Monday, September 1, 2008

Cyber Crime Updates

FEAR : Britain 'under constant attack in cyberwar' : Security Minister

The Government has warned a cyberwar is being waged against Britain with key computer networks coming under attack every day.

By Chris Irvine

23 Aug 2008


Lord West of Spithead, the Security Minister, said a mixture of state-sponsored hackers and "those operating at a terrorist level" regularly tried to break into key networks such as banking, electricity and telecommunications.

Although he said the Government was confident about its cyber-defences, he said: "If you take the whole gamut of threats, from state-sponsored organisations to industrial espionage, private individuals and malcontents, you're talking about a remarkable number of attempted attacks on our system - I'd say in the thousands.

"Some are spotted instantly. Others are much, much cleverer."

Lord West said the most serious threat came from terrorist-backed hackers trying to break into systems such as the National Grid.

Meanwhile state-sponsored organisations were more likely to want to conduct industrial espionage and steal commercial secrets.

He did concede threats to the national infrastructure were assessed as part of the National Risk Register, and the Government was confident about the country's cyber-defences.

Earl Zmijewski, an analyst with Renesys, a company that monitors internet traffic, said: "We're building this house of cards at the moment - connecting elements of our financial systems, as well as the systems which control nuclear power or water distribution, to the internet, and it's a very open environment. I can launch an attack on you from anywhere."

Lord West's warning comes as security experts in the US said they had uncovered evidence that Russia had carried out state-sponsored cyber-warfare against Georgia by attacking government computer networks during the recent conflict.

The Russian Government admitted the possibility that individuals based in Russia might have been responsible for the attacks - overloading several sites based in the central town of Gori, causing them to collapse - but denied state involvement.


TREND : US Data breaches already surpass 2007 total

Sue Marquette Poremba

August 26 2008


The number of reported data breaches has already surpassed 2007's total, according to a report from Identity Theft Resource Center.

Jay Foley, the nonprofit's executive director, told SCMagazineUS.com on Tuesday that so far in 2008, there have been 449 breaches reported by businesses, government, and universities, compared to 446 for all of last year.

“The breach list, however, doesn't reveal exactly how many records were compromised,” Foley said.

The reason the 2008 number is so high has to do with changes in regulations.

“More states and organizations are required to report breaches,” he said, “and more consumers want to hear about them.”

More than 40 states have enacted breach notification laws.

The increasing number of reported breaches is a result of a confluence of factors, said Alexander Southwell, a former federal prosecutor and cybercrime expert.

“They include an increasing number of data breach notification laws, increasing enforcement of privacy and data integrity issues by regulators, law enforcement, and civil plaintiffs' attorneys, and the ongoing digitization of society, where more and more personal identifying information is captured and stored,” he said.

Kevin Mandia, founder of security intelligence firm Mandiant, told SCMagazineUS.com that the number of data compromises is increasing.

“That increase is likely due to the development of SQL injections, which made breaches much easier to do,” Mandia said. “Human intervention is not as necessary for data theft as it once was.”

He added that compliance regulations are forcing more companies to discover breaches.

“Instead of the ‘ignorance is bliss' approach that was the norm in the past, firms are becoming more diligent about investigating breaches,” Mandia said.


CARELESS : Probe after one million bank customers sold on eBay

By Dan Newling

Daily Mail

27th August 2008


The eBay computer scandal which saw the loss of personal data on a million bank customers is to be investigated by the Information Commissioner.

The firms involved - the Royal Bank of Scotland, NatWest and American Express - have also promised to launch probes.

The Mail revealed today that the data was found on a second-hand computer sold for £35 in an eBay auction.

'A thief's treasure chest': Andrew Chapman with the hard disk drive he bought on eBay containing the private bank details of more than a million people

It had belonged to Graphic Data, which stores financial information for organisations at its archive in Shoeburyness, Essex.

A spokesman for Mail Source, which owns Graphic Data, put the situation down to an 'honest mistake'.

She added: 'We know which employee took the server and sold it, but we believe it was an honest mistake and it was not intentional to sell it without the server being cleared.

'We want to stress that this is an isolated incident and we are investigating how the server was removed and sold.

'This is a very unfortunate incident and we are taking measures to ensure it will never happen again.'

The Mail Source employee sold the computer to Andrew Chapman, a 56-year-old IT manager from Oxford.

It held account numbers, phone numbers, signatures and other personal details, none of which are thought to have been handed to any third parties.

RBS, NatWest and American Express are expected to contact customers once they have analysed the data at risk.

The Information Commissioner's Office is investigating an apparent breach of the Data Protection Act.

A spokesman said: 'A data breach is very serious. Our investigation will look at the circumstances of how this happened, and we will be seeking an urgent explanation from Graphic Data to establish what has gone wrong and the steps that are being taken to prevent a similar incident occurring.'

American Express said it was working 'as a matter of priority' to establish which of its card holders could have been affected.

A spokesman said: 'We have strict guidelines for suppliers around the security of information. We are currently working as a matter of priority to establish exactly what data is impacted and identify the card members who may be affected.'

An RBS spokesman said: 'We take this issue extremely seriously and are working to resolve this regrettable loss with Graphic Data as a matter of urgency.'

The computer and a second server sold with it to Mr Chapman were tonight returned to Graphic Data.

Identity fraud is one of the fastest growing areas of crime in Britain and Home Office figures show it costs the economy £1.3 billion a year.

But Marc Kirby, an IT lecturer at Cranfield University, said today that some firms did not realise how hard it was to delete computer files.

'You can't escape leaving a data trail in the 21st century, and it will only get worse,' he warned. 'People think they have deleted emails or documents but it is usually very easy to retrieve them.

'In most circumstances you can buy software on the internet for £25 that will retrieve almost anything, unless the computer has been totally wiped or the hard drive is destroyed.'

Case study

As someone with a limit of more than £20,000 on his credit card, Christopher Tomlins was shocked to learn that NatWest has lost the information that could give anyone access to his account.

When told about the breach by the Daily Mail, Mr Tomlins, 32, said: 'It is like they have given my house keys to a stranger and then said, "Help yourself".'

Mr Tomlins's personal information is revealed in a photograph of an application for a NatWest 'black' credit card he made on April 14, 2005.

The completed application form contains his name, address, date of birth, mobile phone number and home phone number.

It also reveals his mother's maiden name, signature, annual income, bank account number, bank sort code and the 16-digit number of the credit card he was granted.

Mr Tomlins, who runs his own lighting company in Ealing, West London, said: 'I am amazed that NatWest have let this information get out. If the company looking after the information was getting rid of the computer, they should have destroyed the hard drive.'

Mr Tomlins's details were contained on one of 227 photographs of separate credit card application forms found on just one of 32 computer files containing NatWest card information.


TECHNOLOGY : Road Tolls Hacked

A researcher claims that toll transponders can be cloned, allowing drivers to pass for free.

By Duncan Graham-Rowe

Technology Review 2008.

August 25, 2008


Drivers using the automated FasTrak toll system on roads and bridges in California's Bay Area could be vulnerable to fraud, according to a computer security firm in Oakland, CA.

Despite previous reassurances about the security of the system, Nate Lawson of Root Labs claims that the unique identity numbers used to identify the FasTrak wireless transponders carried in cars can be copied or overwritten with relative ease.

This means that fraudsters could clone transponders, says Lawson, by copying the ID of another driver onto their device. As a result, they could travel for free while others unwittingly foot the bill. "It's trivial to clone a device," Lawson says. "In fact, I have several clones with my own ID already."

Lawson says that this also raises the possibility of using the FasTrak system to create false alibis, by overwriting one's own ID onto another driver's device before committing a crime. The toll system's logs would appear to show the perpetrator driving at another location when the crime was being committed, he says.

So far, the security flaws have only been verified in the FasTrak system, but other toll systems, like E-Z Pass and I-Pass, need to be looked at too, argues Lawson. "Every modern system requires a public security review to be sure there aren't different but related problems," he says. Indeed, in recent weeks, researchers announced flaws in another wireless identification system: the Mifare Classic chip, which is used by commuters on transport systems in many cities, including Boston and London. However, last week, the Massachusetts Bay Transportation Authority (MBTA) filed a lawsuit to prevent students at MIT from presenting an analysis of Boston's subway system.

The Bay Area Metropolitan Transport Commission (MTC), which oversees the FasTrak toll system, maintains that it is secure but says it is looking into Lawson's claims. "MTC is in contact with vendors who manufacture FasTrak lane equipment and devices to identify potential risks and corrective actions," says MTC spokesman Randy Rentschler. "We are also improving system monitoring in order to detect potentially fraudulent activity."

In the past, authorities have insisted that the FasTrak system uses encryption to secure data and that no personal details are stored on the device--just two unique, randomly assigned ID numbers. One of these is used to register the device when a customer purchases it, while the other acts as a unique identifier to let radio receivers at tolls detect cars as they pass by.

But when Lawson opened up a transponder, he found that there was no security protecting these IDs. The device uses two antennas, one to detect a request signal from the toll reader and another to transmit its ID so that it can be read, he says.

By copying the IDs of the readers, it was possible to activate the transponder to transmit its ID. This trick doesn't have to be carried out on the highway, Lawson notes, but could be achieved by walking through a parking lot and discreetly interrogating transponders.

What's more, despite previous claims that the devices are read only, Lawson found that IDs are actually stored on rewritable flash memory. "FasTrak is probably not aware of this, which is why I tried to get in touch with them," he says. It is possible to send messages to the device to overwrite someone's ID, either wiping it or replacing it with another ID, says Lawson.

"Access to a tag number does not provide the ability to access any other information," says MTC's Rentschler. "We also believe that significant effort would need to be invested in cloning tags." He adds, "If any fraudulent toll activity is detected on a customer's account, the existing toll-enforcement system can be used to identify and track down the perpetrator."

Lawson says that using each stolen ID just once would make it difficult to track down a fraudster. A better solution, he believes, would be to require toll readers and transponders to carry out some form of secure authentication. But this would require changes by MTC. As an alternative, Lawson is working on a privacy kit to let drivers turn their transponders on and off so that they are only vulnerable for a brief period as they pass a toll.
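As an added illustration of the secure authentication Lawson proposes (example code, not FasTrak's, Root Labs' or the article's own; the Tag and Reader classes, the per-tag key and the message format are assumptions), a challenge-response exchange in which the tag proves knowledge of a secret key, so a device holding only a copied ID or a recorded response cannot pass a fresh read:

```python
import hashlib
import hmac
import secrets

# Constructed example: instead of broadcasting a static ID, the tag answers
# each reader challenge with an HMAC keyed by a per-tag secret. The key is
# never transmitted, so copying the ID alone is not enough to be accepted.


class Tag:
    def __init__(self, tag_id: str, key: bytes):
        self.tag_id = tag_id
        self.key = key  # provisioned when the tag is issued (assumed)

    def respond(self, challenge: bytes) -> tuple[str, bytes]:
        mac = hmac.new(self.key, challenge + self.tag_id.encode(), hashlib.sha256).digest()
        return self.tag_id, mac


class Reader:
    def __init__(self, keys: dict[str, bytes]):
        self.keys = keys  # back-end table: tag_id -> secret key (assumed)

    def challenge(self) -> bytes:
        return secrets.token_bytes(16)  # fresh nonce for every read

    def verify(self, challenge: bytes, tag_id: str, mac: bytes) -> bool:
        key = self.keys.get(tag_id)
        if key is None:
            return False
        expected = hmac.new(key, challenge + tag_id.encode(), hashlib.sha256).digest()
        return hmac.compare_digest(expected, mac)


def genuine_read(reader: Reader, tag: Tag) -> bool:
    c = reader.challenge()
    tag_id, mac = tag.respond(c)
    return reader.verify(c, tag_id, mac)


def replayed_read(reader: Reader, tag: Tag) -> bool:
    # A device that recorded one earlier (challenge, response) pair and knows
    # the ID replays that response to a later challenge; the nonce differs,
    # so the MAC no longer matches and the reader rejects it.
    old_c = reader.challenge()
    tag_id, old_mac = tag.respond(old_c)
    new_c = reader.challenge()
    return reader.verify(new_c, tag_id, old_mac)


def demo() -> tuple[bool, bool]:
    key = secrets.token_bytes(32)
    tag = Tag("TAG-0001", key)  # constructed tag ID
    reader = Reader({tag.tag_id: key})
    return genuine_read(reader, tag), replayed_read(reader, tag)
```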

There is another way, he says. "It's probably in the user's best interest to just leave it at home." This is because FasTrak uses license-plate recognition as a backup.

Ross Anderson, a professor of security engineering at Cambridge University, in the U.K., says that "very many embedded systems are totally open to tampering by anyone who can be bothered to spend some time studying them."

Competent use of encryption is the exception rather than the norm, Anderson adds, and the situation is unlikely to change soon. "One industry after another is embracing digital technology, and none of them realize that they need computer security expertise until it's too late and they get attacked," he says.

Bruce Schneier, chief security technology officer at BT, based in Mountain View, CA, says that it is too easy for companies to get away with lousy computer security. "Honestly, the best way is for the transportation companies to sue the manufacturers," he says. "Then they'll think twice about selling shoddy products in the future."


New IT Term of the day

rogue wireless device

A wireless networking term used to describe unauthorized devices connected to the network that pose a significant risk to the organization. Rogue wireless devices can be broken down into two categories: access point (AP) based threats (rogue access points) and computer based threats (rogue peers).


Quote of the day

Only the winners decide what were war crimes

Gary Wills
