HTML5 Security Facts Developers Should Keep in Mind
Brian Prince writes on eWeek:
The war of words between Apple and Adobe Systems has prompted plenty of speculation about the fate of HTML5. But while HTML5 remains a work in progress, the one thing that is certain is developers who adopt HTML5 will have a new set of features to consider as part of their application security development lifecycle.
So how will HTML5 impact the attack surface you have to cover? eWEEK spoke to some security experts and got feedback on a few key areas.
'Bulletproof' ISP for Crimeware Gangs Knocked Offline
Dan Goodin writes on The Register:
One of the internet's most resilient and crimeware-friendly networks was knocked offline Friday after the plug was pulled on its upstream service provider, security watchers said.
Russia-based PROXIEZ-NET lost its connection to the internet at about 3 am California time, according to Zeus Tracker, a website that monitors the status of internet service providers used to control PCs infected by the notorious Zeus crimeware package. Before it was disconnected, the "bulletproof" provider hosted 13 known Zeus command and control channels, making it the most Zeus-friendly ISP, Zeus Tracker statistics show.
Zeus Tracker leaders don't yet know the reason for the outage, but one of them pointed out to The Register that PROXIEZ-NET's upstream provider, DIGERNET, has also had its internet connection severed. Classless Inter-Domain Routing records show it being unceremoniously withdrawn from internet routing tables, leaving its downstream node unable to communicate.
PROXIEZ-NET has been widely accused as being a haven for purveyors of crimeware. On Tuesday, the network was added to the real-time block list maintained by Spamhaus. On Thursday night, DIGERNET was removed from the same list.
Crypto Guru Whit Diffie Takes ICANN Security Job
Robert McMillan writes on PC World:
Six months after leaving his job at Sun Microsystems noted cryptographer Whitfield 'Whit' Diffie has landed a new gig, this time as a security adviser to the corporation that manages the Internet.
Diffie has taken a job as vice president for information security and cryptography at the Internet Corporation for Assigned Names and Numbers (ICANN), a not-for-profit group that bears high-level responsibility for the domain name system and the Internet's IP addresses.
At ICANN, the cryptographer will supervise the "design, development and implementation of security methods for ICANN-managed networks" and advise the group on security matters, ICANN said in a statement released Friday.
Diffie is one of the inventors of the Diffie--Hellman key exchange, a cryptographic protocol that enabled public key cryptography and helped make strong cryptography mainstream. In his job at Sun, he worked as a high-level adviser to the company and often spoke publicly on security issues.
Researchers Hijack a Car's Brakes and Engines
Erica Naone writes on the MIT Technology Review:
Never mind faulty electronic accelerators--researchers have now shown how to hijack a car's electronic system, overriding the driver's control over both its brakes and engine.
The recent controversy concerning flaws in Toyota's electronic throttle systems shows how serious the results can be when the embedded systems in automobiles go awry. Researchers from the University of Washington and the University of California San Diego are now looking at what can happen when those systems are attacked maliciously.
These efforts are described in a report from the Center for Automotive Embedded Systems Security, a new research center formed to explore emerging automotive technology. The work will be presented next week at the IEEE Symposium on Security and Privacy in Oakland, CA. The researchers say that, assuming an attacker has physical access to the interior of the car they studied, she could take control of many of its computerized systems.
ACH Fraud: Is Legislation Needed?
Tracy Kitten writes on Bank Info Security:
The Federal Deposit Insurance Corp. (FDIC) gets credit for finally touching the hot-stove debate over ACH fraud that's boiling between banks and businesses. But more attention is needed, say attendees of the agency's one-day symposium on cyber threats.
"No one wants to talk about what's really going on," says Amanda Gross, vice president of government affairs for Chicago-based Authenticity Inc., which provides multifactor authentication for Internet-based transactions.
"Small businesses, the companies that the economy is leaning on to pull us out of the economic recession, are bearing the brunt (of losses related to fraud), and it's not fair," says Goss, who attended the FDIC's May 11 event in Arlington, VA. "What I'd like to see is an open dialogue between the banks and the small business owners. We need to encourage the legislators to put pressure on banks to support and protect our smaller businesses."
George Tubin of Needham, MA-based TowerGroup and Tiffany Riley of Los Altos, CA-based Guardian Analytics agree that deeper discussions between bankers and retailers are needed, and this event only scratched the surface.
Ukrainian in Biggest Credit Card Con Job in Delhi
Faizan Haider writes on India Today:
Officers from the Federal Bureau of Investigation (FBI) and its Indian counterpart detained a Ukrainian national from the Indira Gandhi International Airport (IGIA) on Monday for his involvement in Net fraud and identity theft.
The man, Sergey V. Storchak, was travelling on a Jetlite flight S2 120 (Goa-Mumbai-Delhi).
He is alleged to have been involved in the theft and sale of more than 40 million credit and debit card numbers.
The US justice department had described it as the largest hacking and identity theft case ever in the country.
A criminal case has been filed against Storchak for conspiracy to traffic in unauthorised access devices.
The FBI, which had issued a look- out circular (LOC) for Storchak, had intimated the Central Bureau of Investigation (CBI) about his presence in Delhi.
Mark Fiore: Give Him A Hand!
More Mark Fiore brilliance.
Via The San Francisco Chronicle.
