

CYBER SECURITY NEWS
All text displayed in connection with these stories is quoted directly from the source.
Jan. 5, 2010 - Daphne Larkin
NORTHFIELD, Vt. – Norwich University officials announced today a program of collaboration with Adaptive Cyber Security Instruments, Inc. (ACSI) to provide real-world educational opportunities for NU students and resources to develop and test ACSI’s cyber situational awareness products.
NU also intends to create new courses in the emerging field of cyber conflict, information warfare and information operations. ACSI’s products were conceived to meet the challenges of this field including cyber intelligence, and the theory behind them will form the core of this curriculum.
Jan. 31, 2010
The Department of Foreign Affairs (DFA) was attacked by a cyber spy network.
DFA officials admitted that it was taking these reports seriously. The cyber attack on DFA was reported by the Toronto based Information Welfare Monitor.
The Philippines is one of the 103 countries where classified documents from government and private organizations, including the computers of the Dalai Lama and Tibetan exiles, have been hacked into, said IWM.
Jan. 29, 2010
The chief of naval operations (CNO) officially established U.S. Fleet Cyber Command (FCC) and recommissioned U.S. 10th Fleet during a ceremony at Fort George G. Meade, Md., Jan. 29.
At the ceremony, Adm. Gary Roughead, CNO, also named Vice Adm. Bernard J. McCullough III the commander of both FCC and 10th Fleet.
The new FCC and 10th Fleet are headquartered at Fort George G. Meade, taking advantage of existing Naval Network Warfare Command infrastructure, communications support and personnel already in place.
Jan. 29, 2010 - J. Nicholas Hoover
A worldwide survey that shows widespread cyber attacks on critical infrastructure companies finds that the role of government in working to stop those attacks is up in the air. Indeed, a majority of respondents believes governments to be among the culprits.
Overall, more than half of the 600 industry executives surveyed by the Center for Strategic and International Studies, with support from security vendor McAfee, think their nation's laws aren't strong enough to deter cyber attacks, and 45% believe that their countries are incapable of preventing attacks.
Jan. 29, 2010 - Tim Wilson
The U.S. House of Representatives is investigating the hacking of as many as 49 Websites of Republican and Democratic lawmakers following the president's State of the Union address on Wednesday.
The sites were all defaced with a single, one-line message, offering a rude epithet and claiming credit for the Red Eye Crew, a Brazilian hacker group.
A number of the sites were pulled down following the hack, and several of them stayed down for more than a day, according to news reports.
Jan. 29, 2010 - P. Parameswaran
The United States said Thursday that Google's problems in China with cyberattacks could deter US companies from investing in the Asian economic powerhouse amid rising trade tensions.
"Recent events, specifically the well-publicized Google incident, have reminded us of the continued challenges faced by foreign and US companies operating in China," US Commerce Secretary Gary Locke told a meeting of the US China Business Council in Washington.
He called on China to continue making strides to be "more transparent, predictable and committed to the rule of law" to reassure American firms.
Jan. 27, 2010 - William Jackson
The electric power grid has emerged as one of the most critical elements of our nation’s critical infrastructure, and efforts to create an interoperable Smart Grid with two-way communications and power flow are highlighting the need for security. However, there also is a need for more critical thinking about the grid’s vulnerability, according to at least one expert. It might not be as fragile as it appears.
Terry Michalske, director of energy and security systems at Sandia National Laboratories, expressed the conventional wisdom at a recent conference on cybersecurity policy hosted in Washington by the Stevens Institute of Technology.
Jan. 27, 2010 - John E. Dunn
Most voice encryption systems can be tapped in minutes by installing a voice-recording Trojan on the target computer, a security researcher has confirmed after testing a range of well-known products.
Although this type of attack has been known about for some time, the scale of the issue uncovered by researcher ‘Notrax’ is still surprising. In all, the unnamed engineer was able to intercept calls made using twelve popular encryption programs and hardware systems using an easily available $100 wiretapping utility called FlexiSPY. This tapped the voice stream in real time before any encryption was applied to the data.
Jan. 27, 2010 - Kim Zetter
A data breach at the National Archives and Records Administration is more serious than previously believed. It involved sensitive personal information of 250,000 Clinton administration staff members, job applicants and White House visitors, as well as the Social Security number of at least one daughter of former Vice President Al Gore.
