Friday, June 27, 2008
Quote of the day
New IT Term of the day
pluggable authentication module (PAM)
A UNIX programming interface that enables third-party security methods to be used. By using PAM, multiple authentication technologies, such as RSA, DCE, Kerberos, smart card and S/Key, can be added without changing any of the login services, thereby preserving existing system environments.
1 Million Chinese PCs Hijacked by Criminals
FIRST told of Chinese PC hijack explosion
Frank Wintle
WEBWIRE
June 25, 2008
http://www.webwire.com/ViewPressRel.asp?aId=68776
VANCOUVER, CANADA, JUNE 25. The number of innocent individuals in China whose personal computers were hijacked by criminals rose by a staggering 2125 per cent between 2006 and 2007, delegates were told here today at the 20th annual conference of FIRST, the Forum of Incident Response and Security Teams.
During sessions when the need for sophisticated approaches to combat the increasing sophistication of Internet crime rode high on the conference agenda, Dr Minghua Wang, who heads China’s Computer Emergency Response Team Co-ordination Centre, revealed that while the number of PCs hijacked for remote Trojan hosting was already relatively high at 44,717 at the end of 2006, twelve months later the number had exploded to nearly a million – 995,154.
“Malicious websites have become a major threat to normal Internet users in China,” he said.
“We now have web-based Trojan networks, driven by economic profit and launched by experienced and well organised black hats, with hundreds of malicious hosts at different locations within China, and even abroad.
“We need co-operation between computer emergency response teams and law enforcers.”
UK Gov calls on white hat hackers to spot data leaks
By Chris Williams
25th June 2008
http://www.theregister.co.uk/2008/06/25/cabinet_office_data_handling_report/
The civil service's systems will be subjected to new attacks by independent white hat hackers in a bid to spot weaknesses in government data handling before catastrophic losses occur, it was announced today.
The white hat programme is one of a suite of targets, training and scrutiny measures that Cabinet Secretary Gus O'Donnell hopes will bring about a "culture change" across the civil service and restore public faith in the government's competence in handling sensitive data.
He said: "The risk we must counter is that citizens and business lose trust in the Government to handle their data effectively. It would be foolish not to acknowledge that the lapses in data security have affected this confidence."
O'Donnell revealed the new programme as he published his office's final report on data handling in government. The internal inquiry ran parallel to the independent Poynter report, also published on Wednesday.
Both investigations were launched in the wake of a series of government data losses last year. The blundering run was topped by HMRC's disappearing unencrypted CDs, which contained 25 million child benefit records. Poynter looked specifically at the HMRC incident, while the Cabinet Office report sets a strategy for improving data handling throughout government.
O'Donnell argued that the government's stores of personal data have brought great benefits to the public. "Yes we have lots of data on individuals," he protested to reporters. "And that is, for individuals, good."
All government departments are in the process of scrambling laptop hard drives after the Cabinet Office, which oversees the civil service, banned unencrypted machines in January.
O'Donnell also said the government's many outsourced data contracts would be amended to insist that private contractors abide by the new data regime. He claimed the response from outsourcing firms to the new rules had been positive.
Proposed new data-based public services will be subject to a Privacy Impact Assessment, which will judge the risks that collecting or sharing the necessary data could have. The UK's privacy watchdog, Information Commissioner Richard Thomas, is planning his first use of new civil service spot check powers granted to him following last year's embarrassing rash of data losses.
Announcing formal action against HMRC and the MoD (over laptop losses, reported on today by Sir Edmund Burton) Thomas described the government's handling of data as "deplorable". He said: "Whilst these breaches have been highly publicised and involve big numbers, sadly they are not isolated cases. It is deeply worrying that many other incidents have been reported, some involving even more sensitive data. It is of fundamental importance that lessons are learned from these breaches."
ICO enforcement notices have been issued to the MoD and HMRC requiring them to follow the Burton and Poynter recommendations respectively - failure to comply is a criminal offence.
Yet another ongoing review of how the government handles information, this time on paper, is currently being led by Sir David Ormand. He was asked to investigate after top secret intelligence documents were left on a Surrey commuter train.
The Cabinet Office today said it will report government progress on data handling to parliament annually. You can read the full report here (pdf) (http://www.cabinetoffice.gov.uk/~/media/assets/www.cabinetoffice.gov.uk/csia/dhr/dhr080625%20pdf.ashx).
