Friday, May 30, 2008

Daily Report

• WUSA 9 reports that FBI estimates cargo theft and trailer hijackings to net $30 billion a year for thieves and to be relatively low risk. This has raised concerns that it may be an easy option for terrorists trying to raise money. (See item 13)

• The Associated Press reports that federal investigators arrived Thursday at the tracks outside Boston where two commuter trains collided and derailed during rush hour Wednesday, killing one person and injuring more than a dozen others. (See item 15)

Banking and Finance Sector

10. May 29, Boston Globe – (Massachusetts) Identity-theft services face legal test. IdentityTruth Inc. says it will reimburse customers up to $2 million if they are victims of identity theft. But a Phoenix lawyer says the identity-protection company’s promise is not worth nearly that much. IdentityTruth charges $10 a month or $100 a year to insure people against unauthorized use of their personal information. The privately held company posts fraud alerts with credit reporting agencies on behalf of its customers. These alerts warn banks and other businesses not to open new accounts unless they confirm the identity of the customer. In addition, IdentityTruth scours the Internet and a host of private and government-run databases, looking for evidence that somebody out there is pretending to be the customer. The company does not actually prevent identity theft. The IdentityTruth website states, “if you are a member of our service and are a victim of identity theft resulting in the loss of your money, we will reimburse you up to $2 million.” But a Phoenix law firm official said the fine print of the IdentityTruth guarantee belies this assertion. He recently filed a lawsuit in the US District Court of Arizona against a rival service, LifeLock Inc. of Tempe. The suit, which seeks class-action status, claims LifeLock’s $1 million guarantee is fraudulent because it contains loopholes that make it far less generous. He said the same loopholes are present in the IdentityTruth guarantee. For instance, the guarantee covers damages caused by a failure of the IdentityTruth service. But banks often ignore fraud alerts. If that happens and an IdentityTruth customer gets stung, the company is not liable, because the bank failed, not IdentityTruth. The president of Javelin Strategy said consumers should not be too quick to sign on with any identity theft preventers. Source: http://www.boston.com/business/articles/2008/05/29/identity_theft_services_face_legal_test/

11. May 28, Originator Times – (California) Home foreclosure ring scam broken up. San Diego and state officials announced that a huge real estate fraud scheme has been broken up after victimizing potentially 400 homeowners in San Diego County alone, with additional victims in other counties. There are many more victims throughout the state who have not yet come forward or do not yet realize they have been scammed. “The defendants preyed on mostly non-English speaking, Hispanic homeowners who were in foreclosure, claiming to offer assistance in preventing the victims from losing their home,” a District Attorney said. The defendants are facing more than 100 felony charges and that number is expected to increase. The defendants were allegedly engaged in a widespread foreclosure rescue scam by which they acquired grant deeds to homes in foreclosure based on untrue or misleading statements that their “land grant program” would prevent homeowners from losing their homes through foreclosure. Two methods were used for inducing owners of residences in foreclosure to participate in a so-called land grant program. One method required homeowners to pay a one-time fee of up to $10,000 to put their property in a land grant. The second method was a lease back scheme in which homeowners paid the suspects $500 or more and then transferred their property via grant deeds to the defendants for no consideration and then made monthly payments to the defendants, purportedly to rent their homes back from the defendants. In both scenarios, the homeowner was typically evicted from their property at the completion of foreclosure proceedings and retained no legally recognized title to their property. While the total loss is still being tallied, the defendants probably got away with hundreds of thousands of dollars. Source: http://originatortimes.com/content/templates/standard.aspx?articleid=3190&zoneid=5

12. May 27, Daily Local – (Pennsylvania) Data breach concerns residents. News of a teenager being arrested for hacking into the school district’s computer system and obtaining Social Security numbers has left some district residents wondering if their identity is in danger. Borough, Pennsylvania, police arrested the 15-year-old male connected with the computer breach on May 21. The student accessed a school district computer server, copied and duplicated computer data and transferred that data to his home computer. According to police, the files contained more than 41,000 taxpayers’ names and personal information including Social Security numbers and more than 15,000 students’ names and personal information. The district sent out letters to 16,595 residents whose names were included in the file. Personal information of 71 employees at one of the district’s schools was included in these files. Police have isolated another student that may have received part of the copied files from the arrested student. Source: http://www.dailylocal.com/WebApp/appmanager/JRC/Daily?_nfpb=true&_pageLabel=pg_article&r21.pgpath=%2FDLN%2FHome&r21.content=%2FDLN%2FHome%2FTopStoryList_Story_2110534

Information Technology

30. May 29, Register – (International) Comcast hack leaves users without email. The portal of U.S. communications giant Comcast was hacked on Wednesday night in an assault that left subscribers unable to access their emails for several hours. The comcast.net front page was replaced by a greeting from hackers on Wednesday night (28 May). The defacement was removed around two hours later. Before the site was restored early Thursday morning, users encountered a “page under construction” message. The site remained intermittently unavailable even after this time. Hackers calling themselves KRYOGENICS EBK and DEFIANT claimed the defacement. As a result of the attack, Comcast subscribers were unable to access their email or other services through the portal for more than two hours. The exact mechanism of the attack is unclear. However, an injected iFrame that served up content from sites under the control of hackers is suspected. Some form of DNS redirection attack may also have been involved. Normally defacement attacks simply involve the spraying of digital graffiti on a website. However, in the case of the Comcast attack it seems some attempt may have been made to snoop on its users’ login credentials. “There is still a lot of speculation about the details of this and why this happened,” said a Comcast user. “But it is clear now that a group of people (according to the hacker’s message) somehow rerouted the IP and DNS values of Comcast to an off site. (http://www.freewebs.com/kryogeniks911/).” “It appears there was no malicious codes or script being run but a lot of people are saying that ports were being ‘listened’ to which could have led to the compromising of username/passwords,” the user added. Source: http://www.theregister.co.uk/2008/05/29/comcast_hack/

31. May 28, Computerworld – (National) Apple updates Leopard, issues 68 fixes. More than three months after it last updated Mac OS X, Apple Inc. today released 10.5.3, an upgrade for its Leopard operating system that boasts nearly 70 stability, compatibility, and security improvements and fixes. Apple did not include patches for two of three iCal vulnerabilities that were made public a week ago, however. Mac OS X 10.5.3, the third upgrade to Leopard since Apple launched the current operating system in October 2007, addresses issues in several components and bundled applications, ranging from the Address Book and Automator to Time Machine and VoiceOver. Apple also listed a baker’s dozen under a “General” category that included a fix for hard drives that would not show in the Finder; an improvement in Spotlight, the OS’s built-in search tool, for searches done on AFP volumes; and a patch for stuttering audio and video playback from certain USB-based hardware. AirPort, Apple’s label for its wireless technology, got a pair of fixes: one to improve wireless reliability in general, the other to boost reliability when used with the company’s relatively new Time Capsule router-cum-backup-device that debuted earlier this year. Apple also tucked eight fixes for iCal, its personal scheduling program, into the 10.5.3 update, but failed to patch two of the three security vulnerabilities disclosed last week by Core Security Technologies. It appears Apple did patch the most serious of the three – dubbed CVE-2008-1035 – which Core said was the only one of the three it had proven could be used to insert malicious code into a Mac. Source: http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9090338&taxonomyId=17&intsrc=kc_top