The data, which included more than 100,000 Social Security numbers, was stored on a computer hard drive that the NARA discovered missing last April from a data processing room in Maryland. It’s unknown if the drive was lost or stolen.
Jan. 26, 2010 - Dan Olds
In the wake of the Google vs. China dustup, we’re starting to see some discussion of the greater implications for computing, both in general and the cloudy Google way.
The fact that some Gmail accounts were accessed by hackers looking for dissidents raises some questions about the security of Gmail specifically and the entire cloud model as well.
Jan. 26, 2010 - Tim Wilson
The cost of data breaches continues to rise, and malicious attacks accounted for more of them in 2009 than in previous years, according to a study published today.
In conjunction with study sponsor PGP Corp., Ponemon Institute today released the results of its fifth annual "U.S. Cost of a Data Breach" report. The news isn't good, according to the research firm's founder, Larry Ponemon.
Jan. 26, 2010 - Fresh Air from WHYY
Fighting Cybercrime, One Digital Thug at a Time
Attacking corporate Web sites and stealing personal financial information is no longer just the work of hackers. These days the mob is also taking an interest.
Joseph Menn's new book, Fatal System Error: The Hunt for the New Crime Lords Who Are Bringing Down the Internet, follows the evolution of digital crime from small-time thieving to organized gangs — all vying for a piece of a trillion-dollar pie.
Menn follows the book's hero — real-life cybercrime fighter Barrett Lyon — on a global investigation that uncovers alliances between the Russian mafia and the Russian government, and reveals how La Cosa Nostra and the Russians fight it out for control of the Internet's massive spoils.
Jan. 26, 2010 - NewsCorp Australian Papers
Are your passwords secure enough? Compare yours with the just-released list of the 10 most commonly used passwords on the Web to see whether yours are too easy to guess.
The 10 most commonly used passwords on the Web have been revealed as part of an analysis of tens of millions of Internet accounts. Imperva, a data security firm, said it had analyzed around 32 million passwords that had been exposed in a recent hack of the RockYou Web site.
Jan. 25, 2010 - Steve Campbell
...Without a doubt, the biggest challenge to cloud computing is security -- the dark side of the cloud. In the cloud paradigm, the user community does not or should not care about the physical side of business operations. In most cases, the physical infrastructure is housed, managed and owned by a third party, and you pay for resources used just like the electric and gas utilities. Despite all these wonderful capabilities and features, security remains as much of a concern for the HPC community as it does for the consumers concerned about protecting their identity and credit card information.
Jan. 25, 2010 - hawon@joongang.co.kr
Hackers cracked into the credit card processing networks of several popular restaurant chains in Korea from December through early this year, obtaining personal information from customers to make fake cards and ring up millions of won in purchases.
Authorities said the resulting monetary damage could exceed similar high-profile hacking incidents over the past two years, though they did not provide data on the chains involved or the estimated number of consumers affected.
The following stories concern the recent cyberattacks on Google, Adobe and other companies from sources originating in China.
Jan. 25, 2010 - John Markoff, David E. Sanger and Thom Shanker
On a Monday morning earlier this month, top Pentagon leaders gathered to simulate how they would respond to a sophisticated cyberattack aimed at paralyzing the nation’s power grids, its communications systems or its financial networks.
The results were dispiriting. The enemy had all the advantages: stealth, anonymity and unpredictability. No one could pinpoint the country from which the attack came, so there was no effective way to deter further damage by threatening retaliation. What’s more, the military commanders noted that they even lacked the legal authority to respond — especially because it was never clear if the attack was an act of vandalism, an attempt at commercial theft or a state-sponsored effort to cripple the United States, perhaps as a prelude to a conventional war.
Jan. 25, 2010 - Elinor Mills
People behind the China-based online attacks of Google and other companies looked up key employees on social networks and contacted them pretending to be their friends to get the workers to click on links leading to malware, according to a published report on Monday.
"The most significant discovery is that the attackers had selected employees at the companies with access to proprietary data, then learnt who their friends were," the Financial Times reported. "The hackers compromised the social network accounts of those friends, hoping to enhance the probability that their final targets would click on the links they sent."
