Security highlights from around the Web

Marian Prokop and Sharon Machlis
May 24, 2005 (Computerworld) -- Now it's 'ransom-ware'
Here's another scheme to keep IT security managers up at night: Hackers have come up with another form of extortion to get quick cash from companies, the Associated Press reports via the Detroit News. In the scheme, hackers "lock up" data on a company's computer and leave a ransom note demanding money to get the data back. Experts call the stunt "ransom-ware." In one incident, a security researcher was able to unlock the data without paying the $200 ransom, but the fear is that the attacks will become more difficult to undo as hackers refine their skills. "This is equivalent to someone coming into your home, putting your valuables in a safe and not telling you the combination," said Symantec Corp. security manager Oliver Friedrichs.


The story of a cybercrime bust
For a compelling story on how a U.S. cybercrime unit snared 28 members of a worldwide gang of cybercriminals known as Shadowcrew, check out this article in BusinessWeek. The article gives a detailed account of how Secret Service agents and the FBI investigated the gang, which was reported to be involved in identity theft, bank fraud and other crimes. A raid on the group in October 2004 yielded arrests of Shadowcrew members in eight states and six countries and netted "1.7 million credit-card numbers, access data to more than 18 million e-mail accounts, and identity data for thousands of people including counterfeit British passports and Michigan driver's licenses."
While the arrests were a big disruption of organized crime, the investigators recognize the arrests are a drop in the bucket as more crime moves to the Web.


A socialite and social engineering
The whole exploit involving the posting of celebrity Paris Hilton's cellular phone address book was in part the result of a classic case of social engineering, involving a phone call to a T-Mobile store in Southern California. In this account in The Washington Post, an unidentified hacker, who claimed he was involved in the theft, gave details of the caper to a reporter via "online text conversations." The hacker told how he and a hacker group duped a T-Mobile sales rep into giving out proprietary information that ultimately enabled the hackers to steal information from the socialite's phone. One of the hackers called the store pretending to be a T-Mobile supervisor, and the employee divulged all the information requested.
The story is a reminder of the importance of instructing employees on security awareness, as Doug Schweitzer pointed out in a recent column. While his article came about from the appearance of variants to the Sober worm on the Internet, he also says, "Procedures for identity verification must be put into everyday practice, and employees need to be aware that no matter who is requesting information, be it a fellow employee or a higher-up in the organization, the requester's identity must be verified."



Jail time for software pirates

Three men in the U.K. will spend 18 months to two-and-a-half years in prison after they were convicted of software piracy, the BBC reports. The men were part of the "Drink Or Die" network, a group known for cracking digital copyright protections and illegally distributing the pirated software over the Internet. Four men in the U.S. pleaded guilty to similar crimes in 2003 (See story).

Can a security consultant be too paranoid?

In an article on SecurityFocus.com, author Mark Burnett pondered the question, which he was asked by a colleague. Granted, he says he uses three firewalls, and it takes five passwords to boot up his laptop and check e-mail. Among other telling comments: "I require my kids to use at least 14 character passwords on our home network" and "I don't just throw out shredded documents; I spread the shredded bits into my garden to use as mulch." Burnett doesn't view it as paranoia, but as strong security practices, or as he puts it, "meticulous precaution." While his practices may be understandable for someone in the security field, where he regularly sees the disastrous results of poor security, you have to wonder whether it makes sense for everyone. There's a wide variety of opinion in the discussion at the end of the article.


Hello, it's me
Business Week reports on biometric technologies that may be available in the next year or so to help in the war against identity theft. One is a voice-verification tool that would be useful at call centers. The way it works is that the customer's voice is recorded on a first call. When the customer calls again, the technology compares the customer's voice with the original recording to see if it matches.
The other device is a voice-verification tool that would be used to activate a new credit card. The user's credit card has an embedded sensor with his voice previously recorded in digital form. When it's time to replace the old card, the user speaks a password into the new card. If the voices match, the card is activated. While there are issues with both devices (what if the user has a cold or can't speak for some reason?), these tools could be new weapons in the arsenal against ID theft.


A just reward:
The Mozilla Foundation paid $2,500 to a German computer researcher who found five flaws in its open-source Web browser, vnunet.com reports. Michael Krax was given $500 for each bug and also received a Mozilla T-shirt. The reward is part of Mozilla's security bug bounty program, which offers incentives for users who report flaws in the software.


The missing 270,000:
The Mizuho Bank of Japan said this week it had lost personal account information on 270,000 customers. The missing data included "names, account numbers and transaction histories" of customers at the bank's 167 branches, according to Reuters via the Financial Times. The information disappeared over several years and bank officials believe it was accidentally discarded and not stolen. An internal investigation found no evidence that the data had been misused, the article said.
The news is another embarrassment for the bank, which has more than 30 million customers. When three of Japan's largest banks consolidated to become Mizuho Bank Ltd. in 2002, computer glitches disrupted service at the bank's 7,000 ATMs, resulting in 30,000 transaction errors (See story).


Almost four years for hacking:
A man who admitted breaking into the computer systems of Arkansas data company Acxiom Corp. was sentenced to 45 months in federal prison, according to SiliconValley.com via the Associated Press. Daniel Baas was a systems administrator at Market Intelligence Group, which had been hired to analyze data at Acxiom, when he gained unauthorized access and downloaded 300 encrypted password files of Acxiom clients, which he stored on computer disks at his home, the article said. Baas pleaded guilty to hacking charges and said he stole the data between January 2001 and January 2003. The company said the theft cost it $5.8 million.


