Fergie's Tech Blog

In Passing: Steve Jobs

2011-10-05T17:13:00.000-07:00

Steve Jobs

February 24, 1955 – October 5, 2011

In Passing: Jani Lane

2011-08-12T17:27:00.000-07:00

Jani Lane

February 1, 1964 – August 11, 2011

Programming note: Google+

2011-08-08T23:30:00.002-07:00

You may have noticed that blogging has kind of dropped off since Google+ was born -- yes, I got sucked in.

I'll still post to the blog when I find interesting stuff, but you can also follow me on Google+.

It's just so damned addictive. :-)

Cheers,

- ferg

In Passing: Bubba Smith

2011-08-03T19:59:00.000-07:00

Bubba Smith

February 28, 1945 – August 3, 2011

Researchers Warn of SCADA Equipment Discoverable via Google

2011-08-02T16:34:00.000-07:00

Elinor Mills writes on C|Net News:

Not only are SCADA systems used to run power plants and other critical infrastructure lacking many security precautions to keep hackers out, operators sometimes practically advertise their wares on Google search, according to a demo today during a Black Hat conference workshop.

Acknowledging that he wouldn't click on any link results to avoid breaking the law by accessing a network without authorization, researcher Tom Parker typed in some search terms associated with a Programmable Logic Controller (PLC), an embedded computer used for automating functions of electromechanical processes. Among the results was one referencing a "RTU pump status" for a Remote Terminal Unit, like those used in water treatment plants and pipelines, that appeared to be connected to the Internet. The result also included a password--"1234."

That's like putting up a billboard saying SCADA (Supervisory Control and Data Acquisition) system here and, oh by the way, here are the keys to the front door.

More here.

Debt Deal Could be a Blow for Cybersecurity

2011-08-02T11:43:00.000-07:00

Aliya Sternstein writes on NetGov.com:

The $2.1 trillion debt-cap pact that Congress passed Tuesday could hurt economic and national security as agencies postpone plans to invest in cybersecurity technology and hire more network specialists due to uncertainty over potential program cuts, computer security advisers say.

The legislation automatically chops about $1 trillion from federal activities outside of entitlement programs through spending caps between 2012 and 2021. Separately, a $1.2 billion across-the-board cut will kick in if a joint congressional committee cannot reach agreement on additional deficit reduction measures by December.

The belt-buckling is happening at a time when nation-states are believed to be stealing market-moving and security-sensitive information from computers belonging to corporations and policymakers. And businesses cannot afford or are unwilling to pay for the security to do anything about it, according to some experts.

"The main problem is that the call to shrink government and rely on the private sector and markets to address public problems guarantees weak cybersecurity," said James A. Lewis, a cybersecurity specialist at the Center for Strategic and International Studies who has advised the Obama administration on policy matters. "A government small enough to drown in a bathtub is no match for advanced foreign opponents."

More here.

In Passing: Amy Winehouse

2011-07-23T14:25:00.000-07:00

Amy Winehouse

14 September 1983 – 23 July 2011

DoD Cyber Defense Plan Draws Fire (Yet Again)

2011-07-21T19:16:00.000-07:00

Michael Hardy and John Zyskowski write on FCW.com:

In announcing its latest plan to improve the security of military and related mission-critical networks in the public and private sectors, the Defense Department dutifully acknowledged once again that cyberspace is a new domain in which it must defend the United States and its vital interests.

But cyberspace is unlike any other battlefield the Pentagon has encountered before, and the military is clearly struggling to develop operational ground rules for this complicated new domain where the lines are often fuzzy between DOD and civilian activities, war and peace, and the good guys and the bad guys.

The difficulty of the task for DOD officials is evident in just how messy and prone to criticism the process of creating a cybersecurity policy has become. However, there is little doubt that a strategy is crucial. At the July 14 press conference for the plan’s unveiling, Deputy Secretary of Defense William Lynn also disclosed that in March, a “foreign intruder” was able to steal 24,000 files pertaining to cutting-edge weapons systems from the network of a defense contractor.

As an illustration of the messiness, the vice chairman of the Joint Chiefs of Staff, Marine Gen. James Cartwright, made the unusual move of publicly criticizing the plan’s defensive orientation hours before Lynn officially released it.

More here.

Embedded Web Servers Exposing Organizations To Attack

2011-07-21T19:00:00.000-07:00

Kelly Jackson Higgins writes on Dark Reading:

A researcher who has been scanning the Internet for months looking for unsecured, embedded Web servers has found a bounty of digital scanners, office printers, VoIP systems, storage devices, and other equipment fully exposed and ripe for attack.

Michael Sutton, vice president of security research for Zscaler Labs, at Black Hat USA 2011 next month will demonstrate his findings: Ricoh and Sharp copiers, HP scanners, and Snom voice-over-IP (VoIP) phones were the most commonly discovered devices, all accessible via the Internet. "It was pretty shocking to me: Virtually none of these should be exposed to the Internet. There's not a good reason that an HP scanner should be exposed to the Net," Sutton says.

It's a recipe for disaster: Embedded Web servers with little or no security get misconfigured when they're installed. Most likely, the potential victims are small to midsize businesses or consumers with less technical expertise who misconfigure their devices and have no idea they're showing up online. "They're taking this device, plugging it into the wall, and making a mistake on a router or access point ... and suddenly things are exposed to the Web," he says.

More here.

U.S. House Panel Approves Data Breach Notification Bill

2011-07-20T18:54:00.000-07:00

Grant Gross writes on ComputerWorld:

A U.S. House of Representatives subcommittee has voted to approve a bill that would require companies to notify affected customers about data breaches, and would require businesses holding personal information to establish data security programs.

The House Energy and Commerce Committee's trade subcommittee approved the Secure and Fortify Electronic Data Act [.pdf] (SAFE Data Act) by a voice vote Wednesday, after hours of debate on the legislation. Democrats on the subcommittee offered several amendments in an effort to broaden the types of personal data the bill would cover, but the majority Republicans rejected the amendments.

The bill is filled with "loopholes that sacrifice data security and privacy," said Representative Henry Waxman, a California Democrat. "A bill that is supposed to be enhancing data security and consumer privacy would actually seriously undermine it."

Representative Mary Bono Mack, the subcommittee chairwoman and a California Republican, urged lawmakers to move forward with the legislation [.pdf], which she sponsored.

More here.

Three eBay Fraud Rings Dismantled in Romania, 90 Arrested

2011-07-14T18:29:00.000-07:00

Lucian Constantin writes on Softpedia Security News:

A major law enforcement operation in Romania led to the arrest of 90 individuals this morning who are suspected of being members of three distinct cyber fraud rings.

Prosecutors from the Romanian Directorate for the Investigation of Organized Crime and Terrorism (DIICOT) assisted by national police executed 117 raids at residences in nine different cities.

The operation targeted three cyber criminal gangs which between 2009 and 2011 defrauded over 1,000 Internet users. The losses are estimated at around $20 million.

The fraudsters operated by posting fake ads on eBay and Craiglist offering to sell cars, motorcycles, small boats, consumer electronics and other goods.

Payments were received in bank accounts set up in the United States using fake or stolen identities and then wired to Romania.

The large-scale law enforcement action was a joint effort between DIICOT and other Romanian agencies, including the Romanian National Police (IGPR), the Romanian Intelligence Service (SRI), and the General Directorate for Intelligence and Internal Security (DGIPI).

More here.

Update: India Wants to Intercept Skype, Google Communications

2011-07-13T19:13:00.000-07:00

John Ribeiro writes on ComputerWorld:

The controversy over India's demand that it be allowed to monitor online and mobile communications resurfaced again on Wednesday, with an Indian minister telling reporters that the government had asked Skype, Google, and several other companies to give it access.

Google said that it had not received any communication on the issue from the government. "Thereby we are unable to comment on it," a spokeswoman said on Wednesday. Skype also said it could not comment, as it had not received any communication from local authorities in India on the matter.

There is a whole list of companies that have been asked to provide monitoring solutions, as law enforcement agencies, the home ministry, and intelligence agencies want the information for national security, said Sachin Pilot, Minister of State for Communications and IT, speaking in Delhi, according to reports.

The government is worried that terrorist outfits are using the Internet and mobile communications to plot and execute attacks. A spokesman for the Department of Telecommunications said he was not aware of the comment by the minister, as he was not at the event.