Fired IT Director of Organ Bank accused of hacking
By CINDY GEORGE
June 24, 2008
http://www.chron.com/disp/story.mpl/headline/metro/5854484.html
The fired technology director of a Houston organ donation company has been accused of hacking into its computer system and deleting records.
A federal indictment alleges that over two days in November 2005, Danielle Duann illegally accessed and damaged LifeGift Organ Donation Center's database.
The agency recovers organs and tissue from the deceased for distribution in 109 Texas counties. Recipients live in a broad swath of the state including Houston, Fort Worth, Lubbock and Amarillo.
After Duann, 50, was fired as the agency's director of information technology, she is accused of accessing the system and issuing commands that wiped out organ donor information and accounting files.
"There was no interruption in clinical operations as a result of the deletion of files, therefore no lives of transplant candidates were in jeopardy," LifeGift spokeswoman Catherine Burch Graham said Tuesday afternoon.
The agency recovered the information from a backup system.
"All of the files were back within several months of the hacking and clinical operations were not affected in any way," Graham said.
Duann is charged under a statute that makes it a federal crime to use technology to impair, or potentially impair, medical examination, diagnosis, treatment and care.
Graham said she could not elaborate on the reason why Duann was fired after a 2 1/2-year tenure.
The intrusion cost the center, which coordinates organs and tissue donations to 200 hospitals in the Southwest, $70,000.
The case is being prosecuted by lawyers from the local U.S. Attorney's Office and the Justice Department's computer crime and intellectual property section.
Duann's face was wet as she was escorted by a U.S. Marshal Tuesday afternoon and she was unable to respond to questions.
If convicted, the former computer chief faces up to 10 years in prison and a $250,000 fine.
Cyber Attack on Pacific Island Internet Infrastructure
Marshalls internet still affected after cyber attack
25 June, 2008
http://www.rnzi.com/pages/news.php?op=read&id=40547
http://www.yokwe.net/index.php?name=News&file=article&sid=2211/
The general manager of the Marshall Islands National Telecommunications Authority, the NTA, says it may be a few days yet before its email system is back to normal.
An unprecedented cyber attack on the monopoly Internet provider this week caused a complete shutdown of email traffic to the country.
A local information technology expert said someone unleashed infected computers to flood the NTA with mail, leading to the shutdown of the system.
The NTA’s general manager, Tony Muller, says technicians are still working on the problem.
“We were able to, sort of, bring it back to normal, we are seeing that out traffic is back to normal, when four times it was before, and they are still working on it.”
Tony Muller says in the meantime, they have built two back-up servers to avoid this problem again.
Vista, Internet Explorer and Outlook tips
In the Tools menu, select Internet Options. In the General tab, under Tabs, click the Settings button. Uncheck the topmost checkbox, which is labelled Enable Tabbed Browsing (requires restarting Internet Explorer), and click OK. To enable the tabbed browsing function later, just go back and select this option, and save your preferences.
If you want to search for a particular word or phrase on the web page you’re viewing and can’t be bothered to read through every paragraph, just press Ctrl and F together and type the word or phrase you want.
A handy short cut to display the address bar history on the Internet Explorer is to press F4.
To open the Organize Favourites Dialog box, press Ctrl and B together.
One of the ways to search for a file on Windows is the Search box available in every folder. You can type in any word associated with the file you’re looking for; Windows will look for that word in the file names, file contents, and file properties of all the files in the current view. To filter your search, say by files modified on a particular date, you can type “modified:
Starting up an application was never easier or quicker. No need to go through the Start menu and then several sub-menus. Just start typing the name of the program into the bar at the bottom and have Vista bring up the name of the program you need instantly!
Windows Vista assigns shortcuts to all the items in your Quick Launch toolbar, on its own, depending on the icons’ positions in the sequence. So if you want to open the program whose icon is the fourth in your Quick Launch bar, just press the Windows key + 4.
Is your Sidebar cluttering up your life? To get in a little breathing room, right-click gadgets that you don’t use frequently and change their opacity settings to 40 percent. These gadgets will now fade out of view when you are not using them.
To change your Windows Vista theme, right-click your desktop and select Personalise. Next, click Themes; in the dropdown menu, choose the theme you want, and click Apply.