Pushes for privacy:
With all the hoopla over identity theft recently involving institutions like ChoicePoint, LexisNexis and even Boston College, to name a few, one data broker is listening and said it would limit its sales of Social Security numbers, the Washington Post reports. Westlaw, an online legal research firm, said it would no longer provide corporate clients with access to Social Security numbers, while government offices, except for law-enforcement agencies, would now only receive partial numbers. The article notes that data-broker ChoicePoint and LexisNexis also have taken steps to restrict the amount of Social Security data they make available to clients. Congress has also stepped up and is considering proposals to ban the commercial sale of Social Security numbers.


Wireless woes:
With the popularity of wireless networks and the big stories about identity theft, you would think that more users would be paying attention to security. Not so. A new survey found that a third of companies using wireless networks had their security features turned off, the BBC reports. That figure is worse than last year, when 15% of surveyed companies admitted to not applying basic security. RSA Security, which commissioned Netsurity to conduct the survey, warned that as the popularity of Wi-Fi grows, networks that aren't secured will be detected and exploited. The survey, which involved Wi-Fi networks in London, Frankfurt, New York and San Francisco, also noted that many companies had failed to take such basic security precautions as reconfiguring default network settings.


Mail mess: The Washington Post has a compelling article (registration required) on how a simple clerical error put the confidential financial information of 73 bank customers at risk for identity theft. When a Wachovia Corp. customer started receiving the financial statements of other customers, he contacted the bank and a title company listed on the documents. Still, it took nine months for the problem to be resolved, leaving the personal data -- including the Social Security numbers -- of those customers vulnerable to identity theft. Fortunately, the customer who received the financial statements was an honest man who phoned and e-mailed the bank to correct the situation, but it still took months and a Post investigation to get the matter resolved.
While such cases are rare, they point "to the vulnerabilities in systems that have become so highly automated that small errors in the management of databases can quickly become amplified into major security breaches," say privacy advocates. The error occurred when a Wachovia clerk entered the customer's address incorrectly, causing the company's computer system to link it with other customers who bought real estate through the same title company. Wachovia said it has taken steps to prevent such an incident from happening again.


Banks, beware of phishers: Financial services firms continue to be the biggest target of phishing scams, reaching a new high of 85% of reported incidents in December, the Anti-Phishing Working Group said in its most recent report (PDF format). That's 10 percentage points higher than the previous month. And eight of the nine new brands "hijacked" during this period were financial institutions, the report found. The U.S. was the top location for hosting phishing sites, at 32%, with China (12%) and Korea (11%) following at a distance.

Take hints from consumers: More than 80% of adults said the security and accessibility of their online data are their key concerns when using online services, according to a Harris Interactive poll. About a quarter of those polled said they expect this online data, such as e-mail, music files, photos and financial information, to last forever. The poll results, which were released by Sun Microsystems, show the need for companies that provide these online services to have a solid storage strategy in place, said Mark Canepa, executive vice president of Sun Network Storage. The explosion in online data also explains part of the 3.5% growth in the enterprise disk storage industry in 2004, according to IDC.


Despite the fears after Sept. 11, cybercrime, not cyberterror, is the biggest worry for security managers, according to this article from CNN. The article notes that after Sept. 11 there were fears that terrorists would use the Internet to go after the nation's electronic infrastructure. However, the major security issues are in corporate and private computer networks, where IT managers must fight off spam, spyware and computer worms and viruses. "Although the threat of cyber-terrorism exists, the greatest risk to Internet communication, commerce and security is from cybercrime motivated by profit," said David Perry, global director of education at security company Trend Micro.

FBI project shelved: A draft report from the Inspector General's office for the Justice Department concludes that the FBI's Virtual Case File project will not succeed, Government Computer News reports. The FBI has already spent $170 million on the VCF project, which was intended to enable agents to conduct rapid, paperless information sharing (See Computerworld story). The GCN article, citing the report, said the project would be replaced by the "Federal Investigative Case Management System." The article said, "Technological developments since the beginning of the case management project in mid-2001 and the FBI's approach of adapting older systems to provide VCF components" means the agency wouldn't use any of the VCF technology for the new system. The FBI confirmed it had received the report, but had no comment on it, the article said.

December

Fighting cybercrime in the East: Computer security experts in India are working with Russian IT officials to fight cybercrime. The Hindustan Times reports that India's Cyber Emergency Response Team (CERT) has already signed a protocol with Russia on information security and that the two nations plan to work on preventing attacks from viruses, worms and malicious hackers. Russia is eager to learn about India's success in the software industry, so it can duplicate the efforts at home. "We want to retain talent within Russia, and Indian companies can work on projects in our country for customers in third countries like Europe and America," said Russian IT Minister Leonid D Reiman.

Quit blaming users: Web usability expert Jakob Nielsen has an insightful column on why it's unreasonable to place the burden for computer security on users. Rather than user education, he recommends changing the technology to make it simpler and more automated. "Computer security is too complicated and the bad guys are too devious and inventive," Nielsen writes. "It's simply unrealistic to assume that average users can keep up with them." He also cites "stupid security warnings that people don't understand," such as "The security certificate has expired or is not yet valid. What does that mean to a normal person?" The article has some sensible suggestions on what security managers should do, such as using encryption, digital signatures and automated updates.


Security center at UT/Austin: The University of Texas at Austin is opening a Center for Information Assurance and Security with the goal of tackling the nation's growing cybersecurity problems.

Continued...