32. May 28, IDG News Service – (National) Symantec backtracks on Adobe Flash warning. After warning on Tuesday that hackers were exploiting an unpatched bug in Adobe Systems’ Flash Player software, Symantec has backtracked from this claim, saying the flaw is “very similar” to another vulnerability that was patched last month. Symantec’s initial warning described a disturbing threat – a previously unknown and unpatched flaw that was being exploited on tens of thousands of Web pages. The flaw allowed attackers to install unauthorized software on a victim’s machine and was being used to install botnet programs and password-logging software, Symantec said. Now Symantec believes that the bug was previously known and patched by Adobe on April 8, said a senior research manager with Symantec Security Response. However, the Linux version of Adobe’s stand-alone Flash Player, version 9.0.124, is vulnerable to the attack. On Tuesday Symantec researchers saw that the attack worked on Linux and that it caused Flash Player to crash on Windows XP, so they reasoned that they had a new bug that was just not working properly on the Windows platform, possibly due to a programming error by the hackers. “We thought it was a problem with the exploit,” he said. Now Symantec believes that the vulnerability was simply not properly patched in this one version of Adobe’s software, he said. Source: http://www.networkworld.com/news/2008/052808-symantec-backtracks-on-adobe-flash.html

Communications Sector

33. May 29, Register – (International) Hackers start poking holes in NFC. A researcher from the Fraunhofer Institute for Secure Information Technology used the recent EUSecWest event to demonstrate progress in attacking Near Field Communications (NFC) applications. Near Field Communications is the radio frequency identification (RFID)-based standard being built into mobile phones to allow them greater interaction with the physical world. NFC-enabled handsets can be used to pay for bus or train journeys, replacing existing contactless cards, and can read tags embedded in (Smart) posters that trigger a URL to be loaded or a phone number to be called. Currently, only Nokia sells an NFC-enabled handset, the 6131NFC, though they have another model planned for later this year. But NFC is compatible with previous contactless standards such as MiFare and Felica. Therefore, the Fraunhofer Institute for Secure Information Technology created a toolkit that turns a 6131NFC into a generic toolkit for testing deployments of those technologies, as well as looking at functionality unique to NFC deployments. Two hacks involved replacing the NFC tag on a vending machine, and spoofing a uniform resource identifier (URI) in a Smart Poster to connect the user to somewhere other than they wished. The vending machines in question are in Vienna where a phone is waved near the machine and an NFC connection asks the phone to send an SMS message. This premium-rate SMS message is used to pay for the snack. The hacker simply switches NFC tags between two machines and collects what is paid for using the other machine. It is also possible to display one URI to the phone’s user, while triggering the handset to connect to a different one. The Fraunhofer Institute for Secure Information Technology told Nokia about the problems last month; Nokia is already working on a fix. Source: http://www.theregister.co.uk/2008/05/29/first_nfc_hack/

Thursday, May 29, 2008

Daily Report

• The Associated Press reports that an Iranian-born naturalized U.S. citizen who worked as an engineer at the Palo Verde Nuclear Generating Station was convicted of illegally accessing a protected computer. The man quit his job in 2006 and brought a laptop to Iran containing training software with design schematics and other plant details. (See item 5)

• The Telegraph reports that CDC researchers have discovered a strain of the bird flu that appears to be moving towards developing traits that make human transmission more possible. The virus shows “the same strong sugar binding properties” that have characterized previous pandemics. (See item 27)

Banking and Finance Sector

10. May 28, Boston Globe – (Massachusetts) Secretary of State issues scam warning. The Massachusetts Secretary of State is warning consumers about a scam that offers the promise of winning a $250,000 sweepstakes but seems to be a scheme to obtain personal financial information. The official indicated that he was prompted to issue the warning following reports to the Securities Division of his office by people who said they have received letters with a $4,620 check in them with instructions to call a “service tax” agent and provide financial information. The check, which is supposed to be used to pay a “non-resident government service tax,” appears to be “fake,” the secretary’s office said. The current version of the scam claims to come from Newfoundland, and it announces a “compensation draw” for the “Sweepstakes Association of North America,” the official’s office said. “Unsolicited notices like this should always raise an immediate red flag,” he said in a statement. Source: http://www.boston.com/business/ticker/2008/05/galvin_issues_s_3.html

Information Technology

34. May 28, Silicon Republic – (International) ‘Digital 9/11’ unless EU network security heightened. Europe is in danger of experiencing a ‘digital 9/11’ if problems in national security approaches are not addressed, a European IT security organization has warned. ENISA, the EU Agency for European Network and Information Security, outlined some of the dangers posed by cyber attacks, spam and social networking misuse in its summary of its General Report 2007. The agency said EU member states have a long way to go to safeguard the European digital economy. It said that while spam cost business €64.5bn in 2007, double the figure for 2005, the fact that only 6 percent of spam reaches mailboxes gives the false impression that the problem is under control. However, ENISA noted that spam is growing in quantity, size and bandwidth and remains a costly problem, with the unseen 94 percent being an invisible part of the ‘iceberg.’ “Europe must take security threats more seriously and invest more resources in network and information security,” said the executive director at ENISA. “ENISA calls for the EU to introduce mandatory reporting on security breaches and incidents for business, just as the US has already done.” “The member states should undertake concerted efforts to reduce the imbalances in security levels, through more cross-border co-operation. ENISA is confident that the need for secure networks to safeguard the European economy is a distinct driving force for member states to co-operate more closely,” he added. Source: http://www.siliconrepublic.com/news/news.nv?storyid=single11127