If you’ve recently been doing something with your computer that generates a lot of temporary files, you may want to make sure all those files are cleaned out of your system to free up precious space. To do this, just enter %TEMP% into your Start menu search box and press Enter. The temporary files folder will open, allowing you to delete files and prevent unnecessary clutter.
Is your PC running slowly? Go to your Power Options control panel and look for the Power Saver setting that is set at 50 percent (default setting in Vista). Change this setting to High Performance and let your PC run faster.
Worried about memory defects in your PC? You can use Vista’s in-built tool to diagnose issues. Enter the word “memory” into your Start menu search box, and you will be taken to the Memory Diagnostics Tool. A dialog box will open and ask you whether you want to reboot your PC immediately or later. Vista will then run the Memory Diagnostic Tool while starting up.
If you want to resize the icons quickly in Windows Vista Explorer, press and hold the Ctrl key, and scroll up or down with the mouse wheel.
Go to the Control Panel and search for the term “underline”. In your search results, you’ll get a link for Underline keyboard shortcuts and access keys. Click this, and in the next screen, go to the checkbox for Make it easier to use keyboard shortcuts. Select this. Now, whenever you go to any menu, the access keys for each function will be underlined. Pressing Alt with this key would enable the function.
If you’ve sent out an important e-mail and want to ensure that the recipient has received and read it, you can set an option in Outlook to do so. Once you’ve composed the message in Outlook 2007, go to the Options tab and the Tracking group. To know that your message was delivered, click Request a Delivery Receipt. To know that the message was read, click Request a Read Receipt.
From an open email message, you can add the name and email address of the sender to your Contacts. Right-click the name of the sender in the message and click Add to Contacts in the menu that appears.
The Mini toolbar in Word, Excel, PowerPoint and Outlook (2007) helps you to format selected text in these programs; you can work with fonts, alignment, bullets, and other features. The toolbar is semi-transparent when you select text in any of these programs. You can take your pointer to the toolbar and click the option that you want to use.
Do you have to strain your eyes to read your email headers in Outlook 2003? Click on the View menu. Under Arrange by, select Current View, and then Customize Current View. Now click on Other Settings. Select Row Fonts and change the font to the one that you desire. Click OK.
E-mail signature in Outlook
Go to the Tools menu and select Options. Under Options, click on the Mail Format tab. Go to the Signatures tab. Click New and type in a name for the new email signature you are creating. Click on Next. Type in your desired email signature; choose the font style and sizes. Click OK.
Once you’ve scheduled a meeting or event using Outlook 2007, you can change its subject, location or time if needed. This can be done for a standalone event, for a whole series of recurring events, or one event of a series of recurring events.
You may like your Outlook 2007 Calendar to display holidays for the current year. You can do this for not only your own region, but also the region in which key business partners operate.
There are several ways in which you can add an RSS feed to Outlook 2007. If you use Internet Explorer 7, you will see the RSS feed icon next to the Home button on the browser. Clicking the RSS feed icon will display the list of available feeds on the Web page. Click the feed that you want to add.
New webcams from Microsoft
Wednesday, June 25, 2008
Quote of the day
It's not that I'm so smart, it's just that I stay with problems longer.
Albert Einstein
(1879-1955)
New IT Term of the day
platform security
A security model that protects an entire platform, securing the full span of software or devices on that platform and removing the need to incorporate individual or multiple security measures for different programs on the system. Security at the platform level simplifies the security process for IT and developers. However, once the security is cracked, the entire platform is vulnerable. Trusted Platform Module, designed to secure an entire notebook, is a type of platform security.
Smart Phone Viruses – a threat to your network?
John Cox
Network World
June 23, 2008
All evidence points to the fact that smart phone viruses will be a threat to your network even though they aren't at this moment. After all, the latest mobile devices are packed with more and more applications and corporate data, are enabled for real Web browsing and online collaboration, and can access corporate servers. What's more, they live outside your firewall and often make use of three wireless networks (Bluetooth, Wi-Fi and cellular).
"It's definitely something I worry about a lot," says Sam Lamonica, CIO of Rulph & Sletten, a Redwood City, Calif., general contractor. "With the proliferation of smart phones throughout our business, it poses a great risk if and when hackers get good at pumping malware through those devices."
A 2007 survey of 450 IT managers found Lamonica is not alone. Eighty percent had antivirus products installed. Yet about 40% had been hit by a worm or virus in the past 12 months. Of those that were hit, 30% said that being unable to reach mobile users who were disconnected from the network contributed to the intrusion or failure that allowed a virus onto their network.
