Monday, June 18, 2007

Daily Highlights

USA TODAY reports data thieves and con artists are increasingly targeting military personnel, at risk since the Department of Defense uses Social Security numbers for everything from dog tags to chow−line rosters. (See item 10)
MyFox Colorado reports Longmont, Colorado, police found a small bomb factory of chemicals, explosives, and compounds in a home and believe they may have solved a year−long investigation into small explosions. (See item 33)

Banking and Finance Sector

June 15, InfoWorld — PayPal, eBay offer Security Key to U.S. customers. PayPal unveiled a new Security Key on Friday that will add an additional layer of security to user accounts and help prevent online criminals from gaining access to them. The PayPal Security Key is a small electronic token that generates a unique code that can be used in addition to a user name and password when users sign in to their PayPal account. The company announced the news as part of eBay's week−long Developer Conference in Boston. It provides PayPal customers with so−called "two factor" authentication that makes it harder for online criminals to raid accounts, even if they do trick users into giving up their user name and password using online "phishing" scams, according to Michael Barrett, chief information security officer at PayPal. "This is something that will help the community to be more secure," Barrett told InfoWorld. PayPal and parent company eBay are top targets for online scam artists, who use dummy Websites in so−called "phishing" attacks that attempt to trick users into revealing their user name and password. Those accounts can then be raided or used to fraudulently purchase goods.

10. June 14, USA TODAY — Military personnel prime targets for ID theft. The Department of Defense since the late '60s has used Social Security numbers for everything from dog tags to chow−line rosters. Now, data thieves and con artists have begun to increasingly target military personnel, data security experts say. Data thieves in the past year have grabbed computers containing sensitive data for nearly 30 million active and retired service members from four Veterans Affairs offices. That's a big portion of the more than 100 million personal records reported lost or stolen in the U.S. since 2006, based on a USA TODAY analysis of data compiled by the Privacy Rights Clearinghouse. Statistics on financial fraud as a result of these breaches are hard to pin down, but defense officials acknowledge the rising risk. The Defense Department has made it a priority to tighten data−handling policies and has increased training on theft prevention, department spokesperson Maj. Stewart Upton said. ID cards are being upgraded as they expire, using bar codes, magnetic stripes and other electronic authentication tools. No cost estimate is available; a complete overhaul will take years.

Information Technology and Telecommunications Sector

28. June 15, eWeek — Botnet battle a game of Whack−a−Mole. Officials at Sunnyvale, CA−based Mi5 Networks reported seeing bots that connect to multiple command and control servers as well as bots that scan internal networks for different vulnerabilities and then only deliver the exploit payload for which the specific machine is vulnerable. Battling botnets, said Mi5 CEO Doug Camplejohn, has officially turned into a "game of Whack−a−mole." "Our findings show that we've entered the second phase of botnet evolution in that there's no longer just a single C&C [command and control] head to cut off," he said. "Even if you do cut off all the C&C heads, bots keep collecting data and distributing it via peer−to−peer networks." Finjan Chief Technology Officer Yuval Ben−Itzhak said botnet operators are utilizing a new technique he called "evasive attack" to infect users while keeping their profiles low. "Basically, the hacker stores the IP address of search engine crawlers and URL filtering crawlers in their databases, so when they visit the hacker's site for classification, the hacker server presents legitimate content," he said. As a result, malicious sites are misclassified as normal, Ben−Itzhak explained. But when users visit the site, malicious code is served.

29. June 14, IDG News Service — After hacker dissection, Safari beta is patched. Three days after releasing Safari 3.0, Apple has issued its first patch of the beta software. The 3.0.1 update, released early Thursday morning, June 14, fixes three flaws in the browser including bugs that were discovered earlier last week by researchers Thor Larholm and Aviv Raff. Apple released the 3.0 beta on Monday, and hackers started digging up bugs within hours. In fact, some researchers suggested that Apple should have done a better job of checking the browser for vulnerabilities before releasing the beta code. But even Apple's critics give the company credit for pushing out a quick update to its browser.

30. June 14, Information Week — Global co−op feeds FBI's botnet fight. Officials with the FBI claim that global law enforcement partnerships are playing a significant role in its ongoing efforts to stomp out botnets and other computer−borne crimes. Security researchers have long maintained that one of the most significant obstacles to shutting down botnets is the distributed global nature of the individuals responsible for operating the networks of zombie PCs. The conventional wisdom has been that U.S. law enforcement officials have struggled to find the budget and manpower necessary to track down cyber−criminals operating on their own turf, let alone find a way to identify and arrest people distributing malware code or operating botnets who are based in foreign nations. However, FBI officials said that international cooperation is playing an increasingly important role in helping it stomp out cyber−crime. "We've been successful in building relationships with foreign law enforcement officials and have agents in 60 countries around the globe working full time on cyber−crime along with police departments and other agencies," said Shawn Henry, deputy assistant director of the Cyber Division at the FBI.