Wednesday, March 05, 2008
Smartphone trojan signals emerging threat
Jim Carr, February 29 2008
Researchers at security vendors Sophos and McAfee have discovered a rare trojan that attacks the Windows Mobile smartphone platform.
The trojan is primarily targeted to handheld devices in China, said Dave Marcus, security research and communications manager for McAfee Avert Labs, speaking with SCMagazineUS.com on Thursday.
Windows Mobile devices become infected with the trojan after a user visits one of several websites in China, Marcus said. The malware author has bundled the trojan inside what appears to be a legitimate package of games or Google Maps so the victims are unaware that their device is compromised.
According to a blog post by Vanja Svajcer of Sophos' U.K. labs, the trojan, called winCE//infojack, is packaged together with several legitimate mini-games, including Mahjongg and a version of Tetris. The trojan is teamed "with just enough social engineering to entice an unsuspecting user into installing the package" on the mobile device, Svajcer wrote.
Once downloaded, the trojan lowers the security settings on the device so it "does not complain about the fact that programs are not signed," Svajcer wrote in the blog. "This is done through a simple registry write, just like on any desktop version of Windows."
The trojan also includes self-replication capabilities that can infect memory cards connected to the device, researchers said. This ensures that the infection is executed every time the card is plugged in.
Once installed on the mobile device, the trojan can steal confidential information -- such as username, password and financial data -- from the phone and send it back to the malware's author, Marcus said. While the trojan is currently limited primarily to Chinese users, Marcus said it could extend beyond that country.
A Microsoft spokesman told SCMagazineUS.com that the company was aware of the threat.
"Microsoft is aware of public reports of malware that could be loaded surreptitiously by an application on a Windows Mobile device. The malware does not exploit any security vulnerability, but rather relies on user interaction in which the user would need to download and accept installation of an unsigned application," he said.
Marcus said trojans written for mobile devices remain rare.
"There isn't a lot of money to be made for malicious software writers on mobile devices," Marcus said. "Most of the malware industry is driven by making money in one form or another -- whether it's stealing information that's for sale or providing services, such as web hosting for other hackers, or sending spam."
That will change when users begin using the devices more for financial transactions, Marcus said. He expects that to occur over the next 12 to 18 months.
"Until the majority of people start using their handhelds for banking or for purchasing, there's no financial need to write malware for mobile devices," he said.
Experts urged users to install and regularly update anti-malware security software on their handheld devices, just as they protect their personal computers.
"There's been less adoption of security software for mobile devices," Marcus said. "But we've seen more adoption of mobile security software in other parts of the world."
Labels: Smartphone
Report outs banks with most ID theft complaints
Sue Marquette Poremba, February 29 2008
Consumers, regulators, and businesses have no way to reliably assess the incidences and frequency of identity fraud at major financial institutions, a new study concludes.
This lack of information means that customers cannot compare security concerns among banking institutions, says the study, conducted by Chris Hoofnagle, a senior fellow with the Berkeley Center for Law and Technology in California.
By eliminating that type of competition, financial institutions do not feel marketing pressure to devise methods to better protect their customers from fraud, the study determines.
Hoofnagle said he decided to research this issue so customers would be able to consider a bank based on its data security.
“I'm interested in fostering competition among banks for the prevention of identity theft,” he said. “Currently, banks compete through commercials, which do not provide meaningful information about which institutions are most vulnerable to the crime.”
Hoofnagle used the Freedom of Information Act to obtain data submitted by victims in 2006 to the Federal Trade Commission, he said in the report. He found that some banks have a far greater incidence of identity theft than other types of businesses.
“Phishing attacks are out for financial gain, making any e-commerce site attractive for phishers,” said Chenxi Wang, principal analyst for security and risk management at Forrester Research.
But Wang said a select few stand out. She cited the Anti-Phishing Working Group's recent findings that 80 percent of phishing attacks target just 12 brand names, and at the top of the list are some of the biggest financial institutions.
According to Hoofnagle's report, HSBC ranked first with 21.3 incidents of ID theft per billion in deposits, followed by Bank of America, Washington Mutual, Wells Fargo and JP Morgan/Chase. Telecommunications giants AT&T and Sprint/Nextel also ranked high in the list.
“The criminals keep finding new ways to rob consumer bank accounts by stealing their account credentials using increasingly surreptitious methods,” said Avivah Litan of Gartner. “They have moved beyond relatively-easy-to-spot phishing attacks, and developed attack methods that use malware planted on user PCs, which most consumers are unaware of. This malware captures consumer keystrokes, giving criminals their user IDs and passwords, and sometimes even their bank account numbers.”
Banks and other businesses can do more to protect their customers from identity fraud, experts agree. How to protect customers depends on when the fraud takes place.
“In new account fraud, attention should focus on customer authentication, that is, providing that the customer is who she says she is,” said Hoofnagle. “In account takeovers, such as a credit card fraud, there needs to be a better way to prove that the person in possession of the card has authority to use it. Adding a PIN to a credit card would be one way of doing this.”
Customers should also look out for themselves, said Wang.
“When using a banking site, look at the certificate to make sure the site is authentic, and keep virus protection up-to-date,” she said.
Labels: Phishing
Record Number Of Data Breaches Reported In 2007
Researchers with the Identity Theft Resource Center cited 443 breaches in the U.S. in 2007 in their annual report, compared to the 315 they identified in 2006.
By Thomas Claburn
InformationWeek
December 31, 2007 05:10 PM
The number of publicly reported data breaches in the U.S. rose by more than 40% in 2007, compared to the previous year, according to statistics compiled by the Identity Theft Resource Center (ITRC), a consumer rights advocacy group.
In its December 24 report, the ITRC said that there were 443 publicly reported breaches in the U.S. in 2007. In 2006, the ITRC identified 315 publicized breaches.
Some 127 million data records were exposed during 2007. In 2006, nearly 20 million records were exposed. In 2005, there were 158 breaches reported involving about 65 million records.
The ITRC will have to update its list to reflect breaches reported during the last seven days of the year, something organization founder Linda Foley said would happen next week.
On Friday, the Tennessean.com reported that someone broke into a Davidson County election office over the Christmas holiday and stole laptops believed to contain the Social Security numbers and other personal information for more than 337,000 registered voters in the Tennessee county.
That same day, the Pioneer Press in Minnesota reported that a laptop containing the personal information of 219 Minnesotans had been stolen from a Pennsylvania vendor doing business with the Minnesota State Commerce Department.
Also on Friday, television station WSFA in Montgomery, Alabama reported that the U.S. Air Force had sent letters to current and former service members whose Social Security numbers, birth dates, addresses, and telephone numbers were on a laptop that was stolen from the home of an Air Force band member based at Bolling Air Force Base in Washington, D.C. The station subsequently reported that the missing laptop contained the personal information of 10,501 individuals.
The rise in reported breaches may not be exclusively a reflection of rising data thievery. The ITRC speculates that in addition to an increase in data theft, more data breaches are being reported to the public. And it remains to be seen whether 2007 proves to be a high water mark for data loss, given that the T.J. Maxx breach accounted for 94 million of the 127 million exposed customer records.
Foley reluctantly characterized 2007 as the worst on record from a statistical perspective, but cautioned that the T.J. Maxx breach skews the statistics. "I don't know whether we're seeing more breaches because there's mandatory reporting or because there are more," she said, adding that 39 states and the District of Columbia now require organizations to report data breaches.
But even if 2007 proves to be an aberration, the costs associated with data breaches appear to be rising. According to a study released in November by the Ponemon Institute, an information practices consultancy, data breaches cost businesses an average of $197 per customer record in 2007, up from $182 in 2006.
And that perhaps explains why Cisco (NSDQ: CSCO), Google (NSDQ: GOOG), Raytheon, Symantec (NSDQ: SYMC), Trend Micro, and Websense have all made acquisitions in the past year or so to strengthen their data loss protection offerings. A Gartner report in May estimated that the $50 million data leak protection market measured in 2006 would as much as triple by the end of 2007.
Foley nonetheless expressed optimism, noting that in regulated industries like finance and healthcare, there are far fewer breaches than in other areas of business. "Both are highly regulated industries with a number of government agencies looking over their shoulders," she said. "[But] a lot of the businesses still have not learned how to handle information correctly."
As an example, she points to the fact that only 13 of the data breaches out of 443 reported to date this year involved encrypted data, which is far less vulnerable to unauthorized access or misuse.
While 2007 could fairly be called the year of the data breach, Foley prefers to think of it as the year of data breach awareness. "I think there is a greater awareness this year that is going to have a ripple effect over the next couple of years," she said. "And hopefully that is going to bring the number of breaches down."
Labels: ITRC
Insiders Remain Greatest Security Threat
Workers and other insiders admit to risky behavior -- like accessing corporate e-mail from Wi-Fi hot spots -- in a survey by security firm RSA.
By Thomas Claburn, InformationWeek
Dec. 11, 2007
URL: http://www.informationweek.com/story/showArticle.jhtml?articleID=204801414
The people inside an organization represent its greatest security risk.
That's according to a report (pdf) released on Monday by RSA, the security division of enterprise storage company EMC.
RSA said that the survey was fielded in November and consisted of 126 person-on-the-street interviews (using questionnaires) of government and corporate office workers in Boston and Washington, D.C.
"The findings of the survey underscore that the threat posed to data by well-meaning insiders -- employees, contractors, suppliers, partners, visitors and consultants who have physical and/or logical access to organizational assets -- greatly broadens that posed by malicious insiders who deliberately leak sensitive data for personal financial gain or other criminal purposes," the report states.
The recent 2007 SANS Top 20, a list of the year's most significant security risks, also noted that computer users tended to be the weakest link in the computer security chain.
What sort of risky behavior are office workers engaging in? Some 52% said they sometimes or frequently accessed work-related e-mail via a public computer, such as might be found at an Internet cafe, hotel, or airport. And 56% sometimes or frequently accessed work-related e-mail through a wireless hotspot.
Asked, "Have you ever lost a laptop, smartphone and/or USB flash drive with corporate information on it?", 8% said they had.
And 63% of respondents indicated that they sometimes or frequently send corporate documents to a personal e-mail address in order to work on them at home.
While the RSA report suggests that additional security technology can mitigate these risks -- RSA is in the business of selling such things, after all -- it also acknowledges that the blame for users' disregarding security policies belongs in part with the creators of those policies.
"Organizations can mitigate this risk by developing information-centric policies that acknowledge and align with the needs and realities of the business," the report says. "Once such policies are in place, companies should constantly measure actual user behavior against established policy and use what they learn to inform smart policy changes that minimize risk and maximize business productivity. When security is as convenient as possible for end users, they are less likely to work around security policy."
And the fact is that for many workers, corporate security policies are either inconvenient or poorly understood. About 35% of respondents said that they felt they needed to work around corporate security policies to get their jobs done.
Sam Curry, VP of product management at RSA, said that the survey respondents were "innocent people working hard to do their jobs" and that risks arising from their willful or accidental contravention of corporate policy weren't the product of malice. "Security procedures need to be in touch with the realities of human behavior," he said.
Curry stressed the need for user education, to make workers aware of the consequences of their actions. He also said that organizations needed tools to monitor employee behavior to understand the gaps between policy and worker behavior.
"Organizations need visibility into how people actually behave," he said.
Labels: Insiders
CES Risk: Free USB Flash Drives
Security researchers warn that flash media given away at trade shows -- or even bought off the shelf -- may contain malware.
By Thomas Claburn
InformationWeek
January 7, 2008 03:20 PM
Visitors to the Consumer Electronics Show in Las Vegas this week might want to forgo freebie flash drives, or at least use them with caution. The SANS Internet Storm Center has published several anecdotal reports indicating that computer peripherals like USB flash drives and consumer electronics products like digital picture frames have been found infested with malware.
While a few reports of infectious devices hardly constitute an epidemic, the issue is being taken seriously by security researchers. "USB flash drives are everywhere these days," observed former Microsoft (NSDQ: MSFT) security researcher and author Jesper M. Johansson in an article in the January edition of Microsoft TechNet magazine. "At almost every conference, some vendor is giving them away like candy. Those drives may not have a lot of capacity, but you don't need a lot of storage space to take over an entire network... The technical details of the attack are actually quite simple. It all starts with an infected USB flash drive being inserted into a single computer. What happens then depends on the payload on that drive and, of course, how gullible the user is."
Given the ongoing success of cyber attacks that rely on social engineering, it appears that gullibility is everywhere these days, too.
In mid-December, Kaspersky Lab senior virus analyst Aleks Gostev penned a blog post describing his experience with an infectious Compact Flash card for his digital camera. "We've already written more than once about viruses and worms which spread via removable storage media by launching automatically from autorun.inf," he said. "A number of users have also come across this type of malicious program. There are also a number of cases where hard disks, flash drives, MP3 players, and other devices were already infected with malware when shipped by the manufacturers."
In a report on the evolution of malware last year, Kaspersky Lab noted that in the first half of 2007, "so-called classic viruses demonstrated the most growth among all malware (+237%)," an increase attributed to the "highly widespread method of using flash drives to spread viruses." An example of this is a Skype worm spotted in September 2007 called Worm.Win32.Skipi.a that attempts to spread through Skype and through copying itself to attached flash drives.
Some of the anecdotal reports published by SANS speculate that the malware infections were made possible by poor manufacturer quality controls. Others suggest the malware might have been installed in retail outlets as a result of poor inventory oversight. And some suggest that malicious software may be installed post-sale, when purchased products are returned to store shelves as a prank or as a deliberate attack.
"We have heard of USB drives being used," said Kevin Haley, director of Symantec (NSDQ: SYMC) Security Response, in an e-mail. "They have been used for targeted attacks. And they have been used for 'commercials' for the spyware/trackware software the purchaser then attaches to the PC they want to spy on. They are not practical for mass attacks (you have to buy, prep, and distribute the drives). We don't believe it's a significant trend. It's not cost effective."
The bigger fear, said Haley, would be that a manufacturer might unwittingly put malware on a device of some sort.
That appears to be just what happened to the maker of the Victory LT-200 MP3 player, according to a blog post published on Friday by Kaspersky Lab researcher Roel Schouwenberg. The manufacturer "told us they were aware that a few months ago there was a partially infected batch of these MP3 players, and that they'd taken steps to fix the problem," he said.
"Whether it's a picture frame, a digital camera, or any USB, CF, SD, etc. memory card, the portable nature of these devices dredges up of memories of all the floppy boot viruses we used to have to deal with," said David Goldsmith of the SANS Internet Storm Center in a recent blog post. "Care should be taken when attaching storage devices to your computer to ensure you scan them for possible malware and handle them in as secure a fashion as is possible."
Security researchers warn that flash media given away at trade shows -- or even bought off the shelf -- may contain malware.
By Thomas Claburn
InformationWeek
January 7, 2008 03:20 PM
Visitors to the Consumer Electronics Show in Las Vegas this week might want to forgo freebie flash drives, or at least use them with caution. The SANS Internet Storm Center has published several anecdotal reports indicating that computer peripherals like USB flash drives and consumer electronics products like digital picture frames have been found infested with malware.
While a few reports of infectious devices hardly constitute an epidemic, the issue is being taken seriously by security researchers. "USB flash drives are everywhere these days," observed former Microsoft (NSDQ: MSFT) security researcher and author Jesper M. Johansson in an article in the January edition of Microsoft TechNet magazine. "At almost every conference, some vendor is giving them away like candy. Those drives may not have a lot of capacity, but you don't need a lot of storage space to take over an entire network... The technical details of the attack are actually quite simple. It all starts with an infected USB flash drive being inserted into a single computer. What happens then depends on the payload on that drive and, of course, how gullible the user is."
Given the ongoing success of cyber attacks that rely on social engineering, it appears that gullibility is everywhere these days, too.
In mid-December, Kaspersky Lab senior virus analyst Aleks Gostev penned a blog post describing his experience with an infectious Compact Flash card for his digital camera. "We've already written more than once about viruses and worms which spread via removable storage media by launching automatically from autorun.inf," he said. "A number of users have also come across this type of malicious program. There are also a number of cases where hard disks, flash drives, MP3 players, and other devices were already infected with malware when shipped by the manufacturers."
In a report on the evolution of malware last year, Kaspersky Lab noted that in the first half of 2007, "so-called classic viruses demonstrated the most growth among all malware (+237%)," an increase attributed to the "highly widespread method of using flash drives to spread viruses." An example of this is a Skype worm spotted in September 2007 called Worm.Win32.Skipi.a that attempts to spread through Skype and through copying itself to attached flash drives.
Some of the anecdotal reports published by SANS speculate that the malware infections were made possible by poor manufacturer quality controls. Others suggest the malware might have been installed in retail outlets as a result of poor inventory oversight. And some suggest that malicious software may be installed post-sale, as purchased products that get returned to store shelves as a prank or malicious attack.
"We have heard of USB drives being used," said Kevin Haley, director of Symantec (NSDQ: SYMC) Security Response, in an e-mail. "They have been used for targeted attacks. And they have been used for 'commercials' for the spyware/trackware software the purchaser then attaches to the PC they want to spy on. They are not practical for mass attacks (you have to buy, prep, and distribute the drives). We don't believe it's a significant trend. It's not cost effective."
The bigger fear, said Haley, would be that a manufacturer might unwittingly put malware on a device of some sort.
That appears to be just what happened to the maker of the Victory LT-200 MP3 player, according to a blog post published on Friday by Kaspersky Lab researcher Roel Schouwenberg. The manufacturer "told us they were aware that a few months ago there was a partially infected batch of these MP3 players, and that they'd taken steps to fix the problem," he said.
"Whether it's a picture frame, a digital camera, or any USB, CF, SD, etc. memory card, the portable nature of these devices dredges up memories of all the floppy boot viruses we used to have to deal with," said David Goldsmith of the SANS Internet Storm Center in a recent blog post. "Care should be taken when attaching storage devices to your computer to ensure you scan them for possible malware and handle them in as secure a fashion as is possible."
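The autorun.inf mechanism Gostev and Goldsmith describe is simple enough to check by hand before a card is trusted. The following is an added example, not code from the article or from Kaspersky Lab or SANS: it parses an autorun.inf the way Windows AutoRun reads it and reports which files on the media would be executed, so an analyst knows what to hash and scan. The sample autorun.inf at the bottom is constructed.

```python
"""Triage an autorun.inf from removable media before the media is trusted.

Added example; it is not code from the article, Kaspersky Lab or SANS. It
interprets the directives Windows AutoRun honours (an [autorun] INI section
with open=, shellexecute=, shell\\<verb>\\command= and the shell= default
verb) and reports which files on the card would be executed, so an analyst
knows exactly what to hash and scan before the card goes near a workstation.
"""
import os
import re

# Key pattern for a custom context-menu verb, e.g. shell\explore\command=
SHELL_VERB_RE = re.compile(r"^shell\\([^\\]+)\\command$")
# Extensions Windows executes directly when named as an open= target.
EXEC_EXT = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js")
# Folders that hold no user content; a payload stored there is hiding.
SYSTEM_DIRS = ("recycler", "$recycle.bin", "system volume information")


def parse_autorun(text):
    """Lenient INI parse -> {section_lower: {key_lower: value}}.

    Windows ignores stray lines and compares names case-insensitively, so
    the parser does the same instead of rejecting odd but effective files.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip().lstrip("\ufeff")
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def program_of(command):
    """First token of a command line, unquoted and lower-cased."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0].lower()
    return command.split()[0].lower() if command else ""


def triage(text):
    """Return {'executes': [(directive, command)], 'findings': [str],
    'label': str or None} for one autorun.inf body."""
    auto = parse_autorun(text).get("autorun", {})
    executes, findings, verbs = [], [], {}
    for key in ("open", "shellexecute"):
        if auto.get(key):
            executes.append((key, auto[key]))
    for key, value in auto.items():
        match = SHELL_VERB_RE.match(key)
        if match:
            verbs[match.group(1)] = value
            executes.append((key, value))
    default = auto.get("shell", "").lower()
    if default in verbs:
        findings.append(f"default verb '{default}' overridden: double-clicking "
                        f"the drive runs {verbs[default]!r}")
    for directive, command in executes:
        prog = program_of(command)
        if any(d in prog for d in SYSTEM_DIRS):
            findings.append(f"{directive} target hides in a system folder: {prog}")
        if prog.endswith(EXEC_EXT):
            findings.append(f"{directive} launches an executable: {prog}")
    if not executes:
        findings.append("no execution directives (icon/label only)")
    return {"executes": executes, "findings": findings, "label": auto.get("label")}


def scan_volume(root):
    """Locate autorun.inf (any case) at the root of a mounted card and add a
    'targets' map telling whether each referenced program actually exists."""
    for name in os.listdir(root):
        if name.lower() != "autorun.inf":
            continue
        with open(os.path.join(root, name), encoding="utf-8", errors="replace") as fh:
            report = triage(fh.read())
        report["targets"] = {
            program_of(cmd): os.path.isfile(os.path.join(root, program_of(cmd)))
            for _, cmd in report["executes"]}
        return report
    return None


# Constructed sample: dressed up as a photo-card installer, but it rewires
# the default double-click action to a binary parked under RECYCLER.
SAMPLE = """[AutoRun]
label=Holiday Photos
icon=setup.exe,0
open=setup.exe
shell\\explore\\command=RECYCLER\\S-1-5-21\\viewer.exe /q
shell=explore
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE)["findings"]:
        print("-", finding)
```

Run `scan_volume("/path/to/mounted/card")` on a card mounted with AutoRun disabled; every path it lists under `targets` is what would have run.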
Labels: USB Flash Drive
Black Hat Conference: Experts Develop Cybersecurity Recommendations For Next President
The Cyber Commission has loose ties with each of the remaining presidential campaigns, yet members admit they don't expect all of their recommendations to be followed.
By J. Nicholas Hoover
InformationWeek
February 20, 2008 05:10 PM
A group of 40 former and current government cybersecurity experts has convened to put together a series of cybersecurity recommendations for the next U.S. president, members of the think-tank-sponsored Cyber Commission for the 44th President said Wednesday at the Black Hat security conference in Washington, D.C.
"This is no longer a boutique issue," said James Lewis, director of the technology and public policy program for the Center for Strategic and International Studies. "It has to be a part of the thinking about national security from this point on. This is one of the central issues for national security and we want to make sure it doesn't go away."
Though the Cyber Commission has loose, informal ties with each of the remaining presidential campaigns, members admitted that they don't expect all of their recommendations to be followed. The nine-month-long panel began its work a few weeks ago and hasn't yet come to any final recommendations. Since it is being run out of CSIS, it doesn't necessarily have the credibility of a government-mandated commission. But prominent members, including two sitting members of Congress and Jerry Dixon, former executive director of the National Cyber Security Division at the Department of Homeland Security, could give it some sway.
There are several key questions commission members said they want to address. For example, they want to define and flesh out a clearer command and control structure for federal cybersecurity, which doesn't necessarily include a cybersecurity czar. They also want to recommend standardization of technology procurement procedures across federal agencies and determine research and development priorities.
"The benefit of the commission is, it's really going to reorient and prioritize," Dixon said. "When something happens in the information security realm for government, we're often reactive. How do we get to proactive?"
Tom Kellerman, VP of security awareness for Core Security Technologies and a former cybersecurity exec at the World Bank, rattled off a number of statistics he said showed how urgent it is to create a cohesive cybersecurity policy for the country. He said the federal government has seen a 158% increase in successful cyberintrusions over the past year and that an FBI study found 108 countries were engaging in cyberespionage of some sort.
Labels: Black Hat Conference
Monday, March 03, 2008
Google-Powered Hacking Makes Search A Threat
A hacker group has released Goolag Scanner, a tool that scans Web sites for vulnerabilities.
By Thomas Claburn, InformationWeek
Feb. 22, 2008
URL: http://www.informationweek.com/story/showArticle.jhtml?articleID=206801429
Over the past few years, cybersecurity professionals have watched as the cinematic cliche of police with pistols being outgunned by thieves with automatic weapons has become applicable to their industry. Increasingly, they find themselves defending against automated attacks that can easily overwhelm the technologically underequipped.
Wednesday saw the debut of the latest such tool, which derives its power from Google's vast index. That's when the Cult of the Dead Cow, the self-proclaimed "world's most attractive hacker group," released a Web auditing tool called Goolag Scanner.
"It's no big secret that the Web is the platform," said cDc official Oxblood Ruffin, in a statement. "And this platform pretty much sucks from a security perspective. Goolag Scanner provides one more tool for Web site owners to patch up their online properties. We've seen some pretty scary holes through random tests with the scanner in North America, Europe, and the Middle East. If I were a government, a large corporation, or anyone with a large Web site, I'd be downloading this beast and aiming it at my site yesterday. The vulnerabilities are that serious."
To prove that point, Ruffin provided InformationWeek with a list of 11 high-profile U.S. government agency and lab Web sites that had been scanned and found to have what appear to be significant security holes, including satellite access codes, credentials for VPNs and routers, and open proxies. He asked that the information not be published, as the group's intent is not to embarrass government officials or encourage attempts to hack government systems.
The Department of Homeland Security, which Ruffin several weeks ago said was notified of the flaws, did not respond to a request for comment.
Goolag Scanner presently exists only as a Windows application, though it is being ported to other platforms. It allows the user to quickly scan Google's index for files on Web sites that may reveal security vulnerabilities. For example, Goolag Scanner allows you to search Web sites for a file called "unattend.txt," which is used to drive unattended Microsoft Windows installations. The file may include information useful to hackers, such as administrator passwords.
Goolag Scanner doesn't do anything a hacker or penetration tester couldn't do by typing text into Google and using certain operator commands to constrain the search to a specific domain or file type. But it makes searching for holes much easier.
"The Goolag Scan tool isn't especially innovative in terms of the methods it implements," said Mark Kraynak, senior director of strategic marketing for data protection company Imperva, in an e-mail. "These techniques have been well known in the security community for some time."
What it does do, Kraynak said, is allow less-sophisticated attackers to exploit application and data layer vulnerabilities. "This will result in even more application attacks," he said. "This is bad news, since SQL Injection and Cross-Site Scripting already rank among the most common attacks lodged against online applications. ... The bad guys now have automatic weapons, so as a security community we need to upgrade our defense systems for these new threats."
What that means, in addition to addressing specific vulnerabilities, is defending against search.
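Defending against search starts with knowing what your own document root would hand to a crawler. The following is an added example, not Goolag Scanner and not code from cDc, Imperva or InformationWeek: it walks a web root locally (so nothing is disclosed to a third-party index), flags the unattend.txt the article names along with other well-known leak sources, and checks whether an unattend.txt carries a literal AdminPassword without ever printing it. The sensitive-file list beyond unattend.txt is my own addition.

```python
"""Audit a web root for files a search engine would happily index.

Added example; it is not Goolag Scanner and not code from cDc, Imperva or
InformationWeek. It walks the document root directly instead of querying a
search engine about the site, and flags files of the kind the article
describes. For unattend.txt it also inspects the [GuiUnattended] section for
an AdminPassword entry, reporting only whether one is set in the clear.
"""
import fnmatch
import os

# (pattern, reason): patterns without "/" match the file name, patterns with
# "/" match the relative path. unattend.txt comes from the article; the rest
# are common additions a web administrator would also want flagged.
SENSITIVE = [
    ("unattend.txt", "Windows unattended-setup answer file (may hold AdminPassword)"),
    ("sysprep.inf", "Sysprep answer file (may hold AdminPassword)"),
    (".htpasswd", "Apache basic-auth password hashes"),
    ("web.config", "ASP.NET configuration, often with connection strings"),
    (".env", "environment file that usually holds secrets"),
    (".git/*", "exposed source repository"),
    ("*.sql", "database dump"),
    ("*.bak", "backup copy, served as plain text"),
    ("*.old", "backup copy, served as plain text"),
    ("phpinfo.php", "PHP configuration disclosure"),
]


def classify_path(relpath):
    """Return the reason a path relative to the web root is sensitive, or None."""
    rel = relpath.replace(os.sep, "/").lower()
    name = rel.rsplit("/", 1)[-1]
    for pattern, reason in SENSITIVE:
        if "/" in pattern:
            if fnmatch.fnmatch(rel, pattern) or fnmatch.fnmatch(rel, "*/" + pattern):
                return reason
        elif fnmatch.fnmatch(name, pattern):
            return reason
    return None


def check_unattend(text):
    """Classify an unattend.txt body by its [GuiUnattended] AdminPassword.

    Returns 'plaintext-admin-password', 'encrypted-admin-password',
    'blank-admin-password' (value "*" or empty) or 'no-admin-password'.
    The password value itself is never returned.
    """
    section, values = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "guiunattended" and "=" in line:
            key, _, value = line.partition("=")
            values[key.strip().lower()] = value.strip().strip('"')
    password = values.get("adminpassword")
    if password is None:
        return "no-admin-password"
    if password in ("", "*"):
        return "blank-admin-password"
    if values.get("encryptedadminpassword", "").lower() == "yes":
        return "encrypted-admin-password"
    return "plaintext-admin-password"


def audit_webroot(root):
    """Walk root and return sorted [(relative_path, reason)] for exposed files."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            reason = classify_path(rel)
            if reason is None:
                continue
            if name.lower() == "unattend.txt":
                with open(full, encoding="utf-8", errors="replace") as fh:
                    reason += f" [{check_unattend(fh.read())}]"
            findings.append((rel, reason))
    return sorted(findings)


if __name__ == "__main__":
    # Constructed demo tree: one harmless page and one leaked answer file.
    import tempfile
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "deploy"))
        with open(os.path.join(root, "deploy", "unattend.txt"), "w") as fh:
            fh.write('[GuiUnattended]\nAdminPassword = "example-only"\n')
        with open(os.path.join(root, "index.html"), "w") as fh:
            fh.write("<html></html>")
        for rel, reason in audit_webroot(root):
            print(f"{rel}: {reason}")
```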
As Petko D. Petkov, founder of security consulting firm GnuCitizen, explained in a blog post on Friday, search engines can be used very efficiently to collect information about vulnerabilities, particularly metadata that isn't ordinarily indexed.
Petkov proposes using the Amazon Web Services platform to build a custom search application for identifying vulnerabilities. "By using Amazon's Services and more specifically their Elastic [Compute] Cloud infrastructure, attackers can gain immense scalability, which they can use for their own evil good," he explained. "The cloud allows developers to spawn virtualized instances of any type of operating system, which can be instructed to go through any kind of heavy machine processing task, such as crawling Web sites, port-scanning, etc. The information can be stored on Amazon's Simple Storage Service. The whole package is quite cheap and very affordable."
But for the organization that gets hacked, the expense could be considerable.
Labels: Google, Goolag Scanner
For Sale: Passwords To Fortune 500's Servers
Cybercriminals are paying premiums based on compromised sites' Google PageRank to buy thousands of login names and FTP credentials, a security software company reports.
By Thomas Claburn, InformationWeek
Feb. 27, 2008
URL: http://www.informationweek.com/story/showArticle.jhtml?articleID=206900557
More than 8,700 FTP login names and passwords, some of which grant access to Fortune 500 servers, are being sold online through a sort of eBay for stolen data, a security company revealed this week.
Prices vary in relation to the Google PageRank of the compromised sites. The customers are cybercriminals who seek access to trusted sites in order to launch malware or hide files.
Finjan, a computer security company based in Israel, made the discovery and elaborates on its findings in its February Malicious Page of the Month report.
Finjan CTO Yuval Ben-Itzhak describes the online crime database application the company found as "the holy grail of hackers." It contains the "hacked FTP credentials of very large companies, some of them in the Fortune 500." More than 100 stolen login names are associated with one of the 500 most visited Web sites on the Internet, as measured by Alexa.com.
"There is a whole industry of buying and selling all these stolen credentials," said Ben-Itzhak. "It opens for us a new window to see how they really manage to infect all these companies and legitimate Web sites very quickly."
Ben-Itzhak declined to be more specific to avoid embarrassing the affected organizations but said that one set of FTP credentials found granted access to a state court Web site. A state court site appears on p. 14 of the Finjan report, but the URLs in the printed screen shot have been obscured to prevent identification.
However, a Google search for a conspicuous portion of one of the obscured URLs suggests that the featured site belongs to California's Mono County Superior Court. (The Great Seal of the State of California can be easily identified on the Web site screen shot in the report despite an effort to blur it.)
A spokesperson for Finjan said the company could not name the compromised organizations it had identified for legal reasons.
Robert Dennis, the executive officer of the Mono County Superior Court, said he is not aware of the Finjan report or of any current problem with the court's Web site. However, he said that in January he had moved the court's Web site to a new ISP, and from a .gov domain to a .org domain, and that there had been occasional security issues in the past with the court's old ISP and site. The semi-obscured court URL in the Finjan report shows a .gov address.
"When we were with the prior host, we would occasionally have a problem where someone would hack the site," Dennis said, noting that it might have happened two or three times over the course of a year. "Somebody was adding code to our home page."
Dennis declined to name the court's old ISP, a large hosting provider that had served the court for eight years, but said a technical contact there had told him about difficulties keeping a specific server clean. "The guy said they'd clean it out and [the malware] would come back," he said.
The countries of origin for the stolen FTP credentials include the United States (2,621), Russia (1,247), Australia (392), and various Asia-Pacific Region countries (354), to name a few.
The Finjan report also says that the creators of crimeware toolkits have adopted the software-as-a-service model. It describes Neosploit 2.0, a Web-based hacking application that provides detailed infection statistics and other attack management tools. The result, as Ben-Itzhak describes it, is push-button cybercrime.
Labels: FTP login names and passwords, Google, Google PageRank
Worker snooping on customer data common
By RYAN J. FOLEY, Associated Press Writer
Sat Feb 23, 7:40 AM ET
A landlord snooped on tenants to find out information about their finances. A woman repeatedly accessed her ex-boyfriend's account after a difficult breakup. Another obtained her child's father's address so she could serve him court papers.
All worked for Wisconsin's largest utility, where employees routinely accessed confidential information about acquaintances, local celebrities and others from its massive customer database.
Documents obtained by The Associated Press in an employment case involving Milwaukee-based WE Energies shine a light on a common practice in the utilities, telecommunications and accounting industries, privacy experts say.
Vast computer databases give curious employees the ability to look up sensitive information on people with the click of a mouse. The WE Energies database includes credit and banking information, payment histories, Social Security numbers, addresses, phone numbers, and energy usage. In some cases, it even includes income and medical information.
Experts say some companies do little to stop such abuses even though they could lead to identity theft, stalking and other privacy invasions. And companies that uncover violations can keep them quiet because in many cases it is not illegal to snoop, only to use the data for crimes.
"The vast majority of companies are doing very little to stop this widespread practice of snooping," said Larry Ponemon, a privacy expert who founded The Ponemon Institute, a Traverse City, Mich.-based think tank.
Jim Owen, spokesman for the Edison Electric Institute, a lobbying association that represents utilities, disputed suggestions the problem was common in the industry.
"I am not aware of any other situation that has arisen in the utility sector," he said.
Companies generally avoid talking about snooping or any measures they've taken to prevent it.
Scott Reigstad, a spokesman for Madison, Wis.-based Alliant Energy, which has one million electric and 420,000 natural gas customers in Iowa, Wisconsin and Minnesota, said his company has safeguards in place to stop misuse but does not discuss them publicly.
"We haven't had any issues that we're aware of," he said.
Jay Foley, executive director of the Identity Theft Resources Center, said state regulators and lawmakers must step in if companies are not guarding their customer information responsibly.
"Something needs to be done at the state level to make sure this is illegal," he said.
He said more companies have to start using software that can track each customer account that employees access.
WE Energies says it has taken numerous steps to stop the problem, but even so detecting misuse can be difficult. That's because it is hard to discern the legitimate access of customer information from employees looking out of curiosity.
"People were looking at an incredible number of accounts," Joan Shafer, WE Energies' vice president of customer service, said during a sworn deposition last year. "Politicians, community leaders, board members, officers, family, friends. All over the place."
Her testimony came in a legal case involving an employee who was fired in 2006 for repeatedly accessing information about her ex-boyfriend and another friend. An arbitrator in November upheld the woman's firing. The AP reviewed testimony and documents made public as part of the case.
The misuse came to light in 2004 when an employee helped leak information to the media during a heated race for Milwaukee mayor that a candidate, acting Mayor Marvin Pratt, was often behind in paying his heating bills. Pratt lost to the current mayor, Tom Barrett.
Pratt said he's convinced the disclosure cost him votes and unfairly damaged his reputation. Pratt said he recently met with top company executives and was satisfied it has stopped the problem as much as possible. He said he has dropped earlier plans to explore a lawsuit.
"They caught this and they are making corrections to it, which they should. But it never should have happened in the first place. Not just to me, but to anyone. They gave their employees too much latitude to access files."
After the incident involving Pratt, the company fired the employee who leaked the information and vowed to crack down after finding others engaged in similar practices. But problems continued.
In all, the utility fired or disciplined at least 17 employees for breaking the policy between 2005 and 2007, according to testimony and company records. Another employee gained access to Pratt's account for no business purpose and was suspended in 2005 but kept her job.
Others looked up information on their bosses at WE Energies and local conservative radio host Mark Belling, who said he had never been told of the breach.
Ponemon said employees with access to vast amounts of customer information often see nothing wrong with looking up an individual out of curiosity, or in some cases, more sinister motives.
Governmental agencies have also struggled with the problem.
The IRS took 219 disciplinary actions, including firings and suspensions, against employees who browsed through confidential taxpayer information last year, according to the U.S. Treasury Inspector General for Tax Information. That was more than double the number the previous year.
Last month, the Minnesota Department of Public Safety said it disciplined two employees who accessed information on 400 residents from its driver's license database. The agency did not say what the discipline was because it continues to investigate. It said the employees were looking for their own entertainment, not any criminal motives.
WE Energies serves 1.1 million electric customers in Wisconsin and Michigan's Upper Peninsula and 1 million natural gas customers in Wisconsin.
Shafer said in an interview that the utility took steps to eliminate the practice and only one employee has been disciplined for violations in the last year.
After the 2004 incident, the company started checking who accessed high-profile customer accounts and requiring annual training on its policies.
Still, Shafer acknowledged in her deposition last year that it would be "difficult, if not impossible" to discover many instances of misuse.
Utility regulators in Michigan and Wisconsin said they had not been notified of the company's problems. They say they do not have any rules covering such misuse.
The head of the Wisconsin Citizens' Utility Board, which lobbies on behalf of utility customers, said he was "shocked and dismayed" to learn about the practice.
"The testimony is incredibly candid. I'm very surprised that utility employees were misusing this information," said executive director Charlie Higley. "We hope WE Energies has taken steps to ensure that information is treated privately."
By RYAN J. FOLEY, Associated Press Writer
Sat Feb 23, 7:40 AM ET
A landlord snooped on tenants to find out information about their finances. A woman repeatedly accessed her ex-boyfriend's account after a difficult breakup. Another obtained her child's father's address so she could serve him court papers.
All worked for Wisconsin's largest utility, where employees routinely accessed confidential information about acquaintances, local celebrities and others from its massive customer database.
Documents obtained by The Associated Press in an employment case involving Milwaukee-based WE Energies shine a light on a common practice in the utilities, telecommunications and accounting industries, privacy experts say.
Vast computer databases give curious employees the ability to look up sensitive information on people with the click of a mouse. The WE Energies database includes credit and banking information, payment histories, Social Security numbers, addresses, phone numbers, and energy usage. In some cases, it even includes income and medical information.
Experts say some companies do little to stop such abuses even though they could lead to identity theft, stalking and other privacy invasions. And companies that uncover violations can keep them quiet because in many cases it is not illegal to snoop, only to use the data for crimes.
"The vast majority of companies are doing very little to stop this widespread practice of snooping," said Larry Ponemon, a privacy expert who founded The Ponemon Institute, a Traverse City, Mich.-based think tank.
Jim Owen, spokesman for the Edison Electric Institute, a lobbying association that represents utilities, disputed suggestions the problem was common in the industry.
"I am not aware of any other situation that has arisen in the utility sector," he said.
Companies generally avoid talking about snooping or any measures they've taken to prevent it.
Scott Reigstad, a spokesman for Madison, Wis.-based Alliant Energy, which has one million electric and 420,000 natural gas customers in Iowa, Wisconsin and Minnesota, said his company has safeguards in place to stop misuse but does not discuss them publicly.
"We haven't had any issues that we're aware of," he said.
Jay Foley, executive director of the Identity Theft Resources Center, said state regulators and lawmakers must step in if companies are not guarding their customer information responsibly.
"Something needs to be done at the state level to make sure this is illegal," he said.
He said more companies have to start using software that can track each customer account that employees access.
WE Energies says it has taken numerous steps to stop the problem, but even so, detecting misuse can be difficult. That's because it is hard to distinguish legitimate access to customer information from employees looking out of curiosity.
"People were looking at an incredible number of accounts," Joan Shafer, WE Energies' vice president of customer service, said during a sworn deposition last year. "Politicians, community leaders, board members, officers, family, friends. All over the place."
Her testimony came in a legal case involving an employee who was fired in 2006 for repeatedly accessing information about her ex-boyfriend and another friend. An arbitrator in November upheld the woman's firing. The AP reviewed testimony and documents made public as part of the case.
The misuse came to light in 2004 when an employee helped leak to the media, during a heated race for Milwaukee mayor, that a candidate, acting Mayor Marvin Pratt, was often behind in paying his heating bills. Pratt lost to the current mayor, Tom Barrett.
Pratt said he's convinced the disclosure cost him votes and unfairly damaged his reputation. Pratt said he recently met with top company executives and was satisfied it has stopped the problem as much as possible. He said he has dropped earlier plans to explore a lawsuit.
"They caught this and they are making corrections to it, which they should. But it never should have happened in the first place. Not just to me, but to anyone. They gave their employees too much latitude to access files."
After the incident involving Pratt, the company fired the employee who leaked the information and vowed to crack down after finding others engaged in similar practices. But problems continued.
In all, the utility fired or disciplined at least 17 employees for breaking the policy between 2005 and 2007, according to testimony and company records. Another employee gained access to Pratt's account for no business purpose and was suspended in 2005 but kept her job.
Others looked up information on their bosses at WE Energies and local conservative radio host Mark Belling, who said he had never been told of the breach.
Ponemon said employees with access to vast amounts of customer information often see nothing wrong with looking up an individual out of curiosity, or in some cases, more sinister motives.
Governmental agencies have also struggled with the problem.
The IRS took 219 disciplinary actions, including firings and suspensions, against employees who browsed through confidential taxpayer information last year, according to the U.S. Treasury Inspector General for Tax Information. That was more than double the number the previous year.
Last month, the Minnesota Department of Public Safety said it disciplined two employees who accessed information on 400 residents from its driver's license database. The agency did not say what the discipline was because it continues to investigate. It said the employees were looking for their own entertainment, not any criminal motives.
WE Energies serves 1.1 million electric customers in Wisconsin and Michigan's Upper Peninsula and 1 million natural gas customers in Wisconsin.
Shafer said in an interview that the utility took steps to eliminate the practice and only one employee has been disciplined for violations in the last year.
After the 2004 incident, the company started checking who accessed high-profile customer accounts and requiring annual training on its policies.
Still, Shafer acknowledged in her deposition last year that it would be "difficult, if not impossible" to discover many instances of misuse.
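The controls the article mentions (software that tracks each account an employee opens, and a check on who accessed high-profile accounts) come down to auditing the lookup log. The following Python is an added example, not WE Energies' or the AP's code; the log format, the work-order field used as a "business purpose" marker, the watchlist contents and the daily volume threshold are all constructed assumptions.

```python
"""
Insider-snooping audit over a customer-account lookup log.

Added example for illustration; it is not WE Energies' or the AP's code.
The log format, the work-order field, the watchlist and the threshold are
all constructed assumptions.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed sample log, one lookup per line:
#   timestamp  employee_id  account_id  [work_order_id]
# A missing work-order id means the lookup was not tied to any customer request.
SAMPLE_LOG = "\n".join(
    [
        "2008-02-20T09:01:12 e1001 acct-5001 WO-2211",   # routine, ticketed work
        "2008-02-20T09:03:40 e1001 acct-5002 WO-2212",
        "2008-02-20T09:05:02 e1002 acct-9001",           # high-profile account, no ticket
        "2008-02-20T09:05:55 e1002 acct-5003 WO-2213",
    ]
    # One employee browsing 25 unrelated accounts in an hour with no tickets.
    + [f"2008-02-20T10:{i:02d}:00 e1003 acct-{7000 + i}" for i in range(25)]
)

# Constructed watchlist: accounts of public figures and other high-profile
# customers whose every lookup is reviewed (the control the article describes).
WATCHLIST = {"acct-9001"}

# Constructed threshold: more lookups than this per employee per day is
# flagged for review, since curiosity browsing shows up as volume.
DAILY_VOLUME_THRESHOLD = 20


@dataclass(frozen=True)
class Finding:
    employee: str
    account: str     # "*" for per-employee findings
    reason: str      # "watchlist", "no_work_order" or "volume"


def parse_log(text):
    """Split the constructed log into (timestamp, employee, account, work_order) tuples."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # blank or malformed line
        timestamp, employee, account = parts[:3]
        work_order = parts[3] if len(parts) > 3 else None
        records.append((timestamp, employee, account, work_order))
    return records


def audit(records, watchlist=WATCHLIST, threshold=DAILY_VOLUME_THRESHOLD):
    """Return findings for lookups that need a human reviewer's attention."""
    findings = []
    per_employee_day = Counter()
    for timestamp, employee, account, work_order in records:
        per_employee_day[(employee, timestamp[:10])] += 1
        if account in watchlist:
            findings.append(Finding(employee, account, "watchlist"))
        if work_order is None:
            findings.append(Finding(employee, account, "no_work_order"))
    for (employee, _day), count in per_employee_day.items():
        if count > threshold:
            findings.append(Finding(employee, "*", "volume"))
    return findings


def summarize(findings):
    """Collapse findings into {employee: set of reasons} for a review queue."""
    by_employee = defaultdict(set)
    for finding in findings:
        by_employee[finding.employee].add(finding.reason)
    return dict(by_employee)


if __name__ == "__main__":
    for employee, reasons in sorted(summarize(audit(parse_log(SAMPLE_LOG))).items()):
        print(employee, sorted(reasons))
```

Of the three signals, only the work-order check speaks to the "no business purpose" question the article raises; the watchlist and volume checks just narrow the pile a reviewer has to read. That is the practical shape of the limitation Shafer describes: a lookup system that does not record why an account was opened leaves the auditor with nothing but who looked, at whom, and how often.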
Utility regulators in Michigan and Wisconsin said they had not been notified of the company's problems. They say they do not have any rules covering such misuse.
The head of the Wisconsin Citizens' Utility Board, which lobbies on behalf of utility customers, said he was "shocked and dismayed" to learn about the practice.
"The testimony is incredibly candid. I'm very surprised that utility employees were misusing this information," said executive director Charlie Higley. "We hope WE Energies has taken steps to ensure that information is treated privately."
Labels: WE Energies
IP Crime Convictions Nearly Doubled In 2007
The number of defendants sentenced for IP crimes rose dramatically, from 149 in fiscal year 2005 to 287 in fiscal year 2007, according to a Department of Commerce report.
By K.C. Jones, InformationWeek
Feb. 11, 2008
URL: http://www.informationweek.com/story/showArticle.jhtml?articleID=206401978
Criminal sentencing for illegal use of intellectual property rose by 92% since the federal government's 2005 fiscal year, according to a new report.
The Department of Justice filed 217 IP cases in fiscal year 2007, up 7% from the previous year and up 44% from fiscal year 2005. The number of defendants sentenced for IP crimes rose even more dramatically, from 149 in fiscal year 2005 to 287 in fiscal year 2007, according to figures the Department of Commerce released Monday.
In its annual report to President George W. Bush and Congress on intellectual property enforcement and protection, the department reported 14,000 seizures of counterfeit and copyright-infringing goods, worth $200 million, at U.S. borders. That number of seizures leveled off after five years, but the value of the merchandise increased by 27%, according to the report. The Department of Commerce said that IP issues take priority in international relationships through several channels, including the G8 and Security & Prosperity Partnership IP working groups.
In October, the U.S. announced it would negotiate an international agreement (Anti-Counterfeiting Trade Agreement, or ACTA) on IP enforcement with interested governments in Canada, the European Union, Japan, Korea, Mexico, New Zealand, and Switzerland. In fiscal year 2007, the Department of Commerce also expanded an IP Attaché program to include eight new people in Brazil, China, Egypt, India, Russia, and Thailand. The Department of Justice sent two envoys to Romania and Thailand.
At the same time, the U.S. Trade Representative stepped up efforts within the World Trade Organization to resolve IP-related trade disputes by bringing the first such dispute against China.
Inside the U.S., leaders have tried to expand government and industry engagement by holding "road shows" throughout the country to explain basic IP enforcement.
Finally, the Department of Commerce touted American efforts to inform the public that counterfeit and copyright-infringing goods pose a threat to the health and safety of Americans and consumers around the world.
Labels: IP Crimes
Technology, media firms overconfident, unprepared for breaches: Deloitte survey
Jim Carr, February 07 2008
Media, technology and telecommunications industries are overconfident in their security postures and ill-prepared to handle breaches, according to a survey conducted by consulting firm Deloitte Touche Tohmatsu.
The 2007 Technology, Media and Telecommunications (TMT) Survey indicates that 46 percent of the more than 100 respondents have no formal information security strategy. However, 69 percent of the respondents surveyed said they're "very confident" or "extremely confident" in their abilities to deal with security challenges.
"The key finding, I think, is that companies are still struggling to get ahead of security challenges," Rena Mears, global and national service offering leader of Deloitte's privacy and data protection team, told SCMagazineUS.com. "They're just keeping up or still have a way to go to say they're keeping pace with their security challenges."
Mears added that other findings show respondents seem to be reactive to emerging threats.
"When you look at the survey, 38 percent say they have the skills and capabilities to respond effectively to security challenges -- that's less than 40 percent," she said. "We're talking about a security function that's in reactive mode -- they're not getting ahead of the game."
Almost half of the companies studied -- mostly media, technology and telecommunications organizations -- have between 5,000 and 50,000 employees, and about half reported annual revenue between $1 billion and $10 billion.
The data was compiled through face-to-face interviews with chief security officers, chief information security officers and security management teams, according to Deloitte.
Forty-nine percent of respondents said they're falling behind on security threats. Just seven percent replied that they thought their security situation was improving, and only five percent said they had increased security spending by 15 percent or more.
A major problem, Mears explained, is that many organizations consider security to be an IT initiative only. Thirty-eight percent of respondents said their senior executives do not consider security to be a strategic issue.
"Governance has to be taken seriously by senior management and evangelized," she said. "Companies have to invest and incorporate security into business processes, and only then can security be successfully supported by various components such as IT."
Labels: Media and Telecommunications (TMT), Technology
Social engineering at the Giants party
A Giants fan with more brass than most found a way to crash his heroes' victory party and make it look easy. Joe Whelan, who lives in Manhattan, simply took a seat with the team on the stage at City Hall Park Tuesday, rode with the Mara family out to Giants Stadium and even basked in the cheers of thousands as he stood on the field - all because nobody stopped him. Nobody had said boo to him at any of the security checkpoints. Wearing a Giants cap and an Eli Manning jersey, Whelan said he later nervously "blended in" with the group and got on buses that took everybody to Giants Stadium.
Labels: Giants, Social Engineering