Saturday, January 27, 2007

 

Preventing data breaches is hard; detecting them later can be harder

Jaikumar Vijayan
January 26, 2007 (Computerworld) Protecting corporate systems against intruders isn't easy. But detecting a breach that has already happened can sometimes be even harder, IT managers and analysts said this week in the wake of the high-profile data compromise at The TJX Companies Inc.

The system intrusion at the Framingham, Mass.-based retailer occurred last May but wasn't discovered until mid-December -- seven months later.

In a similar incident at Ohio University last year, a server break-in that exposed the personal data of about 137,000 alumni went unnoticed for more than a year until it -- and several other breaches -- were discovered last spring.

The time gap between the intrusion at TJX and its discovery, though large, isn't entirely surprising given the myriad ways attackers can gain access to systems and then conceal their tracks, said Drew Maness, a senior security strategist at a large entertainment company that he asked not be named. "The reason it's so difficult [to discover a data breach] is because it can come at you from any angle," Maness said. "With physical security, it's very rare that someone breaks in through a side wall on the eighth floor. With computer security, they come in through that side wall."

To quickly and consistently detect such intrusions, IT managers need to be able to collect and analyze literally every transaction flowing through their networks in real time, according to Maness. "You've got to know what every single packet on the network is doing, where it's coming from, where it's going and which ones are bad."

That can be a huge challenge, considering the sheer number of transactions and the terabytes of storage space required on a daily basis to capture and store all of them, said David Jordan, chief information security officer for Virginia's Arlington County. It also requires comprehensive modeling of typical network behavior enterprisewide so any abnormal activity can be pinpointed, Jordan said.

For now, at least, there are few out-of-the-box products that can help companies do end-to-end log collection and real-time data correlation and analysis, said Amer Deeba, vice president of marketing at Qualys Inc., a vulnerability management services provider in Redwood Shores, Calif. And the cost to custom-build such capabilities can be prohibitive, added Deeba.

But there are some tools that IT managers can use to address parts of the challenge, Deeba noted. For instance, several logging and monitoring tools are available for quickly detecting unauthorized database activity.

USEC Inc., a $1.6 billion energy company in Bethesda, Md., uses an appliance from Guardium Inc. to monitor the activities of the database administrators who manage the Oracle and SQL Server databases underlying its financial applications. The Guardium device can detect unauthorized changes and other policy violations that could affect the integrity of USEC's financial data in real time, said CIO David Vordick.

The technology also enables USEC to monitor compliance with its Sarbanes-Oxley financial reporting obligations and provides the company with a real-time, security-alerting capability, Vordick said.

Accor North America, a Carrollton, Texas-based company that operates hotel chains such as Red Roof Inns and Sofitel, is using a similar monitoring technology from Imperva Inc. to monitor for unusual database activity as it occurs. Such tools can allow companies to move from a "passive security" model to a more aggressive one, said Jaimin Shah, a senior security engineer at Accor.

Unlike the logging capabilities built into database products, stand-alone database monitoring tools are optimized for security and have less of an impact on performance, said Phil Neray, a vice president at Guardium. Stand-alone products such as Guardium's are also more difficult to turn off by privileged users and are able to generate real-time, policy-based alerts, he said.

Extending the same kind of monitoring to all network and system assets could help detect suspicious activity more quickly, Shah said. "The problem is that monitoring generates a tremendous amount of logs," he said. The challenge lies in "getting the right information as quickly as we can" from the log data.

Some vendors such as LogLogic Inc. are beginning to offer more efficient ways to sift through voluminous log data and focus on the issues that matter, Maness said. Such products can complement security event management tools, he said.

LogLogic's hardware appliances are designed to automatically capture and store log data from firewalls, routers, servers, applications, operating systems and other devices, said Andy Lark, a spokesman for the San Jose-based company. The appliances can be configured to generate near-real-time alerts when the logs show violations of predefined policies, such as those associated with Payment Card Industry standards, he said.

Products from vendors such as Vericept Inc. and Vontu Inc. that allow companies to monitor the content flowing across their networks can also be useful, Maness said. The products work by inspecting every packet flowing across a network and sending an alert when prohibited or sensitive data is found, he said.

An emerging class of network behavior analysis tools from vendors such as Arbor Networks Inc., Mazu Networks and Lancope Inc. is beginning to give companies a way to more quickly detect unusual or suspicious network behaviors, according to a November Gartner Inc. report. The products work by analyzing traffic and creating a baseline model of typical network behavior. They can then be used to generate real-time alerts when behavior strays from that norm.

Such products are designed to provide a defense against unknown vulnerabilities and threats, said Marty Roesch, chief technology officer and founder of SourceFire Inc., a Columbia, Md.-based vendor of network behavior analysis products. "It is somewhat naive to assume that people are going to be able to craft detection capabilities for every possible break-in," he said. Behavior analysis tools can enable a "continually updated awareness" of the network to detect patterns that might otherwise be missed.

 

Banks scramble after cyber-breach

Stolen card numbers could mean millions in losses.
Richard Burnett
Sentinel Staff Writer

April 21, 2006

From Citibank to SunTrust, credit unions to community banks, America's financial institutions are scrambling to deal with the biggest cyber-heist of customer debit-card numbers to date.

The huge computer-hacking incident, which took place more than a month ago, has led to potentially millions of dollars in theft by a global ring of hackers using the stolen debit information and personal-identification numbers, industry experts said this week.

In recent weeks, the nation's banks have quietly tried to extinguish the problem by closing hundreds of thousands of debit-card accounts and providing customers new cards, account numbers and PINs, industry officials said.

Exact figures are unknown -- some banks have reported numbers; others have not. It is thought that at least 350,000 accounts across the country were defrauded, involving more than $10 million in losses, according to some experts.

"In terms of financial damage, this is definitely the biggest documented case of debit-card fraud we know of," said Avivah Litan, a banking analyst and online-fraud expert for Gartner Inc., an information-technology research company.

Central Florida's three major banks -- Bank of America, Wachovia and SunTrust -- have acknowledged notifying certain customers about the problem, closing an unspecified number of accounts and issuing new cards and PINs.

The banks said they are closely monitoring the affected accounts for suspicious activity and that a large majority of their customers were not hit by the electronic theft.

Customers whose accounts may have been affected are getting new cards in the mail with letters instructing them to destroy the old ones. Most banks are telling customers that their old cards may have been exposed to fraudulent activity because of a "third-party" security breach.

Kurt Koehler, a Valencia Community College student and part-time house painter, said he got a notice from Bank of America that included a new debit card but said little.

"It was very low key, not a big deal; but it didn't give much information at all, nothing about how it happened or when it might have happened," he said. "And that made me feel even more uneasy."

SunTrust began to take action about four weeks ago after detecting fraudulent charges on some accounts, bank spokesman Hugh Suhr said. Not all customers who were contacted were victims of fraud, he said.

"Our card processor gave us a list of account numbers that might have been compromised," Suhr said. "As a precaution, we've been replacing them in several waves. We're probably in the final wave of that right now."

The financial-services industry's latest security breach came after a series of incidents last year in which more than 50 million account numbers were stolen or misplaced and exposed to potential fraud.

In one case alone, hackers invaded the computers of an Atlanta-based credit-card-processing company, stealing an estimated 40 million credit- and debit-card numbers. The company, CardSystems Solutions Inc., processed card transactions for Visa, MasterCard and all major card brands.

The current case, however, has triggered even more fraud than the CardSystems incident, banking officials said. That's because this time the hackers also captured customer PINs, which made it possible for them to quickly make unauthorized purchases from all over the world and loot accounts from any automated-teller machine.

Banks are trying to find out who's responsible for the breach, said Doug Johnson, counsel for the American Bankers Association. The evidence suggests that it occurred in the retail sector, not the banking system, he said.

"We believe there's a retailer at the end of this chain that was improperly storing PIN-number information in their computer database," Johnson said.

Last month, Visa issued a warning that identified office-supply retailer OfficeMax Inc. as a source of the breach. OfficeMax denied involvement.

Litan, the Gartner analyst, said the source of the problem is more likely a third-party transaction processor that works electronic transactions for a number of retailers. Technically speaking, it is more likely the hackers captured the PIN data as it was speeding through the third-party computers, she said.

Whatever the source, Litan said the banks are being more proactive than ever in dealing with this case. In past breaches, many banks were hesitant to notify customers and reissue cards until actual fraud occurred, she said.

"When you're talking about debit fraud that involves the use of PINs, the banks are required to absorb those losses," Litan said. "With credit-card fraud and debit fraud involving signatures, the losses are eventually shifted to the retailers. That's why the banks have been taking action so quickly this time."

Law-enforcement agencies have also focused on the financial sector's latest security breach. Although the hacker ring is thought to be based in eastern Europe, authorities last month arrested 14 people from New York to Georgia on charges of buying stolen debit-card data, creating counterfeit cards and using them to make fraudulent purchases. Several suspects have already pleaded guilty.



Sunday, January 21, 2007

 

MoneyGram Security Breach Affects 79,000 Customers

Fri Jan 12, 2007 11:01 PM GMT

NEW YORK (Reuters) - MoneyGram International Inc., the second-largest U.S. money transfer company, on Friday said someone illegally obtained access through the Internet to a company server containing personal data for about 79,000 customers.

The Minneapolis-based company said data that might have been accessed include names, addresses, phone numbers, biller account numbers and bank account numbers. Social Security, driver's license and state identification numbers were not accessed, it said.

MoneyGram said it is notifying customers of the breach, which it called "isolated," and which it said involved customers who made payments to a single biller. It said it is working with law enforcement on the matter, and that forensic experts have not determined whether data were compromised.

The company said it is offering the affected customers free credit monitoring for one year. It does not expect the breach to materially affect financial results.

The company's shares fell 39 cents to $29.03 in afternoon trading on the New York Stock Exchange.



 

Statement From Scott & Scott LLP In Response To MoneyGram Data Breach

DALLAS-(Business Wire)-January 16, 2007 - "It was recently disclosed that the personal data of approximately 79,000 MoneyGram(R) customers may have been compromised as a result of a data security breach. In response, legal and technology services firm Scott & Scott wishes to remind businesses that there is no such thing as a completely secure network. Every enterprise with electronic data is at risk of a data security breach, largely as a result of several factors:

— Mobile Devices: The dramatic increase in the use of laptops and personal digital assistants puts enterprises at significant risk of a security breach, because the equipment is often lost or stolen

— Employees: One-third of all employees steal from their employers; included in this statistic is the theft of corporate information

— FTP (File Transfer Protocol): While FTP sites offer convenient remote access to files, they also provide the most direct route into a server. Carelessness can disable an entire network in seconds

— E-mail: 75-95% of all corporate e-mail traffic is dangerous. Any employee who opens a personal e-mail at work can download a virus, leaving the network highly vulnerable to data security breaches

Scott & Scott recommends that companies equip every device containing confidential information with desktop security protection, including proper authentication and encryption technology. Further, encrypting data eliminates the need in many states for enterprises to alert their customers in the event of a data security breach. These steps significantly reduce the risk of potentially catastrophic business implications that are associated with legally required breach notifications.

This incident also highlights the need for companies to investigate and consider purchasing insurance to cover the strong potential for a security breach. Many forward-looking insurance providers have filled the void for network security insurance coverage of a variety of types, including inside job coverage, service provider coverage, employee claimant coverage, regulatory coverage and third-party handling coverage.

Even the few businesses that have implemented the most aggressive encryption, firewall and authentication technologies are well advised to consider obtaining data security and privacy insurance coverage in order to mitigate the financial risks of a network security breach. Those that are less prepared should strongly consider it."

Editor's Note: Julie Machal-Fulks is an expert in IT compliance management and focuses her practice on IT asset management, network security, and privacy. Julie graduated with honors from Texas A&M - Corpus Christi, earning a B.A. in English. She received her law degree from The University of Houston Law Center where she was inducted into the Order of the Barristers. Julie's article, "Privacy, Network Security, and the Law," was recently published in the IT Compliance Journal.

Scott & Scott (www.scottandscottllp.com) is a leading law and technology services firm dedicated to helping senior executives prepare for, mitigate the risks of and respond to network security breaches. Scott & Scott's legal and technology professionals provide network security and privacy solutions, all protected by attorney-client and work-product privileges.



 

Debit cards canceled after security breach

Jan 17, 2007


Fitchburg Savings Bank replaces cards after warning from Visa USA

By Andi Esposito Business Editor
aesposito@telegram.com

FITCHBURG— About 1,300 debit-ATM cards issued by Fitchburg Savings Bank were deactivated yesterday after the bank was told by Visa USA that a “large-scale data compromise” may have included its check cards.

None of the cards was used fraudulently and all are being replaced, said Martin F. Connors Jr., bank president and chief executive officer. “If someone has the person’s information, at this point they can’t do anything with it,” he said.

Mr. Connors said he was aware of at least one other financial institution in Worcester County with far more cards affected by the security breach. A broader problem was confirmed by the Massachusetts Bankers Association yesterday.

“It appears that Visa has notified a number of banks in Massachusetts that a large-scale retailer has had a problem with some of its customer data,” said Bruce E. Spitzer, an MBA spokesman. “Quite a few banks are replacing cards or notifying customers to be extra vigilant in monitoring their accounts. If a card needs to be reissued, the bank will do it.”

Another source indicated that the breach may be broader than Visa cards.

Mr. Connors said customers should receive new debit cards within a week. Cardholders may activate their new cards immediately by going to one of seven Fitchburg Savings Bank branches with proper personal identification and changing the PIN on their new card. Or they can wait to receive a new preassigned PIN in the mail and follow the activation instructions, the bank said in a letter dated yesterday to customers.

The bank also recommended customers review their account transactions online, through a telephone banking system or when their paper statement arrives and report any suspicious transactions.

The problem at Fitchburg Savings is only with debit cards; the bank is not a direct issuer of credit cards, said Mr. Connors. If there was fraudulent use, a customer would be reimbursed and the bank would take action against Visa, he said.

Under Massachusetts law, consumers are liable for up to $50 if a debit or credit card is used fraudulently and there is no time limit in which to report the fraud, said David J. Cotney, chief operating officer for the state Division of Banks.

Visa is not required to report card security breaches to the state, said Mr. Cotney.

Visa is also not required to reveal the source of the breach to financial institutions.

Mr. Connors said the bank found out about the problem early yesterday and called in an emergency operations team at 7 a.m. to start card deactivation, which was completed by 9 a.m. The costs of such breaches are not inconsequential. Not only would the bank absorb any potential card losses, it will shoulder the costs of deactivation and card replacement, customer communications and the loss in fee income while cards are being replaced and not in use, said Mr. Connors.

Visa, MasterCard and others have mandated Payment Card Industry Data Security Standards for handling credit and debit card information. The requirements apply to members, merchants and service providers that store, process or transmit cardholder data. A spokesman for Visa said last night that he couldn’t provide any immediate information about the breach.



 

AG's Office: Security Breach Victims Need to Protect Themselves

State Attorney General Roy Cooper said North Carolinians who get word that their personal information could be at risk because of a security breach need to take steps to protect themselves.

In December, a state Department of Revenue laptop containing information about approximately 26,000 consumers and 7,700 businesses was stolen.

As required by law, the department notified Cooper's office and sent letters to people affected by the breach.

“We pushed for laws that require government and businesses to notify consumers when a security breach puts them at risk of identity theft,” said Cooper. “Consumers who get one of these notices can act fast to protect their good names.”

A security breach happens when data or records containing personal information such as Social Security numbers or bank account numbers are lost or stolen.

Under state law, state and local governments as well as businesses must notify consumers if a security breach may have compromised their personal information and potentially placed them at greater risk of identity theft.

Copyright 2007 by WRAL.com. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.



 

UT Dallas computer security breach potentially exposed 35,000 people

Friday, January 19, 2007

By Pegasus News wire

Remember that UT Dallas computer security breach this past December that potentially affected 6,000 people?

Well, make that 35,000 people. From UT Dallas:

The completed analysis of networked computing resources at The University of Texas at Dallas indicates approximately 35,000 individuals potentially have had sensitive information exposed by a computer network intrusion.

The increase includes approximately 29,000 University of Texas at Dallas library patrons, including those who may hold cards from other libraries who have used the UT Dallas library. Data potentially exposed in that group consists of names and social security numbers only.

There continues to be no indication that the information has been disclosed, disseminated or used to anyone’s detriment at this time.

Other individuals whose information is known to be involved include:

In the Erik Jonsson School of Engineering and Computer Science, students and faculty as well as applicants for admission dating as far back as 1993.
All staff and faculty of the University who were employed from January 1999 through August 2005.
The information that may have been exposed includes names and Social Security numbers, and in some cases addresses, e-mail addresses and telephone numbers.

Investigation of the incident by law enforcement authorities continues. The University is in the process of contacting by U.S. mail those individuals whose information could have been exposed. Individuals who are concerned that they might be affected by this intrusion are encouraged to go to utdallas.edu/datacompromise to learn how to protect their credit information.



 

Analyst: Online ID fraud is hyped; real problem is off-line

Eric Lai
October 25, 2006 (Computerworld) Despite incidents such as the $22 million in losses suffered by E-Trade Financial Corp. and TD Ameritrade Holding Corp. from online identity fraudsters, the problem of online identity theft is vastly hyped when compared with its more prevalent off-line equivalent, according to one analyst group.

The two leading online stock brokerages have admitted in recent days that overseas hackers used software to steal personal customer data to access and create trading accounts as part of a stock-fraud scheme.

While keylogging software, phishing e-mails that impersonate official bank messages and hackers who break into customer databases may dominate headlines, more than 90% of identity fraud starts off conventionally, with stolen bank statements, misplaced passwords or other similar means, according to Javelin Strategy & Research.

"An insignificant portion of identity fraud actually starts with the Internet," said James Van Dyke, president of Javelin, who pointed out that many firms still rely on simple security questions such as one's mother's maiden name. "The Internet always grabs the headlines, but it is individuals who are close to the victims, such as family and friends, that are doing most of it," he said.

The Pleasanton, Calif.-based research firm has polled 5,000 consumers by telephone for the past three years. Extrapolating from that sample, Javelin estimates that identity fraud in all its forms resulted in $56.6 billion in losses last year.

While fraudsters often use the Internet to access existing bank, phone or brokerage accounts or to create new ones using stolen details, in only one out of 10 of those incidents did the actual theft of the personal data take place through e-mail or the Web or somewhere else on the Internet, according to Javelin. "No matter how you slice the data, it's really hard to arrive at a scenario where the Internet could be the source of the majority of identity fraud," Van Dyke said.

All told, 4% of Americans were affected by identity fraud in 2005, a statistic that is slowly shrinking, though the value of each fraud incident is growing, Van Dyke said. The total losses attributed to identity fraud have held steady the past three years.

Bank customers in the U.S. are not the most frequent targets of the most common form of online identity theft, phishing attacks. Statistics from antimalware vendor McAfee Inc. show that more than half of all recent phishing attacks involved e-mails from a sender masquerading as VolksBank, a German bank, with another quarter targeting customers of U.K. bank Barclays PLC.

EBay Inc., through its namesake auction site as well as its PayPal financial site, is impersonated in phishing e-mails 14% of the time. Fraudulent e-mails purport to be from Bank of America Corp. and Nationwide Bank 3% and 1.5% of the time, respectively.

Van Dyke argued that U.S. financial institutions, by and large, are taking the right steps to protect themselves and customers from identity fraud.

According to a report released this month, more than half of the 24 leading U.S. financial institutions surveyed met Javelin's criteria for having good policies for detecting identity fraud. That's up from a third that won praise for their efforts in 2005.

Policies that "deputize the customer," such as those that let customers set triggers to receive e-mail or phone alerts when their account status or personal information changes, or that allow them to opt out of receiving paper statements via the mail, aid in customer self-detection and reduce proven risks, Van Dyke said.

Bank of America was ranked the safest bank, followed closely by JP Morgan Chase & Co. and Washington Mutual, according to Javelin's "Banking Identity Safety Scorecard."

Bank size does not always correlate with safety, said Van Dyke, pointing to KeyCorp, a large regional bank based in Cleveland. It ranked as the fourth-safest bank. The next five banks, in order, were Fifth Third Bank, Wells Fargo, Marshall & Ilsley Bank, Sun Trust and Citibank.

E-Trade, which said last week that it had lost $18 million to fraud, was ranked 17th. TD Ameritrade, which lost $4 million to identity fraud, was not ranked.

TD Ameritrade's CIO, Jerry Bartlett, agreed that eliminating risk on the consumer side is paramount. The Omaha-based online brokerage offers free downloadable software so customers can scan for and eliminate data snooping programs. It also lets customers set e-mail alerts when money transfers are requested or personal account details are changed.

But Bartlett was unsure whether conventional identity theft really remains a much bigger problem than fraud that begins online. "We know from experience that there is a lot of sharing of user IDs and passwords. And once you begin sharing them and writing them down, you lose control of them, like throwing away personal bills without shredding them first," Bartlett said. "But I'm not sure if regular fraud is an order of magnitude larger than online fraud."

 

Hackers steal $35,000 from customers of federal savings plan

Linda Rosencrance
January 19, 2007 (Computerworld) Hackers stole $35,000 from two dozen users of the Thrift Savings Plan (TSP), a retirement savings and investment plan for federal employees.
In late December, the computers of several TSP participants were infected with keylogging software that allowed criminals to record all keystrokes made by participants without their knowledge. The hackers also retrieved the customers' TSP personal identification number and other account information, according to a statement on the TSP Web site. However, the TSP's system was not breached, the company said.
"We were able to identify approximately two dozen participants who had relatively small amounts withdrawn from their accounts and electronically forwarded to fraudulent accounts," the TSP said. "Although we are working with the financial companies involved for the return of the funds, the total amount of loss involved is approximately $35,000. All affected participants have been notified."
"External penetration testing has demonstrated that our system has not been breached," the TSP said. "There is no evidence of any successful attacks against the system to identify a PIN and thus obtain access."
TSP officials said the personal information was compromised when keyloggers monitored each keystroke made by the users while they entered their TSP information into their own computers. All cases that have been identified involve electronic funds transfers. As an added security measure, the TSP has discontinued making these electronic payments for online transactions.
The TSP said over the coming months, it will be introducing several enhancements to the Web site, including a new alert message, more robust Web passwords and TSP account numbers, which will replace the use of the Social Security numbers for most TSP purposes.
A TSP spokesman declined to comment beyond the statement.



 

Retailer TJX reports computer hack

The extent of the breach of TJX Companies’ network is still unclear
By Ellen Messmer, Network World, 01/18/07

Framingham, Mass.-based retailer TJX Companies, which operates T.J. Maxx, Marshalls and other stores, warned customers that its computer network has been broken into, compromising customer credit-card information and other data.

In a letter posted on the TJX Web site today, company founder and chairman Ben Cammarata wrote of his disappointment about the discovery of the unauthorized intrusion into the company’s network, and said an investigation is ongoing to understand its consequences more fully. TJX has set up toll-free phone numbers in the United States, Canada, the United Kingdom and Ireland to take questions from customers about the security incident.

“I can tell you that we were extremely disappointed when we determined that we have suffered an unauthorized intrusion into our computer systems that process and store information related to customer transactions,” Cammarata stated in the public letter. He noted: “While there is much we still have yet to understand about this issue, I can assure you that we are taking steps to safeguard confidential information and working closely with law enforcement in the U.S., Canada and the U.K. so that those responsible for this act will be brought to justice.”

In a separate statement, TJX said it discovered the intrusion into its systems for processing credit, debit and returns in mid-December 2006 and immediately notified law enforcement. TJX added that “it immediately engaged General Dynamics and IBM,” hiring them to “monitor and evaluate the intrusion, assess possible data compromise, and seek to identify affected information.” The two vendors are also expected to help TJX upgrade its systems.

TJX so far has determined that the intrusion involves computers pertaining to its T.J. Maxx, Marshalls, HomeGoods and A.J. Wright stores in the United States and Puerto Rico, and its Winners and HomeSense stores in Canada. While it has not yet confirmed further penetration in its network, TJX suspects intruders also may have breached systems related to its T.K. Maxx stores in the United Kingdom and Ireland and its Bob’s Stores in the United States.

As part of the statement, TJX also noted the company “does not yet have enough information to estimate the extent of the financial cost it will incur as a result of the situation.”



 

Financial services firms share security tactics

Visa, JPMorgan Chase, and Experian among companies adopting more stringent corporate defense mechanisms
By Ellen Messmer, Network World, 12/07/06

Some of the top players in the financial services arena -- such as Visa, JPMorgan Chase and Experian International -- are expanding their tactics for preventing customer data loss.

IT security managers convening at two interrelated conferences in New York this week said their firms are adopting both new network defenses and organizational structures to lower the risk of a data breach. Some say the very survival of their businesses may be at stake, since news reports about incidents are leading to customer loss and million-dollar lawsuits. California was the first state to require public disclosure of a data breach, and about 30 other states and localities now do as well.

“When an event becomes public, the stock price tilts, there’s brand damage and finally decreased revenues,” said James Christiansen, chief information security officer at Experian International, speaking at the Summit on Preventing Data Leakage.

Experian, a global company with over $3.1 billion in annual sales from consumer credit reports and other business data and analytics, cited its rival ChoicePoint as the industry’s current poster child for what can go wrong. ChoicePoint last year acknowledged a loss of 145,000 customer records and is still fighting lawsuits about it. In the hope of avoiding a similar fate, Christiansen acknowledged, Experian has ratcheted up its defenses in several ways.

For one thing, “We just won’t accept data that isn’t encrypted anymore,” said Christiansen. In addition to encouraging employees to report any suspicious events, about eight months ago Experian also started using a data-leak prevention appliance to monitor employee e-mail, file transfer and instant messaging.

“The first time you use it, it’s like turning on a light in a kitchen at night and catching the cockroaches running,” said Christiansen. Experian doesn’t block suspicious network behavior but does investigate data transfers that may violate corporate policy, such as failure to use encryption. Most of the time these incidents are mistakes by employees that call for reinforcement of their training.

According to Christiansen, cybercrime that targets sensitive customer financial data is lucrative and well-organized, a lesson that hit home through Experian’s work with the U.S. Secret Service and others in the industry on an online research effort called Project Harvest.

Required procedures

Amendments to the U.S. court system's Federal Rules of Civil Procedure call for businesses to retain and be able to retrieve electronic documents.

Rule 16(b)
  Amendment: A description of all electronically stored information must be presented within 99 days of the beginning of a legal case.
  Effect on IT: E-mail archiving and retention software and policies should be put in place.

Rule 26(a)
  Amendment: Electronically stored information, including e-mail, must be searched without waiting for a discovery request.
  Effect on IT: IT should put in place e-mail archiving and retention policies so information can be discovered rapidly.

Rule 26(b)
  Amendment: A party need not provide discovery of electronically stored information . . . if there is an undue burden or cost.
  Effect on IT: Requires the organization to prove that putting in e-mail archiving software is an onerous expense.

Rule 26(f)
  Amendment: Requires litigants to discuss any issues relating to preserving discoverable information.
  Effect on IT: Requires legal counsel to know how e-mails are being retained and how they can be searched and retrieved.

Rule 34(b)
  Amendment: Requires the requesting party to designate the form in which it wants electronically stored information to be produced; requires the responding party to identify the form in which records will be produced.
  Effect on IT: IT must be aware of how e-mails are stored (on disk or tape, for example) and how they will be retrieved.

Rule 37
  Amendment: Establishes a safe harbor provision for deleting records.
  Effect on IT: Lets IT establish policies for the deletion of e-mail.


He said he sees thieves around the world selling financial-theft Trojan software for $1,000 to $5,000, a credit card with PIN for $500, a change of billing data for $80 to $300, and stolen credit card numbers with security codes for $7 to $25, depending on volume. “It costs $7 for a PayPal account logon and password,” he added.

With the stakes ever higher, card-services giant Visa International has begun an ambitious retooling of its network authentication process to combine physical and logical security information to deter potential network misuse.

The project involves taking information from the readers that scan the physical-security badges Visa’s employees wear and cross-checking each employee’s real-time physical location against network authentication information to make sure there’s an acceptable match.

“We’re taking the next step,” said Phil Maier, vice president of information security in the emerging technology and network group at Visa USA’s technical arm, Inovant, who spoke at the FinSec conference. “The badge ID has to have a link to the domain ID [on the computer].”

If the physical and logical thresholds don’t match up — say, activity is occurring at a restricted computer when the badge reading shows the employee is not physically there, or an employee is viewed as physically present but an authentication process is occurring remotely — the session should not be allowed since it raises security questions.

To do this, Inovant is working on a home-grown coding project that has the company’s badge-reader system linked into the corporation security information management system from Intellitactics.

To have this and probably any security monitoring work correctly, it’s necessary to time-synchronize all computers precisely using the Network Time Protocol based on the government-supported Atomic Clock, Maier added.
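The correlation Maier describes, as an added example that is not Visa’s or Inovant’s code: a small Python check that joins badge-reader entry/exit events to network logon events through a badge-ID-to-domain-ID link table and flags the two mismatch cases in the article (a remote logon while the badge says the employee is inside, and a logon at a restricted computer while the badge says the employee is out). The link table, event formats and sample events are constructed here, and the code assumes both logs already carry NTP-synchronized timestamps, which is exactly why Maier stresses time synchronization: a few minutes of clock skew would turn an ordinary badge-in-then-logon sequence into a false alarm.

```python
"""Correlating badge-reader events with network logons.

Added example; not Visa's or Inovant's code. It assumes the badge-reader and
authentication logs already share NTP-synchronized clocks. The badge-ID to
domain-ID link table, event formats and sample data are constructed here.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class BadgeEvent:
    badge_id: str
    when: datetime
    action: str  # "enter" or "exit"


@dataclass(frozen=True)
class AuthEvent:
    domain_id: str
    when: datetime
    host: str     # workstation name, or the VPN gateway for remote logons
    remote: bool  # True when the logon arrived over a remote-access path


# Constructed link table: "the badge ID has to have a link to the domain ID".
BADGE_TO_DOMAIN = {"B1001": "alice", "B1002": "bob"}


def on_site(badge_log, badge_id, at):
    """True if the latest badge action for badge_id at or before 'at' was an entry."""
    latest = None
    for ev in badge_log:
        if ev.badge_id == badge_id and ev.when <= at:
            if latest is None or ev.when > latest.when:
                latest = ev
    return latest is not None and latest.action == "enter"


def find_mismatches(badge_log, auth_log, restricted_hosts):
    """Return (auth_event, reason) pairs where physical and logical evidence disagree.

    Checks the article's two cases: a remote logon while the badge says the
    employee is inside, and a logon at a restricted computer while the badge
    says the employee is not on site. Logons with no linked badge are flagged too.
    """
    domain_to_badge = {d: b for b, d in BADGE_TO_DOMAIN.items()}
    findings = []
    for auth in auth_log:
        badge = domain_to_badge.get(auth.domain_id)
        if badge is None:
            findings.append((auth, "no badge linked to domain ID"))
            continue
        present = on_site(badge_log, badge, auth.when)
        if auth.remote and present:
            findings.append((auth, "remote logon while badge shows employee on site"))
        elif not auth.remote and not present and auth.host in restricted_hosts:
            findings.append((auth, "logon at restricted host while badge shows employee absent"))
    return findings


def demo():
    """Run the check over a constructed day of badge and logon events."""
    t0 = datetime(2006, 12, 7, 8, 0)
    badge_log = [
        BadgeEvent("B1001", t0, "enter"),
        BadgeEvent("B1001", t0 + timedelta(hours=9), "exit"),
        BadgeEvent("B1002", t0 + timedelta(hours=1), "enter"),
    ]
    auth_log = [
        AuthEvent("alice", t0 + timedelta(hours=2), "WS-ALICE", False),   # consistent
        AuthEvent("alice", t0 + timedelta(hours=3), "VPN-GW", True),      # remote while inside
        AuthEvent("alice", t0 + timedelta(hours=10), "VAULT-PC", False),  # restricted host after badge-out
        AuthEvent("bob", t0 + timedelta(hours=10), "WS-BOB", False),      # bob never badged out
        AuthEvent("carol", t0 + timedelta(hours=4), "WS-CAROL", False),   # no badge linked
    ]
    return find_mismatches(badge_log, auth_log, restricted_hosts={"VAULT-PC"})


if __name__ == "__main__":
    for auth, reason in demo():
        print(f"{auth.when:%H:%M} {auth.domain_id:6} {auth.host:9} {reason}")
```

In production the badge feed and the authentication feed would arrive through a security information management system rather than Python lists, but the join logic is the same: resolve the logon's account to a badge, look up the last badge action before the logon, and compare. The unlinked-account case is worth keeping as a finding, because an account with no badge behind it is either a service account that should be whitelisted or a gap in the link table.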

The various data-breach disclosure laws that now mandate the public be informed about incidents are driving change not just in technology implementation but in how IT departments and upper management communicate with each other.

Anish Bhimani, managing director at JPMorgan Chase, who spoke at FinSec, said the desire to avoid becoming another data-loss news story has prompted some changes, including adding laptop encryption and possibly adopting “tapeless” data centers for the long term.

“We used to think more backups is better but that’s not exactly the case,” said Bhimani. Another process change involves automated vulnerability scanning of 40,000 servers instead of having people test them manually.

Bhimani said a chief concern is making sure JPMorgan Chase’s 3,500 third-party providers also follow specific security practices, noting it’s difficult to define everything that can go wrong.

One of JPMorgan’s “outside service providers,” as Bhimani refers to them, recently misplaced some data that was recovered. “We looked at everything except what went wrong,” said Bhimani.

One major cultural change at JPMorgan Chase, a huge firm with 170,000 employees, has been to “focus on security metrics” by “focusing on the results, not activity,” he noted.

Instead of just issuing data-filled reports to management, the focus is being refined to target concrete results. Weekly meetings are now required where IT staff discuss risks, exposures and compliance with unit CIOs, and unit CIOs huddle together on their own and with CEOs more frequently.

The goal is to figure out “how do you actually improve the risk posture of the organization with the data you have,” said Bhimani. JPMorgan Chase is also trying organizational change that involves assigning more security experts into the business divisions instead of technology units.

“The CISO role will now be the ‘deputy risk manager,’” said Bhimani, adding the IT department will be split from risk management “so we can focus on maturing the discipline of IT risk.”

“The business needs to be able to take risks to make money, and our job is to help them find a way to do that,” said Bhimani. Another change for JPMorgan Chase will be a “zero-based budget” where you start each year with no specifically allotted spending for security and go up. “You start to think about doing things differently.”

 

Banking on Security


NOVEMBER 29, 2006 | We were recently hired by a regional bank to assess its security. When negotiating the services agreement with the bank president we agreed to perform the standard network security penetration testing, but he insisted we also test the security awareness of the bank staff.

What he really wanted to discover was whether employees have become complacent in verifying credentials of the customers, but more importantly checking out the people who service the bank's needs. The bank had recently outsourced its IT functions, and although they were promised a dedicated technician by the outsourcing firm, the revolving door of technicians coming and going had become the standard.

After signing some legal boilerplate and "get out of jail free" paperwork, here's what we agreed to: Pose as a vendor, enter the facility, plug into the network, sniff traffic, look for login and passwords, then try to become domain administrator of the network.

Our first step was to select a vendor to impersonate. To keep the suspicion level down, it needed to be someone who'd use a computer or laptop once inside. To find out more, I sent a colleague into the bank to inquire about a checking account. While in the bank she took notice of the various pieces of office equipment, specifically the printers, faxes, and copiers. While discussing the possibilities of becoming a customer, our spy also inquired about the manager of the bank and the availability of that person in the event a question or problem arose. Days, times, and even a cellphone number were provided to our insider.

After reviewing the list of office equipment she retrieved, we decided the best person to enter the facility was a copier technician. The bank used digital multifunction devices so each copier worked as a local printer on the network. From there we looked into our cache of vendor clothing. We were fortunate to have a brand new denim shirt embroidered with the copier company logo. Being close to Halloween we thought it would be entertaining to throw on a fake beard or mustache but scrapped the idea when we saw how bad it really looked. We then put together an assortment of tools and credentials.

Our office at Secure Network Technologies utilizes a proximity card access system, which also serves as an employee identification badge. Conveniently, we have the machine that prints these things. After a few minutes in the device's editing program, we used a digital photo to create an identification card that looked official enough to be from the copier company.

Using our past experience with copier folks, we put together a giant silver briefcase on wheels, a mini-vacuum cleaner, and a few reams of paper. Inside the briefcase was our laptop, loaded with all the software tools needed to poke and probe their network.

On the day we planned to go in, I called the bank and indicated I was new to the copier company and wanted to get familiar with the machine to properly service the equipment. I indicated we could perform a preventive maintenance call at no charge to ensure the quality of the prints and copies. The person at the bank agreed and thought it was a good idea. I requested her name in the event we needed to validate who we spoke to when we attempted to go in. Later that afternoon I stopped in at the bank with my new denim work shirt and a rolling briefcase full of gear in tow.

I entered the bank lobby and was immediately greeted by a woman in a small glass-paneled workspace. I mentioned we called earlier, dropped the contact's name, and indicated I was here to service the copier/printer. Without hesitation I was escorted to the machine and left unattended. To make it appear as if I were working on the device, I opened every panel on the machine, pulled all the trays out, and placed my laptop on the glass surface of the copier/printer.

I was approached by a few people who needed to make copies; I apologized for the inconvenience and said the machine might be down for 30-40 minutes. I then disconnected the network cable from the copier/printer and attached my laptop. As soon as my laptop booted up, DHCP provided a network address and I was on the internal network. I started a few of our utilities and started sniffing the traffic on the network.

Within seconds I had a variety of logins and passwords, access to numerous shared folders, data, and administrative accounts. We usually single out a few of the key employees that might be considered important, i.e. bank president, vice president, and operations manager, and make a note of their logins and passwords. When I determined I had enough data I decided to snap a few digital images to throw into the report. I took six or seven pictures, even utilized the flash, with nobody questioning or asking why I was doing this.

In the event they asked, I figured I'd tell them we do this to document the cleanliness of the machine after we service it, primarily because of complaints about the machine being covered and smudged in black toner.

Before departing scenes like these, we try to document the effort and provide proof of our success. I usually leave something behind and then contact the person who hired me and direct them to the mark. In this case I wrote his password on a ream of paper and tucked it under the machine.

When I returned to my office I immediately called my contact and explained what we did and that we were successful. After retrieving the ream of paper with his password, I could hear the concern in his voice since our job confirmed his worst fears. I explained to him this type of problem can be fixed by sharing the results with his employees, and that no one person should be targeted as a single point of failure.

Our effort required us to talk and interact with several people. At no time did anybody question who we were or call the vendor to confirm our identity.

Over the years and after doing several security assessments using social engineering techniques, nine times out of 10 we usually get caught when that one person says "I need to call someone about what you're doing." That call to confirm usually raises enough suspicion to stop us from proceeding. And after that person realizes what they did, word travels real fast throughout the organization that they caught the "bad guy."

Combine catching the bad guy and letting an organization know this type of theft and criminal behavior really exists, and you get one of the best tools in educating employees about vigilance and how to be proactive in security.

 

School alerts 3,000 affected by theft of faculty laptop

SAN FRANCISCO
SFSU students' information stolen
- Nanette Asimov, Chronicle Staff Writer
Friday, June 23, 2006


San Francisco State University officials have put students and staff on alert because a thief broke into a faculty member's car earlier this month and stole a laptop with nearly 3,000 Social Security numbers and names of former and current students.

Students' phone numbers and grade-point averages were also on the stolen laptop "in some cases," according to an information sheet posted on the campus Web site.

"The university employee's car was burglarized and the laptop was stolen on Thursday, June 1," the Web site says.

But university officials did not learn of the theft until five days later, said Ellen Griffin, the university's spokeswoman, who declined to say what disciplinary actions, if any, had been taken against the faculty member.

"All we'll say is that we've taken appropriate actions," said Griffin. However, it is "very common" for faculty members to keep student information on their computers, she said.

Police told the university that they have made no progress in recovering the stolen information, and that they are treating the matter as a "typical break-in into a car," said Griffin, adding that police don't believe the thief knew in advance that the students' information was on the laptop.

San Francisco State University stopped using Social Security numbers for student identification last July 1, when a new state law took effect. By contrast, UC campuses individually stopped using Social Security numbers between four and eight years ago, a spokesman said.

In all, the Social Security numbers of 2,751 former San Francisco State students and 65 current students were stolen. The campus began notifying them on June 12.

"We suggest that you be on the alert for any misuse of your personal information," university registrar Suzanne Dmytrenko warned in a letter to all who were affected, as well as to 219 others whose partial Social Security numbers were on the laptop.

California law requires state agencies to disclose when personal information has been stolen.

School officials also notified the faculty of the theft and told them to be more careful.

"People don't necessarily think to go back and make sure the information on their computers is consistent with new guidelines," said Griffin. "So we have sent out an e-mail to all faculty reminding them of good practices and of the need to protect privacy."

The university has posted an information sheet at www.sfsu.edu/~admisrec/reg/idtheft.html.



Friday, January 19, 2007

 

Massive Security Breach Reveals Credit Card Data

Jan 18, 2007


The TJX Companies, a large retailer that operates more than 2,000 retail stores under brands such as Bob’s Stores, HomeGoods, Marshalls, T.J. Maxx and A.J. Wright, said on Wednesday that it suffered a massive computer breach on a portion of its network that handles credit card, debit card, check and merchandise transactions in the United States and abroad.

The company does not know the extent of the breach, which was first discovered in December 2006. However, hackers may have made off with credit and debit information from transactions in the United States, Canada and Puerto Rico in 2003 as well as transactions between May and December 2006, according to a company statement.

Banking officials in Massachusetts say the TJX breach is behind a recent warning by Visa to banks in Massachusetts, which have contacted customers in recent days and had to reissue thousands of ATM and debit cards. In the end, the hack may affect a wide range of credit card companies and thousands of consumers in America and in countries like the United Kingdom and Ireland, experts say.

TJX said it is working with IBM and General Dynamics to investigate the breach, which is believed to have occurred on computer systems that process and store information on customer transactions for T.J. Maxx, Marshalls, HomeGoods and A.J. Wright. Transactions from T.K. Maxx in the United Kingdom and Ireland may have also been exposed in the breach.

TJX said it knows of "a limited number of credit card and debit card holders whose information was removed from the system," and has provided that information to credit card companies. TJX is also working with law enforcement, including the U.S. Department of Justice, U.S. Secret Service and Royal Canadian Mounted Police, TJX said in its statement.

The company said it does not yet have enough information to determine the extent of the breach or what other customer information may have been compromised, nor can it quantify the financial impact of the breach.

Between eight and 10 Massachusetts banks have already had customers whose accounts were raided as a result of the breach. Those banks have had to reissue debit cards in response, said Bruce Spitzer, director of communications at the Massachusetts Bankers Association (MBA).

However, the MBA is still surveying its membership of 205 banks and credit unions. The effect of the TJX hack could be much wider and international in scope, he said.

Fitchburg Savings Bank in Fitchburg, Mass., has had to reissue 1,300 cards to customers whose account information was stolen, said Linda Racine, an executive vice president at the bank.

Fitchburg Savings was contacted by Visa on Monday night about the compromised customer accounts. However, the credit card company would not reveal the identity of the retailer that was the source of the breach, citing company rules, Racine said.

Fitchburg Savings has sent letters to customers and reissued cards for affected accounts. However, no Fitchburg Savings customers appear to have been victims of fraud so far, she said.

The TJX breach recalls other recent hacks, including one at BJ’s Wholesale Club and another, reportedly at OfficeMax, in 2005. Those breaches, as well as incidents like the hacking of card processor CardSystems, prompted the payment card industry to issue new rules, dubbed PCI, about how sensitive data is stored and transmitted on internal systems.

However, Spitzer of the MBA said that banks still bore the brunt of security breaches at retailers because they have to pay to reissue cards to customers and absorb the financial losses from unauthorized account withdrawals. Small banks and credit unions often have trouble absorbing those costs, though they are not at fault in the breach itself, Spitzer said.

Spitzer took issue with the delay between the time TJX learned of the breach and when his organization and banks were notified as well as with Visa’s policy of keeping the source of the breach a secret.

"We would have liked to know sooner," he said.

MBA is working with state and federal lawmakers to hold card companies and retailers more accountable for the costs of security lapses, he said.

-Paul F. Roberts, InfoWorld



 

CU-Boulder Reports Security Breach In College Of Arts And Sciences Advising Computer

Dec. 15, 2006

University of Colorado at Boulder officials today announced that a server in the campus's Academic Advising Center was the subject of a computer attack.

CU-Boulder officials said they had begun the process of notifying 17,500 individuals that their personal information - including names and Social Security numbers - might have been exposed in the attack. CU-Boulder officials are continuing to determine the extent of information exposed.

Employees with CU-Boulder's Information Technology Services office discovered the attack on Dec. 8 and, following CU guidelines, began an investigation to determine how the system compromise occurred.

"The hacker apparently entered the server through a Web page," said Todd Gleeson, dean of CU-Boulder's College of Arts and Sciences, which houses the Academic Advising Center. "The information exposed contained the names and Social Security numbers of students who attended CU-Boulder orientation sessions from 2002 to 2004. We do not presently have any evidence that the data were actually accessed or used, and we are notifying the students affected."

In 2005, CU-Boulder ceased using Social Security numbers as administrative identifiers for faculty, staff, students and administrators.

CU-Boulder Vice Provost for Campus Technology Robert Schnabel said the attack was quickly discovered and assessed by ITS personnel. "Following our protocols, they immediately notified our campus ITS security office and the investigation began," said Schnabel.

Schnabel said the attack comes at a time when a comprehensive effort is under way on the Boulder campus to locate and remove existing personal data from departmental servers and to protect other sensitive data. He said ITS is piloting a new "sweeping" software utility called "Spider" that identifies personal data such as Social Security numbers that may still exist on a computer, so that the data can be quickly purged.
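Both the data-leak appliance Experian uses to inspect outbound e-mail, file transfers and instant messaging, and the "Spider" sweep CU-Boulder describes here, depend on the same core step: recognizing personal data such as Social Security numbers and card numbers in arbitrary text without drowning in false positives. The following is an added example, not Experian’s appliance nor CU-Boulder’s Spider utility, that shows that step in Python and applies it two ways: a directory sweep for data at rest, and a policy check on an outbound message that flags unencrypted transfers carrying personal data. The patterns, the validation rules, and the sample files and messages are constructed for illustration.

```python
"""Finding personal data at rest and in outbound transfers.

Added example; not Experian's DLP appliance nor CU-Boulder's "Spider" utility.
The patterns, validation rules, sample files and sample message below are
constructed for illustration.
"""
import os
import re
import tempfile

# SSN in the dashed form; the capture groups feed the issuance check.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 13 to 16 digits with optional single spaces or dashes between them.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")


def plausible_ssn(area, group, serial):
    """Reject SSN-shaped numbers the SSA never issues, to cut false positives."""
    a, g, s = int(area), int(group), int(serial)
    return not (a == 0 or a == 666 or a >= 900 or g == 0 or s == 0)


def luhn_ok(digits):
    """Luhn check-digit test used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(value):
    """Keep only the last four digits so the report itself does not re-leak data."""
    return re.sub(r"\d(?=(?:\D*\d){4})", "*", value)


def find_sensitive(text):
    """Return (kind, masked_value) for each validated SSN or card number in text."""
    hits = []
    for m in SSN_RE.finditer(text):
        if plausible_ssn(*m.groups()):
            hits.append(("ssn", mask(m.group(0))))
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group(0))):
            hits.append(("card", mask(m.group(0))))
    return hits


def sweep_directory(root):
    """Walk a directory tree and report which files still hold personal data."""
    report = []
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    hits = find_sensitive(fh.read())
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            if hits:
                report.append((os.path.relpath(path, root), hits))
    return report


def screen_outbound(message, encrypted):
    """Policy check for an outbound e-mail, IM or file transfer: flag unencrypted
    transfers that carry validated personal data for investigation, not blocking."""
    hits = find_sensitive(message)
    if hits and not encrypted:
        return "investigate", hits
    return "allow", hits


def demo_sweep():
    """Write constructed files into a temporary directory and sweep them."""
    with tempfile.TemporaryDirectory() as root:
        files = {
            "orientation_2003.csv": "name,ssn\nA. Student,123-45-6789\nB. Student,000-12-3456\n",
            "notes.txt": "Call back re: order, card 4111 1111 1111 1111 on file\n",
            "clean.txt": "Nothing here but a phone number 303-492-5094\n",
        }
        for name, body in files.items():
            with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        return sweep_directory(root)


if __name__ == "__main__":
    for path, hits in demo_sweep():
        print(path, hits)
    print(screen_outbound("my ssn is 123-45-6789", encrypted=False))
```

Two design choices matter here. The validation steps (SSA issuance rules for SSNs, the Luhn check for card numbers) are what keep a sweep from burying real findings under phone numbers and order IDs, and the masking keeps the sweep’s own report from becoming another file full of Social Security numbers. The outbound check returns "investigate" rather than blocking, matching Experian’s stated practice of investigating rather than blocking suspicious transfers.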

"Using this sweeping software is part of our continued effort to build a comprehensive information risk management program," said Schnabel.

Students who wish to know more about how to deal with identity theft can visit a special CU Web site at www.colorado.edu/its/security/awareness/privacy/identitytheft.pdf.


Contact: Bronson Hilliard, (303) 735-6183 or
(303) 818-7496 (cell)
Bobby Schnabel, (303) 492-5094
Todd Gleeson, (303) 492-7294



 

Identity thieves prey on colleges


By Gary Gentile/The Associated Press and Enterprise staff
Universities have become attractive targets for hackers who are taking advantage of the openness of the schools’ networks, their decentralized security and the personal information they keep on millions of young adults.

A major database breach at UCLA that went undetected for more than a year and a smaller breach at the University of Texas are the latest examples of how vulnerable colleges are to such attacks, security experts said.

At least one such incident has occurred at UC Davis. In March 2005, someone hacked into a main computer in the plant biology section, potentially compromising the names and Social Security numbers of about 1,100 UCD students, faculty, visiting speakers and staff.

Letters were sent to notify everyone whose personal information was stored on the computer, but there was no evidence that hackers actually retrieved or used any personal data on the computer. New computer security measures were being developed at the time in response to changes in state law.

Universities account for more than 50 data breaches on a list of more than 300 so far this year as tracked by the Privacy Rights Clearinghouse. Hackers have broken into computer systems at Georgetown University, Ohio University, the University of Alaska and Western Illinois University, among others.

“They are a major category, if not the major category,” Clearinghouse director Beth Givens said.

The UCLA breach was discovered Nov. 21 when the university noticed a hacker was fishing through the database specifically for names and Social Security numbers. Officials said the hacks date back to at least October 2005.

University officials say only a small number of records containing Social Security numbers were accessed, probably fewer than 5 percent of the 800,000 total records. The university notified the FBI, which has launched a probe into the incident.

Hackers also might have obtained the personal information of 6,000 people who worked for, applied to or attended the University of Texas at Dallas, school officials said last week. The information includes names and Social Security numbers, the school said. In some cases, addresses, e-mail addresses and telephone numbers also might have been obtained.

In both cases, school officials stress there is no indication that any of the information has been used to obtain phony credit cards or commit identity-theft crimes.

One reason university databases make such attractive targets is that Social Security numbers are routinely used to identify students.

“It is about time that Social Security numbers receive more protection or that they no longer be used for identifying individuals within the university system,” Givens said.

UCLA no longer uses Social Security numbers to identify students, according to Jim Davis, the university’s chief information officer.

In addition, the school has tightened security by requiring that all computers connecting to its networks be inspected and have the latest antivirus software and other security programs installed.

Computers used for administrative purposes have even tougher security software installed that allows for central monitoring and updating of security software.

Davis said the university tries to balance the need for libraries and other research facilities to have more open access to data with the need to keep sensitive information concentrated and secure.

“We are striving very hard to strike exactly the right balance, recognizing we do need to protect information,” he said. “But we don’t want to undercut the way the university works in regards to open communications.”

Universities also need to communicate freely with other educational institutions and the public to foster research.

“On the academic side, we want people to see what we do and who we are, within limits,” said David Farber, professor of Computer Science and Public Policy in the School of Computer Science at Carnegie Mellon University.

Universities do take seriously, however, the need to separate sensitive personal data from academic data that is more open, Farber said.

“On the administration side of the house, they are running a business and should behave like a business,” he said.

Tougher penalties for data breaches also need to be enacted, said Robert Brownstone, an attorney at the Silicon Valley law firm Fenwick & West LLP.

Despite several attempts, there is no strong federal law mandating that universities notify everyone whose information has been compromised due to security breaches. Laws in 33 states vary in notification requirements placed on universities and corporations.

Notification is not enough, Brownstone said. Tough financial penalties also need to be included in future legislation.

“It’s kind of a backward stick,” Brownstone said. “Theoretically, it would make a company want to take tougher security measures. But if the only real penalty is you have to send a notice out, even that strong statute is deficient.”

Credit card numbers, Social Security numbers, dates of birth and other items of personal information can be sold on the black market and used to make illegal online purchases. Young adults, with their usually blank credit histories, make ideal targets for identity theft.

The UCLA and University of Texas breaches are among the latest involving universities, financial institutions, private companies and government agencies.

This spring, Ohio University announced the first of what would be identified as five cases of data theft, affecting thousands of students, alumni and employees — including the president. About 173,000 Social Security numbers may have been stolen since March 2005, along with names, birth dates, medical records and home addresses.

In 2005, a database at the University of Southern California was hacked, exposing the records of 270,000 individuals.

— Associated Press writer Matt Reed contributed to this report.

On the Net: UCLA: www.identityalert.ucla.edu/

Monday, December 18, 2006

Wednesday, January 17, 2007

 

Happy holidays for hackers?

Robert McMillan
December 21, 2006 (IDG News Service) There wasn't a lot of holiday cheer for Microsoft Corp.'s Security Response Center late last year.

Just a few days after Christmas, criminals had found a new way to attack. By taking advantage of an unpatched bug in the way Internet Explorer processed an obscure graphics format, called WMF (Windows Metafile), they were able to install unauthorized software on PCs.

Soon reports started coming into Microsoft of malicious Web sites that were taking advantage of this bug to spread adware and spyware.

"Within 15 minutes, we were all on the phone and people were coming in and discussing it through the holidays," said Mark Griesi, senior program manager with Microsoft.

"People were literally here 24 hours a day," he said. "I really hand it to those guys. They came in and worked through the holidays. ... It's a side of Microsoft that folks don't see."

A week later, Microsoft took the unusual step of issuing an emergency patch for the WMF problem. Still, critics said that the software giant had waited too long, given the scope of the attack.

So will there be another WMF-style outbreak next week?

Nobody really knows the answer to that question, of course, but recent patterns of attacks seem to suggest it may be likely. The Sobig, Blaster and Zotob worms were all released in August, for example, the end of summer holidays in Europe and the U.S., and attackers seem to be getting better lately at timing the release of their malicious software in order to have maximum effect.

IT administrators are harder to reach, and less likely to patch software or issue work-arounds during the holidays. And college-age hackers have more time on their hands to work out new attacks, or so the thinking goes.

Security experts generally agree that another WMF-style attack is no more likely to occur next week than any other, however.

The idea that attacks somehow spike during the holidays is "more of a fallacy than anything else," said David Marcus, security research and communications manager with McAfee Inc.'s Avert Labs. "Most enterprises I've dealt with have just as much coverage during the holidays as any time of year."

Microsoft's Griesi agreed that the traditional holiday business slowdown in the U.S. does not apply to security professionals. "The holiday season doesn't affect our ability to respond," he said.

Though enterprises may be prepared for cyberattacks, the December rush of online shopping does spur certain types of online scams, Marcus said. "You'll see certain techniques become prevalent at certain times of the year," Marcus said. "You'll see some holiday spam or some charity spam."

Nevertheless, Susan Bradley plans to be a little extra-cautious over the next week, monitoring a well-known computer security discussion list for any signs of trouble. "I will be looking at the Full Disclosure list like crazy," said Bradley, chief technology officer with Tamiyasu, Smith, Horn and Braun, Accountancy Corp.

And like Microsoft, many businesses are prepared to quickly mobilize their IT teams, in the event of an attack.

At the Port of Seattle, for example, security monitoring will continue as normal over the holidays, according to Ernie Hayden, chief information security manager with the port.

He isn't sure whether next week will bring another WMF-style outbreak, but he said he was holding to a simple mantra over the holiday season. "Be prepared. Just be a good old-fashioned Boy Scout," he said. "Don't expect that everything you're doing is going to be perfect."

 

Microsoft sees botnets as top '07 Net threat

Robert McMillan
December 27, 2006 (IDG News Service) If there's one thing that Aaron Kornblum would like to quash, it's the botnet armies.

These are the remote-controlled PCs that have been taken over without their users' knowledge. Symantec Corp. counted more than 4.5 million of them during the first six months of the year, and according to Kornblum, they are the backbone of today's cybercrime.

"Botnets are really where it's at for serious cybercriminals, because of their concentrated power," said Kornblum, a senior attorney with Microsoft Corp.'s Internet Safety Enforcement team. "That power can be used for all sorts of malicious conduct on the Internet."

These armies of compromised computers are behind such scourges as spam, phishing and denial-of-service attacks. More recently, the bad guys have been using botnets to boost Web advertising billings by automatically clicking on Internet ads, a practice known as click fraud.

Kornblum is on a team that was created in 2002 to help crack down on cybercrime. A splinter group of three Microsoft employees who had been working on software piracy and counterfeiting, the team initially focused on computer viruses and spam. But it has since grown into a 65-person operation that has tackled child pornography, typo-squatting and, of course, the botnet threat.

Over the past year, Kornblum's group has helped law enforcement crack down on worldwide phishing scams, helping, for example, to take down a Bulgarian gang that had been spoofing Microsoft's own customer service team.

"Unfortunately, we continue to see phishing as a serious threat," Kornblum said.

Phishers have been getting more sophisticated and better at reproducing trusted Web sites. And lately they've also been taking on new targets that may not have the resources of major e-commerce or financial players.

"They're moving away from the top banking brands like Citibank ... and they're moving down to mid-level and smaller-market financial institutions like credit unions and community banks, which may not have done as much consumer education," Kornblum said.

Botnets are changing the economics of cybercrime, according to Daniel Druker, executive vice president of marketing with Postini Inc. "I call it grid computing gone bad," he said.

The botnet networks have emerged as the number one source of spam over the past year, giving spammers access to virtually unlimited bandwidth, he said.

Because spammers no longer have to pay for the messages they send, they can e-mail larger documents, such as image files, he said. And the bad guys have been able to use these distributed networks to make it harder for vendors such as Postini to identify and block spamming computers.

There typically are about 50,000 computers sending spam and malicious content at any given moment, Druker said. Usually, these computers will pop up and operate for about 45 minutes, and then go silent, making it hard for them to be identified.

A few years ago, Bill Gates predicted that the spam problem would be solved by the end of 2006, a prediction that proved to be seriously off the mark.

Kornblum, for his part, declined to guess when the botnet problem will be solved.

"The only certainty is that the problems and challenges will continue to evolve," he said. "They're all unique, though they're interrelated, certainly ... but botnets are the most dangerous at present, because of their power."

 

2006: The year in security

Jeremy Kirk and Robert McMillan
December 07, 2006 (IDG News Service) Though Internet-crippling virus attacks now seem to be a thing of the past, PC users didn't feel a lot more secure in 2006. That's because online attacks have become more sneaky and professional, as a new breed of financially motivated cybercriminals has emerged as public enemy No. 1. Microsoft Corp. patched more bugs than ever, and whole new classes of flaws were discovered in kernel-level drivers, office suites and on widely used Web sites. Vendors' chatter about security is at an all-time high, but the bad guys are still finding lots of places to attack.

And, oh yes, spam is back.

Following are five of the top computer security stories in 2006.

Cybercrime dividends

Hackers teamed with professional criminal gangs in increasingly sophisticated computer crime operations aimed purely at profit.

Much of the trouble centered on phishing, a type of attack where fake Web pages are constructed to harvest log-in details, credit card numbers or other personal information. Credit card numbers are often sold online for illicit gain.

In May, 20,000 phishing complaints were reported, a 34% increase over the previous year, according to a U.S. Department of Justice report. The U.S. hosts the largest percentage of phishing sites, it said.

But law enforcement agencies are getting more organized and cooperating better, particularly in international investigations. At least 45 countries participate in the G8 24/7 High Tech Crime Network, which requires nations to have contacts available around the clock to aid in quickly securing electronic evidence for transborder cybercrime investigations.

The private sector has also helped. Microsoft filed dozens of civil suits and gave information to law enforcement for criminal cases in Europe, the Middle East and the U.S. against alleged phishers throughout 2006.

It's a brand-new zero day

With automatic software updates now the norm, hackers have been forced to look a little harder for ways to put their malicious software on unsuspecting victims' PCs. In 2006, they turned to zero-day attacks as never before.

These attacks take advantage of previously unreported flaws in software, and in 2006, they became a top concern, according to the SANS Institute. In fact, hackers kicked off the new year in 2006 by releasing zero-day attack code based on a flaw in the way Internet Explorer handled Windows Metafile documents.

This was followed later in the year by a rash of very targeted online attacks that exploited unpatched flaws in Microsoft's Office software. In fact, Microsoft warned of the latest such attack -- this one targeting a flaw in Word -- just this Tuesday (see "Microsoft warns of zero-day attack on Word").

To underline the scope of the zero-day problem, security researchers launched widely publicized "Month of Kernel Bugs" and "Month of Browser Bugs" projects, during which they exposed a new, unpatched vulnerability in browsers and operating systems every day for a month.

Spam avalanche

Microsoft's Chief Software Architect Bill Gates predicted two years ago that spam would be gone by 2006. He should check his in-box.

Rising volumes of junk mail nagged IT administrators throughout 2006. Up to 90% of all e-mail was spam, depending on the vendor recording the statistics. Spammers found creative ways to circumvent security software. Image-based spam, where individual messages appear to be unique by subtracting or adding pixels, foiled some security techniques.

Spammers also put messages in the images themselves, a tougher challenge to stop since it requires processor-intensive optical character recognition techniques. Spam remained the delivery vehicle for other malicious software such as keystroke loggers and rootkits in addition to promoting links to phishing sites, which often aim to steal financial data or log-in credentials.

Web 2.0 gets Hacked 1.0

MySpace.com may be a poster child for Web 2.0, but from a security perspective, it hasn't been looking so pretty.

That's because the popular social networking site was hit hard this week by a password-stealing worm that exploited a scripting vulnerability on the Web site. And this was not even the first worm to hit MySpace. In October, another more benign worm, called Samy, automatically added a Los Angeles teenager's name to visitors' profiles, quickly making him appear to be the most popular member of the MySpace community (see "Teen uses worm to boost ratings on MySpace.com").

Security experts say that the kind of cross-site scripting attack used in the recent MySpace worm has become much more prevalent in the past year, as hackers have discovered just how much can be done with these attacks. These bugs can be used to do far more harm than many people realize, security experts say, including forcing PCs to download illegal content, hack other Web sites or send e-mail.

Vista lockout irks vendors

Microsoft rankled security vendors by saying it wouldn't allow their software to access the kernel of the 64-bit version of Windows Vista. PatchGuard, Microsoft's kernel security technology, blocks access to prevent unauthorized modifications by malicious software.

Vendors, led by Symantec Corp. and McAfee Inc., argued they needed access to the kernel to detect malicious software such as rootkits, which burrow deep into the operating system. After a flurry of public statements and pressure from the European Commission, Microsoft agreed to make application programming interfaces (APIs) available.

The APIs will allow host intrusion-prevention technologies used by vendors to function without hooking the kernel. But Microsoft said the APIs wouldn't be ready until the release of Service Pack 1 for Vista.

 

'Rock Phish' blamed for surge in attacks

Robert McMillan
December 12, 2006 (IDG News Service) The first thing you need to know about Rock Phish is that nobody knows exactly who, or what, they are.

Wikipedia defines the Rock Phish Kit as "a popular tool designed to help nontechnical people create and carry out phishing attacks," but according to security experts, that definition is not correct. They say that Rock Phish is actually a person, or perhaps a group of people, who are behind as much as one-half of the phishing attacks being carried out these days.

No one can say for sure where Rock Phish is based, or if the group operates out of a single country.

"They are sort of the Keyser Söze of phishing," said Zulfikar Ramzan, senior principal researcher with Symantec's Security Response group, referring to the secretive criminal kingpin in the 1995 film The Usual Suspects.

"They're doing some pretty scary things out there," he added.

This criminal organization first appeared in late 2004 and was given the name "Rock Phish" because the URLs (Uniform Resource Locators) on the group's fake sites included a distinctive subdirectory named "rock," a technique the group abandoned once phishing filters began looking for the word.

Since then, it has grown to be one of the most prominent phishing groups in operation. It has developed a variety of new attack techniques that have earned the group a kind of grudging respect among security professionals, several of whom declined to be interviewed on the record for this story for fear of being physically harmed. They estimated that the criminal organization's phishing schemes have cost banks more than $100 million to date.

Rock Phish is not known for targeting the two most popular phishing targets -- eBay and PayPal. Instead, it specializes in European and U.S. financial institutions. At last count, the group had spoofed 44 brands from businesses in nine countries, sending out e-mails that try to trick victims into visiting phony Web sites and entering information such as credit card numbers and passwords. Rock Phish sites have spoofed Citibank, ETrade, Barclays and Deutsche Bank, among others.

Security experts estimated that Rock Phish is responsible for between one-third and one-half of all phishing messages being sent out on any given day. "They are probably the most active group of phishers in the world," said Dan Hubbard, senior director, security and technology research with Websense Inc.

What causes particular concern among security experts such as Hubbard is Rock Phish's ability to stay one step ahead of both security products and law enforcement.

For example, Rock Phish pioneered image spam: the technique of sending e-mail messages in graphic files in order to bypass spam filters, according to security experts.

And just as browser makers have been building phishing filters into their products, the group has begun creating unique URLs for its phishing messages to get around blacklists of known phishing addresses.

These single-use URLs make it extremely difficult for antiphishing researchers to identify and block phishing pages, Symantec's Ramzan said.

This is bad news for products such as the Firefox browser, which uses a blacklist. "Ultimately, technologies that rely heavily on blacklists are going to be useless," Ramzan said.

Rock Phish has contributed to a surge in the number of phishing Web sites over the past few months, according to the Anti-Phishing Working Group. In August, the group counted 19,000 phishing URLs. By October, the most recent month for which data is available, that number had nearly doubled to 35,000.

Security experts guess that Rock Phish is run by an extremely small group of technically savvy criminals -- probably about a dozen hackers -- who set up the phishing Web sites, manage the domain name registration and ensure that the stolen financial information is funneled into a central server, which researchers call "the Mother Ship."

This group then sells the credit card and banking information in Internet-based chat rooms to a much wider range of money launderers who actually extract money from these accounts, according to researchers who asked not to be identified.

Rock Phish uses a network of hacked computers to redirect Web visitors to the Mother Ship, and the group has been particularly adept at exploiting the decentralized nature of the Internet for its illegal activity. One successful trick has been to register new phishing addresses in little-used country domains -- São Tomé and Príncipe (.st) and Moldova (.md) have been recent targets -- where law enforcement and phishing take-down groups may not have established contacts, according to researchers.

During the time it takes to establish contacts with the domain name registrars and have them take down the fraudulent Web domains, Rock Phish can continue to collect information.

"They're the innovators in the phishing space," said Symantec's Ramzan. "Whenever there's a new technique that comes out, it can be traced back to the Rock Phish group."

 

Santa's Web site hacked

Robert McMillan
December 22, 2006 (IDG News Service) As if Santa Claus hasn't got enough to do this week, it turns out he's fighting off some very, very nasty elves.

The consumer advocacy group stopbadware.org said it was approached this week by an Incline Village, Nev., man who has legally changed his name to Santa Claus, who asked them to help figure out why his Web site was being flagged by Google Inc.'s Web site filters.

It turned out that Santa's Web site, Santaslink.net, had been hacked.

On Friday, the Web site was still downloading malicious software, according to Roger Thompson, chief technology officer at Exploit Prevention Labs Inc. It exploits a bug in Internet Explorer that Microsoft Corp. patched last August, meaning that people running older versions of the browser could be at risk, Thompson said via instant message.

"The site is hacked," he said. "If you are not patched, it uses an exploit to silently install a huge amount of adware and spyware."

Claus is a children's advocate who has traveled across the U.S. meeting with legislators, according to his Web site. He also makes seasonal appearances as Saint Nick.

"He had consulted local experts, which we can only assume were elves, but they were unable to identify anything wrong with his site," wrote StopBadware.org Developer Jason Callina, in a Thursday blog posting.

"Nestled all snug in the bottom of his home page was a nice little bit of code containing a badware link," he added.

The problem was soon resolved, but alas, while good boys and girls may fall asleep waiting for a visit from St. Nicholas, there's no delay at all when you're dealing with the bad guys. On Friday, malware had again cropped up on the Web site.

Stopbadware.org was founded earlier this year, with funding from Google Inc., Lenovo Group Ltd. and Sun Microsystems Inc. as a community watchdog organization to help protect consumers from malicious software like spyware and viruses.

Callina said he's learned something from the Santa Claus experience.

"The moral of the story is that the Grinches who are looking to spread their unsafe software are willing to hack even Santa’s Web site."


 

High-def DVD copyright security allegedly hacked

Gina Keating

December 29, 2006 (Reuters) The companies behind an encryption system for high-definition DVDs are looking into a hacker's claim that he has cracked the code protecting the new discs from piracy, a spokesman for one of the companies said yesterday.

A hacker known as Muslix64 posted on the Internet details of how he unlocked the encryption, known as the Advanced Access Content System, which is meant to prevent illegal copying of high-definition discs by restricting which devices can play them.

The AACS system was developed by companies, including the Walt Disney Co., Intel Corp., Microsoft Corp., Toshiba Corp. and Sony Corp., to protect high-definition formats, including Toshiba's HD-DVD and Sony's Blu-ray.

Muslix64 posted a video and decryption codes showing how to copy several films, including Warner Bros.' Full Metal Jacket and Universal Studios' Van Helsing, on a popular hacker Internet blog and a video-sharing site.

The hacker also promised to post more source code on January 2 that will allow users to copy a wider range of titles.

A spokesman for one of the AACS companies, who declined to have the company identified, said they were aware of it and were looking into the claims, but he would not elaborate.

The vulnerability could pose a threat to movie studios looking for ways to boost revenue as sales of standard-format DVDs flatten. In 2005, U.S. DVD sales generated some $24 billion for the movie industry.

If the encryption code has been cracked, then any high-definition DVD released up to now can be illegally copied using the Muslix64 "key," according to technology experts.

Jeff Moss, organizer of DefCon, the world's largest hacking convention that draws thousands of security researchers, government workers and hackers, said that Muslix64 appears to have found a real breach in the encryption system.

"Everybody is talking like it worked, and apparently it's not that hard," said Moss. "This will be the first trial run of how this [AACS] is going to work whenever a compromised player comes out."

Adrian Kingsley-Hughes, a U.K.-based technology expert and author of Internet blog PC Doctor, wrote in a Thursday posting on technology site ZDNet.com that Muslix64's source code "seems genuine enough."

He said the hack would not necessarily make much of a difference in the battle for supremacy between the new HD-DVD and Blu-ray formats.

"What's interesting here is that while this hack might give HD-DVD a temporary advantage amongst enthusiasts who want to back up discs ... in the long run it won't give either format an advantage because both HD-DVD and Blu-ray use the now-cracked AACS," he wrote.

 

Two charged with hacking LA traffic lights

Robert McMillan
January 10, 2007 (IDG News Service) Two men have been charged with illegal computer access after they allegedly hacked into the Los Angeles city traffic center to turn off traffic lights at four intersections last August.

The two men, both engineers with the city's Automated Traffic Surveillance Center, accessed city computers on the morning of Aug. 21, and were able to turn off signal control boxes just hours before a job action by city engineers, the Los Angeles district attorney said in a statement released late last week.

The accused were able to bar other city employees from accessing the computer system to put the lights back online. No accidents were reported, but it took four days to fix the city's traffic control system, the statement said.

Gabriel Murillo, 37, and Kartik Patel, 34, are both charged with unauthorized access of a computer. Murillo is also charged with identity theft, and Patel faces four counts of disruption or denial of computer services.


 

Update: Two universities disclose data breaches

Jaikumar Vijayan
January 12, 2007 (Computerworld) The University of Idaho in Moscow yesterday began sending letters to more than 331,000 people warning them about the potential compromise of their personal data following the theft of three desktop computers in November.

Meanwhile, in a separate incident, officials at the University of Arizona in Tucson are investigating a computer break-in that disrupted several school services this week and continued to keep an online procurement system offline even today.

The computers stolen from the University of Idaho were being used by its advancement services office and contained names, addresses and Social Security numbers of university alumni, donors, employees and students. The computers were stolen over the Thanksgiving break by thieves who appear to have been after the hardware, not the data on them, said Christopher Murray, vice president of advancement services at the university.

The reason it has taken the university so long to inform affected individuals is because the prosecutor's office had asked the school to delay a public notification while it launched a criminal investigation of the incident, he said.

The stolen computers were password protected, but none of the data on them was encrypted, he said. Following the incident, the university has begun removing sensitive information "from specific computing devices" and has begun installing encryption software on desktop and laptop systems that access sensitive information, according to a statement posted on its Web site.

Meanwhile, IT officials at the University of Arizona are investigating a computer break-in that disrupted a procurement system, university library services, as well as a payroll processing and meal plan system. The unauthorized access, in which multiple servers and workstations appear to have been illegally accessed in November and December, was discovered on Jan. 2, according to a statement from the school.

"Hackers installed software to store files [such as movies or games] on the systems, and may have attempted to access other information," the university said. "At this point, no evidence exists that data actually were accessed in any way and no evidence exists of theft, including data theft, money theft or other."

The FBI is currently investigating the incident.

Michele Norin, director of the university's center for computing and IT, said that upwards of 30 Windows-based servers -- including domain name servers -- and 350 workstations were illegally accessed by what appears to have been a hacker or hackers based in France.

In addition to installing movies and games on the systems, the hackers apparently also installed keystroke-logging software on some of the systems, Norin said.

The break-in was discovered when a routine process being handled by one of the compromised servers failed to execute properly, Norin said. The incident prompted an investigation by the IT department, which, in turn, led to the discovery of the compromises, according to Norin. At the moment, it is still not clear how the hackers got into the systems, although it is possible that they may have cracked passwords, she said.

Restoring the systems has proved to be a challenge, in terms of complexity and resources, Norin said. For instance, both the production and the back-up servers handling the university's procurement systems were affected by the breach "so it required alternative sources of software" to restore, Norin said. It also took a lot of time to rebuild all of the domain profiles on the affected domain server, she said.

The sheer number of systems affected by the breach has also put an enormous strain on IT resources, she said.

The compromised computers contained "business-oriented type of data," but it doesn't appear that any of them held non-public information, she added.

The university is instituting new measures such as firewalls, stronger passwords and traffic segregation to mitigate the risk of something similar happening again, Norin said.


 

Mass. settles with financial services firm over stolen laptop

Linda Rosencrance
December 15, 2006 (Computerworld) Minneapolis-based Ameriprise Financial Services Inc. has agreed to pay $25,000 to the commonwealth of Massachusetts in connection with the loss of a laptop containing personal and financial data on thousands of Massachusetts residents, Secretary of State William Galvin said this week.

The laptop was stolen in December 2005 from an Ameriprise employee who had left it unsecured and unattended in a locked vehicle in a parking lot. The exact location of the theft is unclear, although the laptop has since been recovered.

The computer contained information on about 158,000 customers, including their names, account numbers or Social Security numbers, and account values. It also held identifiable personal information on about 68,000 current and former Ameriprise advisers, including their names and Social Security numbers.

The employee used the information, which was not encrypted, to create business reports. According to Galvin, the employee violated Ameriprise policies and procedures by leaving the company's premises with the laptop and by not encrypting the sensitive information. In addition, saving the information to the laptop's hard drive was a violation of Ameriprise's policies and procedures at the time, according to a memorandum of understanding between the state and the company.

After the laptop was recovered, a forensic analysis firm determined that none of the sensitive data had been accessed.

Ameriprise officials could not be reached for comment.

Ameriprise has also agreed to hire an independent consultant to review its policies and procedures concerning the use of laptops that contain personal and financial information of its customers, Galvin said. The consultant will be required to submit a written report to Galvin's office within six months, setting out recommendations and including written verification that Ameriprise has implemented them.

"The amount of personal data that was on this employee's laptop computer is shocking," Galvin said in a statement. "Most of this information should not have been there. Registered broker dealers who give employees access to sensitive personal information and then allow them to carry this information on laptop computers must be held responsible and must implement all reasonable steps to prevent this form of investor abuse."


 

Banks face growing threat of inside identity theft

While banks are confident they can deal with phishing attacks by constantly warning customers of the dangers, they are now getting increasingly concerned about the physical theft of confidential client data by insiders or impostors. Widespread outsourcing of data management and other services has exposed some weaknesses and made it harder to prevent identity theft by insiders. In what many regard as the biggest wake-up call in recent memory for financial institutions, thieves disguised as cleaning staff last year narrowly failed to steal the equivalent of more than $400 million from the London branch of Sumitomo Mitsui. They installed programs to record keystrokes on computers that were used to handle international wire transfers of money. After analyzing user identifications and passwords recorded by the keylogging programs, they used the information to make a huge money transfer to an Israeli bank but were foiled at the last minute when police were tipped off. Banks are starting to respond to the threat by combining teams working on physical and information technology security, which have traditionally been separate functions, said Potter. Source: http://www.eweek.com/article2/0,1895,2062804,00.asp