"The phone has advanced exponentially, while users have not caught up and realized that they are walking around with a computer," says Mark Olson, Manager, Beth Israel Deaconess Medical Center in Boston.
That's shown by the success of Apple's iPhone. Its users are among the first to do intensive and extensive mobile Web browsing, enabled by the performance of the phone's Safari browser. But Web browsing also enables a range of malware for smart phones in general.
"If you go to Twitter [on the Web], you have to rely on Twitter security," says Tom Henderson, a Network World Clear Choice tester, and managing director for ExtremeLabs in Indianapolis. "You can get cross-site exploits that can dive down into the phone's browser. Then, it's a problem."
"Anything that is network connected and can be altered is a potential threat," says Rob Enderle, principal analyst for Enderle Group, a technology advisory firm in San Jose. The growing "socialableness" of smart phones, via everything from e-mailing to instant messaging and even texting, all provide opportunities for tricking users into downloading malware, he says.
To date, major malware outbreaks on smart phones, on the scale of PC infections of past years, are almost unheard of. Early mobile phone viruses, such as Cabir, Skulls and Fontal, targeted a specific operating system, usually Symbian, and required users to accept a download and then actually install files. Infections were limited to a few score of devices typically.
But if those few score smart phones are all yours, it's actually worse than some malware romping through millions of PCs. As companies standardize on a specific smart phone platform, they run a growing risk of malware reaching a significant percentage of those devices, Olson says.
"Most of the known viruses and Trojans will propagate through Bluetooth or Multimedia Messaging [MMS]," Olson says. "So all it takes is one person walking into a meeting with an infected device, and the rest of the room now needs a dose of 'penicillin.'"
Now is the time to start thinking systematically about these issues, because there is no simple, formulaic solution to the problem of smart phone security.
"It's really important in planning a mobile deployment of devices outside your firewall, that you establish a mobile security strategy, including application security," says Scott Totzke, vice president of the Global Security Group for Research in Motion. That means creating a comprehensive security scheme that can be monitored and enforced through a collection of software products, enforceable policies, and user awareness and training.
A key element in this strategy is handling the software that users can, or can't, load on these devices, Totzke says. "You create an approved list of applications, and the privileges they have when they're running on the handset," he says.
Unauthorized downloads can be blocked, and so can unauthorized actions by "legal" applications.
One emerging option, already established in Europe, says Stan Schatt, vice president for wireless connectivity at ABI Research, is a managed service for mobile security, such as the one recently unveiled by Sprint. For a monthly fee, the carrier pushes out regular patches and security fixes. Some vendors, such as Fiberlink Communications, offer a managed service for mobile security.
88% businesses failing on PCI data security standard
Long term commitment needed to tackle problem, survey says
By Leo King
24 June 2008
http://www.computerworlduk.com/management/security/data-control/news/index.cfm?newsid=9731
The vast majority of businesses are still failing to comply with the Payment Card Industry’s data security standard, over two years after it became compulsory, according to a report.
Some 88 percent have not complied with the rule, and over half are unable to say when they will be compliant, says a survey by security management software vendor NetIQ.
The PCI DSS standard concerns security management, policies, procedures, network architecture, software design and other protection measures.
Many companies were set to be left even further behind, NetIQ said, because on 30 June version 6.6 of the rule will come into place, concerning new security measures to protect web applications. All merchants accepting payment card transactions will be expected to either use a specialised firewall or have completed a web application software code review for finding and fixing vulnerabilities.
Europe is behind the US in DSS compliance, where a similar NetIQ survey showed nearly twice the proportion of companies were compliant, at 23 percent.
But, according to the European survey of 65 IT managers, firms found that the road to compliance was complex. Nearly half had been working for over six months to become compliant. Some 93 percent felt fines would either not typically be issued, or exceptions would be made.
Adam Evans, senior security specialist at NetIQ, said compliance required “a significant long-term commitment of resources”, but warned that the cost of a security breach and reputational damage “could be far greater”.
Millions Stolen from Citibank ATM using Stolen Data
A unique breach of bank information has hit one of the world's largest banks.
Chuck Miller
June 19 2008
http://www.scmagazineus.com/ATM-hackers-net-millions-using-stolen-information/PrintArticle/111499/
According to a federal grand jury indictment, two hackers, using bank accounts and PINs stolen over the internet, managed to steal millions of dollars from Citibank.