35. May 27, IDG News Service – (National) New Adobe flaw being used in attacks, says Symantec. An unpatched bug in Adobe Systems’ Flash Player software is being exploited by online criminals, Symantec reported Monday. Few details on the bug are available, but the flaw lies in the latest version of the Adobe Flash Player browser plugin, which is widely used by Internet surfers to view animated Web pages. The flaw affects both the recently released Flash Player version 9.0.124.0 and version 9.0.115.0, according to an advisory posted Monday to Symantec’s Security Focus Web site. The flaw lets attackers run unauthorized software on the PC, and if the attack fails for some reason it will likely crash the browser, Security Focus said. Symantec is not aware of any vendor-supplied patches for the flaw, the advisory states. Flash bugs have lately been a favorite of attackers. Adobe last month patched seven bugs in Flash Player, including the one that allowed a hacker to win a laptop and US$5,000 for hacking into a Windows Vista machine in a March contest at the CanSecWest security conference. In January, Adobe and other Web-development-tool vendors had to fix bugs in their development tools that created buggy Shockwave Flash (.swf) files that could be exploited in a cross-site scripting attack. This attack can be used by phishers, but it also gives the bad guys a nearly undetectable route into a victim’s bank account or almost any type of Web service. Source: http://www.networkworld.com/news/2008/052708-new-adobe-flaw-being-used.html

36. May 27, Security Focus – (International) Microsoft: Kraken nearly Storm’s size. While researchers have disagreed as to the size and importance of the Kraken botnet, the malicious software has compromised roughly the same number of computers as a more famous bot program, Storm, Microsoft’s security response team stated last week in a blog post. Early data from Microsoft’s Malicious Software Removal Tool indicates that the Kraken botnet, which the company refers to as Oderoor, reached about 80 percent of the size of the Storm botnet, the team stated. In the first week following the inclusion of Kraken into its Malicious Software Removal Tool, Microsoft detected nearly 464,000 instances of the program and cleaned 254,000 machines. For the Storm Worm, which Microsoft refers to as Nuwar, the company detected 537,000 copies and deleted the program from nearly 320,000 machines in its first week. Source: http://www.securityfocus.com/brief/743?ref=rss

Communications Sector

37. May 27, Computerworld Singapore – (International) IT managers daunted by mobile device security. IT managers are reluctant to take on the responsibility of managing the mobile devices that employees are increasingly using and integrating with enterprise applications, according to a new report by Datamonitor in London. The report “Enterprise Mobility: Trend Analysis to 2012” also predicts global enterprise expenditures on mobile devices. According to the study, expenditures on mobile devices will grow from $6 billion today to an estimated $17 billion by 2012. The report highlights that this kind of growth underlines the need for IT managers to begin to implement mobile device policies. “Enterprises are fighting a losing battle against employees when it comes to mobile devices, and they should consider supporting a limited selection of devices rather than banning them outright,” said an analyst at Datamonitor and the report’s author. Security concerns are the largest barrier to mobility deployments, according to the author. In March 2007, Datamonitor conducted a survey of 467 IT managers, CIOs and IT decision-makers to establish issues that are currently preventing enterprises from investing in mobility products. It found that the majority of the respondents rated security as the greatest barrier to adopting those products. According to the study, as mobile devices like the iPhone are increasingly becoming popular among end users, enterprises are finding that employees want to be able to integrate their personal devices with their corporate e-mail account and other applications. They do not want one device for personal use and an IT-issued device for work. However, according to the report, so far very few IT departments have yielded to these changing scenarios and are refusing to be responsible for managing such a wide variety of mobile devices. Source: http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9089539&source=rss_topic15

Wednesday, May 28, 2008

Daily Report

• The Associated Press reports that a new Government Accountability Office (GAO) report finds that gaps in port security make the U.S. vulnerable to a terrorist attack. (See item 11)

• ComputerWorld reports that a penetration tester was able to hack into a major FBI database in six hours using lapses in infrastructure design and patch management. (See item 34)

Banking and Finance Sector

7. May 27, Salt Lake Tribune – (National) D.A.: Rearrest fraud suspect. The U.S. district attorney wants to rearrest a man accused of creating a fake bank in Utah and taking millions of dollars from banks, investors and casinos nationwide, even while he was in jail. The suspect surrendered to the FBI in March after he allegedly tried to buy part of a Utah company with a $535,000 counterfeit check. He was released after a detention hearing and his assurances to make good on the payment. The scheme now appears to be part of a complex web of phony bank transactions backed by fake cashier’s checks, according to U.S. District Court documents. Authorities say the illegal acts continued after the man’s release. More than 50 victims have been identified, and authorities think there may be more. The plot started in November 2007, when the man created the First Mutual Bank, portraying it on a Web site as an international bank based in London with locations in New York, Los Angeles and Salt Lake City. First Mutual and several other false banks with similar names were based in South Jordan and never were legitimate. The man allegedly printed three boxes of cashier’s checks in the First Mutual name. Using a variety of schemes, he swindled collateral payments from banks, credit unions and at least one real estate investor. After his release, documents state, he “continued unabated,” representing himself with a false name to new investors and reassuring others that he was not under investigation. On May 16, the U.S. Attorney’s Office released the results of its continued investigation and asked that his release be revoked. The man, according to court documents, had committed similar crimes in Switzerland. Source: http://www.sltrib.com/ci_9388897

8. May 27, Pittsburgh Post-Gazette – (Pennsylvania) Scam artists play ‘dialing for dollars.’ The latest telephone and text message scam to surface in Philadelphia spread into Wilkes-Barre and Scranton and then into Harrisburg, Pennsylvania. “It may be moving into your area next,” said the deputy press secretary for the Attorney General, referring to Pittsburgh and other cities and towns in Western Pennsylvania. “The scammers are using boiler rooms [no-frills call centers] and working their way through the state’s area codes.” The latest attempt to separate Pennsylvanians from their money is an international long-distance telephone scam with two variations: Consumers receive phone or text messages asking them to call what appears to be an ordinary long-distance number to confirm a lottery or sweepstakes prize. The other, more insidious variation of the scam asks consumers to call the number to get information about a relative who purportedly has been injured in an accident or is hospitalized. “Unsuspecting consumers who return these messages are actually calling international long-distance numbers, mainly in the Caribbean, and can be charged hundreds of dollars per minute for the calls,” said the official. He said the crooks are taking advantage of the fact that some international numbers, such as 876 (Jamaica), 345 (the Cayman Islands), 284 (the British Virgin Islands) and 809 (the Dominican Republic), look like ordinary domestic area codes. Consumers should call directory assistance or an operator to check on the location for any unfamiliar number, and ask what the per-minute charges are for the number. They also should carefully review their monthly phone bills and immediately contact their phone company to dispute any unauthorized charges. Source: http://www.post-gazette.com/pg/08148/885034-94.stm

9. May 26, Examiner – (District of Columbia) D.C. finance office workers took thousands in funds, report says. Employees in the District of Columbia’s finance office helped themselves to thousands of dollars from an emergency cash fund that was supposed to help city workers, the Examiner has learned. Three employees, including a high-ranking finance official, have been fired in the wake of the scandal, sources familiar with an ongoing investigation said. Employees were taking petty cash from boxes around the city, the sources said. They were also keeping cash and checks from payments back into the fund to cover themselves in case their drawers were short. The allegations are detailed in a report from the D.C. Auditor office that is still being drafted. The city’s inspector general is also investigating. It is unclear how extensive the damage was. Records are scattershot, and the cash advance program did not have internal controls to spot trouble, the sources said. Source: http://www.examiner.com/a-1408996~D_C__finance_office_workers_took_thousands_in_funds__report_says.html

