Friday, June 27, 2008

Crooks Nab Citibank ATM Codes, Steal Millions

Slashdot recounts how Citibank is reissuing ATM cards on the heels of a server breach in which hackers stole customer PIN codes. Wired magazine published two related articles about the FBI's arrest of 10 people allegedly involved in stealing over $2 million from Citibank checking and savings accounts, two of whom were Ukrainian immigrants each caught with $800,000 in cash stashed in boxes in their homes.

The ATM crime caper is apparently the first to be publicly linked to the breach of a major US bank's systems, say experts.
"We've never heard of PINs coming out of the bank environment," says Dan Clements, CEO of the fraud watchdog company CardCops, who monitors crime forums for stolen information.

See complete details at WIRED ThreatLevel on June 18th and WIRED ThreatLevel on June 24th.

Thursday, June 26, 2008

Senate Hearing On Laptop Seizures At US Border

Slashdot notes that at a Senate hearing, privacy advocates and industry groups will press lawmakers to take action to protect the privacy of Americans returning home to the United States.

According to travel and privacy analysts scheduled to testify before a Senate panel today, U.S. Customs and Border Patrol's routine of seizing laptop computers and other electronic devices from American travelers returning to the United States, without notifying them of what will happen to the data, could negatively affect the U.S. economy.

Peter Swire, chief counselor for privacy under President Bill Clinton, said he plans to tell the subcommittee how laptop searches are similar to the failed encryption policies of the 1990s.
“The government policy violates good security practices,” he said. “It asks for password and encryption keys, which people are trained to never reveal. It violates privacy, chills free speech and compromises business secrets.”
See details at nextgov.

Monday, June 23, 2008

US Court Disconnects Canadian Domain Name Scammers

Slashdot ran a post about an order by a US District judge to halt the illegal practices of Canadian operators posing as domain name registrars who, according to the Federal Trade Commission, send bogus bills to thousands of U.S. small businesses and nonprofit organizations for the annual "Website Address Listing". Many businesses, believing that they would lose their website addresses, pay the invoice.

The FTC says that the Toronto-based Internet Listing Service has been sending fake invoices since 2004 and that most consumers have not received any domain name registration services.

For the complete story, see article by the Federal Trade Commission.

Friday, June 20, 2008

New Intrusion Tolerance Software Fortifies Server Security

ACM TechNews reports that researchers at George Mason University have developed a nonreactive approach for dealing with intrusion detection and prevention.

Arun Sood, professor of computer science and director of the Laboratory of Interdisciplinary Computer Science, and Yin Huang, senior research scientist in the Center for Secure Information Systems, start from the assumption that someone is already trespassing on computer servers. Their approach limits the time of continuous connectivity to the Internet and uses virtualization technology to create duplicate servers, so that an online server is periodically cleansed and restored to a known clean state, regardless of whether an intrusion has actually occurred or been detected.

In creating Self Cleansing Intrusion Tolerance (SCIT), Sood and Huang achieve the goal of limiting the exposure time of the server to the Internet.
“This approach of regular cleansings, when coupled with existing intrusion prevention and detection systems, leads to increased overall security,” says Sood. “We know that intrusion detection systems can detect sudden increases in data throughput from a server, so to avoid detection, hackers steal data at low rates. SCIT interrupts the flow of data regularly and automatically, and the data ex-filtration process is interrupted every cleansing cycle. Thus, SCIT, in partnership with intrusion detection systems, limits the volume of data that can be stolen.”
See George Mason University News for further information.

Thursday, June 19, 2008

Can Computer Scientist Dream Team Clean Up E-Voting?

An entry in ACM TechNews states that the Center for Correct, Usable, Reliable, Auditable, and Transparent Elections (ACCURATE) has received a $7.5 million National Science Foundation award to bring the latest research, insight, and innovation from the lab to the voting booth, making e-voting systems more secure.

The organization of computer experts from across the country and academic disciplines finds areas that need additional research and determines how to apply existing technology and research findings to voting systems.

One such tool is the open source AttackDog, a threat modeling system developed by David Dill, Co-PI and Professor at Stanford University. According to Dill, AttackDog is a good example of how the ACCURATE project uses computer science tools and techniques to help local officials improve the security of their elections.
"It's using computers to get a grip on problems that are too complex for the mind to understand unaided," Dill says.

See full article at NETWORKWORLD.

Wednesday, June 18, 2008

Nuclear Warhead Blueprints On Smuggler's Computers

Slashdot reports that, according to leading US researcher David Albright, blueprints for a sophisticated and compact nuclear warhead have been found in computers belonging to the nuclear smuggling network run by rogue Pakistani nuclear scientist Abdul Qadeer Khan. The designs, found in heavily encrypted computer files in Switzerland, are supposed to be in the possession of U.S. authorities and the International Atomic Energy Agency in Vienna. Investigators fear, however, that they could have been extensively copied to "rogue" states within the nuclear black market.

