IMF Reports Cyberattack Led to ‘Very Major Breach’
David E. Sanger and John Markoff write in the New York Times:
The International Monetary Fund, still struggling to find a new leader after the arrest of its managing director last month in New York, was hit recently by what computer experts describe as a large and sophisticated cyberattack whose dimensions are still unknown.
The fund, which manages financial crises around the world and is the repository of highly confidential information about the fiscal condition of many nations, told its staff and its board of directors about the attack on Wednesday. But it did not make a public announcement.
Several senior officials with knowledge of the attack said it was both sophisticated and serious. “This was a very major breach,” said one official, who said that it had occurred over the last several months, even before Dominique Strauss-Kahn, the French politician who ran the fund, was arrested on charges of sexually assaulting a chamber maid in a New York hotel.
Asked about the reports of the computer attack late Friday, a spokesman for the fund, David Hawley, declined to provide details or talk about the scope or nature of the intrusion. “We are investigating an incident, and the fund is fully functional,” he said.
Programming Note: Headed East to See Family
Morning Fog in The Blue Ridge Mountains
I'm headed to the beautiful Blue Ridge Mountains of Southwestern Virginia today for a couple of weeks to spend some time with family that I haven't seen in a few years.
Blogging will be virtually non-existent until I return home to Northern California later this month, but thanks for following!
I hope everyone is having a great summer so far...
Mark Fiore: Danny Appleseed
More Mark Fiore brilliance.
Via The San Francisco Chronicle.
Citi Data Theft Points Up a Nagging Problem
Eric Dash writes in the New York Times:
Citigroup’s revelation that hackers stole personal information from more than 200,000 credit card holders makes it one of the largest direct attacks on a major bank.
Even more striking is that similar data breaches have been occurring for years — and the financial industry has failed to prevent them.
Details remain scarce, but the disclosure of the Citigroup breach on Thursday quickly turned into a debate on whether the banks and major credit card companies had invested enough money to safeguard the personal information of their customers.
“They’re not at all on top of it,” said Avivah Litan, a financial security analyst at Gartner Inc. “It’s almost shocking.”
Feds Seize Swiss Bank Account of Scareware Mogul
Tim Greene writes on NetworkWorld:
Federal authorities have seized all the cash in a Swiss bank account held by a scareware mogul and scam artist who is charged with selling phony Symantec security software.
The U.S. Attorney's office in New York filed for the forfeiture of $14.8 million stashed in the account by Shaileshkumar "Sam" Jain, who has fled the U.S. after being charged in the counterfeit antivirus scheme.
Jain was charged three years ago, but has been on the run since after failing to show for court appearances, and is believed to have moved to the Ukraine. He is charged with trafficking in counterfeit goods, wire fraud and mail fraud.
The charges stem from a scheme that employed spam to lure victims to a website where they used credit cards to buy what was purported to be genuine Symantec antivirus software. In return, they were sent counterfeit software from a facility in Ohio, according to U.S. Immigration and Customs Enforcement.
Citi Says Hackers Access Bank Card Data
Citigroup Inc said computer hackers breached the bank's network and accessed data on hundreds of thousands of bank card holders in the latest of a string of cyber attacks on high-profile companies.
Citigroup said about 1 percent of its card customers were affected by the breach, which a report in the Financial Times said had been discovered in May during routine monitoring.
The names of customers, account numbers and contact information, including email addresses, were viewed, Citi said.
However, it said other information such as birth dates, social security numbers, card expiration dates and card security codes (CVV) were not compromised.
"We are contacting customers whose information was impacted. Citi has implemented enhanced procedures to prevent a recurrence of this type of event," Sean Kevelighan, a U.S.-based spokesman, said by email.
Citigroup joins a growing list of companies that have suffered cyber attacks.
iCloud Raises Serious Data Security Concerns
Toney Bradley writes on PC World:
One of the biggest announcements from Apple at this week's Worldwide Developers Conference (WWDC) was the unveiling of iCloud. One crucial element was missing from the Apple magic show, though--will the data be secure?
Apple's iCloud will wirelessly upload music, e-mail, contacts, calendars, and other data, and seamlessly sync and update all associated PCs and iOS devices. The functionality sounds awesome, but you don't have to dig far to find stories of wireless data being intercepts, or data stored online being hacked and compromised.
A simple phishing scam or socially engineered attack could easily dupe a user into surrendering username and password credentials that will expose the data stored in iCloud. In order for iCloud to be a success, Apple has to assure consumers and businesses that the data is protected.