10. May 24, The Day – (Connecticut) Troopers’ office warns of bank check scam. The Montville, Connecticut, Resident Troopers’ Office said citizens are receiving fraudulent bank checks for promising to return 10 percent of the funds to a third party. A Resident State Troop sergeant said phone solicitation is also on the rise, with parties calling to claim they are bank representatives. He said anyone who receives such a call should hang up and immediately call his or her bank branch directly. Source: http://www.theday.com/re.aspx?re=adf15fbf-194d-42f3-871b-be0680adfb6d

Information Technology

34. May 27, ComputerWorld – (National) Six hours to hack the FBI. A penetration tester at PatchAdvisor Inc. hacked his way into a major FBI crime database within a mere six hours. He used “security lapses in both infrastructure design and patch management.” He said that during a routine network scan, he discovered a series of unpatched vulnerabilities in the civilian government agency’s Web server, as well as other parts of the enterprise. He then used a hole in the Web server to pull down usernames and passwords that were reused on a host of enterprise systems. In those systems, he found further account details that allowed him to get Windows domain administrator privileges. Using this privileged access, he was able to gain full control of almost all Windows-based systems in the enterprise, including workstations used by the on-site police force. He noticed that several police workstations had a second networking card installed that used the SNA protocol to directly talk to an IBM mainframe. By covertly installing remote control software on those workstations, he found programs on their desktops that automatically connected the workstations to the FBI’s NCIC database. “That software, coupled with a keystroke capture program, would allow an attacker to grab the credentials needed to log into the FBI’s National Crime Information Center database,” he says. Like most vulnerabilities he’s found over his years of paid ethical hacking, this one could have easily been eliminated with some basic security strategies, he says. For instance, the police network should have been firewalled off from the main enterprise network, and the investigators’ workstations kept out of the larger domain. Also, he says the agency should not have allowed those workstations both NCIC and general enterprise network access, since they were connected to something with such obvious national security implications. Finally, the system administrators should have monitored and blocked the common reuse of passwords. Source: http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9087441&pageNumber=1

35. May 27, Reuters – (International) Hackers make way for criminals in cyberspace. Attacking the European Union’s Internet backbone is now the preserve of organized crime, not young hackers out to prove a point, the executive director of the European Network and Information Security Agency (ENISA) said, adding that public authorities have been able to hold their own in the contest – so far. There is a continuous struggle between the attackers and the increases in protection of information systems. “It’s a contest,” he told Reuters. The economy of the EU’s 27 nations, like elsewhere in the world, increasingly depends on a trouble-free Internet to operate, but there have been reminders of what can go wrong. Last year, government websites in Estonia crashed with the Baltic state accusing Russia of being behind what many saw as the first major cyber attack in Europe. But with a budget of just $12.6 million a year and a staff of 50, ENISA needs more resources, ENISA’s director added. Source: http://www.informationweek.com/news/security/cybercrime/showArticle.jhtml?articleID=208400171

36. May 27, Search Engine Watch – (International) CAPTCHA hacks for Gmail, Blogspot, Craigslist causing problems. Hackers seem to have found a way to work around CAPTCHA – the once great hope of stopping bots from spamming. A Search Engine Watch Forum member noted that there are now programs being offered that work around the filter. Source: http://www.hackinthebox.org/index.php?name=News&file=article&sid=26803

Communications Sector

37. May 27, Wall Street Journal – (National) Do hackers pose a threat to smart phones? Like computers, smart phones are vulnerable to viruses and other types of malicious software. By all accounts, the risk of a smart-phone attack is low, but as people start using the devices for more sensitive tasks – handling customer data and transferring corporate files – security experts say smart phones may become more vulnerable. So companies are working to protect both the devices and the networks behind them. At the corporate level, IT departments are cracking down, mainly by limiting access these devices have to internal networks. On the consumer front, computer-security companies are selling antivirus software that scans for rogue applications. Smart phones are used mainly by professionals who want to access corporate email and send documents on-the-go. But the market for these high-end devices is growing. So far, there are about 300 to 500 known versions of malicious software, or malware, written for phones – a small number compared to those that attack personal computers. Malware infects phones through email attachments and text messages that ask users to download an application. They also can be delivered over wireless connections using Bluetooth technology. The majority of mobile malware has been written for phones using the Symbian operating system, which is found in about 65 percent of the global smart-phone market, according to ABI Research. Phones that run Symbian include some models made by Nokia, Samsung and Sony Ericsson. Regardless of the operating system, the greatest risk of infection comes from third-party applications, such as games and ringtones. Beyond downloading software only from trusted companies, individuals who own personal smart phones can protect themselves with antivirus software. Source: http://online.wsj.com/article/SB121184343416921215.html?mod=googlenews_wsj

38. May 25, Financial Mail – (International) Huge security alert over BT broadband. Hundreds of thousands of British Telecom (BT) broadband customers are at risk of massive breaches of their computer security because of a flaw in the Home Hub wireless network systems installed by the telecoms giant. BT has 4.4m broadband customers and it is believed most of those supplied with wifi boxes are vulnerable to hacking. Only the latest versions of the BT system are safe from attack. And though BT has been aware of the problem for months, it has not written to customers to warn them of the risk and the simple fix. Computer experts last week demonstrated to Financial Mail how easy it was for a hacker to use a free computer program to join a household network without being told the password. It took five minutes for the program to probe the wi-fi hub and gain access. From there, more skilled computer criminals could access and seize vital personal data from individual computers. Source: http://www.thisismoney.co.uk/bbphone/article.html?in_article_id=442103&in_page_id=182&ct=5

Tuesday, May 27, 2008

Daily Report

• According to CBS News, a major supplier of material used in military and commercial cargo-carrying aircraft may be endangering passengers with products that do not meet specifications and can leave behind contaminants that weaken finished parts. (See item 20)

• Reuters reports that U.S. federal agencies must do a better job of sharing information with each other as well as state, local, and private organizations to combat deadly bacteria such as E. coli that threaten thousands of people each year, according to a study by the Centers for Disease Control and Prevention released on Thursday. (See item 28)

