Week of August 2, 2005

Articles from last posting

Review of 2005 CSI/FBI Computer Crime and Security Survey

Who's lookin' at you, kid? Spying on hotel guests - and 'fixing' the mini bar tab

Frightening new development for road warriors

If you enjoy a spot of cable TV viewing and Internet surfing when staying at hotels, be warned: you may be under surveillance, and your preferences duly noted.

Hackers armed with gear that can discern what you watched and surfed, and when, can also, if the mood takes them, cause you a mile of bother: checking you out early, setting a wake-up call for 3am, and changing your mini bar tab. Try explaining to Dogbert that you really, really only quaffed 2 mini gin bottles, and not the 20 you overlooked on your bill.

All joking aside, the potential for such an attack to be used by professionals in pursuit of industrial espionage opportunities is very real - although a plethora of bugging devices can already do the job, by and large.

The alarming story can be located here

Chinese student hacker cracks Adecco to pay tuition fees

A 27 year old Chinese student has been arrested in Japan for allegedly hacking into global recruiting firm Adecco, a local travel agency, and numerous other companies, and for stealing 520,000 pieces of personal ID. He then sold the data on an Internet bulletin board, under a disarmingly candid by-line: 'Personal information for sale'.

He told investigators he needed the money to pay tuition fees. If this isn't an argument for free education, I don't know what is.

He is exceptionally lucky it was not his own countrymen who caught him. In the past the Chinese authorities have reputedly executed hackers.

Microsoft bounty pays off

Sven Jaschan, the 17 year old German author of the infamous Sasser and NetSky worms that caused havoc in May 2004, was tried in a German juvenile court and got off lightly - with a sentence of one year and nine months' probation, and 30 hours of community service in a hospital or old folks' home.

Prosecutors sought a two year prison sentence, and 200 hours of community service, but there appears to have been fairly widespread sympathy for the teen throughout Germany.

'Der Spiegel'- a kind of Time magazine of Germany- with typical journalistic flourish labelled him (with a cute play on the German) a kid who was "well meaning, but poor in execution".

The defence argued that Jaschan was trying to nuke the MyDoom virus with NetSky, but his well meaning 'do-gooder' instincts were sadly not complemented by the requisite technical acumen to carry it off - and it all went horribly awry.

Subsequent versions of the evil MyDoom virus ridiculed Jaschan for his ill-fated efforts.

Jaschan has the dubious distinction of being the first catch in the MS bounty net - his classmates supposedly ratted him out. An official MS press release indicated that two of his pals will share in a bounty of USD $250,000 - a tidy sum in small town Germany.

A bitter pill

"Hi- ho, hi- ho. It's off to work (in a security company) I go.."

The fact that Jaschan was offered a security job in the midst of his legal woes - a job he undoubtedly was happy to scurry off to after his close shave in juvenile court - has proven to be a sore point for many global commentators. They feel he should do hard time in a Gulag, and have to break a few rocks under punishing sunshine, and so on.

However, many of these teens are indeed perfectly capable of being rehabilitated, and the machismo 'teach them a lesson' mentality may, on occasion, be most ill-advised.

"Act of provocation" leads to jail time for Hungarian hacker

Although the good fortune of convicted German 'Sasser' hacker Sven J - happily working days in his security job - might lead one (unwisely) to assume otherwise, hacking your way into a job is not a guaranteed road to success.

A 26 year old Hungarian who hacked into the intranet of Swedish mobile giant Ericsson, and accessed classified 'Top Secret' documents - with the deluded aim of provoking them into giving him a job - has been sentenced to three years in jail for his efforts, and convicted of industrial espionage and other offences.

It is, of course, most disquieting that the security around 'Top Secret' documents at a company like Ericsson can be breached so easily.

Microsoft goes on buying spree

If you have a hot security company in need of a white knight, or an influx of capital, now may be the time to wave it under Microsoft's formidable nasal cavities.

MS recently bought an undisclosed stake in Finjan Software, and obtained non-exclusive patent licensing rights to various Finjan security related IP.

An encouraging note

Incurring the wrath of the Redmond giant is not, apparently, injurious to one's chances of being taken out.

MS has had a fractious relationship with Finjan, in recent times sparring over the publication of security vulnerabilities Finjan found in Windows XP Service Pack 2 (the much-hyped security 'fix' from MS). MS apparently didn't take kindly to the suggestion that XP SP2 was less than perfection, and a war of words erupted.

Ciscogate

But at least MS did not seek an injunction to keep Finjan silent - a new Cisco tactic that has received much (mainly negative) press comment, including an unflattering overview of the events at the BlackHat security conference that led up to the ruckus, by David Bank in the WSJ.

Indeed, the antics of Cisco - ripping pages from BlackHat conference binders to prevent disclosure of a flaw in their cash-cow routers - made them look like school yard bullies, and almost certainly brought far more attention to the flaw than if they had left well alone and taken their lumps.