More here.

Programming Note: Off To Manila Again...

2011-07-09T04:00:00.002-07:00

Metro Manila

So I'm off to Manila on business for a while -- back on July 23rd, so blogging may be light until then.

In any event, thanks for the interest, patience, and following.

Cheers,

- ferg

In Passing: Betty Ford

2011-07-08T17:39:00.000-07:00

Betty Ford

April 8, 1918 - July 8, 2011

In Passing: John Mackey

2011-07-07T17:57:00.000-07:00

John Mackey

September 24, 1941 — July 6, 2011

Cyberattacks Take Two U.S. Energy Labs Offline

2011-07-06T17:26:00.000-07:00

William Jackson writes on GCN.com:

Two Energy Department research facilities on opposite sides of the country have been taken offline by what one spokesman called a “sophisticated cyber attack.”

Officials became aware July 1 that the Pacific Northwest National Laboratory in Richland, Wash., and the Thomas Jefferson Laboratory National Accelerator Facility in Newport News, Va., were under attack, PNNL spokesman Greg Koller said.

All network services initially were shut down at PNNL, but external e-mail had been restored by the afteroon on July 6, Koller said. Internal e-mail and some intranet connections havd already been restored at the laboratory. The public website at www.pnl.gov remained offline July 6.

“We expect we will be able to get them online over the next three days,” Koller said.

The Jefferson Lab website at www.jlab.org also was unavailable on Wednesday.

More here.

(Update) 30th Annual Palo Alto Summer Festival & Chili Cook-off

2011-07-04T07:10:00.003-07:00

The place to be today... details here.

Happy Independence Day!

- ferg

Update: 17:20 PDT 4 July 2011: Yes, I went up to the Chili Cook-Off in Palo Alto for a few hours this afternoon -- did some chili-tasting, had a few beers, listened to some music, and of course did some people-watching. All-in-all, a good time was had by all. And I liked the Chili by Secret Mountain Labs (Google it) the best -- it was rockin'. -ferg

Remember Our Troops on This Independence Day...

2011-07-04T03:00:00.002-07:00

You Are Not Forgotten.

Happy 235th Birthday, America

2011-07-04T00:01:00.004-07:00

Happy Independence Day, America.

U.S. Spies Can't Stop Buying Fake Microchips from China

2011-07-03T08:58:00.000-07:00

Adam Clarke Estes writes in The Atlantic Wire:

The U.S. miltary has known for quite some time that they have a quality control problem with the microchips they've been buying in China. A 2005 report from the Defense Science Board warned that in buying weapon circuitry overseas, "trojan horse" chips could find their way into American weapons, potentially prompting missiles to detonate early or computers to shut down in the event of an attack. Then, in 2008, an investigation by BusinessWeek revealed that this was, in fact, happening--fake Chinese microchips were crashing American military networks. In 2010, the military bought 59,000 chips that turned out to be counterfeits. Last week, the government finally announced that they wanted to figure out a way to spot "trojan horse" chips. What took them so long?

Well, for one, China's gotten really good at counterfeiting. The fake Louis Vuitton bags they sell on Canal Street in New York City is one thing, but brand-stamped microchips sold to the U.S. military in the thousands is different in a number of different ways. When BusinessWeek investigated this issue, they found that money and "affirmative-action goals" steered government equipment buyers away from the most trusted manufacturers...

More here.

Cybercrime Fight Hurt by Apathy, Law Enforcement Hurdles

2011-07-01T13:30:00.000-07:00

Michael Cooney writes on NetworkWorld:

General public apathy and collaboration with the law enforcement community assure that cybercrimes of all sorts will continue to rise.

That was one of the conclusions from a congressional hearing this week called "Hacked Off: Helping Law Enforcement Protect Private Financial Information."

A big problem we are facing in the fight against financial crimes is that the criminal complaint has almost disappeared. Even when a police report is filed, it is often "so the bank will give you your money back. Case closed," said [.pdf] Gary Warner, director of research in computer forensics with the University of Alabama at Birmingham.

"The understandable hesitation of law enforcement to 'work a case' in these areas has led to an unfortunate form of apathy by the consumer as well as the financial institutions. Large banks lose millions of dollars each year to phishing and malware, but they reimburse the cost to customers and structure the losses into the cost of doing business. Consumers have been trained that if they experience financial losses they should contact their financial institution rather than the police. If they have had their money returned by their financial institution, there is little incentive to share that information with law enforcement," Warner stated.

More here.

Hackers Are Being Radicalised by Government Policy

2011-07-01T12:02:00.001-07:00

Loz Kaye writes on the Guardian.co.uk:

Now that the LulzSec boat has sailed over the horizon, it seems a good moment to take stock of the past weeks' "hacktivism" frenzy. We've been bombarded with images of oddballs lurking in murky chatrooms – geeky teenagers who are simultaneously global cyber-villains. Given the reporting, we'd be forgiven for thinking that it's all about the personal obsessions of a few nerds. This would be to ignore the wider context.

LulzSec wasn't an isolated or unique phenomenon. People with passionate beliefs have been using new technological tools to effect change out of a sense of powerlessness. In the last year, I've watched 38 Degrees using the strength of association online to change government policy, WikiLeaks force transparency on those who'd rather run from it, even the amorphous mass that is Anonymous taking a stand on whatever issue they feel deserves their attention.

These tools are now themselves under attack. Lord Mandelson's last gift to us, the Digital Economy Act, is just one of a raft of "three strikes laws" worldwide that threaten to cut off households from the web. Buried in the coalition's Prevent strategy is the assertion that "internet filtering across the public estate is essential". Nor is it solely a British issue; Nicolas Sarkozy called for global online governance at the eG8 in his attempt to civilise the "wild west" of the web.

We're starting to see what this civilising process entails. Open Rights Group revealed that Ed Vaizey and lobbyists held a secret meeting discussing the future of web blocking powers. There was no public oversight and no one asked the net natives. Vaizey has relented a little via Twitter, consenting to open up the discussion – the Pirate Party and I welcome that invitation. It will take more, however, than getting a few NGOs around a table to ease the real sense of anger poisoning the online community.

More here.

Despite Controversy, Federal, State Wiretaps on The Rise

2011-06-30T12:42:00.000-07:00

Michael Cooney writes on NetworkWorld:

While their over-use is controversial federal and state requests for court permission to intercept or wiretap electronic communications increased 34% in 2010 over 2009 with California, New York, and New Jersey accounting for 68% of all wire taps approved by state judges.

According to the 2010 Wiretap Report [.pdf], released today by the Administrative Office of the United States Courts (AOUSC) the most frequently noted location in wiretap requests was "portable device," a category that includes cellular telephones and digital pagers. In 2010, a total of 96% of all authorized wiretaps were designated as portable devices. The most common surveillance method was wire surveillance that used a telephone - land line, cellular, cordless or mobile. Telephone wiretaps accounted for 97% (2,253 cases) of the intercepts installed in 2010, the majority of which were cell telephones.

According to the report, 84% of all applications for intercepts (2,675 wiretaps) in 2010 cited illegal drugs as the most serious offense under investigation. As of Dec. 31, 2010, a total of 4,711 people had been arrested and 800 had been convicted as a result of all interceptions reported as terminated.

More here.

Lack of Cyber Pros Puts U.S. in Dangerous Position

2011-06-28T11:15:00.000-07:00

Kevin Coleman writes on GCN.com:

In testimony this year before the Senate Judiciary Committee’s Crime and Terrorism Subcommittee, Gordon Snow, assistant director of the FBI’s Cyber Division, said the number and sophistication of cyberattacks have increased dramatically during the past five years and are expected to continue to grow.

Although that paints a pretty bleak picture, what he said next caught the attention of cybersecurity professionals around the world.

“The threat has reached the point that given enough time, motivation and funding, a determined adversary will likely be able to penetrate any system that is accessible directly from the Internet,” he said.

If you think that is bad, hold on — there is more, and it gets worse. He went on to say, “The FBI has identified the most significant cyber threats to our nation as those with high intent and high capability to inflict damage or death in the U.S.; to illicitly acquire assets; or to illegally obtain sensitive or classified U.S. military, intelligence or economic information.”

More here.

U.S. Urges Banks to Tighten Online Fraud Protections

2011-06-28T10:07:00.000-07:00

Via Reuters.

