Wednesday, April 30, 2008
Clothing retailer settles with FTC over credit card breach
Dan Kaplan, April 21 2008
The Federal Trade Commission has approved a final consent order that settles charges an online clothing retailer failed to properly secure its customers' personal information.
The agency, in a Friday announcement, said it voted unanimously to issue the final consent order.
This follows a January FTC settlement announcement in which Boston-based Life is Good -- best known for making T-shirts bearing optimistic slogans -- agreed to implement an information security program and be audited biennially for 20 years.
In 2006, hackers stole nearly 10,000 credit card numbers from the company's database, apparently through SQL injection attacks, a common way to penetrate websites.
The FTC said Life is Good took a number of information security missteps, including:
storing credit card data in clear, readable text,
failing to address website vulnerabilities and thus opening the site up to attacks, such as SQL injections,
and failing to detect unauthorized credit card data access.
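The first two missteps on that list are concrete enough to show in code. The following is an added example written for this page, not code from Life is Good or from the FTC filing; the table, rows and function names are constructed for illustration. It places a query that pastes user input into the SQL text beside its parameterised replacement, and adds a small audit helper that scans a column for values that look like full card numbers stored in clear text, the kind of check the third misstep (not noticing what was being stored and read) calls for.

```python
import re
import sqlite3

# Constructed sample data for this example (not from the article): an orders
# table that keeps the full card number in clear text, which is the first of
# the missteps the FTC listed. Both numbers are standard test card numbers.
SAMPLE_ORDERS = [
    ("alice@example.com", "4111111111111111"),
    ("bob@example.com", "5555555555554444"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (email TEXT, card_number TEXT)")
    conn.executemany("INSERT INTO orders VALUES (?, ?)", SAMPLE_ORDERS)
    return conn


def lookup_vulnerable(conn, email):
    """The unaddressed website vulnerability: user input is pasted straight
    into the SQL text, so a crafted email value can change the query's logic."""
    sql = "SELECT email, card_number FROM orders WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, email):
    """The fix: bind the value as a parameter. The driver sends it as data,
    so it can never alter the query structure."""
    sql = "SELECT email, card_number FROM orders WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def luhn_ok(digits):
    """Luhn check-digit test, which every major card brand's numbers pass."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


PAN_RE = re.compile(r"\d{13,19}")


def count_cleartext_pans(conn, table, column):
    """Audit helper (hypothetical name): count rows whose column holds a value
    that looks like a full card number. `table` and `column` are constants from
    the caller's own code, never user input, so building the identifiers into
    the SQL text here does not reintroduce the injection problem."""
    hits = 0
    for (value,) in conn.execute("SELECT %s FROM %s" % (column, table)):
        if isinstance(value, str) and PAN_RE.fullmatch(value) and luhn_ok(value):
            hits += 1
    return hits


def mask_pan(pan):
    """What a retailer can keep for display once it stops storing full numbers:
    only the last four digits."""
    return "*" * (len(pan) - 4) + pan[-4:]


if __name__ == "__main__":
    conn = make_db()
    # Constructed test input: a value that closes the quoted string and adds an
    # always-true condition. The concatenated query returns every row; the
    # parameterised query returns none, because no email equals that string.
    probe = "' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(conn, probe))
    print("safe:      ", lookup_safe(conn, probe))
    print("rows holding a cleartext PAN:",
          count_cleartext_pans(conn, "orders", "card_number"))
    print("masked:", mask_pan("4111111111111111"))
```

Running the audit helper against a production copy before and after a change like "stop storing card numbers" gives a number that should drop to zero; if it does not, the data is still being written somewhere.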
The FTC said the merchant deceived customers by stating on its website that it valued and secured private data.
Under the agreement, similar to other arrangements the FTC has made with companies accused of lax information security practices, Life is Good said it will designate an employee to head up the IT security program, identify risks associated with security, design and deploy measures to mitigate risk, institute processes to select third-party service providers, and regularly evaluate its information security program.
Jim Laughlin, spokesman for Life is Good, told SCMagazineUS.com on Monday that the retailer took action within months of announcing the breach in the fall of 2006.
"We implemented a full suite of actions to make sure our website is secure so our customers could operate with complete trust," he said. "We've done a lot of investment on the IT front to ensure nothing like this happens again."
That included stopping the storage of credit card numbers, implementing a custom-coded back-end shopping cart, properly segmenting the database server from the web server, and ensuring no public IP addresses link to the database, he said.
In addition, the company now conducts quarterly network vulnerability scans and a yearly application security test, Laughlin said. And in November, it launched a new website built on Open Web Application Security Project (OWASP) standards.
"It was a critical moment for a young organization to address this fully and ensure we have everything secure," Laughlin said.
No incidents of fraud were reported as a result of the breach.
Life is Good, with about 250 employees, was founded in 1994.
Labels: Life is Good
University of Miami admits to stolen medical records
Dan Kaplan, April 18 2008
The University of Miami disclosed on Friday that one of its storage vendors lost a number of back-up tapes containing the personal information of more than two million patients.
The university, located in Coral Gables, Fla., said in a news release that the data includes names, Social Security numbers, addresses and health information for patients of University of Miami physicians or anyone who visited a university health facility since Jan. 1, 1999.
The university did not say how many individuals were affected, but the Miami Herald reported on Friday that the total could be as high as 2.1 million people. The school did say that it planned to alert 47,000 patients whose credit card and other financial data were on the lost tapes.
Officials do not believe any of the tapes, which were lost when a container carrying them was stolen March 17 in downtown Coral Gables, can be accessed "because of the complex and proprietary format in which they were written."
"Even though I am confident that our patients' data is safe, we felt that in the best interest of the physician-patient relationship, we should be transparent in this matter," Pascal Goldschmidt, senior vice president of medical affairs and dean of the University of Miami Miller School of Medicine, said in the release.
Labels: Univ. of Miami
confidential ground zero blueprints that he says were dumped
NEW YORK - A homeless man has come forward with two sets of confidential ground zero blueprints that he says were dumped in a Lower Manhattan trash can.
The man brought the Freedom Tower plans to the New York Post, which says the 150-page schematic is marked: "Secure Document — Confidential."
The documents are dated Oct. 5, 2007. They contain plans for each floor, the thickness of the concrete-core wall, and the location of air ducts, elevators, electrical systems and support columns.
The agency that owns the World Trade Center site, the Port Authority of New York and New Jersey, calls it a serious security lapse.
Spokeswoman Candace McAdams says mishandling the blueprints would be "cause for serious disciplinary action."
Labels: Freedom Tower
Google Comes Knocking In Search Of Hidden Data
By crawling using HTML forms (and abiding by robots.txt), Google claims it leads search engine users to documents that otherwise would not be easily found -- but privacy concerns remain.
By Thomas Claburn, InformationWeek
April 14, 2008
URL: http://www.informationweek.com/story/showArticle.jhtml?articleID=207200561
Google on Friday said that it has been testing ways to index data that is normally hidden to search engine crawlers, a change that should improve the breadth of information available through Google.
The so-called "hidden Web" that Google has begun indexing refers to data beyond static Web pages, such as Web pages generated dynamically from a database, based on input such as might be provided through a Web submission form.
"This experiment is part of Google's broader effort to increase its coverage of the Web," Google engineers Jayant Madhavan and Alon Halevy said in a blog post. "In fact, HTML forms have long been thought to be the gateway to large volumes of data beyond the normal scope of search engines. The terms Deep Web, Hidden Web, or Invisible Web have been used collectively to refer to such content that has so far been invisible to search engine users. By crawling using HTML forms (and abiding by robots.txt), we are able to lead search engine users to documents that would otherwise not be easily found in search engines, and provide Webmasters and users alike with a better and more comprehensive search experience."
Robots.txt is a file Web publishers place on their servers that specifies what data can or can't be accessed by crawling programs, should those programs choose to abide by its rules.
In their post, Madhavan and Halevy twice mention that Google follows robots.txt rules, perhaps to allay fears that Google's more curious crawler will expose sensitive data. Google's wariness of being seen as an invader of privacy is underscored by the fact that its two engineers characterize the Google crawler as "the ever-friendly Googlebot."
"Needless to say, this experiment follows good Internet citizenry practices," Madhavan and Halevy said in their post. "Only a small number of particularly useful sites receive this treatment, and our crawl agent, the ever-friendly Googlebot, always adheres to robots.txt, nofollow, and noindex directives. That means that if a search form is forbidden in robots.txt, we won't crawl any of the URLs that a form would generate. Similarly, we only retrieve GET forms and avoid forms that require any kind of user information."
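The two rules quoted above (robots.txt is advisory, and only GET forms that ask for no user information are followed) can be checked from the webmaster's side. The following is an added example for this page, not code from Google or from the blog post it quotes; the shop URL, the robots.txt and the three forms are constructed, and the set of input types treated as "user information" is an assumption made here, not Google's published rule. It parses the forms on a page, builds the URL each GET form would generate, and asks Python's standard robots.txt parser whether that URL is allowed.

```python
from html.parser import HTMLParser
from urllib.parse import urlencode, urljoin
import urllib.robotparser

# Constructed robots.txt for a hypothetical shop (not from the article): the
# site search and the account area are off limits to all crawlers.
SAMPLE_ROBOTS = """User-agent: *
Disallow: /search
Disallow: /account/
"""

# Constructed page with three forms: a product filter (GET, allowed), the site
# search (GET, but its URLs are disallowed by robots.txt) and a login form
# (POST, and it asks for credentials).
SAMPLE_HTML = """
<form action="/products" method="get">
  <input type="text" name="q">
  <select name="sort"><option value="price">price</option></select>
</form>
<form action="/search" method="get">
  <input type="text" name="q">
</form>
<form action="/account/login" method="post">
  <input type="text" name="user">
  <input type="password" name="pass">
</form>
"""

# Input types that mark a form as asking for user information; an assumption
# made for this example, not Google's published rule.
USER_INFO_TYPES = {"password", "email", "tel"}


class FormCollector(HTMLParser):
    """Collect every <form> with its method, action and named fields."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {
                "method": (a.get("method") or "get").lower(),
                "action": a.get("action") or "",
                "fields": [],
            }
        elif tag in ("input", "select", "textarea") and self._current is not None:
            if a.get("name"):
                ftype = (a.get("type") or "text").lower()
                self._current["fields"].append((a["name"], ftype))

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def crawlable_form_urls(base_url, html, robots_txt, sample_values, agent="Googlebot"):
    """Return the URLs a robots.txt-abiding, GET-only form crawler would fetch.

    A form is skipped when it is not GET, when it asks for user information,
    or when the URL it would generate is disallowed for `agent`. Note that the
    robots.txt check lives in the crawler: a server that relies on it alone
    has no protection against a crawler that ignores the file.
    """
    rp = urllib.robotparser.RobotFileParser()
    rp.parse(robots_txt.splitlines())
    collector = FormCollector()
    collector.feed(html)
    urls = []
    for form in collector.forms:
        if form["method"] != "get":
            continue
        if any(ftype in USER_INFO_TYPES for _, ftype in form["fields"]):
            continue
        query = urlencode({name: sample_values.get(name, "") for name, _ in form["fields"]})
        url = urljoin(base_url, form["action"]) + "?" + query
        if rp.can_fetch(agent, url):
            urls.append(url)
    return urls


if __name__ == "__main__":
    for u in crawlable_form_urls("http://shop.example/", SAMPLE_HTML, SAMPLE_ROBOTS,
                                 {"q": "shoes", "sort": "price"}):
        print(u)
```

Only the product filter survives: the search form is GET but its generated URL falls under `Disallow: /search`, and the login form is POST. Running this over your own pages shows which form-generated URLs a crawler following these rules would reach, which is the list to review for anything that should not be indexed.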
Given that Google has been, and continues to be, accused of disregarding privacy concerns -- a charge it has rebutted and continues to rebut -- such prudence is quite understandable.
In a 2001 paper, Michael K. Bergman, CTO of BrightPlanet, estimated that the hidden Web was 400 to 550 times larger than the exposed Web. Though it's not immediately clear whether this ratio still holds after seven years, Google's decision to explore the hidden Web more thoroughly should make its massive index even more useful, and perhaps even more controversial.
Indeed, not everyone has been won over. In a blog post, Robin Schuil, a software developer at eBay, criticized what Google was doing for creating an extra burden on sites.
He said it's "really awfully close to what some of the search engine spammers do: targeted scraping of Web sites."
Labels: Google
Dot-coms daunted by the financial downturn would be well advised to look to the cybercrime economy.
Cybercriminals "have very sound business models," said Joe St Sauver, manager of Internet2 Security Programs through the University of Oregon, at an RSA Conference panel this past week. These models, he believes, are "better than many corporate business plans I routinely see."
The conference session, "Deconstructing the Modern Online Criminal Ecosystem," offered interesting insight into the way the Internet's black market works.
While most of the security professionals I've spoken with at RSA expressed optimism about dealing with future cyberthreats, I find it hard to see where that optimism comes from, given the economics of cybercrime as explained by the participating panelists.
One of them was Larry. He provided no last name and asked that his picture not be published, presumably for his safety. He's the chief investigator for Spamhaus.org, a site that tracks spammers. "It's almost impossible to take these [spam Web sites] down because the DNS changes every five minutes or so," he said.
"Almost impossible" is not the stuff of optimism.
As the panelists explained, a single spam message might be tied to as many as 10 separate organizations and perhaps five suppliers. Every task in the criminal economy has become a separate specialty. Some people sell e-mail lists, others sell lists of compromised IP addresses, there are sellers of credit card numbers, and those who sell access to bot nets. Then there are those who handle product fulfillment for spammers, and those who specialize in laundering money.
All this specialization insulates the network from prosecution by providing a degree of deniability.
And this stuff apparently pays well. IronPort's Patrick Peterson observed that an IT graduate in Romania might be able to earn $400 per month legitimately, compared with several thousand per month in the cybercrime economy.
Cybercriminals make so much money, in fact, that they employ money mules, networks of thousands of people to help them launder money by receiving and sending cash for a commission.
A typical scam: They're wired money and asked to send out a lesser amount via Western Union. Only later do they learn that wire transfers can be reversed, whereas Western Union money transfers are irrevocable.
A final factoid from the session: Lawrence Baldwin, chief forensics officer with myNetWatchman, said that in the past few months he was aware of about 30 data breaches at companies and only two have been publicly reported.
The trend, Baldwin said, was to go after midsize organizations because the big ones have too much security and individuals don't have enough valuable data.
Labels: Dot-coms
Study Finds 'Alarming' Ignorance About Cybercrime
"Consumers' unsecured computers play a major role in helping cybercriminals conduct cybercrimes," the National Cyber Security Alliance warns.
By Thomas Claburn, InformationWeek
April 11, 2008
URL: http://www.informationweek.com/story/showArticle.jhtml?articleID=207200253
At the RSA Conference on Wednesday, the National Cyber Security Alliance (NCSA) reported that U.S. consumers don't understand botnets, networks of compromised computers that have become one of the major methods for attacking computer systems.
"Botnets continue to be an increasing threat to consumers and homeland security," said Ron Teixeira, executive director of the NCSA, in a statement. "Consumers' unsecured computers play a major role in helping cybercriminals conduct cybercrimes not only on the victim's computer, but also against others connected to the Internet."
The NCSA survey involved 2,249 online consumers between the ages of 18 and 65, polled by Harris Interactive.
The NCSA said its study indicates that Americans understand that their computers can be subverted, thereby degrading security for others.
Among the study's findings: 71% are not familiar with the term "botnet"; 59% believe it's unlikely that their computer could affect homeland security; 47% believe it's not possible for their computer to be commandeered by hackers; 51% have not changed their password in the past year; and 48% do not know how to protect themselves from cybercriminals.
Such findings should come as no surprise. Last October, a joint study conducted by McAfee and the NCSA found that almost half the consumers surveyed erroneously believed their computers were protected by antivirus software.
Moreover, the ongoing success of social engineering attacks demonstrates that people are easily fooled. And really, given the frequency with which studies exposing people's ignorance about all manner of things appear, it should be assumed that more education about everything is needed.
Teixeira considers it "alarming" that people don't know how to keep their computers secure.
That may well be cause for alarm, but it's worth noting that companies with highly paid IT professionals get hacked, too. That's at least as alarming, if not more so.
Labels: National Cyber Security Alliance
Tuesday, April 08, 2008
Internet Fraud Loss For 2007 Tops $239 Million
The dollar loss reported from Internet crime reached an all-time high in 2007, while the number of reported crimes was lower than in each of the last three years.
By Thomas Claburn
InformationWeek
April 4, 2008 04:45 PM
The dollar loss reported from Internet crime reached an all-time high in 2007, according to the Internet Crime Complaint Center's (IC3) 2007 Internet Crime report.
The IC3 serves to field complaints about online crime on behalf of the Federal Bureau of Investigation and the National White Collar Crime Center.
The IC3 received 206,884 complaints in 2007 through its Web site, fewer than the number submitted in 2006 (207,492), 2005 (231,493), or 2004 (207,449). With the addition of other methods of complaint, IC3 received 219,553 complaints last year.
IC3 referred 90,008 complaints to the appropriate law enforcement authorities for investigation, most of which alleged fraud and financial loss. The dollar loss for referred complaints totaled $239.09 million, with a median loss of $680 per complainant. This represents an increase over the 2006 total of $198.44 million.
James E. Finch, assistant director of the FBI's cyberdivision, appears to believe that a significant number of people are not reporting Internet crimes. "The Internet presents a wealth of opportunity for would-be criminals to prey on unsuspecting victims, and this report shows how extensive these types of crime have become," he said in a statement. "What this report does not show is how often this type of activity goes unreported. Filing a complaint through IC3 is the best way to alert law enforcement authorities of Internet crime."
The report indicates that in complaints that could be linked to a perpetrator, more than 75% of cybercriminals were men and that half resided in California (15.8%), Florida (10.1%), New York (9.9%), Texas (7%), Illinois (3.6%), Pennsylvania (3.5%), or Georgia (3.1%).
When perpetrators were measured per 100,000 people, the District of Columbia had the most, with 99.10 per 100,000, followed by Nevada (65.45), Delaware (41.98), and Florida (40.73).
Counting by country, the United States had the most cybercriminals, with 63.2%, followed by the United Kingdom (15.3%) and Nigeria (5.7%).
It bears repeating that these numbers do not reflect overall Internet crime activity in these countries. Rather, they represent statistics drawn specifically from the more than 90,000 IC3 complaints investigated.
Men reported larger losses than women, with their median losses coming to $765 and $552, respectively.
E-mail was the most common means (73.6%) by which cybercriminals made contact with their victims, followed by Web pages (32.7%), phone contact (18%), and postal mail (10.1%). "The anonymous nature of an e-mail address or a Web site allows perpetrators to solicit a large number of victims with a keystroke," the report explains.
By far the most common types of fraud reported were auction fraud (35.7%) and nondelivery of merchandise (24.9%). Compared with 2006, these figures represent a 20.5% decrease and a 31.1% increase, respectively.
Other types of fraud reported were confidence fraud (6.7%), credit/debit card fraud (6.3%), check fraud (6%), computer fraud (5.3%), identity theft (2.9%), financial institution fraud (2.7%), threat (1.6%), and Nigerian letter fraud (1.1%).
The report notes that auction fraud may be overrepresented among complaints because eBay, the leading online auction site, provides its users with links to the IC3 site as part of its anti-fraud efforts.
Labels: Internet Crime Complaint Center
The evolution of CyberCrime Inc.
By Doreen Carvajal
Sunday, April 6, 2008
PARIS: There is no storefront or corporate headquarters for Cybercrime Inc., but savvy salesmen in a murky, borderless economy are moving merchandise by shilling credit card numbers - "two for the price one."
"Sell fresh CC," promised one salesman who offered teaser credit card numbers for samples in New Jersey and Canada. "Visa, MasterCard, Amex. Good Prices. Many countries!!!!!"
Electronic crime is maturing, according to security experts, and with its evolution, clever criminals are adopting conventional approaches that reflect cold business sense - from supermarket-style pricing to outsourcing to specialists acting as portfolio managers, coders, launchers, miners, washers and minders of infected "zombie" computers.
"It's a remarkable development of a whole alternative business environment that's occurred over the last couple years," said Richard Archdeacon, a senior director of global services for Symantec, an Internet security company with 11 research centers around the world tracking crime trends. "What's been so astonishing is the speed with which it's developed and the effect with which the market has grown and matured."
In the United States alone, victims of reported Internet fraud lost $239 million in 2007, with average losses running about $2,530 per complaint recorded by a special Web-based hot line operated by the FBI and the National White Collar Crime Center, a nonprofit corporation focusing on electronic crime.
The most common frauds were fake e-mail messages and phony Web pages and the crimes were organized from the United States, England, Nigeria, Canada, Romania and Italy, according to an FBI report issued last week.
Yet despite the increasing sophistication and elusiveness of e-criminals, judges remain reluctant to order much jail time for computer crime, according to some national law enforcement officials and such major companies as Microsoft.
A case in point is Owen Thor Walker, a self-taught computer wizard from New Zealand who, at 18 years old, pleaded guilty last week to criminal charges arising from his development of a vast international network of individual computers that he had hijacked and infected with hidden software or "malware" and remotely controlled.
In the parlance of the trade, he was a "bot herder" who offered his "robot network" for hire to a company in the Netherlands to covertly install their adware. Walker's borderless network first surfaced in an FBI investigation of a computer attack in 2006 that caused the crash of a computer server at the University of Pennsylvania in the United States. The FBI singled out a Pennsylvania student in the attack who ultimately led investigators to Walker, nicknamed Akill.
Walker's sentencing is scheduled for late May, but the judge on the case indicated that he would consider community detention and work release or some home detention for punishment of the teenager, who suffers from Asperger Syndrome, a mild form of autism marked by poor social skills and compulsive behavior.
"Most of the time it's very difficult for a judge to understand what's going on and what the risks are," said Eric Loermans, chief inspector of a Dutch high-tech crime unit, noting though that private companies that are not satisfied can also take civil action against offenders.
Loermans was part of the Council of Europe's cybercrime forum in Strasbourg last week to develop guidelines for closer international cooperation between law enforcement and Internet service providers. More than 200 people representing government agencies and private companies from Europe, the United States, Africa and South America participated in the conference.
Many came from countries where the police are regrouping: like India, where officers in New Delhi are being sent for cybercrime training in e-mail tracking and digital fraud; or the Netherlands, where the government is spending €14 million, or $22 million, over the next four years on its fight against cybercrime.
The Dutch plainclothes high-tech unit now numbers about 25 people, but the police are also in the process of developing training programs for everyone on the staff down to the officer on the beat, according to Loermans.
"Years ago, we saw cybercrime as a speciality," he said. "Now we have added cybercrime in every form of police training, so we are raising the level of the entire Dutch police force. There's no crime anymore where there are no digital components built in."
The aim is to keep up with an age-old game of cat-and-mouse that is accelerating, with newly emerging tools like the "fast flux" that allows cybercriminals to hide the national location of spamming and phishing Web sites, which surface for minutes on a bot computer in one country before moving within minutes to another infected bot in another country. Phishing is a method of fraudulently acquiring sensitive information, like passwords and credit card numbers, using digital communication.
The advantage of fast flux, according to experts, is that attackers can register a child-pornography site or a fake bank that is not tied to a single domain that can be tracked and shut down. The flux techniques were used in phishing frauds this year that targeted bank customers in England where criminals created fake bank sites mimicking Barclays and Halifax banks and requested personal information.
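Fast flux as described above leaves a signature in DNS: the same name answers with a different bot's address every few minutes, spread across unrelated networks and countries, which is what lets a defender tell it apart from a CDN that also rotates addresses. The Python below is an added example, not from the article or any vendor it quotes; it scores constructed passive-DNS observations with that heuristic, and the thresholds, the `.test` domains, the 10.x and TEST-NET addresses and the country codes are all assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class DnsObservation:
    """One A-record answer seen in passive DNS (fields constructed for this example)."""
    ts: int        # seconds into the capture window
    domain: str
    ip: str
    ttl: int       # TTL on the answer, in seconds
    country: str   # GeoIP country of the answer IP (constructed; a real feed fills this in)


@dataclass(frozen=True)
class FluxScore:
    domain: str
    distinct_ips: int
    distinct_prefixes: int   # distinct /16 prefixes among the answers
    distinct_countries: int
    min_ttl: int
    flagged: bool


def score_domain(domain: str, answers: List[DnsObservation], *,
                 max_ttl: int = 300, min_ips: int = 5,
                 min_prefixes: int = 4, min_countries: int = 2) -> FluxScore:
    """Score one domain's answers against fast-flux heuristics.

    A CDN also rotates many IPs with short TTLs, so IP count alone is noisy;
    requiring the answers to spread across unrelated /16s and countries is
    what separates a botnet front end from legitimate load balancing.
    Thresholds are assumptions chosen for this example.
    """
    ips = {a.ip for a in answers}
    prefixes = {ip_network(f"{a.ip}/16", strict=False) for a in answers}
    countries = {a.country for a in answers}
    min_ttl = min(a.ttl for a in answers)
    flagged = (min_ttl <= max_ttl and len(ips) >= min_ips
               and len(prefixes) >= min_prefixes and len(countries) >= min_countries)
    return FluxScore(domain, len(ips), len(prefixes), len(countries), min_ttl, flagged)


def find_fast_flux(observations: Iterable[DnsObservation], **thresholds) -> Dict[str, FluxScore]:
    """Group observations by domain and score each one."""
    by_domain: Dict[str, List[DnsObservation]] = defaultdict(list)
    for obs in observations:
        by_domain[obs.domain].append(obs)
    return {d: score_domain(d, ans, **thresholds) for d, ans in by_domain.items()}


# Constructed sample window: one flux-hosted phishing name rotating through
# bots on unrelated networks in five countries, one CDN-fronted shop that also
# uses a short TTL but stays within two prefixes in one country, and one
# ordinary single-host site. Addresses are private/TEST-NET placeholders.
OBSERVATIONS = [
    DnsObservation(0,   "secure-login-example.test", "10.11.0.5", 60, "NZ"),
    DnsObservation(120, "secure-login-example.test", "10.22.3.9", 60, "US"),
    DnsObservation(240, "secure-login-example.test", "10.33.8.2", 60, "BR"),
    DnsObservation(360, "secure-login-example.test", "10.44.1.1", 60, "DE"),
    DnsObservation(480, "secure-login-example.test", "10.55.6.7", 60, "TR"),
    DnsObservation(600, "secure-login-example.test", "10.66.2.3", 60, "US"),
    DnsObservation(0,   "shop.example.test", "198.51.100.10", 30, "US"),
    DnsObservation(30,  "shop.example.test", "198.51.100.11", 30, "US"),
    DnsObservation(60,  "shop.example.test", "198.51.100.12", 30, "US"),
    DnsObservation(90,  "shop.example.test", "203.0.113.20", 30, "US"),
    DnsObservation(120, "shop.example.test", "203.0.113.21", 30, "US"),
    DnsObservation(150, "shop.example.test", "203.0.113.22", 30, "US"),
    DnsObservation(0,    "www.example.test", "192.0.2.1", 3600, "US"),
    DnsObservation(3600, "www.example.test", "192.0.2.1", 3600, "US"),
]


if __name__ == "__main__":
    for score in find_fast_flux(OBSERVATIONS).values():
        tag = "FAST-FLUX?" if score.flagged else "ok"
        print(f"{score.domain:28} ips={score.distinct_ips} /16s={score.distinct_prefixes} "
              f"countries={score.distinct_countries} min_ttl={score.min_ttl}s -> {tag}")
```

Only the phishing name trips all four tests; loosening the prefix and country thresholds would also flag the CDN, which is why those two dimensions carry the decision.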
David Roberts, chief executive of the Corporate IT Forum, which represents 150 companies in Britain, said his group was pressing for a single confidential channel where corporate security chiefs could report cybercrimes. The Conservative Party in Britain has lately seized on the issue, promising a dedicated "e-crime" police unit and the creation of a new government position, a "cybercrime minister."
As it is now, Roberts said that major companies rarely reported crimes because they wanted to protect their own reputation. And he said they might deal with it discreetly in other ways, perhaps by simply paying nuisance attackers to go away.
"Their only recourse at the moment is to quite literally go to their nearest police station and report the crime to the local police constable," Roberts said, adding that the local police are "very good on physical criminals and household thefts and burglaries, but electronic crime is not part of their curriculum."
The fast-flux technique, Roberts said, was a further illustration of how online crime has evolved. "They are professional, large, well organized and they are best called companies."
Microsoft, which has its own teams of private investigators to monitor and combat cyberthreats to the company, is now taking a more "holistic" approach to confront electronic fraud by financing conferences and training programs.
"It's just not sufficient to bring cases to police," said Jean-Christophe Le Toquin, an Internet safety director for Microsoft in Europe, the Middle East and Africa. "It's not sufficient to have conferences on cybercrime. What you have to do is both of these things and then offer training to judges on cybercrime so that the parliament, the police, the judges are all trained at the same time."
Microsoft is also turning its lawyers toward another flaw in e-commerce called typosquatting by challenging individuals for trademark infringement who register domain names with misspelled versions of the Microsoft name to make money from unsuspecting computer users through pay-per-click advertisements.
Last year, according to the company, it recovered more than 2,000 names.
Labels: Cybercrime Inc.
Hackers steal financial information from auto parts retailer
56,000 customers of Advance Auto Parts believed to be affected
Sophos has reminded companies of the dangers of hackers breaking into their corporate systems, following the latest announcement from a firm that it has been the victim of a data breach.
US motoring parts retailer, Advance Auto Parts, has announced on its website that hackers have gained access to the financial information of 56,000 of its customers, through an attack which affected 14 of its stores worldwide.
Details of how the information was stolen have not been made public, and the identities of the hackers are currently unknown. Advance Auto Parts says it is working with the authorities to assist in the investigation.
According to the company, the affected stores are based in Atlanta (Georgia), College Park (Georgia), Columbus (Ohio), Covington (Louisiana), Canal Fulton (Ohio), Garden City (Georgia), Gretna (Louisiana), Mansfield (Ohio), Memphis (Tennessee), Natchez (Mississippi), Norcross (Georgia), Paoli (Indiana), Richmond (Virginia), and Syracuse (New York).
Advance Auto Parts has published an advisory to affected customers.
News of Advance Auto Parts' data breach has followed in the footsteps of other higher profile incidents such as the loss by Hannafords supermarket chain of 4.2 million credit card details, and last year's announcement by TJ Maxx that hackers had stolen information on 45 million credit card transactions.
"Advance Auto Parts joins a growing list of companies who have suffered from an embarrassing data breach, and this news may rattle the confidence of customers," said Graham Cluley, senior technology consultant for Sophos. "All firms would be wise to look long and hard at their own security to make sure that they are doing everything possible to reduce the chances that they will be the next to fall victim."
Advance Auto Parts has published an advisory on its website, and set up a hotline for potentially affected customers to call: 1-800-704-1154.
"We sincerely apologize for any inconvenience this attack on our network may cause. Advance Auto Parts has been dedicated for the past 75 years to earning customer trust and to providing legendary customer service," said Darren Jackson, President and Chief Executive Officer of Advance Auto Parts in a statement published on the retailer's website. "We strive to serve each and every customer better than anyone else."
Credit and debit card customers who might be affected by the data breach are advised by Sophos to take the following steps:
Carefully review the statements for their debit and credit cards for unauthorized transactions. Open your statements promptly, and compare your receipts to your billing statements.
If you detect any unauthorized or suspicious use of your card, contact your credit card issuer or issuing bank immediately. By law, you will have no liability for unauthorized use if your credit card number, but not the card itself, has been stolen.
Labels: Advanced Auto Parts
Hannaford Data Breach Blamed On Malware
The grocer said the data breach involved malicious software that was found on computer servers at about 300 of the company's stores.
By Thomas Claburn
InformationWeek
April 1, 2008 04:30 PM
The theft of an estimated 4.2 million credit and debit card numbers from Hannaford Bros. grocery stores in the New England area appears to be the result of malware.
In a letter cited by The Boston Globe from Hannaford Bros. to Massachusetts Attorney General Martha Coakley and the state's Office of Consumer Affairs and Business Regulation, the company said that the data breach it disclosed on March 17 involved malicious software that was found on computer servers at about 300 of the company's stores.
The software reportedly intercepted credit card data during checkout and sent captured information overseas, according to the letter.
Carol Eleazer, VP of marketing for Hannaford Bros., confirmed that a letter had been sent to the Massachusetts attorney general and that the facts reported were essentially accurate. She noted that the fix deployed involved software, and not the replacement of hardware. "It was a software problem and it took a software fix," she said.
Eleazer had no further information to provide about the incident, citing ongoing law enforcement and internal forensic investigations.
The breach occurred between Dec. 7 and March 10. Hannaford Bros. said it detected the breach on Feb. 27.
Coakley last month urged consumers who made a purchase at Hannaford stores during this period to watch out for unauthorized use of their credit or debit card numbers and to take steps to safeguard their personal information.
While Hannaford has acknowledged that up to 4.2 million credit and debit card numbers were compromised, it said there's no evidence to indicate that cardholder names and addresses were stolen. The company has said it continues to investigate the incident. The Secret Service is conducting its own investigation.
"In this case, it looks like the hackers exploited the weakest link," said Chris Andrew, VP of security technology at Lumension, a security management company.
Slavik Markovich, CTO of database security company Sentrigo, observes that the attack is unusual in that the thieves attacked the endpoints of the network, rather than accessing the endpoints to reach a central data repository. He said he believes the attack was specially crafted to affect Hannaford's systems.
In its letter, according to The Boston Globe, Hannaford said it had been certified in February to be compliant with the Payment Card Industry security standard, known as PCI.
But Lumension's Andrew cautioned that PCI standards are just guidelines that are open to interpretation. He said stores still need to invest in their own security programs. "Retail is a sector which is not known for high-security in particular," he said. "It's not military networks, it's not banks."
Maybe it should be. Fred Pinkett, VP of product management at security auditing company Core Security Technologies, expects that the retail industry will be targeted with similar attacks in the future. "It's where the money is," he said. "The security landscape has shifted from people trying to make a name for themselves to people trying to keep hidden. You definitely will see more attacks."
Pinkett argues that penetration testing is critical. "We would suggest that companies have a good penetration regime in place so they can find the vulnerabilities in their systems before the hackers do," he said.
Sentrigo's Markovich advised that companies hoping to avoid a similar fate use standard tools to encrypt all of their network traffic, rather than select traffic, as Hannaford reportedly did. He also suggested using activity-monitoring systems on the network and database, in conjunction with periodic network and endpoint audits.
Labels: Hannaford Bros.
FTC settles breach case with Reed Elsevier and Seisint
Jim Carr, March 28, 2008
In addition to settling its case against discount retailer TJX, the Federal Trade Commission (FTC) on Thursday announced a settlement with data brokers Reed Elsevier and Seisint on charges that they failed to provide reasonable and appropriate security for sensitive consumer information, leading to identity theft.
In its action against Reed Elsevier and Seisint, the FTC alleged that Reed Elsevier, through its LexisNexis data broker business, and Seisint allowed customers to use easy-to-guess passwords to access Seisint's Accurint databases, which contained sensitive consumer information, including drivers' license numbers and Social Security numbers.
The FTC said identity thieves exploited these security failures and -- via multiple breaches -- accessed sensitive information on at least 316,000 consumers from the Accurint databases.
The ID thieves used the stolen data to activate credit cards and open new accounts and made fraudulent purchases on the cards and new accounts.
Reed Elsevier acquired Seisint in late 2004, and the breaches continued for at least nine months after Reed Elsevier controlled Seisint's databases, according to the FTC.
Under the terms of the settlement, the FTC ordered the two companies to hire third-party security auditors to assess their security programs on a biennial basis for the next 20 years. The FTC requires the auditors to certify that the companies' security programs meet or exceed the requirements of the FTC's orders. The audit must also prove that the companies are providing "reasonable assurance that the security of consumers' personal information is being protected."
The settlement also contains bookkeeping and record-keeping provisions to allow the agency to monitor compliance with its orders. As it did with TJX, the FTC ordered the companies to designate an employee to be responsible for the security program, identify risks to personal data, deploy safeguards to mitigate that risk, work out agreements with service providers that handle customer data, and evaluate and adjust their security programs to reflect operational changes.
The FTC said it worked with the Hayward, Calif. Police Department and the REACT (Rapid Enforcement Allied Computer Team) Task Force in its investigation of Reed Elsevier and Seisint. This was the FTC's 19th challenge of data security practices.
The FTC is prohibited by law from assessing fines.
Labels: Reed Elsevier and Seisint
Obama, Clinton, McCain Passport Breaches Expose Human, Not Tech Weakness
The unauthorized access was caught by a monitoring system that was tripped when three State Department contractors accessed the electronic records.
By K.C. Jones
InformationWeek
March 21, 2008 05:09 PM
Access to personal passport information from presidential hopefuls Sens. Barack Obama, Hillary Rodham Clinton, and John McCain may not have been preventable, the U.S. State Department said this week.
The incident highlights the need for greater data access controls for employees and contractors in the IT sector and the government.
Three State Department contractors had taken unauthorized looks at the electronic files of each of the candidates, although each had clearance to use the database, Undersecretary for Management Patrick F. Kennedy said Thursday. Obama's file was accessed three times: Jan. 9, Feb. 12, and March 14. It was disclosed later that the files of Clinton and McCain were also reviewed by the contractors.
Two workers were fired. State Department leaders have said they believe that the workers accessed the files out of curiosity. Secretary of State Condoleezza Rice on Friday issued an apology to Obama and Clinton and was scheduled to speak with McCain.
Kennedy said during a press briefing Thursday that all three people suspected of viewing the candidates' passport information had access to the database for one reason or another. He declined to state their job titles or explain specific functions that required the access, except to say that State Department workers must be able to look up information when people call about their passports.
"They were in a variety of functions that required them, in order to do their tasks, to have the access to the computer system," he said.
He also said it was impossible to provide that access and simultaneously deny it to prevent people from snooping for no reason. Kennedy did say, however, that the computer monitoring system worked properly by flagging the workers' activities after the fact. That's when supervisors were notified and took action, he said.
The Security Technology Worked
"One thing I want to emphasize, in each of these three cases, the system that was set up to detect any unauthorized access of these kinds of records worked," Kennedy said. "These unauthorized accesses were detected by the State Department and they were immediately acted upon. In each of these cases, the unauthorized access was caught by a monitoring system that was tripped when, in each of these cases, an employee accessed the record of a high-profile individual. When the monitoring system is tripped, we immediately seek an explanation for the record access. If the explanation is not satisfactory, the supervisor is notified. And that is the case in each of these three individual cases."
Kennedy has acknowledged, however, that the incidents should have been reported higher up the chain of command by insiders. Reporters first brought the data breach to the attention of senior members of the State Department.
The Bureau of Consular Affairs is in charge of monitoring database access, Kennedy said.
A department spokeswoman contacted Friday did not know immediately who designed the database or the monitoring system, which, according to Kennedy, has been in place for several years. It appears unlikely that technology is to blame for the invasion of the candidates' privacy, according to Kennedy's statements. Rather, it appears that the problem stems from a breach of trust by three of more than 50,000 employees.
The State Department restricts access to passport records, performs background checks on employees and contractors, and trains workers about privacy policies. Each time a worker logs on to the system, the worker acknowledges that the records are protected by the Privacy Act and that they are only available on a need-to-know basis, Kennedy said. Transaction logs provide a record of activity.
"They were supposed to use their access to -- for the purposes of the task that they were assigned," Kennedy said during the briefing. "They violated that trust, and that is, and they were caught in the monitoring system that we have. When you produce, as I said earlier, when you produce 18 million passports a year and there are numbers of passports that are lost every year, people call in and ask, 'Where is my passport in the system?'"
The Office of the Inspector General is investigating the incident, and authorities have not ruled out involvement by the Department of Justice. The logical areas of examination for both entities: e-mail folders, hard drives, and servers, but Kennedy said he hasn't told investigators where to look because he doesn't tell them how to do their job.
Kennedy said that the State Department will consider whether it's possible to "lock out" access to high-profile individuals' records, while still allowing workers to respond to inquiries. The information contained in passport files comes from applications and may contain additional information gleaned from research used to determine whether to issue the passport. It is shared with a variety of law enforcement and other agencies for investigation.
One of the more sensitive pieces of information contained in the file is a Social Security number, which can be used for identity theft or to access more information from other sources.
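The monitoring flow Kennedy describes has three parts: a trip wire on reads of high-profile records, a request for an explanation, and escalation to a supervisor when the explanation is not satisfactory. The following is an added illustration of that flow, not the State Department's system or code. The record ids, agent names and the "inquiry" tickets used as justification are constructed sample data, and the one-hour matching window is an assumption.

```python
"""Watch-list access monitoring: every read of a watch-listed record trips an
alert, a justification is looked for, and unexplained reads are escalated.
Added example; record ids, users, inquiries and the time window are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class AccessEvent:
    """One audit-log row: who read which record, and when."""
    when: datetime
    user: str
    record_id: str


@dataclass(frozen=True)
class Inquiry:
    """Hypothetical ticket logged when a caller asks about their passport."""
    when: datetime
    record_id: str
    handled_by: str


# Constructed: records whose access should always trip the monitor.
WATCHLIST = {"P-0001", "P-0002", "P-0003"}


def trip_monitor(events, watchlist=WATCHLIST):
    """Return every access to a watch-listed record (the 'trip')."""
    return [e for e in events if e.record_id in watchlist]


def has_justification(event, inquiries, window=timedelta(hours=1)):
    """A read is explained if the same user was handling an inquiry about
    that record within `window` of the access (assumed policy)."""
    return any(
        i.record_id == event.record_id
        and i.handled_by == event.user
        and abs(i.when - event.when) <= window
        for i in inquiries
    )


def escalate(events, inquiries, watchlist=WATCHLIST):
    """Split tripped accesses into (explained, escalated); the escalated
    list is what a supervisor would be asked to review."""
    explained, escalated = [], []
    for e in trip_monitor(events, watchlist):
        (explained if has_justification(e, inquiries) else escalated).append(e)
    return explained, escalated


# Constructed sample audit trail and inquiry log.
T = datetime(2008, 3, 14, 10, 0)
EVENTS = [
    AccessEvent(T, "agent_a", "P-0001"),                        # no inquiry -> escalate
    AccessEvent(T + timedelta(minutes=5), "agent_b", "P-0002"), # inquiry on file -> explained
    AccessEvent(T + timedelta(minutes=7), "agent_b", "P-9999"), # not watch-listed -> ignored
    AccessEvent(T + timedelta(hours=3), "agent_c", "P-0002"),   # no matching inquiry -> escalate
]
INQUIRIES = [
    Inquiry(T + timedelta(minutes=2), "P-0002", "agent_b"),
]

if __name__ == "__main__":
    ok, bad = escalate(EVENTS, INQUIRIES)
    for e in bad:
        print(f"ESCALATE: {e.user} read {e.record_id} at {e.when:%Y-%m-%d %H:%M} "
              "with no inquiry on file")
```

The design point is the one Kennedy makes: the control does not deny the read, because agents must be able to look up any passport, but it makes every read of a sensitive record a reviewable event. Tying the justification to an independently logged inquiry, rather than to free text typed at access time, is what makes the review meaningful.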
Labels: Clinton and McCain, Obama
Thieves Steal 4.2 Million Credit And Debit Card Numbers From Supermarket Servers
Hannaford Bros. CEO Ron Hodge said the data intrusion had been contained and that names and addresses were not accessed.
By Thomas Claburn
InformationWeek
March 18, 2008 03:00 PM
Thieves stole an estimated 4.2 million credit and debit card numbers from the Scarborough, Maine-based Hannaford Bros. and Sweetbay supermarket chains, Hannaford Bros. Co. said on Monday.
In a letter posted on the company Web site, Hannaford Bros. CEO Ron Hodge said that the data intrusion had been contained and that names and addresses were not accessed because the company does not store personally identifiable customer information with transaction data.
As a consequence, the company said it is unable to notify potentially affected customers. The company said it is working with credit and debit card issuers to determine the impact of the stolen data.
"We sincerely regret this intrusion into our systems, which, we believe, are among the strongest in the industry," said Hodge. "The stolen data was limited to credit and debit card numbers and expiration dates, and was illegally accessed from our computer systems during transmission of card authorization."
The use of the word "transmission" in Hodge's statement suggests that data may have been intercepted while being transmitted through a wireless system. The Wall Street Journal, citing an unnamed source, said on Tuesday that investigators are looking at Hannaford's wireless system as a possible point of access.
As many as 1,800 cases of fraud have been linked to the data theft, according to the Associated Press.
Hannaford Bros. did not respond to a request for comment. The company is owned by the Delhaize Group, based in Belgium.
The intrusion affected Hannaford Stores in New England and New York, Sweetbay stores in Florida, and some independently-owned retail stores in the Northeast that sell Hannaford products. Hannaford Brothers said that the intrusion was detected on February 27.
The Massachusetts Bankers Association, which represents about 200 financial institutions in New England, said on Monday that Visa and MasterCard had contacted between 60 and 70 banks in Massachusetts about a large data breach that had occurred at "a major retailer." Visa and MasterCard did not name Hannaford Bros. as a matter of policy.
The Hannaford incident is the largest publicly known data breach in the U.S. since September 2007, when hackers accessed 6.3 million Ameritrade customer name and address records. In January 2007, TJX Companies disclosed that data thieves had accessed its servers during the previous year. An estimated 94 million credit and debit card records were stolen.
In December 2007, the Massachusetts Bankers Association said that it had settled its lawsuit against TJX Companies under undisclosed terms.
Hannaford is advising customers to carefully review their credit and debit card statements over the past three months and to contact the issuing institution immediately in the event of any irregularity.
Hannaford has set up a customer assistance line at 866-591-4580.
Labels: Hannaford Bros.
Corporate espionage: Not if, but when
11 Mar 2008 12:48
When it comes to business-to-business theft of information, experts agree — it's best to assume it will happen to your company
Corporate espionage is defined as the theft of commercially valuable information. This may be the secret formulation of a new product, but equally it could be the names and salaries of senior executives or simply the date of your next marketing initiative.
This type of corporate crime costs the world's 1,000 largest companies in excess of $45bn (£22.4bn) every year, according to research from consulting firm PricewaterhouseCoopers.
Some of the world's largest corporations have been targeted: for example, in 2000, Microsoft fell victim to what the company called "a deplorable act of industrial espionage" when hackers broke into the company's system and accessed Windows and Office source code. Hackers had access to the source code for up to three months.
In the pharmaceutical sector, Proctor & Gamble and Unilever became involved in a dispute over corporate espionage when Fortune magazine reported that P&G had been involved in illegal corporate espionage against its archrival. Agents appointed by P&G were alleged to have misrepresented themselves as market researchers and used various other methods to collect information about its rival.
In 2006, two hackers were extradited from the UK to Israel when it was alleged that they had developed and sold spyware which was used by companies to spy on rivals in their native Israel. Three private investigation companies in Israel were alleged to have sent emails with Trojan horse packages designed to evade detection by security tools.
"What you need to know is that this is happening more than ever before, and on a bigger scale than ever before," warns Toralv Dirro, a security strategist with McAfee. "Any business that derives competitive advantage from information should be concerned about this issue."
Corporate espionage has increased rapidly in the past decade, as more information is put onto corporate networks — and potentially within the reach of hackers, Dirro explains. Certainly, PricewaterhouseCoopers reported that corporate espionage losses doubled between 1990 and 2000.
Knowing whether you're at risk of corporate espionage isn't easy, admits Paul King, a senior security advisor with Cisco UK. In fact, you could be a victim of corporate espionage and never even realise it, King says. "At Cisco, we don't ask ourselves why we might be at risk of this stuff, we ask why not?" he says. The company's security experts constantly scan the internet for reports of attacks on other organisations, and assess their own risk to similar attacks.
It's difficult to know exactly how common corporate espionage is because most victims never report the attack to the police, fearful of the consequences of going public, says King. And if a hacker is sufficiently skilled, many companies won't even realise they've been attacked. "I think the best we can do is monitor our systems carefully and if we hear of an attack on another organisation, ensure that it couldn't affect us," he says.
The question isn't whether you know you're vulnerable to corporate espionage, it's knowing how vulnerable you could be, adds King. "If your chief executive says he's not a victim of this stuff, how confident is he? And the only way to be really confident is to be looking hard for it."
The first step in corporate-espionage protection is to close the most obvious loopholes — those that can be exploited by hackers without even breaking the law. "We're seeing massive growth in something called Google hacking," says Rhodri Davies, a technical architect with security specialist Vistorm. "This is the process of using really smart Google searches to find information left open on web servers. It's unsportsmanlike, but definitely not illegal."
With Google hacking, hackers can routinely find information on projects and personnel, and the file names of confidential documents, even if they cannot access the documents themselves. "You can easily automate searches, so that if a document is online even briefly, you'll be emailed that search result," says Davies. The danger is that this information will then be used as the basis of an illegal attack, enabling a hacker to pretend to be inside the company, or to launch a social-engineering attack.
Security companies have seen a dramatic increase in what's known as "spear phishing", a highly targeted phishing attack where a single executive may receive an email that appears to be from an authorised partner or supplier, relating to a project that isn't widely known outside the company. "The usual trick with this sort of email is to encourage the user to open a file, which will launch a Trojan, potentially giving someone access to the whole network," says Toralv Dirro, a security strategist with McAfee. "We have been seeing an awful lot of these in the last year or so."
How do you know if you have been a victim of corporate espionage? In many cases, you'll never know, says Dirro. "If it's a skilled hacker, they will have used Trojans to ensure the intrusion detection system isn't triggered." Security experts recommend regularly conducting penetration testing (including looking for search vulnerabilities) to protect against this kind of attack. However, to protect against illegal hackers attempting corporate espionage, the best advice is to know your data.
Audit your corporate data and identify what information is potentially sensitive and therefore vulnerable to attack, says Dirro. Next, separate this information into dedicated areas of the network, and consider separating highly sensitive information entirely. "If you have a highly confidential R&D project, I would consider putting it on its own network, with no external links whatsoever," says Dirro. "Regardless, you should have a clear idea of your data structure, so you know who is accessing sensitive data and what they're able to do with it."
There isn't a single technical solution to corporate espionage, adds Cisco's King. "If there was, we'd be selling it," he says. However, companies can take steps to minimise the risks it poses. King's key advice is not to rely on reactive security systems, which will warn you only when something specific happens. Although a good intrusion detection system and firewall are essential, they aren't enough. "If you're waiting for an alarm to go off, that's not good enough, and it won't alert you to most corporate espionage," King says.
For example, you may want to investigate the latest data log protection systems. These software tools can "mark" confidential data with a virtual watermark, which prevents it from being copied to a mobile device or distributed via email. "The technology is relatively new, and can be quite difficult to get up and running, but once you've done the upfront work they're highly effective," Dirro says.
In addition, King recommends routinely checking through IDS log files and access logs looking for attacks or patterns of unusual activity. "We have a product that monitors all our log files from routers and firewalls and looks for anomalous behaviour," says King. "It's different from only reacting to something you know has happened."
It's also important to pay attention to less sophisticated forms of information theft. "Educate people on risks that may seem small, like using a laptop on a plane," advises King. Cisco executives are routinely provided with plastic privacy shields that prevent so-called shoulder surfing, and the IT department provides training videos that help make people more aware of the risks in discussing confidential projects in public.
"Sometimes you can be at risk in the most public places," says King. "For example, someone at a trade show might ask you a question that is designed to help them later to do some kind of social engineering." Since producing videos on this topic for the corporate intranet, King's team has received many more calls from employees who say they have received suspicious telephone enquiries.
The vast majority of corporate espionage attacks have the involvement of someone inside the company, argues Mark Schettenhelm, a security consultant with Compuware and a Certified Information Privacy Professional (CIPP). "We've done such a good job of blocking hackers and spam from outside that it's easy to forget the threat from people inside the company who have all the authority and access."
However, King believes it's important to keep corporate espionage in perspective. "We want security to enable the business, and we're not going to lock down systems and stop people doing business," he says. For this reason, Cisco does allow employees to use memory sticks and mobile devices, but with appropriate encryption and other security measures.
The best approach is to accept that providing employees with access to sensitive information will always carry some risk, but to mitigate that risk as far as possible, says Schettenhelm. Compuware provides a range of tools designed for "application auditing", which basically means monitoring who uses software, and what they do with it. One of the biggest challenges of any company that has been hacked is knowing the extent of the breach, and application auditing can also help in this respect, showing which screens and fields of data were viewed by an individual user.
"It means if there is a breach, you can easily see where it happened, who did it, and what was breached," says Schettenhelm. "It also protects employees from false accusations, because it shows where there was no inappropriate action."
Application auditing can be combined with data mining tools to reveal patterns of usage and alert managers to anomalous activities. For example, you could monitor the activity level in a customer service centre to show that a typical agent accessed 100 records per day, while one employee is regularly accessing 500 records. "That type of spike might indicate a problem, and further investigation may show which sort of records he is accessing, and whether it tallies with the number of inbound calls they were handling," says Schettenhelm. "You can then ask, why did you need that screen for that call?"
This type of technology works best when sensitive data is held on separate screens, Schettenhelm adds, so that you can track exactly who is accessing information such as credit-card details or medical records. It will also help in preventing future problems, because auditing will show which screens really are needed to do a specific job — allowing access to any information that isn't strictly needed to be restricted.
Of course, an organisation can't simply block access to all confidential data — developing new products is difficult if the engineers can't access the plans, after all. But analysing network traffic can show who is downloading information and at what times. "A common trigger which might indicate a problem or a hacker is someone accessing files outside office hours, when they can't be seen by colleagues," says Schettenhelm.
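King's advice to mine log files for anomalous behaviour and Schettenhelm's application-auditing checks (an agent reading 500 records a day against a typical 100, tallying reads against inbound calls, asking which screens were used, and flagging out-of-hours access) are all the same kind of computation over an access audit trail. The block below is an added example of those checks, not Compuware's or Cisco's tooling. The audit rows, the "calls handled" counts, the 3x-median threshold, the 2 records-per-call limit and the 08:00 to 18:00 office window are all constructed.

```python
"""Application-audit anomaly checks over a constructed one-day access trail.
Added example; every row, count and threshold below is made up."""
from collections import Counter
from datetime import datetime, time, timedelta
from statistics import median

OFFICE_START, OFFICE_END = time(8, 0), time(18, 0)   # assumed office window


def make_audit_rows():
    """Constructed audit trail: (timestamp, agent, screen, record_id).
    Four agents each read 100 records, agent a5 reads 500 on one screen,
    and a2 comes back at night for three more reads."""
    day = datetime(2008, 3, 10, 9, 0)                   # a Monday
    rows = []
    for agent in ("a1", "a2", "a3", "a4"):
        for i in range(100):
            screen = "card_details" if i % 2 else "contact"
            rows.append((day + timedelta(minutes=4 * i), agent, screen, f"R{agent}{i}"))
    for i in range(500):
        rows.append((day + timedelta(seconds=50 * i), "a5", "card_details", f"Ra5{i}"))
    night = datetime(2008, 3, 10, 23, 15)
    for i in range(3):
        rows.append((night + timedelta(minutes=i), "a2", "card_details", f"Rnight{i}"))
    return rows


# Constructed: inbound calls each agent handled that day, from the phone system.
CALLS_HANDLED = {"a1": 100, "a2": 100, "a3": 100, "a4": 100, "a5": 95}


def daily_counts(rows):
    """Records accessed per (agent, date)."""
    return Counter((agent, ts.date()) for ts, agent, _, _ in rows)


def volume_outliers(counts, factor=3.0):
    """Agent-days whose record count exceeds `factor` times the median
    agent-day: the '500 against a typical 100' spike."""
    typical = median(counts.values())
    return [(key, n, typical) for key, n in sorted(counts.items()) if n > factor * typical]


def records_per_call(counts, calls, max_ratio=2.0):
    """Agents whose reads do not tally with the calls they handled."""
    per_agent = Counter()
    for (agent, _), n in counts.items():
        per_agent[agent] += n
    return {a: per_agent[a] / calls[a] for a in per_agent
            if per_agent[a] / calls[a] > max_ratio}


def off_hours(rows, start=OFFICE_START, end=OFFICE_END):
    """Reads outside the office window or on a weekend."""
    return [r for r in rows
            if r[0].weekday() >= 5 or not (start <= r[0].time() < end)]


def screen_breakdown(rows, agent):
    """Which screens one agent used, to ask 'why that screen for that call?'"""
    return Counter(screen for _, a, screen, _ in rows if a == agent)


if __name__ == "__main__":
    rows = make_audit_rows()
    counts = daily_counts(rows)
    for (agent, date), n, typical in volume_outliers(counts):
        print(f"VOLUME: {agent} read {n} records on {date} (typical {typical})")
    for agent, ratio in records_per_call(counts, CALLS_HANDLED).items():
        print(f"TALLY: {agent} averaged {ratio:.1f} records per call")
    for ts, agent, screen, rec in off_hours(rows):
        print(f"OFF-HOURS: {agent} opened {screen} for {rec} at {ts:%H:%M}")
    print("a5 screens:", dict(screen_breakdown(rows, "a5")))
```

The volume check uses the median rather than the mean so that one heavy reader does not raise the baseline for everyone else; the records-per-call tally catches an agent whose volume is high even on a day when the whole floor is busy. Both are the kind of pattern King contrasts with waiting for an alarm: nothing here fires on a single event, only on behaviour that differs from the agent's peers or from the work they were actually given.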
Story URL: http://resources.zdnet.co.uk/articles/features/0,1000002000,39365959,00.htm
11 Mar 2008 12:48
When it comes to business-to-business theft of information, experts agree — it's best to assume it will happen to your company
Corporate espionage is defined as the theft of commercially valuable information. This may be the secret formulation of a new product, but equally it could be the names and salaries of senior executives or simply the date of your next marketing initiative.
This type of corporate crime costs the world's 1,000 largest companies in excess of $45bn (£22.4bn) every year, according to research from consulting firm PricewaterhouseCoopers.
Some of the world's largest corporations have been targeted: for example, in 2000, Microsoft fell victim to what the company called "a deplorable act of industrial espionage" when hackers broke into the company's system and accessed Windows and Office source code. Hackers had access to the source code for up to three months.
In the pharmaceutical sector, Procter & Gamble and Unilever became involved in a dispute over corporate espionage when Fortune magazine reported that P&G had been involved in illegal corporate espionage against its archrival. Agents appointed by P&G were alleged to have misrepresented themselves as market researchers and used various other methods to collect information about its rival.
In 2006, two hackers were extradited from the UK to Israel when it was alleged that they had developed and sold spyware which was used by companies to spy on rivals in their native Israel. Three private investigation companies in Israel were alleged to have sent emails with Trojan horse packages designed to evade detection by security tools.
"What you need to know is that this is happening more than ever before, and on a bigger scale than ever before," warns Toralv Dirro, a security strategist with McAfee. "Any business that derives competitive advantage from information should be concerned about this issue."
Corporate espionage has increased rapidly in the past decade, as more information is put onto corporate networks — and potentially within the reach of hackers, Dirro explains. Certainly, PricewaterhouseCoopers reported that corporate espionage losses doubled between 1990 and 2000.
Knowing whether you're at risk of corporate espionage isn't easy, admits Paul King, a senior security advisor with Cisco UK. In fact, you could be a victim of corporate espionage and never even realise it, King says. "At Cisco, we don't ask ourselves why we might be at risk of this stuff, we ask why not?" he says. The company's security experts constantly scan the internet for reports of attacks on other organisations, and assess their own exposure to similar attacks.
It's difficult to know exactly how common corporate espionage is because most victims never report the attack to the police, fearful of the consequences of going public, says King. And if a hacker is sufficiently skilled, many companies won't even realise they've been attacked. "I think the best we can do is monitor our systems carefully and if we hear of an attack on another organisation, ensure that it couldn't affect us," he says.
The question isn't whether you know you're vulnerable to corporate espionage, it's knowing how vulnerable you could be, adds King. "If your chief executive says he's not a victim of this stuff, how confident is he? And the only way to be really confident is to be looking hard for it."
The first step in corporate-espionage protection is to close the most obvious loopholes — those that can be exploited by hackers without even breaking the law. "We're seeing massive growth in something called Google hacking," says Rhodri Davies, a technical architect with security specialist Vistorm. "This is the process of using really smart Google searches to find information left open on web servers. It's unsportsmanlike, but definitely not illegal."
With Google hacking, hackers can routinely find information on projects and personnel, and the file names of confidential documents, even if they cannot access the documents themselves. "You can easily automate searches, so that if a document is online even briefly, you'll be emailed that search result," says Davies. The danger is that this information will then be used as the basis of an illegal attack, enabling a hacker to pretend to be inside the company, or to launch a social-engineering attack.
Security companies have seen a dramatic increase in what's known as "spear phishing", a highly targeted phishing attack where a single executive may receive an email that appears to be from an authorised partner or supplier, relating to a project that isn't widely known outside the company. "The usual trick with this sort of email is to encourage the user to open a file, which will launch a Trojan, potentially giving someone access to the whole network," says Toralv Dirro, a security strategist with McAfee. "We have been seeing an awful lot of these in the last year or so."
How do you know if you have been a victim of corporate espionage? In many cases, you'll never know, says Dirro. "If it's a skilled hacker, they will have used Trojans to ensure the intrusion detection system isn't triggered." Security experts recommend regularly conducting penetration testing (including looking for search vulnerabilities) to protect against this kind of attack. However, to protect against illegal hackers attempting corporate espionage, the best advice is to know your data.
Audit your corporate data and identify what information is potentially sensitive and therefore vulnerable to attack, says Dirro. Next, separate this information into dedicated areas of the network, and consider separating highly sensitive information entirely. "If you have a highly confidential R&D project, I would consider putting it on its own network, with no external links whatsoever," says Dirro. "Regardless, you should have a clear idea of your data structure, so you know who is accessing sensitive data and what they're able to do with it."
There isn't a single technical solution to corporate espionage, adds Cisco's King. "If there was, we'd be selling it," he says. However, companies can take steps to minimise the risks it poses. King's key advice is not to rely on reactive security systems, which will warn you only when something specific happens. Although a good intrusion detection system and firewall are essential, they aren't enough. "If you're waiting for an alarm to go off, that's not good enough, and it won't alert you to most corporate espionage," King says.
For example, you may want to investigate the latest data log protection systems. These software tools can "mark" confidential data with a virtual watermark, which prevents it from being copied to a mobile device or distributed via email. "The technology is relatively new, and can be quite difficult to get up and running, but once you've done the upfront work they're highly effective," Dirro says.
In addition, King recommends routinely checking through IDS log files and access logs looking for attacks or patterns of unusual activity. "We have a product that monitors all our log files from routers and firewalls and looks for anomalous behaviour," says King. "It's different from only reacting to something you know has happened."
It's also important to pay attention to less sophisticated forms of information theft. "Educate people on risks that may seem small, like using a laptop on a plane," advises King. Cisco executives are routinely provided with plastic privacy shields that prevent so-called shoulder surfing, and the IT department provides training videos that help make people more aware of the risks in discussing confidential projects in public.
"Sometimes you can be at risk in the most public places," says King. "For example, someone at a trade show might ask you a question that is designed to help them later to do some kind of social engineering." Since producing videos on this topic for the corporate intranet, King's team has received many more calls from employees who say they have received suspicious telephone enquiries.
The vast majority of corporate espionage attacks involve someone inside the company, argues Mark Schettenhelm, a security consultant with Compuware and a Certified Information Privacy Professional (CIPP). "We've done such a good job of blocking hackers and spam from outside that it's easy to forget the threat from people inside the company who have all the authority and access."
However, King believes it's important to keep corporate espionage in perspective. "We want security to enable the business, and we're not going to lock down systems and stop people doing business," he says. For this reason, Cisco does allow employees to use memory sticks and mobile devices, but with appropriate encryption and other security measures.
The best approach is to accept that providing employees with access to sensitive information will always carry some risk, but to mitigate that risk as far as possible, says Schettenhelm. Compuware provides a range of tools designed for "application auditing", which basically means monitoring who uses software, and what they do with it. One of the biggest challenges of any company that has been hacked is knowing the extent of the breach, and application auditing can also help in this respect, showing which screens and fields of data were viewed by an individual user.
"It means if there is a breach, you can easily see where it happened, who did it, and what was breached," says Schettenhelm. "It also protects employees from false accusations, because it shows where there was no inappropriate action."
Application auditing can be combined with data mining tools to reveal patterns of usage and alert managers to anomalous activities. For example, you could monitor the activity level in a customer service centre to show that a typical agent accessed 100 records per day, while one employee is regularly accessing 500 records. "That type of spike might indicate a problem, and further investigation may show which sort of records he is accessing, and whether it tallies with the number of inbound calls they were handling," says Schettenhelm. "You can then ask, why did you need that screen for that call?"
This type of technology works best when sensitive data is held on separate screens, Schettenhelm adds, so that you can track exactly who is accessing information such as credit-card details or medical records. It will also help in preventing future problems, because auditing will show which screens really are needed to do a specific job — allowing access to be restricted to any information that isn't strictly needed.
Of course, an organisation can't simply block access to all confidential data — developing new products is difficult if the engineers can't access the plans, after all. But analysing network traffic can show who is downloading information and at what times. "A common trigger which might indicate a problem or a hacker is someone accessing files outside office hours, when they can't be seen by colleagues," says Schettenhelm.
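The two checks Schettenhelm describes, a per-agent record-count spike against the peer baseline and sensitive-screen access outside office hours, can be run over an application audit log with a few dozen lines of code. The block below is an added example written for this page; it is not Compuware's tooling or any code from the article. The log format (ISO timestamp, agent, screen name, record id), the screen names, the 3x-median spike threshold and the 08:00-18:00 office window are all assumptions, and the log itself is constructed so the example runs offline.

```python
"""Application-audit anomaly checks over a constructed access log (added example)."""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median
from typing import Dict, Iterable, List, NamedTuple, Tuple


class AccessEvent(NamedTuple):
    ts: datetime
    agent: str
    screen: str   # assumed screen name, e.g. "CustomerSummary" or "CardDetails"
    record: str   # assumed customer record id


def build_sample_log() -> str:
    """Constructed one-day log: three agents at normal volume, one agent with a
    spike and with CardDetails views late at night. Not real data."""
    lines = []
    day = datetime(2008, 3, 10, 9, 0)
    for agent in ("alice", "bob", "carol"):
        for i in range(10):  # 10 records each, office hours, summary screen only
            ts = day + timedelta(minutes=30 * i)
            lines.append(f"{ts.isoformat()},{agent},CustomerSummary,{agent}-{i:04d}")
    for i in range(45):      # outlier: 45 daytime records ...
        ts = day + timedelta(minutes=10 * i)
        lines.append(f"{ts.isoformat()},dave,CustomerSummary,dave-{i:04d}")
    night = datetime(2008, 3, 10, 23, 0)
    for i in range(5):       # ... plus 5 card-detail views at 23:00
        ts = night + timedelta(minutes=5 * i)
        lines.append(f"{ts.isoformat()},dave,CardDetails,dave-n{i:02d}")
    return "\n".join(lines) + "\n"


def parse_log(text: str) -> List[AccessEvent]:
    """Parse 'timestamp,agent,screen,record' lines; malformed lines are skipped
    so one bad line cannot abort the whole audit run."""
    events = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 4:
            continue
        ts, agent, screen, record = row
        events.append(AccessEvent(datetime.fromisoformat(ts), agent, screen, record))
    return events


def daily_record_counts(events: Iterable[AccessEvent]) -> Dict[Tuple[str, str], int]:
    """Distinct records viewed per (date, agent); re-opening one record counts once."""
    seen = defaultdict(set)
    for e in events:
        seen[(e.ts.date().isoformat(), e.agent)].add(e.record)
    return {k: len(v) for k, v in seen.items()}


def spike_agents(events: Iterable[AccessEvent], factor: float = 3.0) -> Dict[str, Tuple[int, float]]:
    """Agents whose daily count exceeds factor x the median of their peers that day.
    Returns agent -> (count, peer median). Days with a single agent are skipped."""
    per_day: Dict[str, Dict[str, int]] = defaultdict(dict)
    for (day, agent), n in daily_record_counts(events).items():
        per_day[day][agent] = n
    flagged = {}
    for by_agent in per_day.values():
        if len(by_agent) < 2:
            continue
        baseline = median(by_agent.values())
        for agent, n in by_agent.items():
            if n > factor * baseline:
                flagged[agent] = (n, baseline)
    return flagged


def off_hours_sensitive(events: Iterable[AccessEvent], sensitive_screens,
                        start_hour: int = 8, end_hour: int = 18) -> List[AccessEvent]:
    """Accesses to sensitive screens outside the [start_hour, end_hour) office window."""
    return [e for e in events
            if e.screen in sensitive_screens and not (start_hour <= e.ts.hour < end_hour)]


def audit_report(text: str, sensitive_screens=frozenset({"CardDetails"})) -> dict:
    events = parse_log(text)
    return {"spikes": spike_agents(events),
            "off_hours": off_hours_sensitive(events, sensitive_screens)}


if __name__ == "__main__":
    report = audit_report(build_sample_log())
    for agent, (n, base) in report["spikes"].items():
        print(f"spike: {agent} viewed {n} records, peer median {base:.0f}")
    for e in report["off_hours"]:
        print(f"off-hours: {e.agent} opened {e.screen} for {e.record} at {e.ts:%H:%M}")
```

The spike check compares an agent with the median of the peer group on the same day rather than with a fixed number, so a busy day for the whole call centre does not generate alerts for everyone; the off-hours check only looks at screens you have classified as sensitive, which is why the article's advice to keep card details and medical records on separate screens matters for this kind of auditing.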
Story URL: http://resources.zdnet.co.uk/articles/features/0,1000002000,39365959,00.htm
Labels: Corporate espionage
Chinese hackers: No site is safe
Story Highlights
Chinese hackers claim to have broken into Pentagon's system
The hackers met with CNN on an island near a Chinese naval hub
Hackers say Beijing secretly pays them at times, something the government denies
Official: "The Chinese government does not do such a thing"
By John Vause
CNN
ZHOUSHAN, China (CNN) -- They operate from a bare apartment on a Chinese island. They are intelligent 20-somethings who seem harmless. But they are hard-core hackers who claim to have gained access to the world's most sensitive sites, including the Pentagon.
In fact, they say they are sometimes paid secretly by the Chinese government -- a claim the Beijing government denies.
"No Web site is one hundred percent safe. There are Web sites with high-level security, but there is always a weakness," says Xiao Chen, the leader of this group.
"Xiao Chen" is his online name. Along with his two colleagues, he does not want to reveal his true identity. The three belong to what some Western experts say is a civilian cyber militia in China, launching attacks on government and private Web sites around the world.
If there is a profile of a cyber hacker, these three are straight from central casting -- young and thin, with skin pale from spending too many long nights in front of a computer.
One hacker says he is a former computer operator in the People's Liberation Army; another is a marketing graduate; and Xiao Chen says he is a self-taught programmer.
"First, you must know about the Web site you want to attack. You must know what program it is written with," says Xiao Chen. "There is a saying, 'Know about both yourself and the enemy, and you will be invincible.'"
CNN decided to withhold the address of these hackers' Web site, but Xiao Chen says it has been operating for more than three years, with 10,000 registered users. The site offers tools, articles, news and flash tutorials about hacking.
Private computer experts in the United States from iDefense Security Intelligence, which provides cybersecurity advice to governments and Fortune 500 companies, say the group's site "appears to be an important site in the broader Chinese hacking community."
Arranging a meeting with the hackers took weeks of on-again, off-again e-mail exchanges. When they finally agreed, CNN was told to meet them on the island of Zhoushan, just south of Shanghai and a major port for China's navy.
The apartment has cement floors and almost no furniture. What they do have are three of the latest computers. They are cautious when it comes to naming the Web sites they have hacked.
On camera, Xiao Chen denies knowing anyone who has targeted U.S. government Web sites. But off-camera, in conversations over three days, he claims two of his colleagues -- not the ones with him in the room -- hacked into the Pentagon and downloaded information, although he wouldn't specify what was gleaned. CNN has no way to confirm if his claim is true.
"They would not publicize this," he says of someone who hacks the U.S. Defense Department. "It is very sensitive."
This week, the Pentagon said computer networks in the United States, Germany, Britain and France were hit last year by what they call "multiple intrusions," many of them originating from China.
At a congressional hearing in Washington last week, administration officials testified that the government's cyber initiative has fallen far short of what is required. Most alarming, the officials said, there has never been a full damage assessment of federal agency networks.
"We are here today because we must do more," said Robert Jamison, a top official in the U.S. Department of Homeland Security. "Defending the federal system in its current configuration is a significant challenge."
U.S. officials have been cautious not to directly accuse the Chinese military or its government of hacking into its network.
But David Sedney, the deputy assistant secretary of defense for East Asia, says, "The way these intrusions are conducted are certainly consistent with what you would need if you were going to actually carry out cyber warfare."
Beijing hit back at that, denying such an allegation and calling on the United States to provide proof. "If they have any evidence, I hope they would provide it. Then, we can cooperate on this issue," Qin Gang, a spokesman for the Chinese Foreign Ministry, said during a regular press briefing this week.
But again off-camera, Xiao Chen says after the alleged Pentagon attack, his colleagues were paid by the Chinese government. CNN has no way to independently confirm if that is true.
His allegations brought strenuous denials from Beijing. "I am telling you honestly, the Chinese government does not do such a thing," Qin said.
But if Xiao Chen is telling the truth, it appears his colleagues launched a freelance attack -- not initiated by Beijing, but paid for after the fact. "These hacker groups in my opinion are not agents of the Chinese state," says James Mulvenon from the Center for Intelligence Research and Analysis, which works with the U.S. intelligence community.
"They are sort of useful idiots for the Beijing regime."
He adds, "These young hackers are tolerated by the regime provided that they do not conduct attacks inside of China."
One of the biggest problems, experts say, is proving where a cyber attack originates, and that, they say, allows hackers like Xiao Chen to operate in a virtual world of deniability.
And across China, there could be thousands just like him, all trying to prove themselves against some of the most secure Web sites in the world.
Labels: Chinese hackers