Jan. 25, 2010 - Kelly Jackson Higgins
The attackers who unleashed the recent wave of targeted attacks against Google, Adobe, and other companies made off with valuable intellectual property and source code, shocking the private sector into the reality of the potential threat of state-sponsored cyberespionage -- but they also made a few missteps along the way that might have prevented far worse damage.
Security experts say while the attacks indeed were potent in their outcome, they were discovered relatively quickly by Google, and the malware used to attack Google, Adobe, and other as-yet unnamed companies wasn't especially sophisticated nor unique other than the fact that it was a zero-day exploit. The attacks -- which Google says came out of China -- had been under way for, on average, nearly a month, and Google found them out in mid-December.
Jan. 25, 2010 - John Zyskowski
When "The Official Google Blog" went public two weeks ago with news that a cyberattack originating in China had targeted its corporate servers and customers’ e-mail accounts, including those of several human rights activists, it served as the latest reminder of where U.S. and Chinese national interests will increasingly compete — politically, economically and militarily — now and into the future.
For the moment, there is little that the U.S. government can do in response to the situation, other than condemn the hacking and ask the Chinese government for an explanation.
Jan. 25, 2010 - Mark Clayton
At least three US oil companies were the target of a series of previously undisclosed cyberattacks that may have originated in China and that experts say highlight a new level of sophistication in the growing global war of Internet espionage.
The oil and gas industry breaches, the mere existence of which has been a closely guarded secret of oil companies and federal authorities, were focused on one of the crown jewels of the industry: valuable “bid data” detailing the quantity, value, and location of oil discoveries worldwide, sources familiar with the attacks say and documents obtained by the Monitor show.
Jan. 24, 2010 - Steven Musil
After warning of strained U.S.-China relations, China's government has issued statements denying any state involvement in the cyberattacks on Google and defending its online censorship.
The statements, issued Monday Beijing time and carried on the state news agency Xinhua, come nearly two weeks after Google threatened to pull out of the country after finding that e-mail accounts belonging to human rights activists had been compromised and separately deciding it was no longer interested in self-censoring search results.
Jan. 24, 2010 - Jason Lewis
The confidential records of millions of British gamblers who bet with top bookmaker Ladbrokes have been offered for sale to The Mail on Sunday.
The huge data theft is now at the centre of a criminal investigation after this newspaper was given the personal information of 10,000 Ladbrokes customers and offered access to its database of 4.5 million people in the UK and abroad.
Jan. 22, 2010 - Brian Krebs
The cyber attacks against Google, Adobe and a raft of other top U.S. corporations late last year were by most accounts sophisticated and targeted attempts to steal proprietary data. But lost in all of the resulting media hoopla over who the remaining victims were and whether Chinese hackers or indeed the Chinese government itself were responsible is the simple, terrifying truth that individual hackers now have access to the same arsenal of cyber weapons once reserved only for nation states.
The weapons at issue are, of course, botnets -- agglomerations of remotely controlled, hacked computers that are used for a variety of criminal purposes, from spam, to high-powered, distributed online attacks against virtual targets. In these attacks, the botnets acted as a sort of "cloud" data collection and storage network.
Jan. 22, 2010 - Jaikumar Vijayan
Malicious hackers have begun using the recent cyberattacks against Google and more than 30 other companies as lures for launching even more targeted attacks, security firm F-Secure said in a blog post today.
The company reported spoofed e-mails purporting to contain details on the alleged Chinese attacks that contain a PDF attachment. When opened, it installs and runs the Acrobat.exe backdoor on the user's machine.
Jan. 18, 2010 - Tania Branigan
Google is investigating whether one or more of its employees in China helped launch the cyber attack against it last month, according to reports.
It is thought the line of inquiry is a routine part of its investigation into the attack, which Google says was sophisticated, originated in China and targeted intellectual property and the email accounts of human rights activists.
According to Reuters news agency, citing two unidentified sources, the attack, which targeted people with access to specific parts of Google networks, might have been helped by employees in the company's offices in China. It has several hundred staff on the mainland.
Jan. 18, 2010 - John Leyden
Unidentified hackers are running an ongoing cyber-espionage attack targeting US military contractors. Booby-trapped PDF files, posing as messages from the US Department of Defense, were emailed to US defence contractors last week. The document refers to a real conference due to be held in Las Vegas in March.