Bank regulators warned banks to be on guard against increasingly clever computer hacking on Tuesday, indicating heightened alert against security breaches that have plagued government and corporate institutions in recent weeks.

The Federal Financial Institutions Council -- an interagency group that includes the Federal Reserve, the Office of the Comptroller of the Currency, and the Federal Deposit Insurance Corp -- issued a reminder to banks to use more than one form of authentication for online consumers.

"Fraudsters have continued to develop and deploy more sophisticated, effective and malicious methods to compromise authentication mechanisms and gain unauthorized access to customers' online accounts," the council said.

The warning comes after a series of high-profile security breaches including a threat to the Fed by a hacking group. The threat never materialized.

More here.

You Are Missed on Your Birthday...

2011-06-28T00:01:00.000-07:00

Happy Birthday, Lori.

You would have been 46 this year.

We miss you.

- ferg

Mark Your Calendars: The 146th Scottish Highland Games, Labor Day Weekend

2011-06-26T11:32:00.000-07:00

Mark Your Calendar: The 146th Scottish Highland Games

Labor Day Weekend at the Alameda County Fairgrounds

September 3rd and 4th, 2011

See you there!

- ferg

In Passing: Nick Charles

2011-06-25T07:25:00.000-07:00

Nick Charles

June 30, 1946 - June 25, 2011

Power Grid Change May Disrupt Clocks (And Other Stuff)

2011-06-24T18:40:00.000-07:00

An AP newswire article by Seth Borenstein, via SFGate.com, reports:

A yearlong experiment with the nation's electric grid could mess up traffic lights, security systems and some computers — and make plug-in clocks and appliances like programmable coffeemakers run up to 20 minutes fast.

"A lot of people are going to have things break and they're not going to know why," said Demetrios Matsakis, head of the time service department at the U.S. Naval Observatory, one of two official timekeeping agencies in the federal government.

Since 1930, electric clocks have kept time based on the rate of the electrical current that powers them. If the current slips off its usual rate, clocks run a little fast or slow. Power companies now take steps to correct it and keep the frequency of the current — and the time — as precise as possible.

The group that oversees the U.S. power grid is proposing an experiment would allow more frequency variation than it does now without corrections, according to a company presentation obtained by The Associated Press.

Officials say they want to try this to make the power supply more reliable, save money and reduce what may be needless efforts. The test is tentatively set to start in mid-July, but that could change.

More here.

Citi Hackers Made $2.7 Million

2011-06-24T18:05:00.000-07:00

Robert McMillan writes on Computerworld.com.au:

Citigroup suffered about US$2.7 million in losses after hackers found a way to steal credit card numbers from its website and post fraudulent charges.

Citi acknowledged the breach earlier this month, saying hackers had accessed more than 360,000 Citi credit card accounts of U.S. customers. The hackers didn't get into Citi's main credit card processing system, but were reportedly able to obtain the numbers, along with the customers' names and contact information, by logging into the Citi Account Online website and guessing account numbers.

Until now, it wasn't clear how much -- if any -- fraud had occurred as a result of the theft. But Citi confirmed Friday that there were losses of $2.7 million from about 3,400 accounts.

The bank has said its customers will not be liable for the losses.

More here.

In Passing: Peter Falk

2011-06-24T13:42:00.000-07:00

Peter Falk

September 16, 1927 – June 23, 2011

LulzSec Releases Arizona Police Documents

2011-06-24T08:55:00.000-07:00

Kevin Poulsen writes on Threat Level:

The hacker group LulzSec published 700 confidential documents Thursday apparently stolen from the Arizona Department of Public Safety.

LulzSec announced its latest conquest on Twitter and released the document cache through BitTorrent. The files are a mix of intelligence bulletins and presentations — including some issued by the FBI, DHS and DEA — private e-mail, training manuals and other material, some it marked “law enforcement sensitive” or “For Official Use Only.”

The group claimed it targeted the Arizona cops because LulzSec is opposed to Arizona’s SB1070, the state’s broad and controversial anti-illegal immigration measure.

Immigrant rights is only the latest in LulzSec’s growing policy platform, which already included support for WikiLeaks and the right to tinker with Sony Play Station consoles, and opposition to the Fox talent show The X-Factor.

More here.

90% of Companies Say They've Been Hacked

2011-06-23T08:43:00.000-07:00

Jaikumar Vijayan writes on InfoWorld:

If it sometimes appears that just about every company is getting hacked these days, that's because they are.

In a recent survey [.pdf] of 583 U.S companies conducted by Ponemon Research on behalf of Juniper Networks, 90 percent of the respondents said their organizations' computers had been breached at least once by hackers over the past 12 months.

Nearly 60 percent reported two or more breaches over the past year. More than 50 percent said they had little confidence of being able to stave off further attacks over the next 12 months.

Those numbers are significantly higher than findings in similar surveys, and they suggest that a growing number of enterprises are losing the battle to keep malicious intruders out of their networks.

More here.

Ukraine Disrupts $72M Conficker Hacking Ring

2011-06-23T08:32:00.000-07:00

Jeremy Kirk writes on ComputerWorld:

Ukraine's security service said Thursday it had disrupted a cybercrime ring that cost the banking industry more than $72 million using Conficker, a fast-spreading worm unleashed in 2008.

The hackers allegedly used Conficker to spread antivirus software, according to a translation of a news release from the SBU, the Ukraine's state security service. The antivirus software, however, contained malware that collected online banking details.

The SBU said it conducted 19 raids on Tuesday in tandem with law enforcement in other countries. Latvian police arrested two people, and more than 40 financial accounts were frozen in banks in Cyprus and Latvia.

The U.S. Federal Bureau of Investigation also participated in the investigation along with agencies in the U.K., the Netherlands, France, Germany, Cyprus, Latvia and two other unnamed countries, according to the release. Thirty servers were seized in countries outside the Ukraine.

Ukrainian authorities questioned 16 people and have seized computer equipment, documents and money. SBU and FBI officials with knowledge of the case could not be immediately reached.

More here.

FBI Targets Two 'Scareware' Rings in U.S., Europe

2011-06-22T16:21:00.000-07:00

Via Reuters.

Police in the United States and seven other countries seized computers and servers used to run a "scareware" scheme that has netted more than $72 million from victims tricked into buying fake anti-virus software.

Twenty-two computers and servers were seized in the United States and 25 others in France, Germany, Latvia, Lithuania, the Netherlands, Sweden and the United Kingdom, the U.S. Justice Department said in a statement on Wednesday.

The suspects involved in the scheme, who were not identified, planted "scareware" on the computers of 960,000 victims. The scareware would pretend to find malicious software on a computer. The goal is to persuade the victim to voluntarily hand over credit card information, paying to resolve a nonexistent problem.

Latvian authorities seized at least five bank accounts believed to have been used by the leaders of the scam, and the Justice Department said nothing about arrests.

U.S. authorities also said on Wednesday they disrupted a second scam, charging two Latvians with running a similar scareware scheme that led to $2 million in losses through an advertisement placed on a Minnesota newspaper's website.

More here.

DHS Official Says ISPs Would Likely Be Covered By Obama Cybersecurity Plan

2011-06-21T16:46:00.000-07:00

Gautham Nagesh writes on The Hill:

A top Department of Homeland Security cybersecurity official told lawmakers Internet Service Providers (ISPs) would likely be among the private-sector firms that would be subject to federal oversight under the White House's proposed cybersecurity legislation.

At a hearing in front of the Senate Judiciary Subcommittee on Crime and Terrorism, DHS acting Deputy Under Secretary Greg Schaffer acknowledged that under the White House's plan, ISPs would likely be among the private firms deemed critical infrastructure and therefore subject to federal security standards.

Schaffer emphasized that the administration's legislative proposal doesn't explicitly lay out which industries would be deemed critical and core critical infrastructure, but witnesses at Tuesday's hearing mentioned transportation, financial services, utilities and healthcare providers as among those sectors that could be included.

Subpanel Chairman Sheldon Whitehouse (D-R.I.) noted that ISPs are in a unique position to know when consumers' computers are under attack or have been enslaved by malicious botnets. He suggested ISPs should take action against infected devices in the event consumers are not aware of the breach.

More here.