Thieves Flood Victim’s Phone With Calls to Loot Bank Accounts
Kim Zetter writes on Threat Level:
Bank thieves have rolled out a new weapon in their arsenal of tactics — telephony denial-of-service attacks that flood a victim’s phone with diversionary calls while the thieves drain the victim’s account of money.
A Florida dentist lost $400,000 from his retirement account last year in this manner, and the FBI said the attacks are growing.
A spokeswoman for the Communication Fraud Control Association — a telecom industry organization — told Threat Level that although fraudulent transfers have been halted in a number of cases, the losses are increasing.
“I know it’s in the millions,” said Roberta Aranoff, executive director of the CFCA. “It has exceeded a million dollars easily.”
Serious Challenges Await Head of Cyber Command
Brian Prince writes on Security Watch:
The U.S. Senate confirmed Lt. Gen. Keith Alexander May 7 as head of the U.S. Cyber Command. He will have his work cutout for him.
"There is a glass," James Miller, principal deputy assistant secretary of defense for policy, told the Defense Department's American Forces Press Service today. "It has some water in it. The water is dirty, and we have an insatiable thirst in this area."
In an assessment of the country's cyber security posture, Miller said the government faces "immense" challenges as it develops a strategy flexible enough to address the diversity of cyber threats.
"We don't really understand the nature of the threat that we face," he noted. "Over the past decade, we have seen the frequency and sophistication of intrusions into our networks increased. Our networks are scanned thousands of times an hour."
The Defense Department alone has about 15,000 networks, with millions of users in 88 countries.
Botnet 'Test' That Aimed DDoS at ISP Leads to Guilty Plea
Robert McMillan writes on ComputerWorld:
The second man charged in 2006 computer attacks on The Planet and T35 Hosting has agreed to plead guilty.
According to court filings, Thomas James Frederick Smith is set to plead guilty before a federal judge in Dallas on June 10. He and David Anthony Edwards are facing five years in prison and fines of up to US$250,000 on charges that they assembled a 22,000-node botnet and then trained it on two ISPs to show a prospective buyer what it could do.
Edwards pleaded guilty to the charges before U.S. District Judge Jane J. Boyle on April 29. He is set to be sentenced August 19. Before he decided to plead guilty, Smith's case had been set to go to trial next week.
Federal prosecutors say that Smith and Edwards -- known by their hacker handles Zook and Davus -- created a botnet they called Nettick, which they then tried to sell to cybercriminals, asking US$0.15 per infected computer.
FBI Promises Action Against Money Mules
The FBI’s top anti-cyber crime official today said the agency is planning a law enforcement action against so-called “money mules,” individuals willingly or unwittingly roped into helping organized computer crooks launder money stolen through online banking fraud.
Patrick Carney, acting chief of the FBI’s cyber criminal section, said mules are an integral component of an international crime wave that is costing U.S. banks and companies hundreds of millions of dollars. He said the agency hopes the enforcement action will help spread awareness that money mules are helping to perpetuate crimes.
“We want to make sure that public understands this is illegal activity and one of the best ways we can think of to give that message is to have some prosecutions,” Carney said at a Federal Deposit Insurance Corporation (FDIC) symposium in Arlington, Va. today on combating commercial payments fraud. “We realize it’s not going to make the problem go away, but it should help raise awareness and send a signal.”
Heartland Breach Expenses Pegged at $140M - So Far
Jaikumar Vijayan writes on ComputerWorld:
The costs to Heartland Payment Systems Inc. from the massive data breach that it disclosed in January 2009 appear to be steadily adding up.
Quarterly financial results released by Heartland last week show that the card payment processor has accrued $139.4 million in breach-related expenses. The figure includes a settlement totaling nearly $60 million with Visa, another of about $3.5 million with American Express and more than $26 million in legal fees.
That total also includes $42.8 million that Heartland has set aside to fund proposed settlements with several other litigants over the breach. One example of what the fund is set up for is Heartland's offer to settle several consumer class action lawsuits against it for $4 million.
So far, Heartland has recovered about $30 million from insurance companies. Even with the updated figures, Heartland so far has spent considerably less than the staggering $250 million that TJX Companies Inc. estimated it would eventually spend to address its massive 2006 data breach.
Romainian Police Apprehend Phishing Gang
Via The H Security.
Romanian police investigators have exposed a gang of criminals who fraudulently gained online access to bank accounts and for months, continued to draw money from these accounts. The Romanian Directorate for Investigating Organised Crime and Terrorism (DIICOT) in Bucharest said that after conducting nationwide searches on Monday, the Romanian police questioned 28 suspects.Link
The gang is said, since October 2009, to have obtained sensitive data, such as online banking and credit card user names and passwords, particularly of Bank of America customers, via phishing attacks. The criminals then transferred money from these accounts via the Western Union financial service and withdrew the money in Vienna, Munich, Prague and Romania. According to the DIICOT, the damages incurred amount to approximately $1 million (£665,000).
Most of the suspects come from the Romanian city of Constanta on the Black Sea coast. The gang is said to have had 70 members in total. Romanian authorities collaborated with US agencies in investigating the case.
In Passing: Frank Frazetta
In Passing: Lena Horne
Mark Fiore: Little Green Man
More Mark Fiore brilliance.
Via The San Francisco Chronicle.