Security highlights from around the Web

Computerworld - Now it's 'ransom-ware'
Here's another scheme to keep IT security managers up at night: Hackers have come up with another form of extortion to get quick cash from companies, the Associated Press reports via the Detroit News. In the scheme, hackers "lock up" data on a company's computer and leave a ransom note demanding money to get the data back. Experts call the stunt "ransom-ware." In one incident, a security researcher was able to unlock the data without paying the $200 ransom, but the fear is that the attacks will become more difficult as hackers refine their skills. "This is equivalent to someone coming into your home, putting your valuables in a safe and not telling you the combination," said Symantec Corp security manager Oliver Friedrichs.


The story of a cybercrime bust
For a compelling story on how a U.S. cybercrime unit snared 28 members of a worldwide gang of cybercriminals known as the Shadow.crew, check out this article in BusinessWeek. The article gives a detailed account of how Secret Service agents and the FBI investigated the gang, which was reported to be involved in identity theft, bank fraud and other crimes. A raid on the group in October 2004 yielded arrests of Shadowcrew members in eight states and six countries and netted "1.7 million credit-card numbers, access data to more than 18 million e-mail accounts, and identity data for thousands of people including counterfeit British passports and Michigan driver's licenses."
While the arrests were a big disruption of organized crime, the investigators recognize the arrests are a drop in the bucket as more crime moves to the Web.


A socialite and social engineering
The whole exploit involving the posting of celebrity Paris Hilton's cellular phone address book was in part the result of a classic case of social engineering, involving a phone call to a T-Mobile store in Southern California. In this account in The Washington Post, an unidentified hacker, who claimed he was involved in the theft, gave details of the caper to a reporter via "online text conversations." The hacker told how he and a hacker's group duped a T-Mobile sales rep into giving out proprietary information that ultimately enabled the hackers to steal information from the socialite's phone. One of the hackers called the store pretending to be a T-Mobile supervisor, and the employee divulged all the information requested.
The story is a reminder of the importance of instructing employees on security awareness, as Doug Schweitzer pointed out in a recent column. While his article came about from the appearance of variants to the Sober worm on the Internet, he also says, "Procedures for identity verification must be put into everyday practice, and employees need to be aware that no matter who is requesting information, be it a fellow employee or a higher-up in the organization, the requester's identity must be verified."