Still on Vacation: The National D-Day Memorial

2011-06-21T12:59:00.000-07:00

The Overlord Arch at the National D-Day Memorial, Bedford, Virginia

I'm still on vacation this week, but just wanted to mention a worthwhile side-trip I made earlier today to the National D-Day Memorial in Bedford, Virginia. Bedford is only about an hour-and-a-half drive from where I grew up, and it is the first time that I have been there since the Memorial was dedicated in 2001 (this year is its tenth anniversary).

If you are ever in that neck of the woods, I would highly recommend a visit.

Cheers,

- ferg

U.S. Bank Must Pay Back Customers for Money Stolen by Hackers

2011-06-16T07:34:00.000-07:00

Robert McMillan writes on Techworld.com:

A US court has ruled that Comerica Bank is liable for a $560,000 (£350,000) cyberheist, saying the bank should have done a better job to spot millions of dollars in fraudulent transactions after one of the bank's customers was tricked in a phishing attack two years ago.

In a June 13 decision, the court ruled in favour of Experi-Metal, a custom car parts maker that had sued Comerica after the January 2009 incident. In just a few hours, criminals tried to move millions of dollars to Eastern Europe, before Comerica's fraud department shut down the scam.

Most of the money was recovered, but in his ruling Judge Patrick Duggan of the US District Court for the Eastern District of Michigan said that the bank should have done a better job of stopping the fraud. A "bank dealing fairly with its customers, under these circumstances, would have detected and/or stopped the fraudulent wire activity earlier," Judge Duggan wrote in his ruling.

Experi-Metal's troubles started in the early morning hours of January 22, 2009. That's when the company's vice president of manufacturing, Gerry King, received a phishing email telling him to fill out what appeared to be a mundane piece of online paperwork: a "Comerica Business Connect Customer Form." He forwarded the email to Controller Keith Maslowski, who then logged into a website belonging to the criminals. With Maslowski's login credentials, the criminals were off and running. Over the next six-and-a-half hours they raced to steal as much of Experi-Metal's money as they could before their window of opportunity closed.

More here.

Payroll Firm ADP Investigating System Intrusion

2011-06-15T21:31:00.000-07:00

John Ribeiro writes on PC World:

Automatic Data Processing said on Wednesday that it is investigating a system intrusion that likely impacted only one client.

The intrusion, which occurred on a non-payroll legacy platform that is no longer sold by ADP's benefits administration business, was detected by the company's security team during routine system monitoring, the payroll and business outsourcing company said.

ADP did not name the affected client, but said the client was from Workscape, a benefits administration provider it acquired last year. ADP said it immediately notified the client to make the client aware of the situation.

ADP has about 550,000 clients. It said it could not disclose any additional details on the security breach, as the incident is the subject of an ongoing law enforcement investigation.

More here.

Hacking Blitz Drives Cyberinsurance Demand

2011-06-14T17:15:00.000-07:00

Ben Berkowitz writes for Reuters:

The recent string of sensational hacker attacks is driving companies to seek "cyberinsurance" worth hundreds of millions of dollars, even though many policies can still leave them exposed to claims.

Companies are having to enhance not just their information technology practices but also their human resources and employee training functions just to get adequate coverage against intrusion -- and in some cases, they are also accepting deductibles in the tens of millions of dollars.

Insurers and insurance brokers say demand is soaring, as companies try to protect themselves against civil suits and the potential for fines by governments and regulators, but also as they seek help paying for mundane costs like "sorry letters" to customers.

"When you have a catastrophic type of data breach then yes ... the phones ring off the hook," said Kevin Kalinich, co-national managing director of the professional risk group at insurance broker Aon Corp.

More here.

U.S. Senate Website Gets Hacked

2011-06-13T19:55:00.000-07:00

Andrew Morse and Ian Sherr write in the Wall Street Journal:

A hacker group that has claimed attacks on media and law-enforcement affiliates extended its month-long cyber mischief Monday, boasting that it had cracked the U.S. Senate's website.

The group, Lulz Security, posted on its own website a configuration file for the Senate's main website. The material in the file suggests sensitive information was not breached, but does indicate Lulz Security infiltrated the Senate's website.

"This is a small, just-for-kicks release of some internal data from Senate.gov," Lulz Security said in a news release. "Is this an act of war, gentlemen?"

The group appeared to be referencing a recent Wall Street Journal article that reported the Pentagon considered some forms of computer sabotage constituted warfare.

More here.

Thieves Found Citigroup Site An Easy Entry

2011-06-13T19:20:00.000-07:00

Nelson D. Schwartz and Eric Dash write in the New York Times:

Think of it as a mansion with a high-tech security system — but the front door wasn’t locked tight.

Using the Citigroup customer Web site as a gateway to bypass traditional safeguards and impersonate actual credit card holders, a team of sophisticated thieves cracked into the bank’s vast reservoir of personal financial data, until they were detected in a routine check in early May.

That allowed them to capture the names, account numbers, e-mail addresses and transaction histories of more than 200,000 Citi customers, security experts said, revealing for the first time details of one of the most brazen bank hacking attacks in recent years.

The case illustrates the threat posed by the rising demand for private financial information from the world of foreign hackers.

More here.

Regulators Pressure Banks After Citi Data Breach

2011-06-13T06:49:00.000-07:00

Maria Aspan writes for Reuters:

Major U.S. banks came under growing pressure from banking regulators to improve the security of customer accounts after Citigroup Inc became the latest high-profile victim of a cyber attack.

While Citigroup insisted the breach had been limited, experts called it the largest direct attack on a major U.S. financial institution, and said it could prompt an overhaul of the banking industry's data security measures.

The Federal Deposit Insurance Corp, the nation's primary regulator, is preparing new measures on data security. Its chairman Sheila Bair said on Thursday she may ask "some banks to strengthen their authentication when a customer logs onto online accounts."

More here.

FBI Agents Get Leeway to Push Privacy Bounds

2011-06-13T06:36:00.000-07:00

Charlie Savage writes in the New York Times:

The Federal Bureau of Investigation is giving significant new powers to its roughly 14,000 agents, allowing them more leeway to search databases, go through household trash or use surveillance teams to scrutinize the lives of people who have attracted their attention.

The F.B.I. soon plans to issue a new edition of its manual, called the Domestic Investigations and Operations Guide, according to an official who has worked on the draft document and several others who have been briefed on its contents. The new rules add to several measures taken over the past decade to give agents more latitude as they search for signs of criminal or terrorist activity.

The F.B.I. recently briefed several privacy advocates about the coming changes. Among them, Michael German, a former F.B.I. agent who is now a lawyer for the American Civil Liberties Union, argued that it was unwise to further ease restrictions on agents’ power to use potentially intrusive techniques, especially if they lacked a firm reason to suspect someone of wrongdoing.

“Claiming additional authorities to investigate people only further raises the potential for abuse,” Mr. German said, pointing to complaints about the bureau’s surveillance of domestic political advocacy groups and mosques and to an inspector general’s findings in 2007 that the F.B.I. had frequently misused “national security letters,” which allow agents to obtain information like phone records without a court order.

More here.

FBI Investigating Cyber Theft of $139,000 from Pittsford, NY

2011-06-12T08:24:00.000-07:00

Brian Krebs:

Computer crooks stole at least $139,000 from the town coffers of Pittsford, New York this week. The theft is the latest reminder of the widening gap between the sophistication of organized cyber thieves and the increasingly ineffective security measures employed by many financial institutions across the United States.

The attack began on or around June 1, 2011, when someone logged into the online commercial banking account of the Town of Pittsford, a municipality of 25,000 not far from Rochester, N.Y. The thieves initiated a small batch of automated clearing house (ACH) transfers to several money mules, willing or unwitting individuals in the U.S.A. who had been recruited by the attackers prior to the theft. The mules pulled the money out of their bank accounts in cash and wired it to individuals in Saint Petersburg, Russia and Kiev, Ukraine via transfer services Western Union and Moneygram.

Over the next four business days, the thieves initiated another three fraudulent batch payments to money mules. Some transfers went to money mules who owned businesses, such as a $14,750 payment to Mission Viejo, Calif. based Art Snyder Software. Most money mules were sent payments of less than $5,000.

Pittsford town supervisor William Carpenter said the FBI is investigating the incident, and that many of the details of how the attackers got in remain unclear. He said the FBI told him the thieves most likely stole the town’s online banking password using a banking Trojan. He added that the town has recovered just $4,800 of the stolen funds, the proceeds of a single transfer.