Banking and Finance Sector

13. May 23, Republican-American – (National) Security breach could involve more banks. A security breach at the Bank of New York Mellon Corp. may have compromised the information of customers at several other banks, Connecticut’s attorney general said Thursday. A preliminary investigation indicated that computer tapes that disappeared in February included data from the Bank of New York Mellon and People’s United Bank of Bridgeport. It also may have included the data of customers of Webster Bank and Wachovia, the attorney general said. People’s has acknowledged sharing its customers’ information with the New York bank. It was unclear why the Bank of New York Mellon had information on the other two banks’ customers. The tapes contained millions of Social Security numbers, names and addresses and possibly bank account numbers and balances, he said. Source: http://www.rep-am.com/news/doc4836b62357510423039668.txt

14. May 23, Tech World – (National) Banker: Payment collaboration to curb Internet fraud. With the business of Internet banking changing and online threats growing, the industry needs to adapt and integrate security technology across more channels and be more collaborative to reduce fraud, according to a Standard Chartered Bank consumer banking risk advisor. He said there is a problem with payment security in general and even the recent trend of two-factor authentication is not a remedy. During his keynote address on implementing multi-factor authentication for Internet banking at this year’s AusCERT security conference, the specialist spoke of how his personal experience with electronic payments spurred his professional interest. As far as the fraudsters are concerned, the theft of funds needs to be automated, which means they need to have some form of straight-through processes of their own. As they do this the banks are moving to faster payments due to demand from customers. The specialist used the term “Payment Security 1.0” to describe the next evolution in electronic financial transactions which involves more contextual information from the user and the bank. “Two-factor authentication does improve security, but it could be better. You should know what’s going on in the transaction and authorization can be a multi-party dilemma,” he said, adding there could be times when the bank is involved. Standard Chartered has now implemented two-factor authentication in five countries with plans to extend it to twenty. Of the two-factor authentication methods - including tokens, display and “bingo” cards, SMS, and IVR call back - Standard Chartered is deploying them in various ways in different countries. Source: http://www.networkworld.com/news/2008/052108-banker-payment-collaboration-to-curb.html

15. May 23, Insurance Journal – (National) FBI says fighting financial crimes a priority; insurance cases top 200. The Federal Bureau of Investigation pursued 529 financial crime cases in its most recent fiscal year, including 209 insurance fraud cases. The FBI said it expects the number of cases and subsequent arrest and conviction statistics to rise in the near future as more fraud is uncovered in the wake of Hurricane Katrina. The insurance fraud cases are included in the FBI’s Financial Crimes Report to the Public, Fiscal Year 2007, which discusses corporate fraud, securities and commodities fraud, health care fraud, mortgage fraud, insurance fraud, mass marketing fraud, and asset forfeiture/money laundering. “Financial crimes affect the economic security of millions of Americans, and the FBI is dedicated to working with our partners in industry and law enforcement to combat these offenses,” said the assistant director of the FBI Criminal Investigative Division. Some key findings presented in the report include: As of the end of FY 2007, 529 corporate fraud cases were being pursued by the FBI, several of which involve losses to public investors that individually exceed $1 billion; 2,493 health care fraud cases; 1,204 pending mortgage fraud cases; and 548 money laundering cases. The report said the FBI considers insurance fraud an investigative priority, due in large part to the insurance industry’s significant status in the U.S. economy. The Coalition Against Insurance Fraud (CAIF) estimates that the cost of fraud in the industry is as high as $80 billion each year. This cost is passed on to consumers in the form of higher premiums. Source: http://www.insurancejournal.com/news/national/2008/05/23/90276.htm

16. May 22, Computerworld – (National) ING looks to help customers secure online transactions. Despite numerous security measures by online banks and e-commerce sites to secure consumer data, few have been able or even willing to directly protect customers using their sites from phishing scams and data-stealing malware. Among those looking to make a change is online bank ING Direct USA, which this week made available a small software tool from Trusteer Inc. that is designed to protect consumers against online fraud and ID theft. Trusteer’s Rapport software, available as a free download, helps protect customers by essentially building a secure connection between a user’s desktop and the Web site he is accessing, said the Trusteer CEO. All communications and transactions between the user and the site are carried out within this secure tunnel, he said. The goal is to prevent the data that is exchanged during an online transaction from being stolen by keystroke loggers and other types of threats such as man-in-the-middle attacks and session hijacking, he said. Source: http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9088259&intsrc=hm_list

17. May 22, News-Gazette – (Illinois) ‘Phishing’ scam involves e-mails, phone requests. Credit union and telecommunications officials are warning Champaign-Urbana, Illinois, area residents about recent waves of “phishing” scams trying to get private credit information. The president of Land of Lincoln Credit Union based in Decatur, said members and nonmembers have received e-mails, text messages and direct phone calls since late May 13, all asking for information on credit union accounts, credit cards or debit cards. “We want our members and the general public to know we don’t ask for account information. We already have that information. They need to be careful.” Consolidated Communications, which offers phone, Internet and cable television services, including offices in Charleston and Mattoon, also put out warnings Tuesday to its customers about the scam. The phony calls asked people to call a phone number in the 303 area code, a spokeswoman for Consolidated Communications said. The scam included asking people to complete a survey and receive cash, notices that accounts or cards had been suspended or claims that the credit union on-line banking services were down. In all cases, the messages or calls asked people for their account information or credit or debit card account numbers and personal identification numbers. Source: http://www.redorbit.com/news/technology/1399110/phishing_scam_involves_emails_phone_requests/

Friday, May 23, 2008

Daily Report

• According to Bloomberg, Swedish bomb technicians found no unusual objects in a nuclear reactor they investigated after police arrested two men yesterday on suspicion of sabotage. The plant was turned off Wednesday and was searched by police Thursday. (See item 3)

• The Day reports that several hundred thousand People’s United Bank customers in Connecticut were hit by a data breach in February when the Bank of New York Mellon lost an unencrypted backup tape provided by People’s Bank. The state’s attorney general’s office said the tape included bank account information, Social Security numbers and other data about depositors and investors tied to the bank, and involved about 4.5 million accounts. (See item 10)

Banking and Finance Sector

10. May 22, The Day – (Connecticut) People’s Bank customers at risk from data breach. Several hundred thousand People’s United Bank customers in Connecticut have been hit by a data breach that potentially exposed their personal information, a state Attorney General said Wednesday. He said the Bank of New York Mellon lost an unencrypted backup tape provided by Bridgeport-based People’s Bank, resulting in the data breach involving about 4.5 million accounts. The tape included bank account information, Social Security numbers and other data about depositors and investors tied to the bank, he said. The official was particularly concerned with the amount of time that elapsed between the discovery of the data breach and the reporting of it. Bank of New York lost the information in February but did not start informing consumers until six weeks ago, the official said. He said the Bank of New York Mellon on February 27 gave an unencrypted backup tape as well as nine other tapes to a storage firm, Archive Systems Inc. of Fairfield, New Jersey, which was assigned to store the information. But when a storage company vehicle arrived at the storage facility, one of the tapes could not be found. According to a letter from the official to the Bank of New York, a lock on the truck was broken, and the truck had been left unattended several times. People’s Bank has 10 locations in southeastern Connecticut and more than 150 locations statewide. Source: http://www.theday.com/re.aspx?re=1a830cf7-5c18-476e-84b5-0d8b0162ff00