Opening the malicious PDF file attached to the spoofed emails triggers an attempt to exploit an Adobe Reader vulnerability only patched by the software firm last Tuesday (12 January).
Jan. 17, 2010 - Steve Lohr
The recent computer attacks on the mighty Google left every corporate network in the world looking a little less safe.
Google’s confrontation with China — over government censorship in general and specific attacks on its systems — is an exceptional case, of course, extending to human rights and international politics as well as high-tech spying. But the intrusion into Google’s computers and related attacks from within China on some 30 other companies point to the rising sophistication of such assaults and the vulnerability of even the best defenses, security experts say.
Jan. 17, 2010 - PTI
Against the backdrop of concerns over hacking of crucial official websites, central security agencies have again warned the government about the use of multi-tasking blackberry instruments by some of the officials working in sensitive ministries including the Prime Minister’s office.
Agencies have also cautioned against the practice of connecting official computers and laptops with unsecured internet connections by some bureaucrats thus compromising security.
With hackers mainly from China very active and having penetrated deep into the cyber space, the security agencies had asked all ministries especially the Defence, External, Home and the PMO to separate their official computers with those used for internet connection.
Jan. 15, 2010 - Nicola Berkovic
DEFENCE department computers sustained about 2400 cyber attacks last year, Defence Minister John Faulkner revealed today. Launching a new cyber warfare centre in Canberra, Senator Faulkner outlined the scale of electronic attacks against government operations.
He said Defence investigated about 200 “electronic security incidents” a month last year involving its own computers and networks. Defence also responded to about 220 cyber attacks against other areas of the Australian government last year.
Jan. 15, 2010 - Tim Wilson
The names of other companies targeted in the cyber attack disclosed by Google earlier this week have started to emerge. Google reportedly asked the other 33 companies targeted in the attack to come forward.
A Google spokesperson said that while the company provided technical information, that was the extent of its communication to other affected organizations.
Jan. 14, 2010 - Tim Wilson
Lincoln National Corp. (LNC) last week disclosed a security vulnerability in its portfolio information system that could have compromised the account data of approximately 1.2 million customers.
In a disclosure letter (PDF) sent to the attorney general of New Hampshire Jan. 4, attorneys for the financial services firm revealed that a breach of the Lincoln portfolio information system had been reported to the Financial Industry Regulatory Authority (FINRA) by an unidentified source last August. The company was planning to issue notification to the affected customers on Jan. 6, the letter says.
Jan. 13, 2010 - Ben Bain
Secretary of State Hillary Rodham Clinton is looking for an explanation from the Chinese government regarding Google’s accusation that a cyberattack against the company’s infrastructure originated in China, with a primary goal of accessing Chinese human rights activists' Gmail accounts.
“We have been briefed by Google on these allegations, which raise very serious concerns and questions. We look to the Chinese government for an explanation,” Clinton said in a brief statement on Jan. 12. “The ability to operate with confidence in cyberspace is critical in a modern society and economy.”
Jan. 13, 2010 - Robert McMillan, IDG News Service
A coordinated hacking campaign targeting Google, Adobe Systems and more than 30 other companies raises serious concerns, U.S. Secretary of State Hillary Clinton said Tuesday.
In a statement released late Tuesday night, Clinton said that the U.S. government is taking the attack -- which Google said came from China -- very seriously. "We have been briefed by Google on these allegations, which raise very serious concerns and questions," she said. "We look to the Chinese government for an explanation."
Sources familiar with the situation say that more than 30 U.S. companies, including Adobe Systems, were hit by this targeted attack, which Google first discovered in mid-December. Using an attack that exploited an unpatched bug in widely used software, the attackers were able to gain footholds in these companies and siphon out valuable intellectual property.
Jan. 13, 2010 - Elinor Mills
A U.S. law firm representing a Web content-filtering company in a piracy lawsuit against the Chinese government said on Wednesday that it received malicious e-mails in a targeted attack from China similar to recent attacks on Google and other U.S. companies.
At least 10 employees at Gipson Hoffman & Pancione received the e-mails on Monday and Tuesday, according to Gregory Fayer, a lawyer at the Los Angeles-based firm.
Jan. 13, 2010 - Mark Fonseca Rendeiro
The 26th edition of the world's largest annual hacker conference, 26C3, took place in Berlin last week. With about 2,500 attendees, a combined total of 9,000 participants worldwide (via live streams), and an array of features that no other conference in the world can match, it was very much a milestone.