More here.

IMF Reports Cyberattack Led to ‘Very Major Breach’

2011-06-11T19:44:00.000-07:00

David E. Sanger and John Markoff write in the New York Times:

The International Monetary Fund, still struggling to find a new leader after the arrest of its managing director last month in New York, was hit recently by what computer experts describe as a large and sophisticated cyberattack whose dimensions are still unknown.

The fund, which manages financial crises around the world and is the repository of highly confidential information about the fiscal condition of many nations, told its staff and its board of directors about the attack on Wednesday. But it did not make a public announcement.

Several senior officials with knowledge of the attack said it was both sophisticated and serious. “This was a very major breach,” said one official, who said that it had occurred over the last several months, even before Dominique Strauss-Kahn, the French politician who ran the fund, was arrested on charges of sexually assaulting a chamber maid in a New York hotel.

Asked about the reports of the computer attack late Friday, a spokesman for the fund, David Hawley, declined to provide details or talk about the scope or nature of the intrusion. “We are investigating an incident, and the fund is fully functional,” he said.

More here.

Programming Note: Headed East to See Family

2011-06-10T03:00:00.000-07:00

Morning Fog in The Blue Ridge Mountains

I'm headed to the beautiful Blue Ridge Mountains of Southwestern Virginia today for a couple of weeks to spend some time with family that I haven't seen in a few years.

Blogging will be virtually non-existent until I return home to Northern California later this month, but thanks for following!

I hope everyone is having a great summer so far...

Cheers,

- ferg

Mark Fiore: Danny Appleseed

2011-06-09T23:24:00.001-07:00

More Mark Fiore brilliance.

Via The San Francisco Chronicle.

Enjoy,

- ferg

Citi Data Theft Points Up a Nagging Problem

2011-06-09T22:34:00.000-07:00

Eric Dash writes in the New York Times:

Citigroup’s revelation that hackers stole personal information from more than 200,000 credit card holders makes it one of the largest direct attacks on a major bank.

Even more striking is that similar data breaches have been occurring for years — and the financial industry has failed to prevent them.

Details remain scarce, but the disclosure of the Citigroup breach on Thursday quickly turned into a debate on whether the banks and major credit card companies had invested enough money to safeguard the personal information of their customers.

“They’re not at all on top of it,” said Avivah Litan, a financial security analyst at Gartner Inc. “It’s almost shocking.”

More here.

Feds Seize Swiss Bank Account of Scareware Mogul

2011-06-09T18:33:00.000-07:00

Tim Greene writes on NetworkWorld:

Federal authorities have seized all the cash in a Swiss bank account held by a scareware mogul and scam artist who is charged with selling phony Symantec security software.

The U.S. Attorney's office in New York filed for the forfeiture of $14.8 million stashed in the account by Shaileshkumar "Sam" Jain, who has fled the U.S. after being charged in the counterfeit antivirus scheme.

Jain was charged three years ago, but has been on the run since after failing to show for court appearances, and is believed to have moved to the Ukraine. He is charged with trafficking in counterfeit goods, wire fraud and mail fraud.

The charges stem from a scheme that employed spam to lure victims to a website where they used credit cards to buy what was purported to be genuine Symantec antivirus software. In return, they were sent counterfeit software from a facility in Ohio, according to U.S. Immigration and Customs Enforcement.

More here.

Citi Says Hackers Access Bank Card Data

2011-06-08T23:04:00.000-07:00

Via Reuters.

Citigroup Inc said computer hackers breached the bank's network and accessed data on hundreds of thousands of bank card holders in the latest of a string of cyber attacks on high-profile companies.

Citigroup said about 1 percent of its card customers were affected by the breach, which a report in the Financial Times said had been discovered in May during routine monitoring.

The names of customers, account numbers and contact information, including email addresses, were viewed, Citi said.

However, it said other information such as birth dates, social security numbers, card expiration dates and card security codes (CVV) were not compromised.

"We are contacting customers whose information was impacted. Citi has implemented enhanced procedures to prevent a recurrence of this type of event," Sean Kevelighan, a U.S.-based spokesman, said by email.

Citigroup joins a growing list of companies that have suffered cyber attacks.

More here.

iCloud Raises Serious Data Security Concerns

2011-06-08T17:38:00.000-07:00

Toney Bradley writes on PC World:

One of the biggest announcements from Apple at this week's Worldwide Developers Conference (WWDC) was the unveiling of iCloud. One crucial element was missing from the Apple magic show, though--will the data be secure?

Apple's iCloud will wirelessly upload music, e-mail, contacts, calendars, and other data, and seamlessly sync and update all associated PCs and iOS devices. The functionality sounds awesome, but you don't have to dig far to find stories of wireless data being intercepts, or data stored online being hacked and compromised.

A simple phishing scam or socially engineered attack could easily dupe a user into surrendering username and password credentials that will expose the data stored in iCloud. In order for iCloud to be a success, Apple has to assure consumers and businesses that the data is protected.

Andrew Storms, Director of Security Operations for nCircle, warns, "Apple's iCloud announcement is missing enterprise security content, and we saw the same thing with the iPhone introduction. They left almost all of the enterprise level security and compliance questions about iCloud unanswered."

More here.

Nearly Two-Thirds of Security Pros Want National Data Breach Reporting Law

2011-06-08T17:31:00.000-07:00

John P. Mello writes on GSNMagazine.com:

Nearly two-thirds of information technology security professionals would like to see a national law on data breach reporting replace the current crazy quilt of state laws governing the issue, according to the findings in a survey released June 8 by San Francisco-based automated security and compliance auditing solutions provider nCircle.

When asked if the federal government should pass data breach/privacy legislation that supersedes existing state laws, 63 percent of 544 IT security pros participating in the poll responded in the affirmative.

“Our respondents are asking the federal government to unify the patchwork of state cyber-security legislation into a single federal standard," nCircle Director of Federal Markets Keren Cummins observed in a statement.

"There certainly has been significant legislative activity on multiple bills in both the House and the Senate, so we may be headed in that direction, but Congress still has a lot of work to do," she added. "Unifying the conflicting provisions across all the bills and creating laws that are prescriptive enough to be meaningful and enforceable is a significant task."

More here.

Greek Police Arrest Teen on Hacking Charges

2011-06-08T12:39:00.000-07:00

Jeremy Kirk writes on PC World:

Police in Greece have arrested an 18-year-old Athens man on suspicion of hacking into the Interpol website and other government sites in the U.S. and France.

The man, whose name was not released, made an appearance in an Athens court on Tuesday. He faces charges of computer fraud, forgery, data use and violations related to the possession of guns and flares, according to the Hellenic Police. U.S. and French authorities assisted in the investigation.

Authorities allege the man conducted the attacks with software used to create botnets, which are computers that are hacked and then remotely controlled by an attacker often without the knowledge of the computer's owner, according to an official at the Secretariat General of Communication, part of Greece's Ministry of Interior.

It is suspected he also conducted distributed denial-of-service (DDOS) attacks, a type of attack that usually intends to make a website become unavailable. The attacks occurred in February 2008 and February 2009 when the man was 16 years old.

More here.

In Business ACH Account Hijacking, Legal Ruling Favors Bank

2011-06-06T12:24:00.000-07:00

Tracy Kitten writes on BankInfoSecurity.com:

A magistrate has recommended that a U.S. District Court in Maine deny a motion for a jury trial in an ACH fraud case filed by a commercial customer against its former bank. According to the order [.pdf], which must still be reviewed by the presiding judge, the bank fulfilled its contractual obligations for security and authentication through its requirement for log-in and password credentials.

Now Mark Patterson, president of PATCO Construction Inc., the commercial customer in the case, says he's weighing his legal options. "Things are not always fair, and we have to decide how long we want to fight the fight," Patterson says. "We do feel very strongly about this issue, but how far do we want to go?"

At issue for PATCO is whether banks should be held responsible when commercial accounts, like PATCO's, are drained because of fraudulent ACH and wire transfers approved by the bank. How much security should banks and credit unions reasonably be required to apply to the commercial accounts they manage?

"Obviously, the major issue is the banks are saying this is the depositors' problem," Patterson says, "but the folks that are losing money through ACH fraud don't have enough sophistication to stop this."

More here.

