Week of May 22, 2005

Articles from last posting

Read Mary's latest Globe & Mail column

The Horns of a security dilemma.

Read about the use of keyloggers to commit cybercrimes, and understand why consumers may get little sympathy from their banks if they fall victim to increasingly cunning phishing attacks.

A related article on HSBC can be located above.

LexisNexis and T-Mobile attacks carried out by resourceful youth

A story in the Washington Post about the recent LexisNexis data security breach and the T-Mobile attack (which left celebrity Paris Hilton's cell phone habits exposed) highlights a number of disquieting facts. Firstly, it seems that both attacks were initiated by a small number of young people, including teenagers and a minor. Secondly, they reportedly used a keylogger-infested virus or trojan to seize control of computers belonging to a broad swath of users, including police officers.

The victims opened what they thought was an attachment containing child pornography. One can only hope that the police officers did so to advance legitimate police work, but in any event, they handed over the keys to the vast Seisint database (owned by LexisNexis) to the gang, when they legitimately accessed a service it provided. The keylogger did the rest.

The youths were then able to open sub-accounts with information the police officer revealed, and eventually sold the data they had gleaned on friends, celebrities and strangers, such as Social Security numbers and other sensitive details, to an identity theft ring in California.

Insiders strike again

The Washington Post article also suggests that the T-Mobile hack was facilitated by a T-Mobile employee at a store in California who was persuaded or cajoled into giving the gang information that was integral to the attack. Social engineering rears its ugly head yet again?

Numerous arrests have been made across the country, and the FBI are dragging various young people at gunpoint from their homes. No doubt they will sing like canaries.

16-year-old Swede - and his trusty keylogger - steals Cisco source code

Yet more highly discouraging news. The Swedish kid responsible for stealing Cisco operating system source code apparently did so with the help of a keylogger, breaching Cisco security with what appears to have been a modicum of effort.

There is a lot of talk nowadays about building security into the network - into routers (many of which are made by Cisco), the gizmos that act as traffic cops and move data around the Internet and around proprietary closed networks. 'Self Defending Networks' (Cisco marketing hoopla) will, we are told, save the day and make the Internet as safe as Bridgehampton.

I would not hold your breath. Although smugness is ill-advised, the fact that the (highly commercial) defenders of the Internet cannot protect the crown jewels of their own operations - such as IP-protected source code - from 16-year-old attackers with garden-variety hacker tools is not reassuring.

Furthermore, as this article suggests, the stolen code is undoubtedly still making the rounds in certain illicit circles, and may help more sophisticated hackers identify additional vulnerabilities in Cisco gear.

The same kid supposedly also broke into NASA's Jet Propulsion Laboratory, the supercomputing network known as the TeraGrid, Patuxent River Naval Air Station, the White Sands Missile Range, the University of Minnesota, University of California at Berkeley, etc.

Assuming he is not the greatest computing genius that ever lived (and the Swedes are indeed very brainy), much soul searching is needed.

Microsoft also had source code stolen some time back; Russians may have been inside its network for months. No one is immune, or so it seems.

And we wonder what sophisticated cyber mercenaries might achieve?

Robin Hood defence sinks like a stone

Several men who may have seen themselves as latter-day cyber Robin Hoods - for freeing a pirated copy of the Windows 95 operating system into the wild two weeks before Microsoft actually released it - are not so merry, and are currently behind bars.

They were the brains behind the UK chapter of DrinkOrDie, an international code-cracking group that bilked the software industry of billions of dollars in sales. The implacable prosecutor and presiding judge were unmoved by the fact that they made no money off the piracy ring, and categorised their actions as straight-up fraud rather than a misguided attempt to 'provide free access to everyone'.

These stories give a whole new meaning to the time honoured adage that 'crime does not pay'. Clearly even crimes that don't pay, don't pay. Way harsh.

Britons headfried with PIN fatigue

According to the UK Evening Standard newspaper, Britons are frazzled trying to remember multiple PIN numbers and passwords, and they are writing them down to try to cope.

A survey of 1,000 adults by Teamspirit, a UK financial services marketing company, found that 8% of respondents kept their PIN beside their credit cards in a wallet or purse, in breach of debit card rules just about everywhere on the planet.

Some desperate types opt for convenience and write the number on the back of the card itself - a tactic guaranteed to send bank and card company executives into paroxysms of agony, and likely to elicit calls for desperate measures against errant consumers.

However, some folk do make a heroic effort to disguise the numbers, writing them backwards - a ploy not nearly sneaky enough to defeat even the average not-so-bright teenager.

The survey found that people have two PIN numbers on average, and six passwords, not including internet banking numbers. But many had far more; in some cases they had as many as 45 passwords to remember.

Not surprisingly, only six in ten people could remember two passwords or PIN numbers, and their powers of recall got significantly worse the more they had to remember. In addition, many of them, to lighten their burden, used the same number over and over.

But confusion is still rife, with people constantly locked out of internet sites when they cannot remember their access codes. Of course, the fact that many retailers are often only too happy to email them their passwords and user ID - fully in the clear - compounds the problem.

The recent migration to a Chip and PIN system in the UK was heralded as the dawn of a new secure era. Alas, not so for consumers, many of whom are still opting to sign for purchases (under the old system) when they cannot recall their PIN number. However, as the system is fully phased in, that option will disappear in most cases.

So headfry is truly alive and well, with little salvation on the horizon. 

Debt collection agencies and law firms buy stolen data

Wachovia, Bank of America, PNC Bank and Commerce Bank have unwittingly assisted sundry collection agencies and law firms chasing debtors, by providing them with data useful to track them down.

Some of their employees, whose ranks allegedly included 'senior personnel' took screen shots of customer account details, and sold them to the lynchpin - a New Jersey operator charged with racketeering - for up to USD 10 per account. As many as 500,000 customer records appear to have been traded. The New Jersey operator resold them for USD 70 to USD 100 per account.

New Jersey police are investigating to see if the buyers knew the source of the data. A number of arrests have been made, including several bank employees. The Wall Street Journal reported that Bank of America has notified in excess of 60,000 customers, and that Wachovia has told over 48,000 customers about the security breach, as a result of receiving from N.J. police copies of computer discs (presumably seized from the criminals) full of customer data.

The victims are located across the US. There is no evidence of identity theft as yet. However, this kind of bad news is undoubtedly the last thing that people already in debt want to hear.


So what's headfry?

Headfry is a common, much used and loved expression in Ireland, the UK and Australia.


Week of Oct 11, 04


Modus Operandi of Phisher Kings Exposed

The Honeynet Project and Research Alliance have released a technical white paper that provides 'behind the scenes information on how phishing attacks are performed'. The paper is based on the research and data collected from the UK Honeynet Project and German Honeynet Project during multiple honeypot compromises.


The paper is a tad heavy going if you are not a techie, but nonetheless it makes interesting reading for the average interested person, and is certainly crucial reading material for the average Chief Marketing Officer.

The following extract sets the tone:

".. phishing attacks are becoming more widespread and well organised. We have observed pre-built archives of phishing web sites targeting major online brands being stored, ready for deployment at short notice, suggesting the work of organised phishing groups.

Such content can be further propagated very quickly through established networks of port redirectors or botnets. When coupled with evidence of mass scanning and hard coded IP addresses in web content and scripts, this suggests that many instances of a particular phishing site may be active at any one time.

Web traffic has been observed arriving at a newly compromised server before the uploaded phishing content was completed, and phishing spam sent from one compromised host does not always appear to advertise the sending host, which again suggests it is likely that distributed and parallel phishing operations are being performed by organised groups.

Our research demonstrates a clear connection between spamming, botnets and phishing attacks, as well as the use of intermediaries to conceal financial transfers. These observations, when combined with quantitative data on mass vulnerability scanning and combined two-stage phishing networks, demonstrate that the threat posed by phishers is real, their activities are organised, and the methods they employ can sometimes be quite advanced.

As the stakes become higher and the potential rewards become greater, it is likely that further advancements in phishing techniques and an increase in the number of phishing attacks will continue in the coming year. Reducing the number of vulnerable PCs contributing to botnets, countering the increasing volume of spam email, preventing organised criminal activity and educating Internet users about the potential risks from social engineering all remain significant security challenges".
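One of the observations above, hard-coded IP addresses in phishing web content and scripts, is something a defender can check for mechanically. The following is an added example, not code from the Honeynet paper or from this site: it parses a page, collects every form action, script source, image source and link, and flags those whose host is a bare IPv4 literal rather than a domain name. The sample page is constructed for the example, and the addresses in it are documentation-range placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample in the style of a deployed phishing kit page: the login
# form posts to a bare IP, a tracking script loads from another bare IP, and
# only the brand logo is fetched from a hostname (a constructed .test name).
SAMPLE_HTML = """
<html><body>
<form action="http://203.0.113.45/cgi-bin/login.php" method="post">
  <input name="user"><input name="pass" type="password">
</form>
<img src="https://www.example-bank.test/logo.png">
<script src="http://198.51.100.7/track.js"></script>
</body></html>
"""

# A host that is four dotted decimal octets and nothing else.
IP_LITERAL = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


class RefCollector(HTMLParser):
    """Collect (tag, url) for every URL-bearing attribute we care about."""
    ATTRS = {"form": "action", "script": "src", "img": "src",
             "a": "href", "iframe": "src"}

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        wanted = self.ATTRS.get(tag)
        if wanted:
            for name, value in attrs:
                if name == wanted and value:
                    self.refs.append((tag, value))


def hardcoded_ip_refs(html):
    """Return the (tag, url) pairs whose host is an IPv4 literal."""
    parser = RefCollector()
    parser.feed(html)
    return [(tag, url) for tag, url in parser.refs
            if IP_LITERAL.match(urlparse(url).hostname or "")]


def is_suspicious(html):
    """Flag the page if a form posts to, or a script loads from, an IP literal."""
    return any(tag in ("form", "script") for tag, _ in hardcoded_ip_refs(html))
```

Relative URLs have no host and are ignored, so a page that only references its own paths is not flagged; the heuristic is a triage signal to combine with the paper's other indicators, not a verdict on its own.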

Brand values impacted

These types of attacks clearly have very serious potential to negatively impact brand awareness in the eyes of consumers, especially if they get burned and are left holding the proverbial bag. They will inevitably wonder why the brand owner - the entity they trusted - did nothing to protect them.