11. May 22, Washington Post – (District of Columbia) Banker admits to role in tax office scam. A former Bank of America manager pleaded guilty yesterday to participating in a massive embezzlement at the District of Columbia tax office, admitting that he deposited nearly $18 million in fraudulent checks and helped distribute the stolen money to others in the scam. Authorities say up to $50 million in property tax money was stolen in the form of fraudulent refund checks in a scam allegedly orchestrated by a former tax office manager, who is in jail awaiting trial. She has pleaded not guilty. The theft was the biggest municipal fraud in memory in the Washington area. Only a small fraction of the money has been recovered. Source: http://www.washingtonpost.com/wp-dyn/content/story/2008/05/21/ST2008052102629.html

12. May 21, Reuters – (Idaho) Five indicted in $20 million Idaho mortgage scam. An Idaho bank officer and four others accused of masterminding a mortgage scam were indicted in Boise on Wednesday on charges of defrauding an Idaho bank of $20 million, according to federal prosecutors. Authorities say the accused, including two building contractors, a mortgage broker and a Realtor, all from the Boise, Idaho area, provided false financial data and fraudulently fronted applicants -- known as straw buyers -- in an attempt to obtain 49 house loans. The FBI has linked a jump in mortgage fraud to “an ideal climate” created by the slump in the U.S. housing market. Source: http://www.reuters.com/article/domesticNews/idUSN2142808620080522

13. May 21, U.S. World News – (National) Warning: Chinese earthquake scam reported. The FBI is warning consumers to be on the lookout for e-mails purportedly soliciting funds to support the victims of the recent earthquake in China. “Some of the Chinese earthquake scam messages claim to be offering free vacation trips to the largest donors and even use fake logos of legitimate online pay services to fool people,” the FBI said in a release. Similar fraudulent efforts followed other recent tragedies, such as 9/11, Hurricane Katrina, and the shootings at Virginia Tech, the FBI said. Criminals apparently use such events to prey upon the sympathy of individuals. Source: http://www.banktech.com/aml/showArticle.jhtml?articleID=207800150&cid=RSSfeed_BankTech_News

Information Technology

33. May 22, BetaNews – (National) iCal bugs can lead to DoS and code execution attacks. Researchers with Core Security have found three vulnerabilities in Mac OS X’s calendaring application that could create havoc for users. The most serious vulnerability deals with a memory corruption issue that is triggered by the execution of a specially-crafted .ics file. At the heart of it is a resource liberation bug which is triggered through the file, thus allowing code execution. A user could lose control of his or her Mac through this bug, the firm warned. While it appears the bug needs to be exploited with some intervention from the end-user, Core said it may be exploitable without as well. Both of the remaining flaws deal with denial of service issues, where repeated crashes prevent use of the iCal application. As with the previous bug, a specially-crafted .ics file is launched, which then takes advantage of a null-pointer dereference bug in the software. Core could not find any evidence that this issue could also result in code execution. “Exploitation of these vulnerabilities in a client-side attack scenario is possible with user assistance by opening or clicking on specially crafted .ics file sent over email or hosted on a malicious web server; or without direct user assistance if a would-be attacker has the ability to legitimately add or modify calendar files on a CalDAV server,” the firm said in an advisory. The flaw was found on iCal 3.0.1 running on Mac OS X 10.5.1. Upgraded versions of the software are not affected. Source: http://www.betanews.com/article/iCal_bugs_can_lead_to_DoS_and_code_execution_attacks/1211469285

34. May 21, Dark Reading – (National) ‘Hack-and-Pier’ Phishing on the Rise. Researchers have witnessed a growing trend in phishers hacking into legitimate Websites to host their phishing exploits, enabling them to keep their attacks alive longer. A blog post Wednesday from F-Secure noted a series of so-called ‘hack-and-pier’ phishing exploits that had been reported to phishing clearinghouse PhishTank. “Instead of setting up their own sites, we’re seeing more and more evidence of phishing from hacked sites; legitimate sites that are unknowingly hosting phishing,” the blog said. “And then the site cannot simply be pulled offline without collateral damage to the legitimate business. So the Website’s administrator must be contacted to repair the damage.” According to MarkMonitor, only a small percentage of phishing sites today are created with purchased domain names or hosting. “A study we did in late 2007 showed that over 80 percent of phishing sites were hacked legitimate sites or free Webhosting sites,” says the director of anti-phishing for MarkMonitor. Traditionally, a phisher would register a bogus URL that looked a lot like the real thing, but was a letter or two off, such as “paypol” rather than “paypal,” or a more obscure URL that was less likely to get flagged. But those URLs can be easy to spot and shut down, so phishers have been moving to legit Websites as a way to extend the life of their exploits. An F-Secure representative said in an interview that his firm in the past has seen many examples of hacked legit sites for phishing and other cybercrime uses. “It is a growing trend,” he says. “Like any other technique, practice makes perfect.” As long as there are vulnerable Websites, hack-and-pier phishing isn’t going anywhere. “Until the Website’s vulnerabilities are resolved, the phishers will just continue to hack and pier,” he said. Source: http://www.darkreading.com/document.asp?doc_id=154558

Communications Sector

35. May 22, IDG News Service – (National) Cisco patches router flaw ahead of rootkit talk. Cisco has issued three security patches, fixing bugs that could crash its products and drawing a warning from the SANS Internet Storm Center. The updates, issued Wednesday, fix denial of service bugs in the SSH (Secure Shell) software in Cisco’s Internetwork Operating System (IOS), used to power its routers, and in the Cisco Service Control Engine, which provides carrier-grade networking services. Cisco has also patched a privilege escalation vulnerability in its Voice Portal automated telephone customer service software. In its security advisories Cisco said that all of the bugs had been discovered by its own researchers, but SANS warned that researchers are likely reverse-engineering the patches and may release exploit code publicly. These particular updates are getting extra attention from the security community, which is now closely investigating how malicious software might work on IOS, an operating system that has largely evaded serious scrutiny. On Thursday, for example, Core Security is slated to give a widely anticipated presentation on a Cisco rootkit it calls the DIK (Da Ios rootKit) at the EuSecWest conference in London. Cisco recently changed its software update policy, saying it will now only issue IOS patches in March and September each year, unless forced to rush out a fix for serious bugs that were publicly disclosed or which were being actively exploited. Source: http://www.infoworld.com/article/08/05/22/Cisco-patches-router-flaw_1.html