June 6, 1944: Operation Overlord - D-Day in Normandy

2011-06-06T00:01:00.001-07:00

A United States Navy LCVP disembarks troops at Omaha Beach, Normandy, France on D-Day, June 6, 1944.

Via Wikipedia.

The Battle of Normandy was fought in 1944 between the German forces occupying Western Europe and the invading Allied forces as part of the larger conflict of World War II. Over sixty years later, the Normandy invasion, codenamed Operation Overlord, still remains the largest seaborne invasion in history, involving almost three million troops crossing the English Channel from England to Normandy in then German-occupied France.

The majority of the Allied forces were composed of American, British, Canadian, and French units. Other countries including Australia, Belgium, Czechoslovakia, Greece, the Netherlands, New Zealand, Norway, and Poland also took a major part.

The Normandy invasion began with overnight airborne paratrooper and glider landings, massive air attacks and naval bombardments, and an early morning amphibious assault on June 6, "D-Day". The battle for Normandy continued for more than two months, with campaigns to establish, expand, and eventually break out of the Allied beachheads. It concluded with the liberation of Paris and the fall of the Falaise Pocket.

You Are Not Forgotten.

More here.

Image source: Wikimedia

Flashback: Tiananmen Square Protests, 4 June 1989

2011-06-04T18:14:00.000-07:00

Tiananmen Square Protests

4 June 1989

In Passing: Lawrence Eagleburger

2011-06-04T08:16:00.000-07:00

Lawrence Eagleburger

August 1, 1930 - June 4, 2011

Stolen Data Is Tracked to Hacking at Lockheed

2011-06-03T20:40:00.000-07:00

Christopher Drew writes in the New York Times:

Lockheed Martin said Friday that it had proof that hackers breached its network two weeks ago partly by using data stolen from a vendor that supplies coded security tokens to tens of millions of computer users.

Lockheed’s finding confirmed the fears of security experts about the safety of the SecurID tokens and heightened concerns that other companies or government agencies could be vulnerable to hacking attacks.

The tokens, which are used to protect remote access to computer networks, are sold by the RSA Security Division of the EMC Corporation. RSA officials said Friday that they accepted Lockheed’s findings and were working with customers to offset the risks through other measures.

RSA disclosed in March that hackers had stolen data that could compromise a company’s SecurID system in a broader attack, and the breach of Lockheed, the nation’s largest defense contractor, is the first time that is known to have occurred.

More here.

Gmail Hack Targeted White House

2011-06-03T13:13:00.000-07:00

Devlin Barrett and Siobhan Gorman write on WSJ.com:

People who work at the White House were among those targeted by the China-based hackers who broke into Google Inc.'s Gmail accounts, according to one U.S. official.

The hackers likely were hoping the officials were conducting administration business on their private emails, according to lawmakers and security experts.

The government has acknowledged senior administration officials were targeted in the "phishing'' attacks on hundreds of users of the email service. White House officials declined to discuss who was targeted.

The Obama administration reiterated Thursday that no official messages were compromised. But lawmakers and outside computer-security experts said recent White House history suggests administration officials sometimes use personal email to talk business, despite rules against doing so.

The Federal Bureau of Investigation and the Department of Homeland Security are working with Google to investigate. "These allegations are very serious," Secretary of State Hillary Rodham Clinton said Thursday.

More here.

Attackers Stole Secret Canadian Government Data

2011-06-03T12:28:00.000-07:00

Julie Ireton writes for CBC.ca:

Hackers who attacked two of Canada's federal departments stole classified information before being discovered last January, CBC News has learned.

The revelation comes from documents obtained under Access to Information laws, and contradicts what the minister in charge said at the time.

Six months ago, hackers launched an unprecedented cyber attack on the federal government. In January, the government's computer system came under attack.

Hackers sent malicious emails to staff that appeared to be coming from senior managers. When staff opened the attachments, hackers found a path into the federal network, providing access to classified information.

"Indications are that data has been exfiltrated and that privileged accounts have been compromised," said a memo written Jan. 31, 2011.

More here.

In Passing: James Arness

2011-06-03T11:09:00.000-07:00

James Arness

May 26, 1923 – June 3, 2011

UK: Spies Hack al-Qaida's Inspire Magazine

2011-06-03T10:23:00.000-07:00

An AP newswire article by Paisley Dodds, via Salon.com, reports:

Britain's spy agencies have a new message for terrorists: make cupcakes, not war.

Intelligence agents managed to hack into the extremist Inspire magazine, replacing its bombmaking instructions with a recipe for cupcakes.

It's the first time the agents sabotaged the English-language magazine linked to U.S.-born Yemeni cleric Anwar al-Awlaki, an extremist accused in several recent terror plots.

The quarterly online magazine, which is sent to websites and email addresses as a pdf file, had offered an original page titled "Make a Bomb in the Kitchen of Your Mom" in one of its editions last year. The magazine's pages were corrupted, however, and the instructions replaced with the cupcake recipe.

"We're increasingly using cybertools as part of our work," a British government official who spoke on condition of anonymity to discuss intelligence matters said Friday, confirming that the Inspire magazine had been successfully attacked.

The hackers were reportedly working for Britain's eavesdropping agency, GCHQ, which has boosted its resources in the past several years.

More here.

In Passing: Jack Kevorkian

2011-06-03T10:19:00.000-07:00

Jack Kevorkian

May 26, 1928 – June 3, 2011

Identity Theft to Steal Tax Refunds Goes Through the Roof, Official Reports

2011-06-02T11:19:00.000-07:00

Via FCW.com.

The Internal Revenue Service has seen a nearly fivefold increase in taxpayer identity theft in the past few years — from 51,702 incidents in 2008 to 248,357 in 2010, Larry Margasak reports for the Associated Press. However, a government official recently told a congressional panel that the IRS hasn’t been chasing many of the perpetrators.

Tax identity thieves typically file returns for refunds earlier than legitimate taxpayers, who then receive notification from the IRS that two returns were filed using the same Social Security number, Margasak wrote.

According to the AP article, James White, director of strategic issues at the Government Accountability Office, said in testimony prepared for a subcommittee of the House Oversight and Government Reform Committee that "IRS officials told us that IRS pursues criminal investigations of suspected identity thieves in only a small number of cases."

White said that in fiscal 2010, the IRS' criminal investigations division launched slightly more than 4,700 investigations of all types — far less than the number of identity theft cases.

More here.

Mark Fiore: Snuggly & Otto Pen

2011-06-01T23:36:00.000-07:00

More Mark Fiore brilliance.

Via The San Francisco Chronicle.

- ferg

U.S. Defense Contractors Said to Be Bleeding Secrets to Cyber Foes

2011-06-01T21:45:00.000-07:00

Jim Wolf writes for Reuters:

Top Pentagon contractors have been bleeding secrets for years as a result of penetrations of their computer networks, current and former national security officials say.

The Defense Department, which runs its own worldwide eavesdropping, spying and code-cracking systems, says more than 100 foreign intelligence organizations have been trying to break into U.S. networks.

Some of the perpetrators "already have the capacity to disrupt" U.S. information infrastructure, Deputy Defense Secretary William Lynn, who is leading remedial efforts, wrote last fall in the journal Foreign Affairs.

Joel Brenner, the National Counterintelligence executive from 2006 to 2009, said most if not all of the big defense contractors' networks had been pierced.

"This has been happening since the late '90s," he told Reuters Tuesday. He identified the main threats as coming from Russia, China and Iran.

"They're after our weapons systems and R&D," or research and development, said Brenner, now with the law firm of Cooley LLP in Washington.

More here.

Pentagon: Cyber Attacks Can Justify Armed Response

2011-05-31T17:12:00.000-07:00

Grant Gross and Jaikumar Vijayan write on ComputerWorld:

The U.S. military is prepared to use physical attacks in response to cyberattacks, the U.S. Department of Defense said Tuesday.

The agency, preparing its first cyberspace strategy, is prepared to defend U.S. national security through "all available means," a DOD spokeswoman said.

The Wall Street Journal reported Tuesday that the DOD's Defense Strategy for Operating in Cyberspace, due to be released within the next month, will conclude that physical attacks may be justified in response to cyberattacks on U.S. targets.

The DOD is prepared to "conduct the full spectrum of cyberspace operations" in response to a cyberattack, but the agency's potential response is not limited to cybermeasures, the spokeswoman said. "All appropriate options would be on the table," as they would be in response to a physical attack, she said.

