

Yahoo writes in its 12-page objection letter, that if its pricing information were disclosed to Soghoian, he would use it “to ’shame’ Yahoo! and other companies — and to ’shock’ their customers.”

“Therefore, release of Yahoo!’s information is reasonably likely to lead to impairment of its reputation for protection of user privacy and security, which is a competitive disadvantage for technology companies,” the company writes.

Verizon took a different stance. It objected to the release of its Law Enforcement Legal Compliance Guide because it might “confuse” customers and lead them to think that records and surveillance capabilities available only to law enforcement would be available to them as well — resulting in a flood of customer calls to the company asking for trap and trace orders.

More here.

8 Million Reasons for Real Surveillance Oversight

Chris Soghoian writes on Slight Paranoia:

Sprint Nextel provided law enforcement agencies with its customers' (GPS) location information over 8 million times between September 2008 and October 2009. This massive disclosure of sensitive customer information was made possible due to the roll-out by Sprint of a new, special web portal for law enforcement officers.

The evidence documenting this surveillance program comes in the form of an audio recording of Sprint's Manager of Electronic Surveillance, who described it during a panel discussion at a wiretapping and interception industry conference, held in Washington DC in October of 2009.

It is unclear if Federal law enforcement agencies' extensive collection of geolocation data should have been disclosed to Congress pursuant to a 1999 law that requires the publication of certain surveillance statistics -- since the Department of Justice simply ignores the law, and has not provided the legally mandated reports to Congress since 2004.

Much more here.

Monday, November 30, 2009

Hackers Attempt to Take $1.3 Million from D.C. Firm

Brian Krebs writes on Security Fix:

It has been a while since I've written about online banking fraud against small to mid-sized businesses, but I assure you the criminals perpetrating these attacks have been busier than ever. In fact, from more than a dozen incidents I've been investigating lately, the attackers for whatever reason now appear to be focusing heavily on property management and real estate firms, and title companies.

On Nov. 12, I was contacted by a woman in Washington, D.C. who runs a large property management firm. The woman said her company had just been the victim of online banking fraud, but that her board of directors would not let her discuss the incident on the record. Per her request, I am omitting her name and the name of her firm.

The woman said hackers had tried to transfer more than $1.3 million out of her firm's account, but that all three transactions had been stopped. Still, her story is worth telling because it was not a victimless crime, and it shows how attackers are adding yet another layer of complexity to their scams, all in a bid to buy them more time to make off with the loot. In addition, it illustrates how even a security compromise that has been cleaned up can come back to haunt you, and it demonstrates how one weak link in the chain of trust in commercial online banking can be used to attack other organizations.

More here.