Thursday, May 22, 2008

Daily Report

• According to the Washington Post, a GAO report released Wednesday found that the Tennessee Valley Authority is vulnerable to cyber attacks that could sabotage critical systems that provide electricity to more than 8.7 million people. This is due to the TVA’s Internet-connected corporate network being linked with systems used to control power production. (See item 2)

• KGO 7 San Jose reports that the Communication Workers Union will allow their workers to honor the picket lines of janitors protesting high tech Bay Area companies, potentially delaying the installation and repair of data telephone and fiber optic lines. (See item 39)

Information Technology

36. May 21, Register – (International) Mass SQL injection hits English language websites. Thousands of websites in China have been booby trapped with code written to download Trojan software onto visitors who run vulnerable Windows PCs. Unlike earlier rounds of SQL injection attacks the latest assaults mostly target English language sites (predominantly sites hosted in China but with a .com suffix) and purposefully avoid Chinese government sites, according to net security firm ScanSafe. The latest attacks inject an iFrame onto compromised sites that loads malicious scripts from qiqigm.com, a domain registered on 16 May. These scripts include the text “silent love china” in an apparent greeting to other Chinese hackers. The malicious code exploits well-known RealPlayer and Internet Explorer vulnerabilities to install a password-stealing Trojan that hides its presence on Windows PCs. More than 7,000 sites have been compromised in this way, reports ScanSafe’s senior security researcher. English language Hong Kong stock brokerage kgieworld.com and Kodak camera reviews at digitalcamerareview.com are among the sites hit by the drive-by download attack. The attacks are the latest in a wave of SQL injection attacks against websites that began this month. More than one group, using different sets of tools to inject attack code, is involved, according to F-Secure. The net security firm Trend Micro says two exploits used in the latest SQL injection attacks are related to Chinese-language software, suggesting miscreants are specifically targeting the Chinese speaking world. Source: http://www.theregister.co.uk/2008/05/21/china_sql_injection_attack/

37. May 20, Agence France-Presse – (International) IT chiefs warn of cyber-terrorism threat. The threat of cyber-terrorism is growing and most countries are vulnerable to attacks that can shut down critical infrastructure, global experts told a conference here Tuesday. “The hard reality is that (information technology) has become a tool for cybercrime and cyberterrorism,” said a representative from the United Nations’ International Telecommunications Union. “Cybersecurity must be the cornerstone of every aspect of keeping ourselves, our countries and our world safe,” he told the conference, which the Malaysian hosts are billing as the first on cyber-terrorism and security. The U.N. official dismissed as a dangerous myth the idea that events in the virtual world have only a limited impact on the physical world, saying that technology has “changed the dynamics of terrorism.” Small groups or even individuals are capable of gaining control of millions of computers, “which can be used, for instance, to launch denial-of-service attacks on a nation’s critical infrastructure,” he said. Malaysia said it was launching a global center to combat cyber-terrorism which will provide emergency response to high-tech attacks on economies and trading systems worldwide. The center, which is expected to be built by the end of the year at the nation’s IT hub of Cyberjaya, south of Kuala Lumpur, will be funded by governments and the private sector. Source: http://news.yahoo.com/s/afp/20080520/tc_afp/malaysiaattacksinternet

38. May 20, Computerworld – (National) Phishers point scam at Apple’s iTunes. Phishers have targeted users of Apple Inc.’s iTunes music store with sophisticated identity theft attacks for the first time, a security company said today. People began receiving spam messages yesterday telling them that they must correct a problem with their iTunes account, said an executive at e-mail security vendor Proofpoint Inc. A link in the spam leads to a site posing as an iTunes billing update page, which asks for information, including credit card number and security code, Social Security number and mother’s maiden name. The theft attempt is a new twist on the usual phishing attack, he said. “We’ve gotten used to seeing the usual companies and brands attacked,” he said, “like PayPal, eBay and Citibank. But we’ve never seen Apple as the target.” He also speculated that the identity thieves aimed the new attack at iTunes users because of the service’s perceived demographics. “I wonder if the bad guys are thinking that [iTunes users] are younger than those for some of the other phished sites, like banks and eBay,” he said. “The way that teenagers and young adults use the Internet, they show a certain level of trust or openness when they post their name and age and school on MySpace.” Source: http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9087358&source=rss_news10

Communications Sector

39. May 20, KGO 7 San Jose – (California) Janitors picket Silicon Valley companies. Thousands of janitors working at the biggest Silicon Valley companies began picketing some of the signature buildings in the Silicon Valley and the Bay Area Tuesday, demanding that the tech leaders help the janitors make a livable wage. An estimated 6,000 union workers voted to strike after rejecting the latest offer from their companies. Janitors were said to be walking out of Hewlett-Packard and Oracle buildings. There were no new negotiations as of Tuesday, and Teamsters refused to cross the lines in order to pick up the trash at Cisco. On Saturday, more than 6,000 members of the Service Employee International Union voted to walk out of bio tech and high tech buildings all over the Bay Area. The dispute is over health care co-payment increases and a raise. The strike began Tuesday at Yahoo and Cisco and is expected to spread throughout the Bay Area. Cisco representatives issued a statement: “Please note that this is a contract dispute between a third-party service provider and its employees. This is not a dispute between Cisco and its employees.” The Communication Workers Union said they will allow their workers to honor the picket lines, potentially delaying the installation and repair of data telephone and fiber optic lines until the dispute is resolved. Source: http://abclocal.go.com/kgo/story?section=news/local&id=6153583

Wednesday, May 21, 2008

Daily Report

• According to Bloomberg, a Norwegian workers strike has closed six more airports, bringing the total number to twelve and limiting access to oil drilling platforms off the coast. (See item 1)

• The Dayton Daily News reports that Georgia-based Latex Construction Co, a contractor on the 1,679-mile Rockies Express natural gas pipeline, is under federal investigation amid allegations by former project inspectors that crews failed to install required equipment designed to prevent breaches that could trigger explosions on the pipeline. (See item 15)

Information Technology

29. May 20, vnunet.com – (National) Mass website hacks here to stay. McAfee Security experts have warned that the recent rash of large-scale website attacks may not be a fleeting trend. A McAfee researcher believes that the attacks, which simultaneously target hundreds of thousands of web pages, could be a sign of things to come. The nature of the attacks makes them very hard to prevent, and simply removing the exploit code may not protect sites from further infection. His assessment follows several SQL injection attacks in recent months. The attackers are believed to have used automated scripts to run input-validation attacks on pages. The script embeds a small section of JavaScript on the compromised page. Users attempting to access the pages are silently routed to a third-party site run by the attacker. This page then attempts to execute a number of browser exploits in an effort to install malware. Source: http://www.vnunet.com/vnunet/news/2217001/mass-hacks-here-stay