A bit on the word "hacker", as I know the term might be bothering some of you. I am not using it in the stereotypical way mainstream society often does, to refer to criminal and malicious activity. The hackers I am talking about go back to the origins of the word: one who tinkers, one who deconstructs out of a natural curiosity about how something works and how it could be made to do something it wasn't originally intended to do. Such abilities are akin to the skilled locksmith, and do not automatically make a hacker a criminal. Unfortunately for many who work in mainstream media, the word has been hijacked to be synonymous with "electronic evildoer". Yet, like many words that have been used to keep minority groups down, hackers are taking the label back.
Jan. 13, 2010
A High Court judge is to rule on whether Home Secretary Alan Johnson was wrong to allow the extradition of computer hacker Gary McKinnon.
The judicial review will examine Mr Johnson's decision that a US trial would not breach his human rights.
Mr McKinnon, 43, who has Asperger's syndrome, is accused of breaking into the US military computer system. He says he was seeking evidence of UFOs.
Jan. 12, 2010 - Gregg Keizer
Google today said that a "highly sophisticated and targeted" attack against its network last month originated in China, and tried to access the Gmail accounts of Chinese human rights activists.
In a blog post Tuesday, David Drummond, Google's chief legal officer, said that attacks have forced the company to "review the feasibility of our business operations in China." Google, continued Drummond, is "no longer willing to continue censoring our results on Google.cn, and so over the next few weeks we will be discussing with the Chinese government the basis on which we could operate an unfiltered search engine within the law, if at all."
Jan. 12, 2010 - Robert McMillan, IDG News Service
The owner of a Dallas-based Internet service provider that was raided last April has been charged with participating in a conspiracy to defraud more than US$15 million from companies such as Verizon, AT&T and XO Communications.
Matthew Simpson, 25, of Red Oak, Texas, is one of 19 people charged in the case, according to a grand jury indictment that was unsealed late last week.
Jan. 12, 2010
China's most popular search engine, Baidu, has been targeted by the same hackers that took Twitter offline in December, according to reports.
A group claiming to be the Iranian Cyber Army redirected Baidu users to a site displaying a political message. The site was down for at least four hours on Tuesday, Chinese media said.
Jan. 12, 2010 - Kelly Jackson Higgins
Romanian hackers continue to have a field day with SQL injection flaws in major Website applications: A vulnerability in a U.S. Army Website that leaves the database wide open to an attacker has now been exposed.
"TinKode," a Romanian hacker who previously found holes in NASA's Website, has posted a proof-of-concept on his findings on a SQL injection vulnerability in an Army Website that handles military housing, Army Housing OneStop. TinKode found a hole that leaves the site, which has since been taken offline, vulnerable to a SQL injection attack. "With this vulnerability I can see/extract all things from databases," he blogged.
Jan. 12, 2010 - Dan Goodin
Hackers have stolen the login credentials for more than 8,300 customers of a small New York bank after breaching its security and accessing a server that hosted its online banking system.
The intrusion at Suffolk County National Bank happened over a six-day period that started on November 18, according to a release (PDF) issued Monday. It was discovered on December 24 during an internal security review. In all, credentials for 8,378 online accounts were pilfered, a number that represents less than 10 percent of SCNB's total customer base.
Jan. 11, 2010 - Brian Krebs
January promises to be a busy month for Web server and database administrators alike: A security research firm in Russia says it plans to release information about a slew of previously undocumented vulnerabilities in several widely-used commercial software products.
Evgeny Legerov, founder of Moscow based Intevydis, said he intends to publish the information between Jan 11 and Feb 1. The final list of vulnerabilities to be released is still in flux, Legerov said, but it is likely to include vulnerabilities (and in some cases working exploits) in:
- Web servers such as Zeus Web Server, Sun Web Server (pre-authentication buffer overflows);
- Databases, including Mysql (buffer overflows), IBM DB2 (local root vulnerability), Lotus Domino and Informix
- Directory servers, such as Novell eDirectory, Sun Directory and Tivoli Directory
Jan. 11, 2010 - Matt Prigge
Corporate networks face more security threats than ever before. Whether it's the rampant spread of malware, malicious employees, or plain and simple user error, IT administrators must bend over backward to ensure that intruders stay out and corporate data stays in. Tools abound to help you secure your data, but one simple policy -- regardless of which part of your infrastructure you look at -- will invariably protect you more than any single piece of security hardware or software: Deny all, permit some.
