Articles from last posting
Why security matters and finding an ROI
The joys of encryption; Faster math, but key management issues endure
Going spear phishing? The latest scams
Spyware and Star Wars confusion in the UK
Briton on Crete extorts UK insurer
Bank security chief, 26, steals USD$245,000
Ex-employee steals backup tapes to sell to competitor
New Jersey teen gets 5 years for 'denial of service for hire scam'
Acxiom 'hacker' convicted; Acxiom spin the tale
SA bank takes steps to protect customers
US banks poor on access control; Benchmarking needed
News
DDoS attacks and extortion alive and well
Some recent surveys would suggest that DDoS attacks (distributed denial of service attacks: the bad guys flood you with traffic to take you down), once the bad kid on the block, are dead and gone.
Not so.
This article in ComputerWorld showcases a couple of examples of businesses in the UK and Australia laid low by such attacks. SMEs are less able to defend against them, as they can't afford a zillion servers to pick up the slack when the forest fires start burning.
The extortion messages remain the stuff of bad crime shows. One 'Tony Martino' (too much Sopranos, anyone?) wrote: "You should pay $10,000. When we receive money, we stop attack immediately". Tony even offered a business case for submission: "Think about how much money you lose, while your servers are down."
In return for complete capitulation, the feisty but grammatically challenged Martino (in all likelihood a Boris rather than a Tony, according to UK law enforcement, who suspect Russian organized crime) promised one year's protection for the required $10,000, i.e. he would lay off the attack: a modest markup on traditional security vendors' annual subscription rates.
One of the victims put the attack into rather poignant perspective: "It's very alarming for us that an unknown assailant can do so much to a business that I've spent so many years trying to build."
Security software is a bug laden nightmare (too)
I will be writing about this topic in my next Globe & Mail column; I will post the link as soon as it is up.
Suffice to say, it is horribly scary stuff, but then nothing surprises me anymore.
The basic premise of the story, based in large part on a presentation made by two researchers at the recent and extremely exciting BlackHat event (the venue for the infamous Ciscogate affair), is that the standard of coding in anti-virus products is seemingly very poor, and that these products, from most of the major security vendors, are rife with errors that expose systems to hackers.
The fact that these programmes largely operate with full and trusted access to your beloved PC makes such news all the worse. It is like finding out that your live-in nanny is actually robbing you, and beating your kids for good measure.
The closing comment in this article from Wheeler (the lead researcher) is food for thought for all of us, I think: "Using a security product is supposed to protect you, not hurt you, so having flaws in it kind of defeats the purpose ... I think we're just scratching the surface with AV flaws right now."
And it is yet another dagger through the heart of the 'dummies did it' school of thought when it comes to security management.
Phishers defeat anti-spyware techniques
In July 2005, the Anti-Phishing Working Group (APWG), which tracks the number of phishing attacks in the US, spotted bad guys working their way around systems designed to stop keyloggers from grabbing banking passwords and stealing sensitive data.
They are using 'screenscraper technology' (more jargon) to get around the 'graphical keyboard systems' some of the banks are using to thwart keyloggers: the keyboard is a point-and-click system on the screen, rather than a traditional keyboard, so there are no keystrokes for a keylogger to record.
So the bad guys are simply taking screenshots of the on-screen keyboard as it is used, which they can then 'call home'. Same difference from their perspective. They are also targeting smaller banks, using schemes that mimic the tactics of traditional marketers. It can be very hard to tell the difference.
One alarming statistic: the number of websites hosting keylogger operations rose almost 100 per cent since the previous survey.
A good week for Microsoft investigators
Microsoft investigators and lawyers seem to be on a roll lately.
They recently provided information that led to the capture of two persons in Eastern Europe suspected of unleashing the Zotob worm that caused a number of US news agencies and Canadian banks to come a cropper.
They also helped track down Jayson Harris, 22, newly charged with 75 counts of wire fraud for allegedly stealing credit card numbers and personal data in a phishing scam that targeted Microsoft's MSN customers.
Harris managed to get out on bail without having to post his life, or any savings, or anyone else's for that matter, after appearing before a U.S. magistrate in Rock Island, Ill.
It seems he gave MS a bit of a chase, as they tracked him 'through a couple of San Francisco-based ISPs and a re-direct service in Austria, which pointed back to the U.S.'
However, humble Microsoft sleuths admitted that they are not always so lucky, and that their only hope, as always, is to follow the money trail.
Can, or will, the credit card companies protect us?
It seems the horrendous publicity generated by the recent exposure of as many as 4 million credit card accounts by CardSystems (the Arizona-based payment processor) has caused the card companies to engage in some uncharacteristic soulful introspection, or so the rhetoric goes.
But is that all it is? A face saving PR exercise?
This C/Net news.com article emphasizes what little incentive there is for them to tackle the problem at source, and to call errant merchants and member banks to task for lax security, especially as the card companies collect hefty fees for transactions on their networks.
In addition, they profit if the merchants mess up, through charge-back fees, and the merchants must often eat the full cost of the fraudulent transaction. The card companies also clearly represent their member banks; they are not independent regulators or consumer activists.
Expect the real regulators to take a harder look if the card companies ostensibly cannot, or will not, protect the financial services sector. Or so one can only hope.