30. May 20, Computerworld – (National) New attack trend pushes POS encryption to the fore. The relatively scant attention that retailers have paid to securing their point-of-sale systems over the past few years is making the POS setups increasingly attractive targets for cybercrooks who are looking to steal payment card data. Hoping to help merchants address that situation are a handful of vendors who have begun offering new products aimed at making POS environments a lot harder to crack. The biggest of those vendors is VeriFone Holdings Inc., which last month released a security tool designed to let merchants encrypt credit and debit card data from the moment a card is swiped at a merchant’s PIN entry device all the way to the systems of the company’s external payment processor. VeriFone’s VeriShield Protect software is based on patented technology from Semtek Innovative Solutions Corp., which makes appliances for securely decrypting data. VeriFone said that Semtek’s technology, called the Hidden Triple Data Encryption Standard, can be used to encrypt personal account numbers and the so-called Track 2 data stored on the magnetic stripe located on the back of payment cards. That information includes card numbers and their expiration dates. Source: http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9086898&taxonomyId=17&intsrc=kc_top

31. May 20, IDG News Service – (National) XP SP3 hit by new networking bug. The latest service pack for Windows XP continues to cause problems for users. According to an online user forum, the latest glitch in Windows XP Service Pack 3 (SP3) is with the remote desktop access feature of Windows Home Server. Windows XP users running Windows Home Server, Microsoft’s home storage and local networking server, report that SP3 has been cutting off their access to the server from their PCs. The remote desktop access feature would ask users to add their home server’s website address in order to access it even after they already had, users reported.
Source: http://www.techworld.com/opsys/news/index.cfm?newsID=101547&pagtype=all

Communications Sector

32. May 20, OneStopClick – (International) Smartphone use by businesses ‘increases security threat.’ The increasing use of smartphones by businesses is leading to higher security threats as handset theft grows, according to a survey by Airwide Solutions. Figures from the Home Office showed that 800,000 mobile phones were reported as stolen in the UK in 2006. Airwide Solutions has said that because information like bank details, PIN codes, passwords, and company and personal details is held on smartphones, they present a significant security risk if lost. The company believes one way to combat this threat is to use software which locks and wipes data on the device if it is stolen. Source: http://www.onestopclick.com/news/Smartphone-use-by-businesses-’increases-security-threat’_18601254.html

Tuesday, May 20, 2008

Daily Report

• The Washington Post reports that security specialists and members of Congress fear that the new State Department-issued RFID electronic passport cards pose a security risk as they “will be vulnerable to alteration or counterfeiting.” (See item 21)

• According to the Canadian Press, the U.S. military in Naples, Italy, is sampling tap water and soil for pesticides and other pollutants because of worries that tons of uncollected garbage poses a health risk for its personnel based in the city. (See item 28)

Information Technology

35. May 19, IDG News Service – (National) Researchers find new ways to steal data. In two separate pieces of research, teams at the University of California (UC), Santa Barbara, and at Saarland University in Saarbrucken, Germany, describe attacks that seem ripped from the pages of spy novels. In Saarbrucken, the researchers have read computer screens from their tiny reflections on everyday objects such as glasses, teapots, and even the human eye. The UCSB team has worked out a way to analyze a video of hands typing on a keyboard in order to guess what was being written. Computer security research tends to focus on the software and hardware inside the PC, but this kind of “side-channel” research, which dates back at least 45 years, looks at the physical environment. The UC researchers’ “Clear Shot” can analyze video of hand movements on a computer keyboard and transcribe them into text. It’s far from perfect – a graduate student at UCSB says the software is accurate about 40 percent of the time – but it is good enough for someone to get the gist of what was being typed. Source: http://www.infoworld.com/article/08/05/19/Researchers-find-new-ways-to-steal-data_1.html

36. May 19, IDG News Service – (International) Update: Mass SQL injection attack targets Chinese Web sites. First detected on May 13, a large-scale SQL attack is coming from a server farm inside China, which has made no effort to hide its IP (Internet Protocol) addresses, said the chief executive officer of Armorize Technologies, in Taipei. “The attack is ongoing, ... even if they can’t successfully insert malware, they’re killing lots of Web sites right now, because they’re just brute-forcing every attack surface with SQL injection, and hence causing lots of permanent changes to the victim Web sites,” he said. A screenshot of a Web site belonging to the Mackay Memorial Hospital in Hsinchu, Taiwan, showed the rendering of the site had been affected and displayed the SQL string injected by the attack, he said. Thousands of Web sites have been hit by the attack, he said, noting that 10,000 servers alone were infected by malware last Friday. Most of those servers are located in China, while some are in Taiwan. The attackers appear to be using automated queries to Google’s search engine to identify Web sites vulnerable to the attack, he said. Among the sites hit on Friday were Soufun, a real estate Web site, and Mycar168, a site for automobile enthusiasts. The attackers are not targeting a specific vulnerability. Instead they are using an automated SQL injection attack engine that is tailored to attack Web sites using SQL Server. The malware the attack injects comes from 1,000 different servers and targets 10 vulnerabilities in Internet Explorer and related plugins that are popular in Asia, he said. Source: http://www.infoworld.com/article/08/05/19/Mass-SQL-injection-attack-targets-Chinese-Web-sites_1.html

Communications Sector

37. May 17, CNet News Blog – (National) Cell phone, VoIP technologies lack security, experts say. Be careful what you say over that mobile phone or VoIP system. The most widely used mobile phone standard, GSM, is so insecure that it is easy to track people’s whereabouts and with some effort even listen in on calls, a security expert said late on Saturday at the LayerOne security conference. “GSM security should become more secure or at least people should know they shouldn’t be talking about (sensitive) things over GSM,” said the expert, who has cracked the encryption algorithm the phones use. “Somebody could possibly be listening over the line.” GSM is used in Nokia and other phones from carriers AT&T and T-Mobile, for instance. For as little as $900, someone can buy equipment and use free software to create a fake network device to see traffic going across the network. “You can see all the cell phones connected to the base station,” he said. “You can’t see calls, but people associated with the calls. You can also do location tracking. If you know somebody is on the network you can see how close to the base station they are.” That is possible because the subscriber identifier, which is basically the user identification number, can easily be seen on the traffic, although the identifiers are never supposed to be transmitted in plain text, he said. “I know exactly where you are on the network.” Earlier in the day, attendees learned about issues with VoIP systems, which can reduce communications costs for corporations and consumers but typically “have little to no security,” said a senior security consultant with security firm Netspi. VoIP systems based on open standards are not encrypting the traffic, which leaves them at risk for eavesdropping, forged or intercepted calls and bogus voice messages, he said, adding that there are numerous tools for doing that, with names like “Vomit” and “Cain and Abel.” Source: http://www.news.com/8301-10784_3-9946665-7.html