Jan. 11, 2010 - Grant Gross, IDG News Service
Maryland officials want the state to be the U.S. "epicenter" for fighting cyber attacks, and on Monday they launched an effort to bring more cybersecurity research and jobs to the state.
Maryland has several resources that make it the perfect place to be a national -- and world -- leader in cybersecurity, said Governor Martin O'Malley, speaking at a kick-off event at the U.S. National Institute of Standards and Technology (NIST) in Gaithersburg, Maryland. In addition to the NIST, Maryland is home to the U.S. National Security Agency, 12 major military installations, world-class schools such as Johns Hopkins University and dozens of top cybersecurity vendors, O'Malley and other officials said.
Jan. 11, 2010 - Don Reisinger
The big news that came out of CES was a tsunami of new smartphones and tablet PC designs. But Microsoft, arguably the most important company at the show, could have made security the theme at CES this year. Unfortunately, it didn't. And users are left wondering how to keep their data secure going forward.
Jan. 11, 2010 - Kelly Jackson Higgins
Yet another botnet has been shut down as of today as researchers joined forces with ISPs to cut communications to the prolific Lethic spamming botnet -- a development that illustrates how botnet hunters increasingly are going on the offensive to stop cybercriminals, mainly by disrupting their valuable bot infrastructures.
Jan. 11, 2010 - Robert Westervelt
Facebook and other social networks, in response to constant bombardment from phishers, spammers and other cybercriminals, are beefing up security teams and deploying new cyberdefenses.
The security investments represent a concerted effort by social networks to fight back against attackers, who are hell-bent on exploiting these popular platforms to peddle porn and pharmaceuticals, spread malware or simply extract the potentially lucrative user data contained in them.
Jan. 8, 2010 - Grant Gross, IDG News Service
Heartland Payment Systems will pay up to $60 million to issuers of Visa credit and debit cards for losses they incurred from a 2008 data breach at the large payment processor.
The settlement between Heartland and Visa, announced today, will offer card issuers "an immediate recovery with respect to losses they may have incurred from the Heartland intrusion," Ellen Richey, Visa's chief enterprise risk officer, said in a statement.
Jan. 7, 2010 - Dan Goodin
Yet another domino in the RSA encryption scheme has fallen with the announcement Thursday that cryptographers have broken 768-bit keys using the widely used public-key algorithm.
An international team of mathematicians, computer scientists and cryptographers broke the key through NFS, or number field sieve, which allowed them to deduce two prime numbers that when multiplied together generated a number with 768 bits. The discovery, which took about two-and-a-half years and hundreds of general-purpose computers, means 768-bit RSA keys can no longer be counted on to encrypt or authenticate sensitive communications.
Jan. 7, 2010 - Gregg Keizer
Microsoft today said it will deliver a single security update on Tuesday to patch just one vulnerability in Windows.
However, the company acknowledged that it does not yet have a fix for a crippling bug in Windows 7 that went public nearly two months ago.
Jan. 7, 2010 - Henry Samuel
Juniper Networks is warning customers of a critical flaw in its gateway routers that allows attackers to crash the devices by sending them small amounts of easily-spoofed traffic.
In an advisory sent Wednesday afternoon, the networking company said a variety of devices could be forced to reboot by sending them internet packets with maliciously formed TCP options. The flaw affects versions 3 through 10 of Junos, the operating system that powers devices at ISPs, backbones, and other large networks. Software releases built on or after January 28, 2009 have already fixed the issue.
Jan. 7, 2010 - Henry Samuel
President Sarkozy got to grips with the Teorem phone, which looks like a regular smartphone, while on a visit to the Thales Communication factory in Cholet, western France.
Some 20,000 such devices will be distributed to the president and his entourage as well as government ministers and their advisers early next year. Top military officials will also use them.
Jan. 6, 2010 - Jaikumar Vijayan
Nearly a year after Heartland Payment Systems Inc. disclosed what turned out to be the biggest breach involving payment card data, the incident remains a potent example of how compliance with industry standards is no guarantee of security.
