Thursday, March 11, 2010

Mark Fiore: Majority Rule

More Mark Fiore brilliance.

Via The San Francisco Chronicle.

- ferg

TJX Hacking Conspirator Gets 4 Years

Kim Zetter writes on Threat Level:

Humza Zaman, a co-conspirator in the hack of TJX and other companies, was sentenced Thursday in Boston to 46 months in prison and fined $75,000 for his role in the conspiracy. The sentence matches what prosecutors were seeking.

Zaman, a 33-year-old former programmer at Barclays Bank, was charged with laundering between $600,000 and $800,000 for hacker Albert Gonzalez, who is currently awaiting sentencing on charges that he and others hacked into TJX, Office Max, Heartland Payment Systems and numerous other companies to steal data on more than 100 million credit and debit card accounts.

Zaman pleaded guilty in April to one count of conspiracy. His sentence includes three years of supervised release with the condition that Zaman must disclose his conviction to any future employer. Upon release, Zaman will not be barred from using computers.

More here.

Pennsylvania Fires CISO Over RSA Talk

Jaikumar Vijayan writes on ComputerWorld:

Pennsylvania's chief information security officer, Robert Maley, has been fired, apparently for talking publicly at the RSA security conference last week about a recent incident involving the Commonwealth's online driving exam scheduling system.

A source close to the matter said Maley was terminated for not getting the required approvals from the Commonwealth's authorities to talk publicly about the incident.

Commonwealth rules explicitly require all employees to get approval from the appropriate authorities before they publicly disclose official matters, the source said.

A spokesman for the state's governor, Edward Rendell, today confirmed that Maley is no longer working for the Commonwealth. But he refused to say if Maley had been terminated, citing privacy rules.

More here.

Feds: TSA Worker Tried to Sabotage Terror Database

Kim Zetter writes on Threat Level:

A former Transportation Security Administration contractor is being charged in Colorado for allegedly injecting malicious code into a government network used for screening airport security workers and others.

The malicious code, a logic bomb installed last October, was designed to cause damage and “disrupt” data on servers on an undisclosed date but was caught by other workers before it delivered its payload.

Douglas James Duchak, 46, had worked as a data analyst at the TSA’s Colorado Springs Operations Center (CSOC) since 2004. The CSOC is used to vet people who have “access to sensitive information and secure areas of the nation’s transportation network,” according to the indictment. A source involved in the case said this involved screening of both passengers and workers at airports and other transportation facilities.

He pleaded not guilty in a Denver federal court on Wednesday and was released on a $25,000 unsecured bond. The indictment did not say whether the malware was crafted to erase or alter data, or simply disable servers.

More here.

In Passing: Merlin Olsen

Merlin Olsen
(September 15, 1940 - March 10, 2010)

Tuesday, March 09, 2010

Lifelock Dinged $12 Million for Deceptive Business Practices

Kim Zetter writes on Threat Level:

The CEO of Lifelock, Todd Davis, became famous for advertising his Social Security number on television ads and billboards promising his $10 monthly service would protect consumers from identity theft.

The company also offered a $1 million guarantee to compensate customers for losses incurred if they became a victim of identity theft after signing up for the service.

But the Federal Trade Commission said Tuesday that the claims were bogus [.pdf] and accused Lifelock, based in Arizona, of operating a scam and con operation. The commission announced, along with 35 state attorneys general, that it had levied a fine of $12 million against the company for deceptive business practices and for failing to secure sensitive customer data. Of that amount, $11 million will go to refund customers who subscribed to the service. Consumers will receive a letter from the FTC and their attorney general explaining how to take part in the settlement.

The FTC said that Lifelock, which advertises itself as “#1 In Identity Theft Protection,” engaged in false advertising by promising customers that if they signed up with its service their personal information would become useless to thieves.

“In truth, the protection they provided left such a large hole … that you could drive that truck through it,” said FTC Chairman Jon Leibowitz, referring to a Lifelock TV ad showing a truck painted with the CEO’s Social Security number driving around city streets.

More here.

Monday, March 08, 2010

FDIC: Hackers Took More Than $120M in Three Months

Robert McMillan writes on ComputerWorld:

Ongoing computer scams targeting small businesses cost U.S. companies $25 million in the third quarter of 2009, according to the U.S. Federal Deposit Insurance Corporation.

Online banking fraud involving the electronic transfer of funds has been on the rise since 2007 and rose to over $120 million in the third quarter of 2009, according to estimates presented Friday at the RSA Conference in San Francisco by David Nelson, an examination specialist with the FDIC.

The FDIC receives a variety of confidential reports from financial institutions, which allow it to generate the estimates, Nelson said.

Almost all of the incidents reported to the FDIC "related to malware on online banking customers' PCs," he said. Typically a victim is tricked into visiting a malicious Web site or downloading a Trojan horse program that gives hackers access to their banking passwords. Money is then transferred out of the account using the Automated Clearing House (ACH) system that banks use to process payments between institutions.

Even though banks now force customers to use several forms of authentication, hackers are still stealing money. "Online banking customers are getting too reliant on authentication and on practicing layers of controls," Nelson said.

That's bad news for businesses, which are increasingly on the hook for any losses.

More here.

U.S. Government Auditors Knock Federal Cybersecurity Plan

J. Nicholas Hoover writes on InformationWeek:

The federal government could do a better job defining and coordinating its recently partially declassified Comprehensive National Cybersecurity Initiative, according to a report [.pdf] from the government's own auditors.

The new report, released by the Government Accountability Office last week, found that although the White House and federal agencies have made strides in planning and coordinating the 12-point program by creating interagency working groups like the Joint Interagency Cyber Task Force, the plan lacks definition in some places and doesn't cover the full scope of federal cybersecurity needs.

Among the key challenges for the CNCI: defining roles and responsibilities. For example, then-acting White House cybersecurity policy advisor Melissa Hathaway, in an interview with the GAO, noted an ad hoc, uncoordinated response to July 2009 distributed denial of service attacks targeting government Web sites.

More here.

Thailand Approves Credit Card Hacker's Extradition to U.S.

Owen Fletcher writes on PC World:

A Thai court has approved the extradition to the U.S. of a Malaysian man allegedly involved in hacking credit card information, causing massive losses for victims in the U.S.

Gooi Kokseng will first be held in Thailand for 30 days in case he decides to appeal the court ruling, an employee at Thailand's Office of the Attorney General said by phone Monday.

Kokseng, forty-four years old and also known by the alias Delpiero, is a suspected member of a crime ring that has caused more than 5 billion baht (US$150 million) in losses through hacking aimed at the U.S. and Southeast Asia, according to a report in the Bangkok Post.

More here.

Sunday, March 07, 2010

Cyber War Declared as China Hunts for the West's Intelligence Secrets

Michael Evans and Giles Whittell write on The Times Online:

Urgent warnings have been circulated throughout NATO and the European Union for secret intelligence material to be protected from a recent surge in cyberwar attacks originating in China.

The attacks have also hit government and military institutions in the United States, where analysts said that the West had no effective response and that EU systems were especially vulnerable because most cyber security efforts were left to member states.

NATO diplomatic sources told The Times: “Everyone has been made aware that the Chinese have become very active with cyber-attacks and we’re now getting regular warnings from the office for internal security.” The sources said that the number of attacks had increased significantly over the past 12 months, with China among the most active players.

In the US, an official report released on Friday said the number of attacks on Congress and other government agencies had risen exponentially in the past year to an estimated 1.6 billion every month.

More here.