Monday, May 18, 2009
'Cybersquatting' crooks profit on marketers' brand names
Yahoo!
Teresa Howard, USA TODAY
As advertisers spend more online, brand name firms increasingly are seeing their names, customers and millions of dollars in sales hijacked by shady marketers.
Instances of deceptive marketing to build traffic for rogue sites or to sell faux-branded products rose 17% last year, according to MarkMonitor, whose software tracks digital marketing infringement.
Shady marketers are using so-called cybersquatting to do their digital stealing. They drive people to a "squatted" site via e-mails or through paid search. Once they've led someone there, they hope to steal credit card information, spur clicks on ads to skim revenue from online ad networks or sell fake products, such as pharmaceuticals or pricey handbags.
The tactics target electronics, sports apparel, luxury brands and pharmaceutical brands the most and cost marketers about $175 billion worldwide in lost revenue, says Fred Felman of MarkMonitor.
"When the economy goes south, white-collar criminals don't quit," Felman says. The company's "Brand Jacking Index" report shows that daily incidences of cybersquatting against 30 of the top global brands rose to 449,484 last year vs. 382,246 in 2007. A first-time study coming out today in conjunction with industry group Chief Marketing Officer Council addresses how marketers are coping with the surge in cybersquatting.
"We're at a point in which marketers need a wake-up call in what's happening to their brand," says Liz Miller, vice president, programs and operations for the council. "Marketing is in the dark, and cybercriminals are ramping up their game."
Incidents are up as marketers increasingly use search engine optimization to reach consumers online, where ad spending is expected to top $24 billion this year. While ad expenditures overall are expected to fall by as much as 10%, digital advertising in 2009 is expected to be up about 4.5% over 2008, according to online marketing tracker eMarketer.
As businesses fight for a share of dwindling dollars, rogue marketers are getting more aggressive. The CMO study says that marketers see their brands as more vulnerable to infringement online than in other media, with 29.5% of the 300 marketers reporting brand infringement on the Web vs. 22.6% in other media.
Despite the big cost to marketers, few of them invest in protecting their brands online. The CMO study reports 52% of respondents spend less than $100,000 on brand protection annually. Just 2.7% say they spend $5 million or more.
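Brand-protection tooling of the kind the article attributes to MarkMonitor works by screening observed domain names against a list of protected brands. The following is an added example, not MarkMonitor's software or anything from the USA TODAY article: the brand list, the legitimate domains and the observed domains are all constructed, and the three detection rules (homoglyph folding, small edit distance, brand embedded in the label) are a common minimal set rather than any vendor's method.

```python
"""Lookalike-domain screening for brand protection (added example, constructed data)."""

# Constructed: protected brands mapped to the domains the brand owner legitimately runs.
PROTECTED = {
    "examplebank": {"examplebank.com"},
    "acmephones": {"acmephones.com", "acmephones.co.uk"},
}

# Character substitutions commonly used to imitate a brand name (0 for o, rn for m, ...).
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "vv": "w", "rn": "m"}


def registrable_label(domain: str) -> str:
    """Second-level label of a domain: 'examplebank' for 'www.examplebank.com'.
    Handles two-label suffixes such as 'co.uk' well enough for this example's data."""
    parts = domain.lower().strip(".").split(".")
    if len(parts) >= 3 and parts[-2] in {"co", "com", "org", "ac"} and len(parts[-1]) == 2:
        return parts[-3]
    return parts[-2] if len(parts) >= 2 else parts[0]


def normalize(label: str) -> str:
    """Fold homoglyph substitutions so 'examp1ebank' compares equal to 'examplebank'."""
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    return label


def edit_distance(a: str, b: str) -> int:
    """Optimal-string-alignment distance: insert, delete, substitute or transpose adjacent chars."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify(domain: str):
    """Return (brand, reason) when the domain looks like a squat on a protected brand, else None."""
    domain = domain.lower().rstrip(".")
    label = registrable_label(domain)
    for brand, legit in PROTECTED.items():
        if domain in legit or any(domain.endswith("." + d) for d in legit):
            return None  # the brand owner's own domain, or a host under it
        if label == brand:
            return brand, "other-tld"        # exact brand name on a TLD the owner does not hold
        folded = normalize(label)
        if folded == brand:
            return brand, "homoglyph"        # e.g. examp1ebank.com
        if edit_distance(folded, brand) <= 1:
            return brand, "typo"             # e.g. exampelbank.com
        if brand in label:
            return brand, "brand-in-label"   # e.g. examplebank-login.com
    return None


def screen(domains):
    """Screen a batch of observed domains (from mail links, DNS logs, new registrations)."""
    return [(d, *hit) for d in domains if (hit := classify(d))]


if __name__ == "__main__":
    # Constructed sample of observed domains.
    observed = ["www.examplebank.com", "examp1ebank.com", "exampelbank.com",
                "examplebank.net", "examplebank-login.com", "acmephones.co.uk", "weather.com"]
    for row in screen(observed):
        print(row)
```

The output of `screen()` is a review queue, not a verdict: a flagged domain still needs an analyst (or a takedown process) to confirm that it is hosting a phishing page, an ad farm or a counterfeit shop rather than, say, a legitimately licensed reseller.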
Comedian sneaks into US State department
Comedian Armando Iannucci got past security guards at the US State department in Washington with a pass which "could have been produced by a child", in what he described as "probably international espionage".
Last Updated: 10:28AM BST 08 May 2009
The identification he had with him was an amateurish BBC pass with his face shown by a printout of a picture of him from the internet. Photo: PAUL GROVER
Mr Iannucci was researching his latest film, the US-British political drama 'In the Loop', when he visited the department's headquarters in the Foggy Bottom neighbourhood of the US political capital.
The identification he had with him was an amateurish BBC pass with his face shown by a printout of a picture of him from the internet.
He flashed the card at the guards in the main reception of the building, said he had an appointment and was waved through.
The comedian then spent an hour walking around the building taking photographs, which were later used to help with the set designs for the film.
The writer, who also created political satire-cum-farce The Thick Of It for BBC4, said: "I had a terrible, amateur BBC identity pass, with basically my face printed off Google and my name under it.
"A child could have produced it in 20 seconds. I wandered up to the front reception of the State department and said 'BBC. I'm here for the 12.30.'
"They showed me in. I spent an hour wandering round the building with my camera taking photos for our designer.
"Part of me thought it was fun, another part thought it was probably international espionage."
Virginia Health Data Potentially Held Hostage
An extortion demand seeks $10 million to return more than 8 million patient records allegedly stolen from Virginia Department of Health Professions.
By Thomas Claburn, InformationWeek
May 4, 2009
URL: http://www.informationweek.com/story/showArticle.jhtml?articleID=217201397
An extortion demand posted on WikiLeaks seeks $10 million to return more than 8 million patient records and 35 million prescriptions allegedly stolen from Virginia Department of Health Professions.
The note reads: "ATTENTION VIRGINIA I have your sh**! In *my* possession, right now, are 8,257,378 patient records and a total of 35,548,087 prescriptions. Also, I made an encrypted backup and deleted the original. Unfortunately for Virginia, their backups seem to have gone missing, too. Uhoh :("
The note goes on to demand $10 million within seven days, presumably from the time the data was apparently seized on April 30, in exchange for the key to decrypt the encrypted backup.
"If by the end of 7 days, you decide not to pony up, I'll go ahead and put this baby out on the market and accept the highest bid," the note says.
It's not immediately clear whether this note is genuine. The Virginia DHP hasn't responded to repeated calls and e-mail messages seeking comment.
However, a notice posted on the DHP Web site on Monday morning acknowledged that the site "is currently experiencing technical difficulties which affect computer and e-mail systems."
A spokesperson for the Virginia Attorney General's Office said the agency could neither confirm nor deny any knowledge of an extortion demand.
A note sent to the Yahoo Mail address listed in the ransom demand also has gone unanswered.
Extortion demands of this sort have become relatively common in data breach cases. Last October, for instance, Express Scripts, a prescription drug management company based in St. Louis, received a letter that threatened the release of millions of patient records. A month earlier, a man from Solana Beach, Calif., was arrested for allegedly hacking into a Maserati dealership Web site, accessing customer data, and then threatening to release the information unless the company paid him.
The attack technique -- capturing data, encrypting it, then selling access to the former owner -- has become popular enough to earn its own name: cryptoviral extortion.
Sunday, May 17, 2009
Energy company customers' information compromised
Wednesday, April 01, 2009 | 6:46 PM HOUSTON (KTRK) -- If you are a customer of Gexa Energy, your personal information may have been compromised.
The personal information was compromised a year ago, but the company is only now sending out letters to consumers. Gexa officials say that's because law enforcement asked the company to remain quiet during the investigation.
Gexa officials say they do not know how many customers' personal information was compromised, but they are sending the letter to customers past and present and even to those who may have enrolled in a Gexa plan, but didn't ultimately end up choosing the provider.
Indictments are pending against the person at the center of the investigation and the computers used have been seized. Further, Gexa says the company knows of no unauthorized use of this personal information.
Gexa says while the breach included names, addresses and Social Security numbers, no credit card numbers were compromised.
As for consumers, the company says they can call the credit reporting agencies to monitor their accounts.
(Copyright ©2009 KTRK-TV/DT. All Rights Reserved.)
Other banks' data on stolen computers
Just 1 was identified when theft revealed
By J. Harry Jones Union-Tribune Staff Writer
2:00 a.m. April 11, 2009
Six laptop computers stolen from an Orange County accounting firm may contain personal financial information from far more people than first reported.
The theft prompted Borrego Springs Bank to send letters to all its customers this week warning that they could be at risk for identity theft.
Yesterday, the accounting firm acknowledged that the computers contained information from “multiple” banks, not just Borrego Springs Bank.
According to the Orange County Sheriff's Department, the laptops were stolen between 4:30 p.m. March 4 and 7 a.m. March 5 from the Laguna Hills office of the accounting firm Vavrinek, Trine, Day and Co.
Sheriff's spokesman Jim Amormino said a window was broken to gain entry. No arrests have been made and the computers have not been located.
In the 36 days since then, there has been no indication that any of the records have been used for nefarious purposes, Ron White, the managing partner of the accounting firm, said yesterday.
The financial information contained in the laptops was not encrypted, White said, but access to it required the use of two passwords.
White said he is not authorized to reveal what other banks are involved, whether any besides Borrego Springs Bank are based in San Diego County, or even the number of banks the firm had as clients.
“We've approached this very, very seriously,” White said. All the banks involved have been notified and each is making its own decisions about whether to notify its customers and how to otherwise handle the situation, he said.
White said at first it was thought seven computers had been taken but it was later determined to be six. He said there have been similar burglaries recently in the Laguna Hills area of the same type of equipment.
Borrego Springs Bank sent letters earlier this week to all its customers saying the laptops may have contained customer files that included bank account numbers, names and balances. It advised everyone to monitor their accounts for any unusual activity for one to two years.
White said he thinks some of the other banks involved have also sent out such warnings, but he isn't sure.
FBI: Internet Fraud Rates Rose 33% Last Year
Internet fraud complaints to the FBI by consumers increased more than 33 percent in 2008 over the previous year, according to figures released this week.
Some 275,284 complaints were filed last year with the Internet Crime Complaint Center (IC3), a partnership between the FBI and the National White Collar Crime Center. In 2007, the IC3 received 206,844 complaints.
The report shows that the nation's capital appears to be home to the largest concentration of online con artists in the country. The District of Columbia ranks #1, just ahead of Nevada and Washington State, in terms of online fraud perpetrators per 100,000 residents, the IC3 found.
The non-delivery of merchandise and/or payment was by far the most reported offense, accounting for nearly one-third of all referred cases, the IC3 reports. Internet auction fraud made up 25.5 percent of referred complaints, while credit/debit card fraud comprised 9 percent.
The total dollar loss from all 72,940 cases of fraud referred to federal, state and local law enforcement was $246.6 million, with a median dollar loss of $931 per complaint -- up from $239.1 million in total reported losses in 2007. The highest median dollar losses came from check fraud ($3,000), confidence fraud ($2,000), and Nigerian (West African 419) "advance fee" scams ($1,650).
Ironically, many of the victims who reported fraud to the IC3 were taken in by scam e-mails made to appear as though they were sent by the FBI, falsely claiming that the agency needed the recipient's personal and banking data to investigate a pending financial transaction.
"Recipients are told that if they do not comply with the FBI's request for information, they will be prosecuted or suffer some other financial penalty," the IC3 report concludes. "In some cases, recipients are led to believe that they will become the subject of a terrorist investigation if they fail to cooperate."
Kaiser fires 15 workers for snooping in octuplet mom's medical records
Another eight hospital employees disciplined for improperly accessing Nadya Suleman's files
Jaikumar Vijayan
March 31, 2009 (Computerworld) A Kaiser Permanente hospital located in a Los Angeles suburb has fired 15 employees and reprimanded eight others for improperly accessing the personal medical records of Nadya Suleman, the California woman who gave birth to octuplets in January.
The unauthorized accessing of Suleman's electronic records at the medical center in Bellflower, Calif., violated a California law designed to safeguard the privacy of health care data, according to Kaiser spokesman Jim Anderson, who said the snooping incidents have been reported to the California Department of Public Health.
The improper activities were discovered as a result of increased network monitoring procedures that the hospital implemented in anticipation of the huge public interest in Suleman following the birth of the octuplets, Anderson said.
"We have known since she came into the hospital that at some point, this would be a fairly widely reported story," he said, adding that Kaiser also conducted extra training before Suleman was admitted to the hospital to remind employees about the importance of keeping patient data confidential.
Anderson said Suleman was first notified of the breaches about 10 days ago, initially to inform her that eight people had accessed her records without authorization. She later was told that Kaiser had found that an additional 15 employees had done so. There is little evidence thus far that any of the fired or disciplined workers accessed the files for any reason other than personal curiosity, Anderson said.
An Associated Press story published today quoted Suleman's attorney as saying that she has no plans to sue Kaiser over the data breaches.
Suleman shot into the public and media spotlight when she became only the second person in the U.S. known to have delivered a set of living octuplets. At the time, Suleman was already the mother of six children — a fact that added an element of controversy to the births, fueling even more interest in her.
Data-snooping incidents such as the one at the Kaiser Permanente Bellflower Medical Center highlight the lack of adequate security controls that hospitals and other entities in the health care industry have for protecting patient records, said Deborah Peel, founder and chair of Patient Privacy Rights, a watchdog group in Austin.
"The state of health IT access controls is abysmal, atrocious and outdated," Peel said. She claimed that what happened at Kaiser "can and does happen" on a broad scale at hospitals across the U.S. because of their continued reliance on "primitive" security controls that haven't been updated in decades.
Unlike in industries such as the financial services sector, where role-based access control is the norm rather than the exception, a wide range of workers at health care providers can get access to patient data whether they need to have such access or not, according to Peel.
Large enterprises such as Kaiser, she noted, can have thousands of individuals with the ability to access sensitive data about patients. "Think what would happen if all the employees at Bank of America had access to all of the customer accounts at all times," Peel said.
Last April, the medical center at the University of California, Los Angeles, disclosed that as many as 165 doctors and other employees had improperly accessed the medical records of numerous celebrities, including Tom Cruise, Farrah Fawcett and Britney Spears, over a period of as many as 13 years.
But such incidents aren't solely restricted to the health care industry. In January 2008, federal officials disclosed that employees and contract workers at the U.S. Department of State had repeatedly accessed without authorization the passport records of then-Sen. Barack Obama and his presidential rivals Hillary Clinton and John McCain.
Three people have pleaded guilty to unauthorized computer access charges in connection with the events at the State Department, which also involved snooping in the passport files of other politicians as well as actors, musicians, athletes and media members.
Jay Cline, a Computerworld columnist and president of Minnesota Privacy Consultants, said incidents such as the ones at Kaiser, UCLA and the State Department often cause companies to move employee snooping up higher on their lists of potential data risks. "As a result, they'll impose more pervasive logging and monitoring controls," Cline said via e-mail, adding that he sees that as an "unfortunate" consequence of the breaches.
Cline thinks that the various snooping incidents are at least partly the result of what he described as the "Facebook effect." Social network users "have become used to poking through other people's Facebook and LinkedIn profiles, and they see no ethical difference doing the same thing with employee and customer databases that they [can] access at work," he said.
According to Cline, that makes it incumbent upon IT and security managers to make the following three things clear to employees: "Our systems are not Facebook. We're watching system usage closely. Use them for authorized purposes only, or you may be fired."
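Two controls run through this article: the role-based access control Peel says is routine in banking, and the access logging and monitoring that let Kaiser catch the snooping on a patient it knew would draw interest. The following is an added example, not Kaiser's system or anything from the Computerworld article, that shows both together on constructed data: a policy that only grants chart access to clinical staff on the patient's own care team, and a review of a constructed audit log that flags every access the policy would have denied, with accesses to a watch-listed patient marked as high priority.

```python
"""Care-team RBAC plus audit-log review for record snooping (added example, constructed data)."""
from collections import defaultdict

# Constructed: which staff are on each patient's care team.
CARE_TEAM = {
    "P-1001": {"dr.lee", "nurse.kim"},
    "P-1002": {"dr.patel"},
}

# Constructed roles. Only clinical roles may open a chart, and only for their own patients.
ROLES = {
    "dr.lee": "physician", "nurse.kim": "nurse", "dr.patel": "physician",
    "billing.ann": "billing", "clerk.bob": "clerk",
}
CLINICAL_ROLES = {"physician", "nurse"}


def authorize(user: str, patient: str) -> bool:
    """Policy decision: clinical role AND membership of this patient's care team."""
    return ROLES.get(user) in CLINICAL_ROLES and user in CARE_TEAM.get(patient, set())


# Constructed audit log: timestamp, user, action, patient id. An EHR's access log is the
# input the monitoring described in the article would be run over.
AUDIT_LOG = """\
2009-03-20T08:01:12 dr.lee VIEW P-1001
2009-03-20T08:03:45 nurse.kim VIEW P-1001
2009-03-20T09:15:02 clerk.bob VIEW P-1001
2009-03-20T09:15:40 clerk.bob VIEW P-1002
2009-03-20T10:22:08 billing.ann VIEW P-1001
2009-03-20T11:00:00 dr.patel VIEW P-1001
2009-03-20T11:05:00 dr.patel VIEW P-1002
"""


def parse_log(text: str):
    """Parse the whitespace-separated log into dicts, skipping blank lines."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, patient = line.split()
        rows.append({"ts": ts, "user": user, "action": action, "patient": patient})
    return rows


def find_unauthorized(rows, watch_list=frozenset()):
    """Every access the policy would have denied, as (ts, user, patient, high_priority).
    high_priority is True when the patient is on the watch list (the 'anticipated
    interest' case in the article); the policy itself is evaluated for every row."""
    return [
        (r["ts"], r["user"], r["patient"], r["patient"] in watch_list)
        for r in rows
        if not authorize(r["user"], r["patient"])
    ]


def by_user(findings):
    """Group findings per user so HR and compliance get one case per person."""
    grouped = defaultdict(list)
    for ts, user, patient, high in findings:
        grouped[user].append((ts, patient, high))
    return dict(grouped)


if __name__ == "__main__":
    rows = parse_log(AUDIT_LOG)
    for user, events in by_user(find_unauthorized(rows, {"P-1001"})).items():
        print(user, events)
```

Note that `dr.patel` is flagged for P-1001 even though he holds a clinical role: role alone is not enough under this policy, and that distinction is exactly what separates "can this class of user open charts" from "does this user have a treatment relationship with this patient". In practice the denial would be enforced at access time and the log review would catch break-glass or misconfigured exceptions, rather than the log review being the only control.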
Another eight hospital employees disciplined for improperly accessing Nadya Suleman's files
Jaikumar Vijayan
March 31, 2009 (Computerworld) A Kaiser Permanente hospital located in a Los Angeles suburb has fired 15 employees and reprimanded eight others for improperly accessing the personal medical records of Nadya Suleman, the California woman who gave birth to octuplets in January.
The unauthorized accessing of Suleman's electronic records at the medical center in Bellflower, Calif., violated a California law designed to safeguard the privacy of health care data, according to Kaiser spokesman Jim Anderson, who said the snooping incidents have been reported to the California Department of Public Health.
The improper activities were discovered as a result of increased network monitoring procedures that the hospital implemented in anticipation of the huge public interest in Suleman following the birth of the octuplets, Anderson said.
"We have known since she came into the hospital that at some point, this would be a fairly widely reported story," he said, adding that Kaiser also conducted extra training before Suleman was admitted to the hospital to remind employees about the importance of keeping patient data confidential.
Anderson said Suleman was first notified of the breaches about 10 days ago, initially to inform her that eight people had accessed her records without authorization. She later was told that Kaiser had found that an additional 15 employees had done so. There is little evidence thus far that any of the fired or disciplined workers accessed the files for any reason other than personal curiosity, Anderson said.
An Associated Press story published today quoted Suleman's attorney as saying that she has no plans to sue Kaiser over the data breaches.
Suleman shot into the public and media spotlight when she became only the second person in the U.S. known to have delivered a set of living octuplets. At the time, Suleman was already the mother of six children — a fact that added an element of controversy to the births, fueling even more interest in her.
Data-snooping incidents such as the one at the Kaiser Permanente Bellflower Medical Center highlight the lack of adequate security controls that hospitals and other entities in the health care industry have for protecting patient records, said Deborah Peel, founder and chair of Patient Privacy Rights, a watchdog group in Austin.
"The state of health IT access controls is abysmal, atrocious and outdated," Peel said. She claimed that what happened at Kaiser "can and does happen" on a broad scale at hospitals across the U.S. because of their continued reliance on "primitive" security controls that haven't been updated in decades.
Unlike in industries such as the financial services sector, where role-based access control is the norm rather than the exception, a wide range of workers at health care providers can get access to patient data whether they need to have such access or not, according to Peel.
Large enterprises such as Kaiser, she noted, can have thousands of individuals with the ability to access sensitive data about patients. "Think what would happen if all the employees at Bank of America had access to all of the customer accounts at all times," Peel said.
Last April, the medical center at the University of California, Los Angeles, disclosed that as many as 165 doctors and other employees had improperly accessed the medical records of numerous celebrities, including Tom Cruise, Farrah Fawcett and Britney Spears, over a period of as many as 13 years.
But such incidents aren't solely restricted to the health care industry. In January 2008, federal officials disclosed that employees and contract workers at the U.S. Department of State had repeatedly accessed without authorization the passport records of then-Sen. Barack Obama and his presidential rivals Hillary Clinton and John McCain.
Three people have pleaded guilty to unauthorized computer access charges in connection with the events at the State Department, which also involved snooping in the passport files of other politicians as well as actors, musicians, athletes and media members.
Jay Cline, a Computerworld columnist and president of Minnesota Privacy Consultants, said incidents such as the ones at Kaiser, UCLA and the State Department often cause companies to move employee snooping up higher on their lists of potential data risks. "As a result, they'll impose more pervasive logging and monitoring controls," Cline said via e-mail, adding that he sees that as an "unfortunate" consequence of the breaches.
Cline thinks that the various snooping incidents are at least partly the result of what he described as the "Facebook effect." Social network users "have become used to poking through other people's Facebook and LinkedIn profiles, and they see no ethical difference doing the same thing with employee and customer databases that they [can] access at work," he said.
According to Cline, that makes it incumbent upon IT and security managers to make the following three things clear to employees: "Our systems are not Facebook. We're watching system usage closely. Use them for authorized purposes only, or you may be fired."
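Peel's point about relationship-based access and Cline's point about logging and monitoring are two sides of one control. The following is an added example (not code from the article, from Kaiser or from any of the people quoted): the same care-team lookup that should gate a chart open is run after the fact over an access audit log, so that openings with no treatment relationship and no recorded break-the-glass attestation are escalated. The care-team table, the role names, the pipe-delimited log format and every log line are constructed for illustration.

```python
"""Audit review for patient-record access events.

Added example: a relationship-based authorization check used both as the
access rule and as a detector over an access audit log.  CARE_TEAM, the
roles, the log format and all log lines are constructed; a real EHR would
read care-team and encounter tables instead of a hard-coded dict.
"""
from dataclasses import dataclass

# Constructed: users with a current treatment or billing relationship per patient.
CARE_TEAM = {
    "PT-1001": {"dr.ortiz", "rn.patel", "billing.kim"},
    "PT-1002": {"dr.lee"},
}

# Roles allowed to open a chart without a relationship, but only when an
# explicit break-the-glass attestation was recorded with the access.
BREAK_GLASS_ROLES = {"er_physician", "privacy_officer"}

# Constructed audit log: timestamp|user|role|patient|action|break-glass flag
AUDIT_LOG = """\
2009-01-26T08:02:11|dr.ortiz|physician|PT-1001|view_chart|bg=no
2009-01-26T08:10:45|rn.patel|nurse|PT-1001|view_chart|bg=no
2009-01-26T12:31:09|clerk.jones|scheduler|PT-1001|view_chart|bg=no
2009-01-26T12:33:50|clerk.jones|scheduler|PT-1001|view_notes|bg=no
2009-01-26T13:05:17|dr.ng|er_physician|PT-1001|view_chart|bg=yes
2009-01-26T13:40:02|tech.ruiz|lab_tech|PT-1001|view_chart|bg=no
2009-01-26T14:00:00|dr.lee|physician|PT-1002|view_chart|bg=no
2009-01-26T14:22:39|dr.lee|physician|PT-1001|view_chart|bg=no
"""


@dataclass(frozen=True)
class AccessEvent:
    ts: str
    user: str
    role: str
    patient: str
    action: str
    break_glass: bool


def parse_event(line: str) -> AccessEvent:
    """Parse one pipe-delimited audit line (constructed format)."""
    ts, user, role, patient, action, bg = line.strip().split("|")
    return AccessEvent(ts, user, role, patient, action, bg == "bg=yes")


def is_authorized(ev: AccessEvent) -> bool:
    """True when the user is on the patient's care team, or holds a
    break-the-glass role and actually recorded the attestation."""
    if ev.user in CARE_TEAM.get(ev.patient, set()):
        return True
    return ev.role in BREAK_GLASS_ROLES and ev.break_glass


def review(lines):
    """Return unauthorized events grouped by user, so repeat snooping stands out."""
    findings = {}
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        if not is_authorized(ev):
            findings.setdefault(ev.user, []).append(ev)
    return findings


if __name__ == "__main__":
    for user, events in review(AUDIT_LOG.splitlines()).items():
        print(f"{user}: {len(events)} unauthorized access(es)")
        for ev in events:
            print(f"  {ev.ts} {ev.action} on {ev.patient} (role={ev.role})")
```

Running this against the constructed log flags the scheduler twice, the lab technician once, and the physician once for the patient who is not on their team, while the emergency physician's attested break-the-glass access passes. The grouping by user is what turns a pile of log lines into the "eight, then fifteen more" kind of count the article describes.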
Retailers: Credit card data inadequately protected
by Stephanie Condon
WASHINGTON--The self-regulatory system credit card companies have created to protect consumer data sacrifices some consumer protections for the convenience of the credit card companies and their financial institution partners, retail representatives told Congress Tuesday.
In light of recent data breaches that have compromised consumer information, such as the potentially massive 2008 Heartland Payment Systems breach, some congressmen are questioning whether the Payment Card Industry Data Security Standards, created and regulated by credit card companies, are sufficiently protecting information.
The credit card industry maintained at a congressional hearing Tuesday that self-regulation is effective, pointing out that since the PCI standards were published, security breaches have occurred only when an entity is not fully in compliance with the standards.
"I have no doubt that compliance to PCI standards are the best line of defense," said Robert Russo, director of the PCI Data Security Standards Council. "We have never found a breached entity to be in full compliance at the time of breach."
Yet representatives of the retail industry told a panel of the House Homeland Security Committee that when the credit card industry established the PCI standards in 2004, it did so mainly to reallocate its own fraud costs.
"In our view, if you peel off all the layers around PCI data security standards, you will see it for what it is," said Dave Hogan, senior vice president and chief information officer for the National Retail Foundation. "In significant part, (it is) a tool to shift risk off the banks' and credit card companies' balance sheets and place it on others."
Michael Jones, the CIO for Michaels Stores, backed up Hogan's comments with the fact that the credit card companies' financial institutions do not accept encrypted transactions, even though the PCI standards generally call for all credit card data to be encrypted.
Transferring this data unencrypted can lead to breaches like the Heartland breach, or the 2007 TJX breach that compromised 45.7 million customer accounts, Jones said. Michaels has been asking for the past three years for the ability to encrypt transaction information, he said.
The need to encrypt the information "is not there," given the other security steps the PCI standards call for, Russo said. "Why put merchants through the expense?"
Joseph Majka, head of fraud control and investigations for Visa, said the industry is exploring new technologies, including end-to-end encryption, that could provide a solution.
"I wouldn't call (encryption) an emerging technology," Jones responded. "I feel that it should have been in the standard long ago."
Hogan said the PCI Security Standards Council has ignored a number of other recommendations from the retail industry, such as allowing consumers to enter a personal identification number for credit card transactions.
The Council should consider updating its standards more frequently, said Rita Glavin, acting assistant attorney general in the criminal division of the Justice Department. It should also consistently inform federal law enforcement when breaches occur, she said.
"It helps us get a sense of what's going on so that we can get in front of the problem," Glavin said.
Even though they may not be perfect, the PCI standards are beneficial, she said.
"Having any security system and uniform systems are going to help," Glavin said. "It's a floor and a way to begin the process of preventing breaches."
Security breach under scrutiny at the Clark County auditor's office
By MATT KOESTERS
Matt.Koesters@newsandtribune.com
April 04, 2009 08:26 pm
— Concerns over applications installed on a computer in the Clark County auditor’s office have prompted an internal investigation, but law enforcement officials have not been asked to get involved.
Yet.
In a Thursday e-mail obtained by The Evening News, Clark County government systems administrator Matt Dyer told the county commissioners he received a phone call Monday indicating that there were concerns about applications on one of the computers in the auditor’s office.
Dyer said he believed the two programs — “Cain & Abel” and “LCP” — could be used to breach security and discover user passwords on the county network.
“Due to the nature of these programs, this kind of activity cannot be tolerated and is illegal,” Dyer wrote. “If the administrator password is compromised, then that person would have full access to all county office computers and servers.
“Due to the severity of this situation, and our liability if information protected by HIPAA laws and state laws becomes compromised, I have spoken with [Auditor] Keith Groth and have informed him on all the details, including the persons that may be involved.”
When contacted for comment, Groth said between two and three employees were in the office when the incident is alleged to have occurred, and that the incident remains under investigation.
“It’ll probably be the middle or latter part of next week until I can sit down with the … people involved,” Groth said. “I need to sit down and talk with them to get their side of the story.”
The county auditor’s office is normally open from 8:30 a.m. until 4:30 p.m., but overtime has occasionally kept the office open later, Groth said.
Ed Meyer, president of the county commissioners, said he and the other commissioners were aware of the situation, but that he would have to learn more about the incident before taking action.
“I’ve investigated a little bit,” Meyer said. “I only learned of this late [Thursday].”
If a special meeting of the commissioners were to be convened, Meyer would be responsible for calling the meeting. Meyer said law-enforcement involvement was a possibility.
Commissioner Mike Moore called the possibility of a security breach a “very serious matter,” and said he would leave it to the experts to discover exactly what had been done.
“The breach in security that sounds like has taken place is far more serious than anything internally that we’ve dealt with since I’ve been a commissioner,” Moore said. “It needs to be dealt with immediately.”
Programs like the ones alleged to have been used in the incident are not illegal in themselves, but the ways in which they can be put to use are, said Tito Villalobos, a Columbus, Ohio-based network security expert and certified ethical hacker.
“They’ll sniff passwords used for network log-ins, and then run cracks against them, basically,” Villalobos said. “‘Dictionary attacks’ and ‘brute-force’ attacks.”
A dictionary attack uses common words and likely possibilities from an exhaustive list to determine a user’s password. A brute-force attack systematically plugs in large numbers of password possibilities.
Lt. Charles Cohen, commander of special investigations sections for the Indiana State Police, said he could not speak directly to the incident without it having been referred to law enforcement. Generally, accessing a computer network without permission is illegal, he said.
“When we do an investigation involving an allegation that someone has accessed information they didn’t have permission to access, there are a couple things we look for,” Cohen said. “One thing we look for is whether or not in fact someone did that without authorization, and we also look at what information, if any, was compromised. The last thing we look at is what they did with that information if it was compromised.”
State law prohibits computer trespass, and can be investigated by any law enforcement agency in Indiana, Cohen said. Additionally, there could be federal law enforcement involvement in some cases, depending on the nature of the intrusion.
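The article's two definitions matter from the defender's side because they fail in different ways: a dictionary attack only has to try a word list plus a few common mangling rules, so a password built from a word falls to a few thousand guesses even when its brute-force keyspace looks large. The following is an added example (not from the article or from anyone quoted in it) of a password-acceptance check that tests both properties separately. The word list is a tiny constructed stand-in for a real dictionary or leaked-password list, and the 60-bit threshold is an assumed policy value.

```python
"""Password acceptance check: dictionary resistance vs. brute-force keyspace.

Added example.  WORDLIST is a constructed stand-in for a real dictionary;
MIN_BITS is an assumed policy threshold.  A password is rejected when it
reduces to a dictionary word after common mangling is undone, or when the
exhaustive keyspace for its length and character classes is too small.
"""
import math
import string

# Constructed stand-in for a dictionary / leaked-password list.
WORDLIST = {"password", "welcome", "letmein", "summer", "auditor", "clark", "county"}

# Undo the usual digit/symbol-for-letter substitutions before the lookup.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})

MIN_BITS = 60.0  # assumed policy minimum for the brute-force keyspace


def normalize_candidates(pw: str):
    """Yield the forms of pw a word list would match after common mangling:
    case-folding, undoing substitutions, stripping trailing digits/symbols."""
    base = pw.lower()
    yield base
    yield base.translate(LEET)
    stripped = base.rstrip(string.digits + string.punctuation)
    yield stripped
    yield stripped.translate(LEET)


def in_dictionary(pw: str) -> bool:
    """True when any normalized form of pw is a dictionary entry."""
    return any(c in WORDLIST for c in normalize_candidates(pw))


def brute_force_bits(pw: str) -> float:
    """log2 of the exhaustive keyspace for pw's length over the character
    classes it uses, i.e. what a brute-force search would have to cover."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # 32 printable ASCII symbols
    return len(pw) * math.log2(size) if size else 0.0


def evaluate(pw: str, min_bits: float = MIN_BITS) -> dict:
    """Return the reasons a password would be rejected, or mark it accepted."""
    reasons = []
    if in_dictionary(pw):
        reasons.append("derived from a dictionary word")
    bits = brute_force_bits(pw)
    if bits < min_bits:
        reasons.append(f"brute-force keyspace only 2^{bits:.0f}")
    return {"password": pw, "bits": round(bits, 1), "reasons": reasons, "accepted": not reasons}


if __name__ == "__main__":
    for candidate in ("letmein", "P@ssw0rd", "Summer2009!", "xq7#Lm2!vR9p"):
        print(evaluate(candidate))
```

"Summer2009!" is the instructive case: with four character classes and eleven characters its brute-force keyspace is about 2^72, comfortably above the threshold, yet it is rejected because stripping the trailing digits and symbol leaves a dictionary word. That is exactly why a policy that only counts length and character classes does not protect against the first of the two attack types the article names.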
Insider Threat: How to Minimize Risks from Vendors
With Greater Access Comes Greater Responsibility for Protecting Critical Systems, Data
Linda McGlasson, Managing Editor
April 6, 2009
When is an outsider really an insider? That is the question every financial institution has to answer when reconciling security issues and the use of third-party service providers.
At Central Bank, Lexington, KY, Chris Schum, IT Security Manager, Technology Services, says the bank uses port lockdown software to prevent data from "walking off" with visitors. This measure also ensures that only those who need access to devices such as USB drives use them. "This software also has the added benefit of logging what files are put onto USB drives for review if necessary," Schum says.
The $1.8 billion asset bank also uses intrusion detection software to constantly monitor the network for anomalous activity that could signal an attempted attack.
The lessons Schum and his team have learned from implementing these systems include: "Even while you may believe you know exactly what's going on in your network, there are a lot of surprises. Whether it be how many users have unsupported and unauthorized devices such as iPods and USB thumb drives or how insecurely some software transmits information across the internal network. Since we implemented them several years ago, these systems have been invaluable in helping us prevent, monitor and remediate security risks to our organization."
Central's approach is similar to that of many financial institutions grappling with the same challenge: How do you minimize the insider threat when you're also now maximizing the number of outsiders with access to critical systems and data?
Treat Outsiders as Insiders
When your financial institution uses third-party service providers, they should be treated with the same level of scrutiny that you give your regular employees, says Randy Trzeciak, Senior Member of the Technical Staff for the Threat and Incident Management Team in the CERT Program at Carnegie Mellon University's Software Engineering Institute. Trzeciak and his team study the insider threat and offer suggestions to minimize the risk.
Trzeciak's first recommendation: Include business partners, contractors and subcontractors as part of an institution's enterprise-wide view of the insider threat. Handling the insider threat is difficult: institutions need to balance trusting their employees and providing them access to achieve the institution's mission with also protecting critical assets from potential compromise by those same employees. Insiders' access, combined with their knowledge of the organization's vulnerabilities, gives them the ability and opportunity to carry out malicious activity if properly motivated.
This risk only expands with institutions' growing reliance on business partners with whom they contract and collaborate. It is important for organizations to take an enterprise-wide view of information security, first determining their critical assets, then defining a risk management strategy for protecting those assets from both insiders and outsiders.
"Anyone who is allowed access to your systems should be included in your risk assessment for insider threat," Trzeciak says. "Manage them as if they are current employees within your four walls."
An institution needs to know how it is handling and protecting data. "Make sure you are limiting access to only those people who need access, and prevent those who no longer need access from continued access once their work is completed," he advises.
A good place to start is applying the best practices from the Carnegie Mellon CERT Common Sense Guide. "By following them and extending those best practices out to the outside insiders, you'll know to ask questions such as:
"When vendors terminate employees, do they terminate employee access when they leave?
"Do they let you know that the employee has left their company?
"If that employee was given physical access to your locations, did they take that badge from them before that person left?"
Taking into account electronic access protocols is another area that institutions should pay keen attention to, Trzeciak says. "When giving access to systems to vendors, are you giving only access rights to individuals, not a broad access, and are you removing access when that person either leaves or moves to another position at the vendor?"
At any time, an institution should be able to say "We know who has access to our data, and at what level they have access. And you should be able to disable their access before they walk out the door," he says.
One area where Trzeciak and others have seen problems is the creation of group or shared accounts tied to a single privileged account. "We don't recommend that be the way. For security purposes, you should be able to monitor and see what each individual is accessing. This group account is one way the disgruntled ex-employee or contractor can gain access to systems."
Institutions in Action
Dan Veasey, CISO, Piedmont Credit Union, with $34 million in assets in Danville, VA, says his institution doesn't consider insider threats a huge problem currently, but still controls users by dual controls and logging of Internet and core system activity. He applies the same controls to external vendors with access to the credit union's systems.
His advice to other institutions on thwarting the insider threat is a simple one - "Know each of your employees and treat them well. People are much less likely to steal from people they like. I realize this is easier in a small shop like ours, but even big shops have lots of small shops within them."
One example that Central Bank's Schum points to is an instance where the bank's IDS and web filter alerted it to connections to a Skype-type VoIP service. Upon further investigation, the bank's information security response team found that someone -- not an employee -- had been approved to use a conference room for a presentation, but was attempting to check something on this service while waiting for a client. In this instance, connectivity was actually prevented, but it highlights the need for proactive detection/prevention systems as an added protection measure. "While you may believe you know what's going on in your network, often times you do not," Schum says.
Schum's advice: "Every institution should do what is right for their specific business and not just rely on industry standards." One of the most common things he hears from the bank's vendors is "No other bank does it that way."
Schum ignores those vendors and their comments adding, "Putting it bluntly, that really is of no concern to us since what other banks do has no bearing on us or our customers. We feel that we understand our environment and its associated risks better than anyone. Simply maintaining the status quo will ultimately result in a loss of revenue, data and, most importantly, customer confidence."
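Trzeciak's checklist (individual rather than group credentials, access removed when a vendor's employee leaves or changes role, and knowing at any moment who has access at what level) is a recurring review, not a one-time configuration. The following is an added example, not code from the article, from CERT or from any institution quoted: it joins the accounts an institution has issued to its vendors with the roster each vendor attests is still assigned to the engagement, and reports orphaned accounts, shared accounts with no accountable individual, access above the engagement's agreed level, and accounts that have gone unused. Vendor names, addresses, levels and the 45-day staleness window are all constructed or assumed.

```python
"""Vendor access reconciliation.

Added example.  Inputs: accounts issued to vendor staff (from the
institution's own directory) and the roster each vendor attests is
currently assigned to the engagement.  All vendors, people, levels and
thresholds below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Account:
    username: str
    vendor: str
    owner_email: Optional[str]  # None means a shared / group credential
    level: str                  # "read", "operator" or "admin"
    last_login: date


@dataclass(frozen=True)
class Engagement:
    vendor: str
    max_level: str              # highest level the contract allows
    current_staff: frozenset    # emails the vendor attests are still assigned


LEVEL_RANK = {"read": 0, "operator": 1, "admin": 2}

# Constructed vendor attestations.
ENGAGEMENTS = [
    Engagement("CoreBankSoft", "operator",
               frozenset({"a.smith@corebanksoft.example", "b.liu@corebanksoft.example"})),
    Engagement("HVACServ", "read", frozenset({"c.ray@hvacserv.example"})),
]

# Constructed directory export of vendor accounts.
ACCOUNTS = [
    Account("cbs-asmith", "CoreBankSoft", "a.smith@corebanksoft.example", "operator", date(2009, 3, 30)),
    Account("cbs-jdoe", "CoreBankSoft", "j.doe@corebanksoft.example", "operator", date(2009, 3, 28)),
    Account("cbs-support", "CoreBankSoft", None, "admin", date(2009, 4, 1)),
    Account("hvac-cray", "HVACServ", "c.ray@hvacserv.example", "read", date(2009, 1, 15)),
    Account("old-vendor", "PrintCo", "x.y@printco.example", "read", date(2009, 3, 1)),
]
TODAY = date(2009, 4, 6)


def reconcile(accounts, engagements, today, stale_days=45) -> List[Tuple[str, str]]:
    """Return (username, finding) pairs for the access review."""
    by_vendor = {e.vendor: e for e in engagements}
    findings = []
    for acct in accounts:
        eng = by_vendor.get(acct.vendor)
        if eng is None:
            # Contract ended or never recorded: nobody is attesting for this account.
            findings.append((acct.username, "no active engagement for vendor"))
            continue
        if acct.owner_email is None:
            findings.append((acct.username, "shared account: no individual accountable"))
        elif acct.owner_email not in eng.current_staff:
            findings.append((acct.username, "owner no longer on vendor roster: disable"))
        if LEVEL_RANK[acct.level] > LEVEL_RANK[eng.max_level]:
            findings.append((acct.username,
                             f"access level {acct.level} exceeds engagement max {eng.max_level}"))
        idle = (today - acct.last_login).days
        if idle > stale_days:
            findings.append((acct.username, f"unused for {idle} days"))
    return findings


if __name__ == "__main__":
    for username, finding in reconcile(ACCOUNTS, ENGAGEMENTS, TODAY):
        print(f"{username}: {finding}")
```

On the constructed data the review is clean for the one account whose holder is still on the roster and within the agreed level; the shared "support" account is reported twice, once for having no accountable individual and once for holding admin rights on an operator-level engagement, which is the combination Trzeciak warns about. The point of requiring an attested roster from the vendor is that the institution otherwise learns about departures only when the vendor remembers to tell it.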
Social networking a potential trap for prospects
By Charles Robinson, Yahoo! Sports
Apr 7, 3:35 pm EDT
The woman in the Facebook picture is attractive, with auburn hair and icy blue eyes. She is flanked by several other women, each armed with an inviting smile and curvy features. Along with the photo is a hopeful note from the female “fan” asking to be added to a player’s personal networking profile.
The twist? These women don’t actually exist, at least not in the way that some unsuspecting NFL prospects are led to believe. Indeed, they are a figment of one NFL team’s imagination – a phony Facebook profile, used as a tool by one franchise in the pre-draft vetting process. A Trojan horse that, when used effectively, unlocks a door to a world of Internet pictures and information which most NFL teams are now consistently compiling to help polish their dossiers on draft picks.
“It works like magic,” said a personnel source that was familiar with his team’s tactic of using counterfeit profiles to link to Facebook and Myspace pages of potential draft picks. The source directed Yahoo! Sports to one of the team’s “ghost profiles” – a term he coined because “once the draft is over, they disappear. It’s like they were never there.”
The practice may have an underhanded, back-alley feel to it, but most NFL teams are unapologetic when it comes to picking through the lives of prospective players. And with the tentacles of the Internet extending further than ever into the lives of athletes, online information has offered a wealth of fresh ammunition for teams. Whether it’s networking sites like Facebook, Myspace or Twitter, personal blogs, or just the random bits of information that can be found with an hour of free time and a powerful Internet search engine, NFL teams are gleefully delving into new cracks and corners that didn’t exist even a decade ago.
“Twenty years ago, if you weren’t getting a lot from a [college team’s] coaching staff or a family, you might put weeks into gathering good information on a couple guys,” the personnel source said. “Now, we can do a lot of it in a few days. We can sit down with 20 guys that we might be looking at, and have a pile of pictures and background things to hit them with. And every once in a while you come across something that probably saves you from making a big mistake. Not as much as you might think, but if it happens every couple years, it keeps you ahead of the game.”
Uncovering players’ secrets
Rick Spielman remembers one Myspace page, the kind that makes a personnel man sit up in his seat, reach for a pencil, and push a particular question to the top of his list. He refuses to divulge the name of the player involved, but concedes that the Minnesota Vikings ran into the profile “a year or two ago.” It belonged to a player the Vikings looked at very closely at the league’s annual scouting combine in Indianapolis, then grilled privately over some of the things he had posted on his networking profile.
“He had a big picture of a bunch of drug money and drugs on a carpet,” the Vikings’ vice president of player personnel said, shaking his head. “It was the kind of thing that, you know, it was under his name. So when we had some time with him, of course we were like ‘What is this all about?’ … It was an interesting conversation. He had a legitimate explanation for what happened and we followed up on it and we believe it was what he said it was. But that’s one of the things that happens [with networking profiles].”
Spielman said the Vikings, like most NFL teams, now have someone assigned to monitoring the profiles of potential picks. Their task is simple: pull together as much information as possible that can be used in interviews or to aid background checks. The more questionable the content found, the better armed NFL teams can be when it comes to making a final call on players.
It has been a lucrative pursuit, too. One NFC North coach said his team has gotten particularly adept at collecting information from networking sites. The team combs through pictures, goes through archived “comments” sections, breezes through friend lists for other potential contacts, and spends untold amounts of time dissecting pages of information based on the potential draft status of a player.
And the process of “ghosting” – creating fake profiles to get added to the private pages of some draft picks – isn’t isolated. Executives from three NFL teams admitted that at one point or another, they had used a similar method to get information. And all three suggested that it was something that was likely used by the investigative sources of all teams.
Sometimes these searches produce nothing. Other times, they pan out with suggestive pictures or interesting tidbits of information that open other doors.
“It all depends on the context,” said Detroit Lions coach Jim Schwartz. “On the surface some things don’t necessarily matter. But if it’s something deeper, if it’s a sign there are some deeper problems, sure, it matters.”
In many ways, NFL teams have no choice but to keep tabs on what has begun to filter out onto websites. With the rise of powerful blogs like Deadspin and ProFootballTalk.com, rarely does an embarrassing photo or damaging information go unnoticed. In recent years, it has become common to see suggestive photos of some of the NFL’s high profile players. Party pictures of high draft picks like Matt Leinart and Vince Young have leaked out over the last two seasons and helped form a media and fan perception of those players. But they haven’t been alone. Look hard enough, and you can find “social” photos of half the league’s starting quarterbacks – Ben Roethlisberger, Eli Manning, Kyle Orton, and many others.
And few are typically posted by players. Many are the product of surrounding people using cell phone cameras, then sending the pictures to friends or posting them on blogs or networking sites.
“Nowadays the cameras are everywhere,” said Green Bay Packers coach Mike McCarthy. “You almost expect something is out there with guys, because people are taking pictures of them everywhere they go.”
Explaining the past
This season’s draft picks aren’t immune, either. Former Georgia quarterback Matt Stafford – potentially the No. 1 overall pick in the draft – has been living down photos that were taken during a NASCAR race when a then 19-year-old Stafford was captured lifting a beer keg over his head. The pictures were considered relatively harmless, but they were enough to prompt Georgia coach Mark Richt to reprimand his starter.
It was Stafford’s grasp of something else a couple of years ago that brought scrutiny.
And the pictures were something that, two years later, every NFL team has glanced over while preparing for the upcoming draft.
“We know about them. … Everybody went to college,” Green Bay general manager Ted Thompson said with a shrug. “Everybody had fun in college. It sounds like to me, that’s what is popping up with him.”
For his part, Stafford has said that he regretted not thinking about how the pictures would be perceived – or how widely they would be distributed throughout his college career. But with NFL teams using every available resource at their fingertips, he has tried to embrace the opportunity to talk about any misperception.
“You’ve got to understand where they’re coming from,” Stafford said. “There are guys out there that they don’t want as a part of their team. Maybe something like that sets them off. I’ve been completely honest with guys, and just tried to let them know who I am. It’s been a pretty easy part of the process for me, to be honest with you.”
Some players haven’t escaped scrutiny so easily. Some personnel men still talk about the nightmarish rap turned out by the infamous “7th Floor Crew”, a group of former University of Miami football players and students who recorded a song in a dormitory that became something of a cult hit on the Internet.
The song, which was hammered in the national media for its offensive language and depiction of women, was recorded by nine men in a Miami dormitory in 2004. At the time, several of the football players were freshmen. Now, four of them – Jon Beason, Greg Olsen, Tavares Gooden and Darnell Jenkins – have moved on to the NFL. Despite having already apologized after the song was leaked onto the Internet in 2005, Olsen and Beason have both dealt with further media criticism when they moved on to the NFL.
Even now, there are multiple Facebook groups and Myspace pages devoted to the “7th Floor Crew” and the expletive-laden song, which depicts wildly explicit sexual scenes. It can also be found on YouTube, complete with photos of the players in their NFL uniforms. And it serves as a perfect example of the kind of red flag NFL teams are in search of when they are diving into social networking sites for information.
“I was 17 going on 18 [when we recorded it],” said Gooden, a third-round pick of the Baltimore Ravens last year. “We were all freshmen. It wasn’t anything we were going to put out online. We didn’t do that. Somebody actually stole it off this guy’s computer. We were just all kidding around. We did it in a dorm room. We didn’t even do it in a studio. Somebody stole it off this guy’s computer and he found it funny and was like ‘I’ve got some UM players rapping.’ And he puts it online, which violated our privacy. We probably could have sued this kid, because we didn’t put this stuff out there.
“There’s always going to be some stuff out there – it’s just, do you learn from it? For me, personally, I really don’t care. Right now, I’m where I want to be at and just looking forward. My main thing is just not to worry about the past. If somebody else wants to chuckle and laugh about that, they can go right ahead. I’ll just keep getting better and progressing while other people keep [regressing] looking at those things and trying to find some way to hold us down. All of us were young when we made that song. … That taught me, you’ve got to watch that you say, and who you do it around.”
Avoiding the traps
For their part, draft picks are becoming more aware of the NFL’s watchful eye. Part of it stems from college, where the NCAA and most major college programs sit down their athletes and lay out parameters for what they can and can’t put on the Internet. Some colleges have discussed banning social networking sites altogether, but there has yet to be such a move by schools in major conferences like the Big Ten, Pac-10, SEC and others. However, Big 12 rivals Texas and Oklahoma each dismissed players last year after inflammatory items appeared on Facebook and YouTube, respectively.
Most NFL players and draft picks still have their own profiles on social networking sites. Every potential first-round pick in this year’s draft currently maintains a presence on Facebook. But many of them learned long ago to scrub their pages of anything that would give teams ammunition to use against them. Perhaps they followed the lead of their predecessors.
“I have a Facebook page. I’m rarely on it. But when I was in college, I didn’t have anything to hide,” said Houston Texans defensive tackle Amobi Okoye, a 2007 first-rounder. “But I was just mindful of whatever was on there. If you had the slightest doubt that it might create some controversy [it wasn’t on there]. My whole thing is that I live by the phrase ‘You don’t want to give anybody a reason.’ ”
Added Atlanta Falcons ’08 second-round pick Curtis Lofton, “This is a very important time in your life. You’ve got to do everything possible to put yourself in a better situation and your family in a better situation. It would probably be best to just stay off those things until after the draft.”
The investigative draft process is deeper than ever, smarter than ever, and more armed to pick apart draft picks than at any time in history. Whether it was a haunting party photo, a rap song from a dormitory, or merely the hoisting of a keg, nothing in the past stays there for long. And it doesn’t take long for a team to find it.
“I didn’t know how deep it was going to go,” Gooden said. “A couple of my high school teachers told me, and a couple of middle school teachers when I went out there, told me that some guys had asked some questions about me and called. That was crazy to me that they knew basically everything about my life and who to get into contact with.”
Undoubtedly, someone from the NFL is always watching, looking, probing. And teams could be looking in from anywhere – even that blue-eyed, auburn-haired beauty who just seems to be another admirer.
Saturday, May 16, 2009
Senate Legislation Would Federalize Cybersecurity
Rules for Private Networks Also Proposed
By Joby Warrick and Walter Pincus
Washington Post Staff Writers
Wednesday, April 1, 2009; A04
Key lawmakers are pushing to dramatically escalate U.S. defenses against cyberattacks, crafting proposals that would empower the government to set and enforce security standards for private industry for the first time.
The proposals, in Senate legislation that could be introduced as early as today, would broaden the focus of the government's cybersecurity efforts to include not only military networks but also private systems that control essentials such as electricity and water distribution. At the same time, the bill would add regulatory teeth to ensure industry compliance with the rules, congressional officials familiar with the plan said yesterday.
Addressing what intelligence officials describe as a gaping vulnerability, the legislation also calls for the appointment of a White House cybersecurity "czar" with unprecedented authority to shut down computer networks, including private ones, if a cyberattack is underway, the officials said.
How industry groups will respond is unclear. Jim Dempsey, vice president for public policy at the Center for Democracy and Technology, which represents private companies and civil liberties advocates, said that mandatory standards have long been the "third rail of cybersecurity policy." Dempsey said regulation could also stifle creativity by forcing companies to adopt a uniform approach.
The legislation, co-sponsored by Senate Commerce Committee Chairman John D. Rockefeller IV (D-W.Va.) and Sen. Olympia J. Snowe (R-Maine), was drafted with White House input. Although the White House indicated it supported some key concepts of the bill, there has been no official endorsement.
Many of the proposals were based on recommendations of a landmark study last year by the Center for Strategic and International Studies.
Currently, government responsibility for cybersecurity is split: The Pentagon and the National Security Agency safeguard military networks, while the Department of Homeland Security provides assistance to private networks. Previous cybersecurity initiatives have largely concentrated on reducing the vulnerability of government and military computers to hackers.
A 60-day federal review of the nation's defenses against computer-based attacks is underway, and the administration has signaled its intention to incorporate private industry into those defenses in an unprecedented way.
"People say this is a military or intelligence concern, but it's a lot more than that," Rockefeller, a former intelligence committee chairman, said in an interview. "It suddenly gets into the realm of traffic lights and rail networks and water and electricity."
U.S. intelligence officials have warned that a sustained attack on private computer networks could cause widespread social and economic havoc, possibly shutting down or compromising systems used by banks, utilities, transportation companies and others.
The Rockefeller-Snowe measure would create the Office of the National Cybersecurity Adviser, whose leader would report directly to the president and would coordinate defense efforts across government agencies. It would require the National Institute of Standards and Technology to establish "measurable and auditable cybersecurity standards" that would apply to private companies as well as the government. It also would require licensing and certification of cybersecurity professionals.
The proposal would also mandate an ongoing, quadrennial review of the nation's cyberdefenses. "It's not a problem that will ever be completely solved," Rockefeller said. "You have to keep making higher walls."
Last week, Director of National Intelligence Dennis C. Blair told reporters that one agency should oversee cybersecurity for government and for the private sector. He added that the NSA should be central to the effort.
"The taxpayers of this country have spent enormous sums developing a world-class capability at the National Security Agency on cyber," he said.
Blair acknowledged there will be privacy concerns about centralizing cybersecurity, and he said the program should be designed in a way that gives Americans confidence that it is "not being used to gather private information."
DHS Releases Conficker/Downadup Computer Worm Detection Tool
Release Date: March 30, 2009
For Immediate Release
Office of the Press Secretary
Contact: 202-282-8010
The U.S. Department of Homeland Security (DHS) announced today the release of a DHS-developed detection tool that can be used by the federal government, commercial vendors, state and local governments, and critical infrastructure owners and operators to scan their networks for the Conficker/Downadup computer worm.
The department's United States Computer Emergency Readiness Team (US-CERT) developed the tool that assists mission-critical partners in detecting if their networks are infected. The tool has been made available to federal and state partners via the Government Forum of Incident Response and Security Teams (GFIRST) Portal, and to private sector partners through the IT and Communications sector Information Sharing and Analysis Centers (ISACs). Additional outreach to partners will continue in the coming days.
Department cyber experts briefed federal Chief Information Officers and Chief Information Security Officers today, as well as their equivalents in the private sector and state/local government via the ISACs and the National Infrastructure Protection Plan framework.
"While tools have existed for individual users, this is the only free tool – and the most comprehensive one – available for enterprises like federal and state government and private sector networks to determine the extent to which their systems are infected by this worm," said US-CERT Director Mischel Kwon. "Our experts at US-CERT are working around the clock to increase our capabilities to address the cyber risk to our nation's critical networks and systems, both from this threat and all others."
In addition to the development of this tool, DHS is working closely with private sector and government partners to minimize any impact from the Conficker/Downadup computer worm. This worm can infect Microsoft Windows systems from thumb drives, network share drives, or directly across a corporate network if network servers are not protected by Microsoft’s MS08-067 patch.
US-CERT recommends that Windows Operating Systems users apply Microsoft security patch MS08-067 (http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx) as quickly as possible to help protect themselves from the worm. This security patch, released in October 2008, is designed to protect against a vulnerability that, if exploited, could enable an attacker to remotely take control of an infected system and install additional malicious software.
Home users can apply a simple test for the presence of a Conficker/Downadup infection on their home computers. The presence of an infection may be detected if users are unable to connect to their security solution Web site or if they are unable to download free detection/removal tools.
If an infection is suspected, the system or computer should be removed from the network. In the case of home users, the computer should be unplugged from the Internet.
Instructions, support and more information on how to manually remove a Conficker/Downadup infection from a system have been published by major security vendors. Each of these vendors offers free tools that can verify the presence of a Conficker/Downadup infection and remove the worm:
Symantec:
http://www.symantec.com/business/security_response/writeup.jsp?docid=2009-011316-0247-99
Microsoft:
http://support.microsoft.com/kb/962007
http://www.microsoft.com/protect/computer/viruses/worms/conficker.mspx
Home users may also call the Microsoft PC Safety hotline at 1-866-PCSAFETY for assistance.
McAfee:
http://www.mcafee.com/us/threat_center/default.asp
US-CERT encourages users to prevent a Conficker/Downadup infection by ensuring all systems have the MS08-067 patch, disabling AutoRun functionality (see http://www.us-cert.gov/cas/techalerts/TA09-020A.html), and maintaining up-to-date anti-virus software.
In addition, US-CERT recommends that computer users and administrators implement the following preparedness measures to protect themselves against this vulnerability, and also from future vulnerabilities:
Keep up to date on security patches and fixes for your operating system. The easiest way to do this is to set your system to receive automatic updates, which ensures you automatically receive the security updates Microsoft issues. If your system does not allow automatic updates, we recommend that you manually install the Microsoft security patch today through Microsoft Update at http://update.microsoft.com/microsoftupdate.
Install anti-virus and anti-spyware software and keep them up to date.
Enable a firewall, which will help block attacks before they can reach your computer.
To access the alerts for this vulnerability and for additional information on cyber security tips and practices, please visit www.us-cert.gov.
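As an added example, not part of the DHS release, the following PowerShell script checks a Windows host for the preparedness measures US-CERT lists above: the MS08-067 patch, AutoRun disabled, a running firewall, and the home-user reachability test for security vendor sites. It assumes PowerShell 3.0 or later on an English-locale Vista-or-later system; the KB number (KB958644), the NoDriveTypeAutoRun policy value and the control host www.example.com are not on the page and are used here as known or constructed values.

```powershell
# Added example (not DHS/US-CERT code): a read-only compliance check for the
# Conficker/Downadup preparedness measures in the release above.
# Assumptions: PowerShell 3.0+, Windows Vista or later (netsh advfirewall),
# English-language netsh output.

# MS08-067 shipped as hotfix KB958644 (identifier known from Microsoft's
# bulletin, not taken from the page).
$ms08067Kb = 'KB958644'

function Test-Ms08067Patch {
    # Get-HotFix reads the installed-update inventory (same data as "wmic qfe").
    $hotfix = Get-HotFix -Id $ms08067Kb -ErrorAction SilentlyContinue
    return [bool]$hotfix
}

function Test-AutoRunDisabled {
    # TA09-020A's guidance: NoDriveTypeAutoRun = 0xFF in the Explorer policy
    # key disables AutoRun for every drive type. The machine-wide value wins
    # when present; the per-user value is consulted only as a fallback.
    $paths = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    )
    foreach ($p in $paths) {
        $v = (Get-ItemProperty -Path $p -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
        if ($null -ne $v) { return (($v -band 0xFF) -eq 0xFF) }
    }
    return $false   # no policy set: the Windows default leaves AutoRun enabled
}

function Test-FirewallEnabled {
    # Parses "netsh advfirewall show allprofiles state"; every profile must be ON.
    $out = netsh advfirewall show allprofiles state 2>$null
    if (-not $out) { return $false }
    $states = @()
    foreach ($line in $out) {
        if ($line -match '^\s*State\s+(\S+)') { $states += $Matches[1] }
    }
    return (($states.Count -gt 0) -and -not ($states -contains 'OFF'))
}

function Test-VendorSitesReachable {
    # The home-user heuristic from the release: an infected host cannot reach
    # security vendor Web sites. A control host that is NOT a vendor must
    # resolve, otherwise the result is inconclusive ($null), not a failure.
    # Host lists are constructed for this example.
    param(
        [string[]]$VendorHosts  = @('www.symantec.com', 'www.microsoft.com', 'www.mcafee.com'),
        [string[]]$ControlHosts = @('www.example.com')
    )
    $resolve = {
        param($name)
        try { [System.Net.Dns]::GetHostAddresses($name) | Out-Null; $true } catch { $false }
    }
    $controlOk = @($ControlHosts | Where-Object { & $resolve $_ }).Count
    if ($controlOk -eq 0) { return $null }   # no name resolution at all
    $vendorOk = @($VendorHosts | Where-Object { & $resolve $_ }).Count
    return ($vendorOk -eq $VendorHosts.Count)
}

# Report: OK / FAIL per measure, UNKNOWN where the check was inconclusive.
$checks = [ordered]@{
    'MS08-067 (KB958644) installed'      = Test-Ms08067Patch
    'AutoRun disabled (TA09-020A)'       = Test-AutoRunDisabled
    'Windows Firewall on (all profiles)' = Test-FirewallEnabled
    'Security vendor sites resolvable'   = Test-VendorSitesReachable
}
foreach ($name in $checks.Keys) {
    $r = $checks[$name]
    $status = if ($null -eq $r) { 'UNKNOWN' } elseif ($r) { 'OK' } else { 'FAIL' }
    '{0,-40} {1}' -f $name, $status
}
```

A FAIL on the vendor-site line alone is only a hint, as the release says; it should prompt a scan with one of the vendor tools listed above rather than be read as proof of infection.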
Electrical 'Smart Grid' Not Yet Smart Enough to Block Hackers
Tuesday, March 31, 2009
By James Osborne
President Obama's plans to accelerate the development of an electrical "smart grid" could leave the nation's power supply dangerously vulnerable to attacks by computer hackers, security analysts are warning.
The "smart grid" is projected to be a nationwide system of automated meters and advanced sensors that integrates new alternative-energy sources with traditional power plants.
Once online, utilities will be able to adjust their rates to the immediate supply and demand for power, and customers will be able to choose to operate their appliances during the hours when consumption — and prices — are at their lowest.
Obama's economic stimulus package allocates $4.5 billion to modernize the nation's electricity system and put smart-grid technology on the fast track.
But creating a two-way line of communication between homes and the grid — however "smart" it may be — has its risks, experts say.
"With smart grid, anybody with an eBay account and $80 can go and buy a smart meter, reverse-engineer it and figure out how to attack the grid," said Josh Pennell, president and CEO of IOActive, a technology research firm in Seattle, who testified before the Department of Homeland Security last week.
On the other hand, he said, "If people are going to attack a power grid right now, it would need to be a very well-funded operation."
Pennell envisions low-level hackers trying to steal customer data for the purposes of fraud — or an international terrorist group infiltrating the grid and causing a massive power blackout.
There have already been several instances of hackers breaking into foreign power grids and holding the electricity supply for ransom, a CIA analyst told a conference of utility engineers last year, according to the Associated Press.
Hank Kenchington, deputy assistant secretary of research and development at the Department of Energy, said officials are taking steps to secure the "smart grid" as it goes online.
"This isn't the first time we're hearing about this," he said. "We're addressing these issues with the utilities."
Among computer security experts, there is a general understanding that no system is foolproof.
Data encryption and other technologies must constantly evolve to stay ahead of hackers, said Ron Ambrosio, a senior researcher within IBM's energy and utilities division, who works on "smart grid" projects around the world.
But the idea that "smart grid" networks are lagging behind is simply wrong, he said.
"The smart grid is about leveraging information technology, and there's a lot that's been done in the IT industry already," he said. "We don't have to reinvent everything from scratch."
The great hope of a "smart grid" is that it will not only help reduce the nation's energy consumption, but that it will provide an avenue for transmitting mass quantities of electricity from one side of the country to another — something that is impossible with the current grid.
"Today, the electricity we use is carried along a grid of lines and wires that date back to Thomas Edison," Obama told a crowd in Denver last month.
He called the smart grid "an investment that takes the important first step towards a national transmission superhighway that will connect our cities to the windy plains of the Dakotas and the sunny deserts of the Southwest."
In Boulder, Colo., more than half the city's homes are already being fitted with "smart meters," along with various other devices to help residents conserve energy, in a pilot project that could soon see "smart grid" extending across eight states.
Construction on the first wave of government-funded "smart grid" projects is expected to begin this summer, Kenchington said.
But it's the speed of the deployment that concerns Pennell and his colleagues, who say not enough time is being left for security tests.
"In any kind of emerging market this is typical. People are racing to see who can get their products out faster," Pennell said, calling for further scrutiny of the risks involved in digitizing the country's electrical grid.
"It's time to do it now before [smart meters are] bolted onto every house in the country."
Vast Spy System Loots Computers in 103 Countries
By JOHN MARKOFF
TORONTO — A vast electronic spying operation has infiltrated computers and has stolen documents from hundreds of government and private offices around the world, including those of the Dalai Lama, Canadian researchers have concluded.
In a report to be issued this weekend, the researchers said that the system was being controlled from computers based almost exclusively in China, but that they could not say conclusively that the Chinese government was involved.
The researchers, who are based at the Munk Center for International Studies at the University of Toronto, had been asked by the office of the Dalai Lama, the exiled Tibetan leader whom China regularly denounces, to examine its computers for signs of malicious software, or malware.
Their sleuthing opened a window into a broader operation that, in less than two years, has infiltrated at least 1,295 computers in 103 countries, including many belonging to embassies, foreign ministries and other government offices, as well as the Dalai Lama’s Tibetan exile centers in India, Brussels, London and New York.
The researchers, who have a record of detecting computer espionage, said they believed that in addition to the spying on the Dalai Lama, the system, which they called GhostNet, was focused on the governments of South Asian and Southeast Asian countries.
Intelligence analysts say many governments, including those of China, Russia and the United States, and other parties use sophisticated computer programs to covertly gather information.
The newly reported spying operation is by far the largest to come to light in terms of countries affected.
This is also believed to be the first time researchers have been able to expose the workings of a computer system used in an intrusion of this magnitude.
Still going strong, the operation continues to invade and monitor more than a dozen new computers a week, the researchers said in their report, “Tracking ‘GhostNet’: Investigating a Cyber Espionage Network.” They said they had found no evidence that United States government offices had been infiltrated, although a NATO computer was monitored by the spies for half a day and computers of the Indian Embassy in Washington were infiltrated.
The malware is remarkable both for its sweep — in computer jargon, it has not been merely “phishing” for random consumers’ information, but “whaling” for particular important targets — and for its Big Brother-style capacities. It can, for example, turn on the camera and audio-recording functions of an infected computer, enabling monitors to see and hear what goes on in a room. The investigators say they do not know if this facet has been employed.
The researchers were able to monitor the commands given to infected computers and to see the names of documents retrieved by the spies, but in most cases the contents of the stolen files have not been determined. Working with the Tibetans, however, the researchers found that specific correspondence had been stolen and that the intruders had gained control of the electronic mail server computers of the Dalai Lama’s organization.
The electronic spy game has had at least some real-world impact, they said. For example, they said, after an e-mail invitation was sent by the Dalai Lama’s office to a foreign diplomat, the Chinese government made a call to the diplomat discouraging a visit. And a woman working for a group making Internet contacts between Tibetan exiles and Chinese citizens was stopped by Chinese intelligence officers on her way back to Tibet, shown transcripts of her online conversations and warned to stop her political activities.
The Toronto researchers said they had notified international law enforcement agencies of the spying operation, which in their view exposed basic shortcomings in the legal structure of cyberspace. The F.B.I. declined to comment on the operation.
Although the Canadian researchers said that most of the computers behind the spying were in China, they cautioned against concluding that China’s government was involved. The spying could be a nonstate, for-profit operation, for example, or one run by private citizens in China known as “patriotic hackers.”
“We’re a bit more careful about it, knowing the nuance of what happens in the subterranean realms,” said Ronald J. Deibert, a member of the research group and an associate professor of political science at Munk. “This could well be the C.I.A. or the Russians. It’s a murky realm that we’re lifting the lid on.”
A spokesman for the Chinese Consulate in New York dismissed the idea that China was involved. “These are old stories and they are nonsense,” the spokesman, Wenqi Gao, said. “The Chinese government is opposed to and strictly forbids any cybercrime.”
The Toronto researchers, who allowed a reporter for The New York Times to review the spies’ digital tracks, are publishing their findings in Information Warfare Monitor, an online publication associated with the Munk Center.
At the same time, two computer researchers at Cambridge University in Britain who worked on the part of the investigation related to the Tibetans, are releasing an independent report. They do fault China, and they warned that other hackers could adopt the tactics used in the malware operation.
“What Chinese spooks did in 2008, Russian crooks will do in 2010 and even low-budget criminals from less developed countries will follow in due course,” the Cambridge researchers, Shishir Nagaraja and Ross Anderson, wrote in their report, “The Snooping Dragon: Social Malware Surveillance of the Tibetan Movement.”
In any case, it was suspicions of Chinese interference that led to the discovery of the spy operation. Last summer, the office of the Dalai Lama invited two specialists to India to audit computers used by the Dalai Lama’s organization. The specialists, Greg Walton, the editor of Information Warfare Monitor, and Mr. Nagaraja, a network security expert, found that the computers had indeed been infected and that intruders had stolen files from personal computers serving several Tibetan exile groups.
Back in Toronto, Mr. Walton shared data with colleagues at the Munk Center’s computer lab.
One of them was Nart Villeneuve, 34, a graduate student and self-taught “white hat” hacker with dazzling technical skills. Last year, Mr. Villeneuve linked the Chinese version of the Skype communications service to a Chinese government operation that was systematically eavesdropping on users’ instant-messaging sessions.
Early this month, Mr. Villeneuve noticed an odd string of 22 characters embedded in files created by the malicious software and searched for it with Google. It led him to a group of computers on Hainan Island, off China, and to a Web site that would prove to be critically important.
In a puzzling security lapse, the Web page that Mr. Villeneuve found was not protected by a password, while much of the rest of the system uses encryption.
Mr. Villeneuve and his colleagues figured out how the operation worked by commanding it to infect a system in their computer lab in Toronto. On March 12, the spies took their own bait. Mr. Villeneuve watched a brief series of commands flicker on his computer screen as someone — presumably in China — rummaged through the files. Finding nothing of interest, the intruder soon disappeared.
Through trial and error, the researchers learned to use the system’s Chinese-language “dashboard” — a control panel reachable with a standard Web browser — by which one could manipulate the more than 1,200 computers worldwide that had by then been infected.
Infection happens two ways. In one method, a user’s clicking on a document attached to an e-mail message lets the system covertly install software deep in the target operating system. Alternatively, a user clicks on a Web link in an e-mail message and is taken directly to a “poisoned” Web site.
The researchers said they avoided breaking any laws during three weeks of monitoring and extensively experimenting with the system’s unprotected software control panel. They provided, among other information, a log of compromised computers dating to May 22, 2007.
They found that three of the four control servers were in different provinces in China — Hainan, Guangdong and Sichuan — while the fourth was discovered to be at a Web-hosting company based in Southern California.
Beyond that, said Rafal A. Rohozinski, one of the investigators, “attribution is difficult because there is no agreed upon international legal framework for being able to pursue investigations down to their logical conclusion, which is highly local.”
By JOHN MARKOFF
TORONTO — A vast electronic spying operation has infiltrated computers and has stolen documents from hundreds of government and private offices around the world, including those of the Dalai Lama, Canadian researchers have concluded.
In a report to be issued this weekend, the researchers said that the system was being controlled from computers based almost exclusively in China, but that they could not say conclusively that the Chinese government was involved.
The researchers, who are based at the Munk Center for International Studies at the University of Toronto, had been asked by the office of the Dalai Lama, the exiled Tibetan leader whom China regularly denounces, to examine its computers for signs of malicious software, or malware.
Their sleuthing opened a window into a broader operation that, in less than two years, has infiltrated at least 1,295 computers in 103 countries, including many belonging to embassies, foreign ministries and other government offices, as well as the Dalai Lama’s Tibetan exile centers in India, Brussels, London and New York.
The researchers, who have a record of detecting computer espionage, said they believed that in addition to the spying on the Dalai Lama, the system, which they called GhostNet, was focused on the governments of South Asian and Southeast Asian countries.
Intelligence analysts say many governments, including those of China, Russia and the United States, and other parties use sophisticated computer programs to covertly gather information.
The newly reported spying operation is by far the largest to come to light in terms of countries affected.
This is also believed to be the first time researchers have been able to expose the workings of a computer system used in an intrusion of this magnitude.
Still going strong, the operation continues to invade and monitor more than a dozen new computers a week, the researchers said in their report, “Tracking ‘GhostNet’: Investigating a Cyber Espionage Network.” They said they had found no evidence that United States government offices had been infiltrated, although a NATO computer was monitored by the spies for half a day and computers of the Indian Embassy in Washington were infiltrated.
The malware is remarkable both for its sweep — in computer jargon, it has not been merely “phishing” for random consumers’ information, but “whaling” for particular important targets — and for its Big Brother-style capacities. It can, for example, turn on the camera and audio-recording functions of an infected computer, enabling monitors to see and hear what goes on in a room. The investigators say they do not know if this facet has been employed.
The researchers were able to monitor the commands given to infected computers and to see the names of documents retrieved by the spies, but in most cases the contents of the stolen files have not been determined. Working with the Tibetans, however, the researchers found that specific correspondence had been stolen and that the intruders had gained control of the electronic mail server computers of the Dalai Lama’s organization.
The electronic spy game has had at least some real-world impact, they said. For example, they said, after an e-mail invitation was sent by the Dalai Lama’s office to a foreign diplomat, the Chinese government made a call to the diplomat discouraging a visit. And a woman working for a group making Internet contacts between Tibetan exiles and Chinese citizens was stopped by Chinese intelligence officers on her way back to Tibet, shown transcripts of her online conversations and warned to stop her political activities.
The Toronto researchers said they had notified international law enforcement agencies of the spying operation, which in their view exposed basic shortcomings in the legal structure of cyberspace. The F.B.I. declined to comment on the operation.
Although the Canadian researchers said that most of the computers behind the spying were in China, they cautioned against concluding that China’s government was involved. The spying could be a nonstate, for-profit operation, for example, or one run by private citizens in China known as “patriotic hackers.”
“We’re a bit more careful about it, knowing the nuance of what happens in the subterranean realms,” said Ronald J. Deibert, a member of the research group and an associate professor of political science at Munk. “This could well be the C.I.A. or the Russians. It’s a murky realm that we’re lifting the lid on.”
A spokesman for the Chinese Consulate in New York dismissed the idea that China was involved. “These are old stories and they are nonsense,” the spokesman, Wenqi Gao, said. “The Chinese government is opposed to and strictly forbids any cybercrime.”
The Toronto researchers, who allowed a reporter for The New York Times to review the spies’ digital tracks, are publishing their findings in Information Warfare Monitor, an online publication associated with the Munk Center.
At the same time, two computer researchers at Cambridge University in Britain, who worked on the part of the investigation related to the Tibetans, are releasing an independent report. They do fault China, and they warned that other hackers could adopt the tactics used in the malware operation.
“What Chinese spooks did in 2008, Russian crooks will do in 2010 and even low-budget criminals from less developed countries will follow in due course,” the Cambridge researchers, Shishir Nagaraja and Ross Anderson, wrote in their report, “The Snooping Dragon: Social Malware Surveillance of the Tibetan Movement.”
In any case, it was suspicions of Chinese interference that led to the discovery of the spy operation. Last summer, the office of the Dalai Lama invited two specialists to India to audit computers used by the Dalai Lama’s organization. The specialists, Greg Walton, the editor of Information Warfare Monitor, and Mr. Nagaraja, a network security expert, found that the computers had indeed been infected and that intruders had stolen files from personal computers serving several Tibetan exile groups.
Back in Toronto, Mr. Walton shared data with colleagues at the Munk Center’s computer lab.
One of them was Nart Villeneuve, 34, a graduate student and self-taught “white hat” hacker with dazzling technical skills. Last year, Mr. Villeneuve linked the Chinese version of the Skype communications service to a Chinese government operation that was systematically eavesdropping on users’ instant-messaging sessions.
Early this month, Mr. Villeneuve noticed an odd string of 22 characters embedded in files created by the malicious software and searched for it with Google. It led him to a group of computers on Hainan Island, off China, and to a Web site that would prove to be critically important.
In a puzzling security lapse, the Web page that Mr. Villeneuve found was not protected by a password, while much of the rest of the system uses encryption.
Mr. Villeneuve and his colleagues figured out how the operation worked by commanding it to infect a system in their computer lab in Toronto. On March 12, the spies took their own bait. Mr. Villeneuve watched a brief series of commands flicker on his computer screen as someone — presumably in China — rummaged through the files. Finding nothing of interest, the intruder soon disappeared.
Through trial and error, the researchers learned to use the system’s Chinese-language “dashboard” — a control panel reachable with a standard Web browser — by which one could manipulate the more than 1,200 computers worldwide that had by then been infected.
Infection happens two ways. In one method, a user’s clicking on a document attached to an e-mail message lets the system covertly install software deep in the target operating system. Alternatively, a user clicks on a Web link in an e-mail message and is taken directly to a “poisoned” Web site.
The researchers said they avoided breaking any laws during three weeks of monitoring and extensively experimenting with the system’s unprotected software control panel. They provided, among other information, a log of compromised computers dating to May 22, 2007.
They found that three of the four control servers were in different provinces in China — Hainan, Guangdong and Sichuan — while the fourth was discovered to be at a Web-hosting company based in Southern California.
Beyond that, said Rafal A. Rohozinski, one of the investigators, “attribution is difficult because there is no agreed upon international legal framework for being able to pursue investigations down to their logical conclusion, which is highly local.”
19,000 UK credit card details posted on the Net...and accessible on Google
By Sean Poulter and Jonathan Weinberg
Last updated at 10:38 AM on 28th March 2009
The credit card details of up to 19,000 British shoppers were published on the internet - where they could be found using a simple search on Google.
The details apparently originated from the website of a criminal gang in the Far East.
The list, obtained by the Mail, includes the names, home addresses and full card details of thousands of Visa, Mastercard and American Express customers.
Google's high-powered search engine inadvertently picked up the list during a 'crawl' of the web - allowing it to be seen and copied.
The credit card details of thousands of Brits could be accessed through search-engine Google
It was still viewable a few days ago, but a spokesman for the banking industry trade body APACS said that many of the cards on the list had already been stopped and others had expired.
However, these users' home addresses - including door numbers and postcodes - were clearly shown, creating the risk of identity theft.
APACS also revealed that banks had merely put a warning flag on the accounts of those customers whose cards were still active, in order to monitor any unusual use.
Disturbingly, however, these customers have not been warned of the security breach.
Details of Visa, Mastercard and American Express customers could be viewed online
Conservative MP Nigel Evans, chairman of the All Party Group on Identity Fraud, said: 'This is hugely worrying. The credit card companies have a duty of care to inform all those involved that they are at risk of identity fraud.'
Any criminals who came across the list could have used the details to make purchases worth millions of pounds. Some customers' card details were stolen after making purchases over the internet, while others are known to have been victims of fraud.
It is believed the details were originally on an unsecured server in Vietnam which was linked to a website belonging to the fraudsters. Criminal gangs typically use such websites to trade in stolen card details.
The server was closed down in February by authorities investigating cyber crimes but Google's powerful indexing technology had already located the list and made a copy.
Rik Ferguson, of web security firm Trend Micro, said: 'To find this amount of data on a server which is publicly accessible is a rare event. Organised crime usually protect their ill-gotten gains behind password-protected links on encrypted machines.'
Mr Ferguson also told how he had infiltrated internet forums used by the crooks, where just £250 would buy details of 100 UK cards. Internet banking logins and fake passports were also on sale.
He added: 'The existence of these kinds of carding forums illustrates the booming trade in stolen financial details such as cards and bank accounts.
'Perhaps the greatest surprise to the casual observer will be the relatively low prices for this information. This is driven by the ease of access and the sheer numbers available.'
A spokesman for APACS said: 'The banking industry takes every data breach extremely seriously. We'd like to remind all online businesses of their responsibility to store card details securely.'
The details have now been removed from Google and a spokesman said they could not comment on the specific case.
But he added: 'Search engines such as Google do not have the ability to remove content directly from the internet.'
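The list described above was only found because a search engine crawled a server that should never have held it in the clear. The defensive counterpart is to scan the content you publish (or the directories a crawler can reach) for card-number-like data before it goes live. The script below is an added example and is not code from the article, APACS, Google or Trend Micro; it extracts digit runs, validates them with the Luhn check and classifies them with simplified brand prefixes (an assumption: real BIN tables are far more detailed), and reports only masked numbers so the scanner itself does not become a second leak. The sample CSV text is constructed and uses well-known test card numbers.

```python
"""Scan text for exposed card numbers (PANs): digit-run extraction, Luhn
mod-10 validation, simplified brand classification, masked reporting.
Added example for this page; all inputs below are constructed."""
import re
from typing import Dict, List, Optional

# Runs of 13-19 digits, optionally separated by single spaces or dashes,
# not adjacent to other digits (so a 20-digit order id is not split up).
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample: a fragment of the kind of list a carding site might
# leave on an unsecured server. All card numbers are public test numbers.
SAMPLE = """name,address,card
J. Doe,12 High St,4111 1111 1111 1111
A. Smith,3 Mill Lane,5555-5555-5555-4444
R. Roe,Flat 7,378282246310005
order ref 1234567890123, tel +44 20 7946 0958
"""


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def card_brand(digits: str) -> Optional[str]:
    """Rough brand from leading digits and length (assumption: simplified
    ranges, enough to separate cards from phone numbers and order ids)."""
    n = len(digits)
    if digits.startswith("4") and n in (13, 16, 19):
        return "Visa"
    if n == 16 and (51 <= int(digits[:2]) <= 55 or 2221 <= int(digits[:4]) <= 2720):
        return "Mastercard"
    if n == 15 and digits[:2] in ("34", "37"):
        return "American Express"
    return None


def mask(digits: str) -> str:
    """Keep the first six and last four digits; never log the full PAN."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> List[Dict]:
    """Return one finding per Luhn-valid, brand-matching digit run."""
    findings = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_valid(digits):
            continue
        brand = card_brand(digits)
        if brand is None:
            continue
        findings.append({"brand": brand, "masked": mask(digits), "offset": m.start()})
    return findings


if __name__ == "__main__":
    for f in find_pans(SAMPLE):
        print(f"{f['brand']:17s} {f['masked']} at offset {f['offset']}")
```

Run it over exported files or a crawl of your own public web root before a search engine does; anything it flags is a candidate for removal and for a `noindex` or access-control review, and the masked output can be handed to an incident ticket without reproducing the leak.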