Andrew Storms, Director of Security Operations for nCircle, warns, "Apple's iCloud announcement is missing enterprise security content, and we saw the same thing with the iPhone introduction. They left almost all of the enterprise level security and compliance questions about iCloud unanswered."
Nearly Two-Thirds of Security Pros Want National Data Breach Reporting Law
John P. Mello writes on GSNMagazine.com:
Nearly two-thirds of information technology security professionals would like to see a national law on data breach reporting replace the current crazy quilt of state laws governing the issue, according to the findings in a survey released June 8 by San Francisco-based automated security and compliance auditing solutions provider nCircle.
When asked if the federal government should pass data breach/privacy legislation that supersedes existing state laws, 63 percent of 544 IT security pros participating in the poll responded in the affirmative.
“Our respondents are asking the federal government to unify the patchwork of state cyber-security legislation into a single federal standard," nCircle Director of Federal Markets Keren Cummins observed in a statement.
"There certainly has been significant legislative activity on multiple bills in both the House and the Senate, so we may be headed in that direction, but Congress still has a lot of work to do," she added. "Unifying the conflicting provisions across all the bills and creating laws that are prescriptive enough to be meaningful and enforceable is a significant task."
Greek Police Arrest Teen on Hacking Charges
Jeremy Kirk writes on PC World:
Police in Greece have arrested an 18-year-old Athens man on suspicion of hacking into the Interpol website and other government sites in the U.S. and France.
The man, whose name was not released, made an appearance in an Athens court on Tuesday. He faces charges of computer fraud, forgery, data use and violations related to the possession of guns and flares, according to the Hellenic Police. U.S. and French authorities assisted in the investigation.
Authorities allege the man conducted the attacks with software used to create botnets, which are computers that are hacked and then remotely controlled by an attacker often without the knowledge of the computer's owner, according to an official at the Secretariat General of Communication, part of Greece's Ministry of Interior.
It is suspected he also conducted distributed denial-of-service (DDOS) attacks, a type of attack that usually intends to make a website become unavailable. The attacks occurred in February 2008 and February 2009 when the man was 16 years old.
In Business ACH Account Hijacking, Legal Ruling Favors Bank
Tracy Kitten writes on BankInfoSecurity.com:
A magistrate has recommended that a U.S. District Court in Maine deny a motion for a jury trial in an ACH fraud case filed by a commercial customer against its former bank. According to the order [.pdf], which must still be reviewed by the presiding judge, the bank fulfilled its contractual obligations for security and authentication through its requirement for log-in and password credentials.
Now Mark Patterson, president of PATCO Construction Inc., the commercial customer in the case, says he's weighing his legal options. "Things are not always fair, and we have to decide how long we want to fight the fight," Patterson says. "We do feel very strongly about this issue, but how far do we want to go?"
At issue for PATCO is whether banks should be held responsible when commercial accounts, like PATCO's, are drained because of fraudulent ACH and wire transfers approved by the bank. How much security should banks and credit unions reasonably be required to apply to the commercial accounts they manage?
"Obviously, the major issue is the banks are saying this is the depositors' problem," Patterson says, "but the folks that are losing money through ACH fraud don't have enough sophistication to stop this."
June 6, 1944: Operation Overlord - D-Day in Normandy
A United States Navy LCVP disembarks troops at Omaha Beach, Normandy, France on D-Day, June 6, 1944.
The Battle of Normandy was fought in 1944 between the German forces occupying Western Europe and the invading Allied forces as part of the larger conflict of World War II. Over sixty years later, the Normandy invasion, codenamed Operation Overlord, still remains the largest seaborne invasion in history, involving almost three million troops crossing the English Channel from England to Normandy in then German-occupied France.
The majority of the Allied forces were composed of American, British, Canadian, and French units. Other countries including Australia, Belgium, Czechoslovakia, Greece, the Netherlands, New Zealand, Norway, and Poland also took a major part.
The Normandy invasion began with overnight airborne paratrooper and glider landings, massive air attacks and naval bombardments, and an early morning amphibious assault on June 6, "D-Day". The battle for Normandy continued for more than two months, with campaigns to establish, expand, and eventually break out of the Allied beachheads. It concluded with the liberation of Paris and the fall of the Falaise Pocket.
You Are Not Forgotten.
Image source: Wikimedia