More here.

Second Defense Contractor L-3 'Actively Targeted' With RSA SecurID Hacks

2011-05-31T16:17:00.000-07:00

Kevin Poulsen writes on Threat Level:

An executive at defense giant L-3 Communications warned employees last month that hackers were targeting the company using inside information on the SecurID keyfob system freshly stolen from an acknowledged breach at RSA Security.

The L-3 attack makes the company the second hacker target linked to the RSA breach — both defense contractors. Reuters reported Friday that Lockheed Martin had suffered an intrusion.

“L-3 Communications has been actively targeted with penetration attacks leveraging the compromised information,” read an April 6 e-mail from an executive at L-3’s Stratus Group to the group’s 5,000 workers, one of whom shared the contents with Wired.com on condition of anonymity.

It’s not clear from the e-mail whether the hackers were successful in their attack, or how L-3 determined SecurID was involved. L-3 spokeswomen Jennifer Barton declined comment last month, except to say: “Protecting our network is a top priority and we have a robust set of protocols in place to ensure sensitive information is safeguarded. We have gotten to the bottom of the issue.” Barton declined further comment Tuesday.

More here.

Memorial Day Remembrances: You Are Not Forgotten

2011-05-30T00:01:00.001-07:00

You Are Not Forgotten.

Programming Note: Off to Taipei... Again

2011-05-16T08:36:00.001-07:00

Taipei, Taiwan, and the Taipei 101 Skyscraper

Blogging will be mostly non-existent until the end of the month (beginning today) while business calls me away to Taiwan -- again.

I'll be back in Northern California early in the Memorial Day weekend, so blogging should get back to normal (whatever that is) soon thereafter.

Thanks for reading.

Cheers!

- ferg

Programming Note: ISOI9

2011-05-11T06:00:00.002-07:00

I'm off to Northern Virginia today for ISOI9, hosted by AOL this time around.

Blogging will be pretty much non-existent until the weekend.

Thanks for following.

- ferg

DOJ Wants Wireless Providers to Store User Info

2011-05-10T11:28:00.000-07:00

Declan McCullagh writes on C|Net News:

The U.S. Department of Justice today called for new laws requiring mobile providers to collect and store information about their customers, a proposal that pits it against privacy advocates and even other federal agencies.

Jason Weinstein, the deputy assistant attorney general for the criminal division, picked an odd place to describe the department's proposal: a U.S. Senate hearing that arose out of revelations about iPhones recording information about owners' locations, and, in some cases, transmitting those data to Apple without consent.

Nevertheless, Weinstein said, "when this information is not stored, it may be impossible for law enforcement to collect essential evidence." In January, CNET was the first to report that the Justice Department had started a new legislative push for what is generally known as mandatory data retention.

"Many wireless providers do not retain records that would enable law enforcement to identify a suspect's smartphone based on the IP addresses collected by Web sites that the suspect visited," he added.

More here.

Programmimg Note: ICSJWG 2011 Spring Conference

2011-05-02T06:00:00.000-07:00

Well, I am heading to Dallas, Texas, to attend the Industrial Control Systems Joint Working Group (ICSJWG) 2011 Spring Conference this week.

Blogging will be pretty much non-existent until the end of the week.

Thanks for following.

- ferg

At Long Last...

2011-05-01T21:23:00.001-07:00

Mark Fiore: United States of Reality T.V.

2011-04-27T19:12:00.000-07:00

More Mark Fiore brilliance.

Via The San Francisco Chronicle.

- ferg

DOJ Report Critical of FBI Ability to Fight National Cyber Intrusions

2011-04-27T12:41:00.000-07:00

Michael Cooney writes on NetworkWorld:

Despite a push to bulk up its security expertise, the FBI in some case lacks the skills to properly investigate national security intrusions.

That was one of the major conclusions found in the U.S. Department of Justice inspector general audit [.pdf] of the FBI's ability to address national security cyberthreats today. The DOJ looked at 10 of the 56 FBI field offices and interviewed 36 agents. Of those interviewed, 13 "lacked the networking and counterintelligence expertise to investigate national security intrusion cases."

The good news of course is that the audit found 23 of the agents there were qualified to handle national cyber intrusions, which are the FBI's top online priority. The report says that each of the FBI's 56 field offices has a cyber squad -- some have more than one -- devoted to cybercrime.

The report went on to say that the FBI's strategy of rotating agents every three years among FBI field offices, in an effort to encourage a variety of work experiences, hinders the agents' cybersecurity abilities. That's because upon transfer, these agents may not be assigned a cybersecurity function at the new office, wasting their expertise.

More here.

In Passing: Phoebe Snow

2011-04-26T11:43:00.000-07:00

Phoebe Snow

July 17, 1952 – April 26, 2011

Seattle Police Say 'wardrivers' Are Hitting Small Businesses

2011-04-22T16:42:00.000-07:00

Robert McMillan writes on PC World:

Seattle police are investigating a group of criminals who they say have been cruising around town in a black Mercedes stealing credit card data by tapping into wireless networks belonging to area businesses.

The group has been at it for about five years, according to an affidavit signed by Detective Chris Hansen, a fraud investigator with the Seattle Police Department.

"A number of area small and medium-sized businesses have been targeted in these network intrusions, which have also involved a pattern of financial and personal identifying information (such as credit card information)," Hansen wrote in his affidavit, dated April 13. He declined to comment for this story.

Hansen believes the group has been "wardriving" the Seattle area in a customized 1988 Mercedes Benz, looking for companies using an unsecure Wi-Fi standard called Wired Equivalent Privacy (WEP). WEP has well-documented security flaws and has been considered for years to be unsecure, but was widely used in routers built between about 2000 and 2005. Many consumers and small businesses still use it.

More here.

Love Your Mother: Earth Day 2011

2011-04-22T00:01:00.001-07:00

Love your Mother Earth.

She's the only one we have.

- ferg

Carder Pleads Guilty to Fraud Involving $36 Million in Losses

2011-04-21T13:37:00.000-07:00

Kim Zetter writes on Threat Level:

A hacker and carder has pleaded guilty to trafficking in more than half a million stolen card numbers that resulted in $36 million in fraud losses.

Rogelio Hackett, Jr., 26, pleaded guilty Thursday in Virginia to one count of access device fraud and one count of aggravated identity theft.

The hacker was arrested in 2009 for selling stolen bank card numbers in online criminal forums and IRC chatrooms. When authorities searched his home at the time, they found more than 675,000 stolen credit card numbers on his computers and in e-mail accounts. According to court records [.pdf], more than $36 million in fraudulent transactions have been attributed to the stolen numbers found in Hackett’s possession. Authorities don’t say how many of these transactions were committed by him or by others.

More here.

Mark Fiore: Dumber Than Rocks

2011-04-20T19:49:00.000-07:00

More Mark Fiore brilliance.

Via The San Francisco Chronicle.

- ferg

In Passing: Chris Hondros

2011-04-20T16:00:00.000-07:00

Chris Hondros

March 14, 1970 - April 20, 2011

In Passing: Tim Hetherington

2011-04-20T15:58:00.000-07:00

Tim Hetherington

1970 – April 20, 2011

Oak Ridge National Lab Shuts Down Internet After Cyberattack

2011-04-19T16:39:00.000-07:00

Jaikumar Vijayan writes on ComputerWorld:

The Oak Ridge National Laboratory, home to one of the world's most powerful supercomputers , has been forced to shut down its email systems and all Internet access for employees since late last Friday, following a sophisticated cyberattack.

The restrictions on Internet access will remain in place until those investigating the attack know that for sure that it has been completely contained, said Barbara Penland, ORNL's director of communications.

The lab is expected to restore external email service sometime on Wednesday, however no attachments will be allowed for the time being.

Penland said several other national laboratories and government organizations were targeted in the same attacks, which appear to have been launched earlier this month.

The measures at Oak Ridge were implemented late on Friday night after initial investigations showed that those behind the attacks were attempting to steal technical data from lab's systems and send it to an external system, Penland said.

More here.

Mark Fiore: Pretty Please

2011-04-13T20:25:00.000-07:00

More Mark Fiore brilliance.

Via The San Francisco Chronicle.