Albright, a physicist, former UN weapons inspector and authority on the nuclear smuggling ring run by Khan, said that the "construction plans" included previously undisclosed designs for a compact warhead that could fit Iran's medium-range ballistic missiles.
"These advanced nuclear weapons designs may have long ago been sold off to some of the most treacherous regimes in the world," wrote Albright.
For more information see this article in the New York Times, as well as another report in .

Monday, June 16, 2008

EFF To Fight Border Agent Laptop Searches

Slashdot notes that the Electronic Frontier Foundation (EFF) and the Association of Corporate Travel Executives have filed an amicus brief requesting that the 9th Circuit Court of Appeals rehear and reverse a three-judge ruling that permits border agents to routinely search files on laptops and mobile devices.
The random searching of laptops is "widespread," said Lee Tien, senior staff attorney with the EFF. The U.S. Department of Justice "claims that U.S. border agents have the power to do so, no suspicion needed, and there are plenty of reported incidents," he added.
Tien noted that there have been multiple media reports in recent months of laptops or other electronic devices being searched or seized at U.S. borders. In some cases, customs officials have not returned the electronic devices to travelers.

See details at InfoWorld.

Friday, June 13, 2008

Data Breach Study Spanning 500 Break-Ins Released

Slashdot presents a link to a report from Verizon Business that is a summary of what they found in 500 forensic investigations involving 230 million records, with an analysis of hundreds of corporate breaches including 3 of the 5 largest ever reported.

The 2008 Data Breach Investigations Report covers four years and, as the first study of its kind, found that 73 per cent of breaches came from external sources versus 18 per cent from insider threats.
“Security breaches and the compromise of sensitive information are very real and growing concerns for organizations worldwide,” said Dr. Peter Tippett, vice president of research and intelligence for Verizon Business Security Solutions. “This report can help companies better understand data breaches – how they occur and the commonalities that exist. Most importantly, it urges organizations to be proactive in their approach to security -- the absolute key to safeguarding data.”

See complete article at

Thursday, June 12, 2008

Chinese Government Accused of Hacking Congress

A Slashdot post from yesterday says that Chinese hacking is getting serious Congressional attention.

Two House members said that their Capitol Hill computers, which have information about political dissidents from all over the world, had been hacked by parties apparently working out of China. Both lawmakers have been longtime critics of China's record on human rights. One of them, Virginia Rep. Frank Wolf, says the hacking of computers in his Capitol Hill office started in August 2006.

Wolf suggested the problem is probably even larger.
"If it's been done in the House, don't you think that they're doing the same thing in the Senate?"
See full article at Yahoo News.

Wednesday, June 11, 2008

TSA Bans Flight If You Refuse To Show ID

Slashdot notes CNET's article regarding a press release issued recently by the Transportation Security Administration announcing that passengers refusing to show ID will no longer be able to fly.
"Beginning Saturday, June 21, 2008 passengers that willfully refuse to provide identification at security checkpoint will be denied access to the secure area of airports. This change will apply exclusively to individuals that simply refuse to provide any identification or assist transportation security officers in ascertaining their identity."
However, passengers claiming to have lost or forgotten their proof of identity will still be able to fly. To clarify: passengers who refuse to show ID, citing a constitutional right to fly without ID, will be refused passage beyond the checkpoints. Passengers who say they have left their ID at home will be searched and then permitted to board their flights.

In other words, TSA's new rules only protect us from a non-existent breed of terrorist who is unable to tell a lie...

See more at CNET.

Monday, June 09, 2008

ID Theft In US Continues Apace Despite Data Breach Laws

A Slashdot posting from yesterday points to an article in TechWorld about Carnegie Mellon researchers' published analysis of the ineffectiveness of data breach notification laws adopted by 43 US states.
"There doesn't seem to be any evidence that the laws actually reduce identity theft," said Sasha Romanosky, a Ph.D. student at Carnegie Mellon who is one of the paper's authors.
Nevertheless, they did find that other factors, such as the state's population, gross domestic product and fraud rate, did have a significant effect on identity theft rates.

Gartner analyst Avivah Litan points out that it is hard to draw conclusions from the data because FTC reports are incomplete. She notes that while breach laws have made front-page news out of lost laptops, most companies respond to tighter laws and regulations by concentrating on compliance rather than on security.

Often, that's not good enough to protect customers from ID theft, she said.
"If you just meet the letter of the law you may pass an audit, but you have to pass the spirit of the law."
See TechWorld for more information.

Tuesday, June 03, 2008

China's Cyber-Militia

Slashdot posted an article about the cover story in the current issue of National Journal that is an in-depth report on China's cyber-aggression toward US government, military, and business networks.

While China's cyber-warfare actions have been discussed on numerous occasions in the past, this report suggests that Chinese cyber-attackers may have been involved in major power outages in the US.

To wit, computer hackers in China, including those working on behalf of the Chinese government and military, have gained access to electric power plants in the United States, possibly triggering two recent widespread blackouts in Florida and the Northeast.

For a discussion of China's People's Liberation Army's likely involvement in the outages, see National Journal Magazine.