By an interesting coincidence, Cisco also has a stake in Finjan.

MS also plans to buy FrontBridge Technologies -a secure messaging service provider, to complement MS Exchange.

Ballmer (MS's ebullient CEO) recently broke with tradition (he was opposed to acquisitions in past years), and announced that his wallet is fat, and he is going shopping. The incumbent security vendors are well advised- unless open to being taken out - to quake in their collective boots.

MS shames developers with hacker feats

It seems MS has decided to bring a selected few hackers into the blue-badged fold- at least to the extent of inviting them to shame MS developers with Windows hacking feats.

Red faces abounded, it seems. Very, very cunning.

MS anti- piracy initiative broken in one day

One can hazard a guess that MS's new found ambivalence towards hackers does not extend to the great unwashed who broke its much derided scanning technology - intended to ensure that you are using a valid MS product - within a day.

Cisco's security woes continue

It seems that the much heralded Cisco 'self defending network', can't do one thing well - that is, defend its own perimeters.

It has apparently acknowledged a problem with the cisco.com web site that may have exposed the passwords of registered users.

Finger pointing begins in 40 million credit card hack

A fascinating report in CIO Insight makes it clear that the fallout from what may be the largest data breach case to date will be ugly, and most unsportsmanlike.

No Marquess of Queensberry rules here, I fear. Everyone and anyone concerned they might remotely carry any portion of the blame for the fiasco appears to be headed for the proverbial hills, with huge signs - "it wasn't me" - plastered on their heroic backs.

In testimony to a US congressional committee investigating the fiasco, David Watson, the Chairman of Merrick Bank (one of the US banks that used the disgraced payments processor CardSystems), revealed the role of Cable & Wireless Security (since sold to Savvis Communications) in the debacle. C & W, now Savvis, did the security audit for CardSystems in 2003 that infamously gave them a clean bill of health.

Ubizen, a security company called in by Merrick to do a forensic audit at CardSystems when the problems came to light, found evidence of non compliance with Visa rules, and sundry security hazards - dating back to 1998.

John Perry, CardSystems CEO - clearly reaching for whatever straws come his way - has intimated that it was Savvis that botched the audit, and suggested that staff involved in the audit are uncontactable. He also indicated that he relied upon C & W (now Savvis) to ensure that CardSystems was playing by the Visa credit card company rules.

The CSO at Savvis (who was also CSO at C&W during the relevant period) has predictably reacted with a furious denial, calling Perry a liar, and suggesting that CardSystems may have concealed from his audit team the machines that retained the illicit data.

Meanwhile, to add fuel to the fire, Visa has stopped using Savvis, and asked it to revalidate previous audits and to explain the discrepancy with the Ubizen audit results.

Repercussions

Visa has cut off CardSystems, and American Express has indicated it will do the same. MasterCard seems to be more forgiving, and has given CardSystems until August 31, to put its house in order.

Perry, the beleaguered CEO, faces the real and present danger that the lapse- however caused- may cost him his business.

US banking regulators issue guidance on spyware prevention and detection

The US Federal Deposit Insurance Corporation (FDIC) has issued guidance to member banks as to how to address the spyware issue.

The 4 page document provides a nice overview of the threat, including the use of keyloggers, and makes recommendations to mitigate the risks, such as suggesting that financial institutions 'expand the risk-assessment process to consider threats from spyware... this ensures that the financial institution considers all risks to private customer information and takes appropriate steps to mitigate those risks'.

Steps to rein in inappropriate Internet behaviour by staff are also suggested, and emphasis is placed on the need to enforce these policies. Employee access to P2P and IM messaging services should also be curtailed, unless 'a legitimate business need' is present.

Banks are also encouraged to investigate 'multi-factor authentication methods' to thwart id thieves.

In addition, the need for user awareness education and training is emphasized, and especially the need to avoid public computers when connecting to 'on line banking Web sites'. Customers should also be 'encouraged' to take steps to 'prevent and detect' spyware on their own computers.

The document wisely falls short of calling all customers errant dummies primarily responsible for their own misfortunes, but does not suggest that banks should pick up the tab for customers who suffer losses as a result of phishing scams, etc.

Indeed, it is a carefully worded 'word to the wise' to member banks- to whom none of this should remotely come as a surprise - to be on their guard, and to up the ante in advising users about possible threats. However, it markedly avoids attempts to alarm users to the point of discouraging them from using a very lucrative channel to market.

However, some banks, as we have previously pointed out, have taken the position that they will attempt to foist all liability for losses incurred in the e-banking arena onto customers - when spyware is located on their home PCs.

Such draconian action is clearly a little too rich- at least at this juncture- for the regulators.

But neither do they explicitly rule it out.