- ferg

U.S. Police Increasingly View Private Email, Instant Messages

2011-04-12T11:30:00.000-07:00

Jeremy Kirk writes on ComputerWorld:

Law enforcement organizations are making tens of thousands of requests for private electronic information from companies such as Sprint, Facebook and AOL, but few detailed statistics are available, according to a privacy researcher.

Police and other agencies have "enthusiastically embraced" asking for e-mail, instant messages and mobile-phone location data, but there's no U.S. federal law that requires the reporting of requests for stored communications data, wrote Christopher Soghoian, a doctoral candidate at the School of Informatics and Computing at Indiana University, in a newly published paper.

"Unfortunately, there are no reporting requirements for the modern surveillance methods that make up the majority of law enforcement requests to service providers and telephone companies," Soghoian wrote. "As such, this surveillance largely occurs off the books, with no way for Congress or the general public to know the true scale of such activities."

That's in contrast to traditional wiretaps and "pen registers," which record non-content data around a particular communication, such as the number dialed or e-mail address that a communication was sent to. The U.S. Congress mandates that it should receive reports on these requests, which are compiled by the Administrative Office of the U.S. Courts, Soghoian wrote.

More here.

Mark Fiore: New Nation

2011-04-06T23:18:00.000-07:00

More Mark Fiore brilliance.

Via The San Francisco Chronicle.

- ferg

Mark Fiore: One Day

2011-03-30T21:59:00.000-07:00

More Mark Fiore brilliance.

Via The San Francisco Chronicle.

- ferg

In Passing: Paul Baran

2011-03-27T16:57:00.000-07:00

Paul Baran

April 29, 1926 – March 27, 2011

In Passing: Geraldine Ferraro

2011-03-26T18:37:00.000-07:00

Geraldine Ferraro

August 26, 1935 – March 26, 2011

Man Charged With Hiring Pump-and-Dump Spam Botnet

2011-03-21T17:15:00.000-07:00

Robert McMillan writes on ComputerWorld:

A Texas man was charged Monday by the U.S. Department of Justice with helping to inflate the prices of penny stock companies by promoting them with a spam-spewing botnet of hacked computers.

Christopher Rad, of Cedar Park, Texas, faces a maximum sentence of five years in prison and a $250,000 fine on charges that he acted as a middleman between unscrupulous stock promoters and Russian hackers, who operated the botnet.

Rad allegedly worked with another man, James Bragg, to make the companies' stock-prices move in a scheme that ran between November 2007 and February 2009. In October 2010, Bragg pleaded guilty to his role in the scheme. No date has been set for his sentencing.

Prosecutors say that the two men promoted penny stocks for now-defunct companies such as RSUV (Remote Surveillance Technologies) and VSHE ( VShield Software). They did this not only by using the botnet to spam would-be investors, but also by having their Russian hackers take over brokerage accounts and purchase the stocks they were pumping, so it would look like the companies had market momentum.

More here.

Welcome, Rainy Springtime

2011-03-19T23:30:00.001-07:00

Welcome, Spring 2011.

I'm already sick of rain, wind, and darkness.

Summer can't come fast enough.

Yes, I know we're spoiled here in Northern California -- while the rest of the country has been pounded by snow and bitter cold, we have only had to deal with a little rain and cool weather.

On a better note, we're no longer in a drought emergency situation in Northern California for the first time in a while.

- ferg

Mark Fiore: Disaster

2011-03-17T22:33:00.000-07:00

More Mark Fiore brilliance.

Via The San Francisco Chronicle.

- ferg

Revealed: U.S. Spy Operation That Manipulates Social Media

2011-03-17T19:16:00.000-07:00

Nick Fielding and Ian Cobain write on The Guardian:

The US military is developing software that will let it secretly manipulate social media sites such as Facebook and Twitter by using fake online personas to influence internet conversations and spread pro-American propaganda.

A Californian corporation has been awarded a contract with United States Central Command (Centcom), which oversees US armed operations in the Middle East and Central Asia, to develop what is described as an "online persona management service" that will allow one US serviceman or woman to control up to 10 separate identities based all over the world.

The project has been likened by web experts to China's attempts to control and restrict free speech on the internet. Critics are likely to complain that it will allow the US military to create a false consensus in online conversations, crowd out unwelcome opinions and smother commentaries or reports that do not correspond with its own objectives.

The discovery that the US military is developing false online personalities – known to users of social media as "sock puppets" – could also encourage other governments, private companies and non-government organisations to do the same.

More here.

EU Lawmakers Upset by Poor Protection of Swift Banking Data

2011-03-17T11:56:00.000-07:00

Jennifer Baker writes on PC World:

A second review of the controversial Terrorist Finance Tracking Program (TFTP) has done little to allay European parliamentarians' fears of poor data security.

Last week an internal report by Europol, the European police force charged with overseeing the accord, sparked anger among Members of the European Parliament (MEPs) when it revealed that the written requests made by the U.S. for European banking data were too vague to assess whether they meet European Union data standards. But Europol went ahead and rubber-stamped them anyway. Many members of the Parliament's civil liberties committee said they felt betrayed.

On Wednesday, Isabel Cruz, chairwoman of Europol's internal oversight unit, explained that additional oral information was provided to Europol staff by the U.S. authorities, but that the content of that information is not known, again making it impossible to verify compliance with the TFTP agreement. Her report recommended that in the future, requests must contain more detailed information, specific to each request, and the U.S. authorities may need to provide certain additional information.

The TFTP (also known as the Swift agreement) came into force last August and allows the transfer of European citizens' banking data to the U.S. under certain conditions. One of these was that a high degree of data protection would be enforced and that Europol would oversee the implementation. Under Article 4 of the agreement Europol has the task of verifying U.S. requests for data. However, "we always said it had to be a legal, judicial body to verify the legality of these requests. Europol has a role which is extremely confusing," said Cruz.

More here.

The Culprits?

2011-03-15T21:02:00.003-07:00

The greedy bankers, of course.

If you haven't seen "Inside Job", you really should.

And not a single person involved in this enormous scourge has even been indicted or charged with a crime.

And it continues -- the foxes are in the hen house. Still.

It will make you angrier than you already should be.

- ferg

Obama Admin Calls for More ICANN Accountability

2011-03-14T22:04:00.000-07:00

Declan McCullagh writes on C|Net News:

The Obama administration today called for improvements in the mechanisms used to oversee Internet domain names, saying changes are needed to make the process more "accountable" and "transparent."

Larry Strickling, a Commerce Department assistant secretary, said that the California nonprofit group created in 1998 to oversee these functions--the Internet Corporation for Assigned Names and Numbers, or ICANN--"needs" to do more to explain the reasoning for its decisions and to heed the advice of national governments.

"We still have work to do to make the reality of ICANN meet the vision," said Strickling, who heads the department's National Telecommunications and Information Administration (NTIA). In some areas, he said ICANN's efforts "remain incomplete."

Strickling's comments follow a rare and unprecedented public rift between ICANN and national governments over the rules for approving new top-level domain names. Hundreds of applications for these suffixes are expected later this year, once the process has been finalized, including bids for .car, .love, .movie, .web, and .win.

More here.

German Federal Finance Agency's Web Server Wide Open

2011-03-11T18:27:00.000-08:00

Via The H Security:

Having been informed of serious security problems by the Chaos Computer Club (CCC), Germany's federal finance agency has taken its online service offline. According to the CCC, for several years internet users have been able to set up their own quotes for financial transactions from a web browser and to alter, amend and add to quotes provided by the agency. What is not clear is whether or not this has occurred in practice.

Bundesrepublik Deutschland – Finanzagentur GmbH, also known as the Deutsche Finanzagentur, is a financial services company which deals with placing federal borrowing with large customers and managing federal debt. The agency also offers free portfolio management of Federal securities; a service which private investors can also make use of.

The cause of the problem appears to have been a browser based file manager which was accessible to all users and allowed free access to files on the server. This made it possible to change both settings and content. Because the agency's website also includes an entry page to internet banking services, attackers could have intercepted access data entered by customers – this could have been achieved using a PHP script or by reconfiguring the Apache server, for example.

More here.

Xeth Feinberg: How To Be A Media Pundit

2011-03-09T20:58:00.001-08:00

More Fiore brilliance, this time by Xeth Feinberg (filling in for Mark).

Via The San Francisco Chronicle.

- ferg