Princeton, N.J.-based Heartland last Jan. 20 disclosed that intruders had broken into its systems and stolen data on what was later revealed to be a staggering 130 million credit and debit cards. That number easily eclipsed the 94 million cards that were compromised in the massive breach disclosed by TJX Companies Inc. in 2007.
Jan. 6, 2010 - John S. Monroe
Nothing irks a security professional more than the suggestion that the federal government could improve security by setting up a standard certification program for agency staff members.
This idea, which is gaining traction in Congress, might sound reasonable. But many security experts say it is a red herring. One such expert is Daniel Castro, a senior analyst at the Information Technology and Innovation Foundation, who wrote a column on the topic for FCW.com.
“If certifications were effective, we would have solved the cybersecurity challenge many years ago,” Castro wrote.
Jan. 6, 2010 - Thomas Claburn
A financial services industry group is planning to simulate a series of cyber attacks to test how well banks, payment processors and retailers deal with online threats.
The Financial Services Information Sharing and Analysis Center (FS-ISAC), a group formed in response to a 1998 Presidential security directive, on Tuesday invited financial institutions, retailers, card processors, and businesses of all sizes to participate in its Cyber Attack against Payment Processes (CAPP) Exercise.
Jan. 6, 2010 - Dan Goodin
On Tuesday, hacker Samy Kamkar demonstrated a way to identify a browser's geographical location by exploiting weaknesses in many WiFi routers. Now, he's back with a simple method to penetrate hardware firewalls using little more than some JavaScript embedded in a webpage.
By luring victims to a malicious link, the attacker can access virtually any service on their machine, even when it's behind certain routers that automatically block it to the outside world. The method has been tested on a Belkin N1 Vision Wireless router, and Kamkar says he suspects other devices are also vulnerable.
Jan. 5, 2010 - Kelly Jackson Higgins
The researcher who conducted a successful spear-phishing experiment with a phony LinkedIn invitation from "Bill Gates" has revealed the email products and services that failed to filter the spoofed message -- and that list includes Microsoft Outlook 2007, Microsoft Exchange, Outlook Express, and Cisco IronPort.
Joshua Perrymon, CEO of PacketFocus, had previously revealed that the iPhone, BlackBerry, and Palm Pre smartphones had all fallen victim to the spear-phishing exercise.
Jan. 5, 2010 - Brian Krebs
In early 2008, while federal investigators were busy looking into disgraced financier Robert Allen Stanford for his part in an alleged $8 billion fraudulent investment scheme, Eastern European hackers were quietly hoovering up tens of thousands of customer financial records from the Bank of Antigua, an institution formerly owned by the Stanford Group.
According to a fraud investigator with firsthand knowledge of the break-in, the hackers responsible infiltrated a component of the Stanford Group’s network by exploiting vulnerabilities in the company’s web servers and databases. On the condition of anonymity, the investigator shared with this author files recovered from the breach, which were stored in plain text for at least several weeks on a website controlled by the attackers. This source said he forwarded the same information on to the FBI shortly after discovering it in early 2008.
Jan. 5, 2010 - Giles Tremlett
The resemblance is, if anything, in the way their eyebrows arch. But that was enough for a computer hacker's caricature of the prime minister, José Luis Rodríguez Zapatero, as Mr Bean to spoil Spain's launch week as holder of the European Union's presidency.
The beaming face of Rowan Atkinson's bumbling comic fool was transplanted on to the Spanish presidency's website yesterday.
Jan. 5, 2010 - Joan Goodchild
Several hardware-encrypted USB memory sticks are now part of a worldwide recall and require security updates because they contain a flaw which could allow hackers to easily gain access to the sensitive information contained on the device.
When USB maker SanDisk first received news of the problem last month, the vendor issued a security bulletin that warned customers its Cruzer Enterprise series of USB flash drives contained a vulnerability in the access control mechanism. SanDisk offered a product update online to address the issue and made sure to note the problem only applied to the application running on the host, not the device hardware or firmware.
Jan. 3, 2010 - Ellen Nakashima
The Pentagon's plan to set up a command to defend its global network of computer systems has been slowed by congressional questions about its mission and possible privacy concerns, according to officials familiar with the plan.
As a result, the Defense Department failed to meet an Oct. 1 target launch date and has not held a confirmation hearing for the command's first director.