The two charged were a Ukrainian immigrant named Yuriy Ryabinin, and Ivan Biltse. The pair are alleged to be part of a worldwide scam that has made 9,000 fraudulent ATM withdrawals, according to court documents. The money was drained from ATMs in the New York area, authorities said.
“On or about February 1, 2008, Citibank representatives informed the FBI that a Citibank server that processes ATM withdrawals at 7-11 convenience stores had been breached," according to an affidavit filed with a New York federal court by Albert Murray, an FBI special agent.
There were hundreds of ATM withdrawals in New York from October 2007 to March of this year, all using the breached information, authorities said. Some of the illicit withdrawals were videotaped. The criminals used ATM cards encoded with Citibank customer account information to withdraw the money.
Specifically, the indictment charged that the criminals “received over the internet information relating to the bank accounts of multiple Citibank customers, which information had been previously stolen from Citibank.”
A spokeswoman for Citibank did not respond to a request for comment.
With correct information, it is very easy to create a counterfeit card, Avivah Litan, Gartner vice president and distinguished analyst, told SCMagazineUS.com on Thursday.
"All you have to have is the PIN and enough customer information," she said. "And the criminals have figured out how to get that."
This kind of fraud is becoming an enormous problem for banks, said Litan.
“Criminals have found ways to basically bypass many of the controls that banks have in place," she said. "So ATM and debit card fraud is expected to rise. In our surveys, banks themselves expect the rate of fraud to double over the next two years."
Web browsers face crisis of security confidence
By Dan Goodin in San Francisco
23 June 2008
http://www.theregister.co.uk/2008/06/23/marginal_browser_security_protections/print.html
User beware. Today's web browsers offer more security protections than ever, but according to security experts, they do little to protect people surfing the net from some of the web's oldest and most crippling threats.
Like nuclear stockpiles during the Cold War, new safety features amassed in Firefox, Internet Explorer and Opera are part of an arms-race mentality that leaves online criminal gangs plenty of room to launch attacks. What's more, the new protections often take years to be implemented and months to circumvent. Meanwhile, shortcomings that have bedeviled all browsers since the advent of the World Wide Web go unaddressed.
Earlier this week, Mozilla patted itself on the back for adding a security feature to Version 3 of Firefox that's of only marginal benefit to its users. It prevents users from accessing a list of websites known by Google, and possibly others, to be spreading malware. Opera Software, in a move its CEO proclaimed "is reinventing Web-based threat detection," added a similar feature to version 9.5 of its browser released two weeks ago, and Microsoft engineers are building malware blocking into IE 8.
Here's the rub: According to our tests over the past week, the Firefox anti-malware feature frequently failed to block sites compromised by one of the most prevalent SQL injection exploits menacing the web. Outcomes varied from minute to minute, but clicking on results returned from searches led us to dozens of compromised websites even with Firefox's gee-whiz malware protection feature turned on.
Firefox 3 does block nihao11.com and the half-dozen or so other domain names that are referenced in the injection attack, so there is some benefit to the feature. But its inability to flag a huge number of websites that have been compromised shows the limits to such an approach. Similarly, researchers from Websense report that they "found multiple phishing pages that still made it through" anti-phishing mechanisms that have existed for more than a year in Firefox. Because they're based on static blacklists based on behavior reported weeks or months earlier, these features often fail to detect quick-moving threats.
"These little anti-phishing things and anti-malware things, I'm not buying them," says Jeremiah Grossman, CTO of web application security firm WhiteHat Security. "Are we less likely to get hacked as a result of these features? No. If I was really the evil guy, I'll send you to a hacked up blog page with Firefox 3 and you won't have a good day."
Meanwhile, within hours of Firefox 3 being released, researchers reported a security bug that could allow miscreants to execute hostile code on machines running the new browser.
Like IE, Opera and every other browser on the planet, Firefox also remains vulnerable to a variety of attacks that are as old as the World Wide Web. They allow miscreants to inflict all kinds of damage, including stealing a user's browsing history, spoofing trusted websites through cross-site scripting attacks (XSS), stealing user authentication credentials to banking sites and providing easy access to corporate intranets and end-user machines.
Of course, browser makers are by no means alone in shouldering responsibility for these weaknesses. Sharing equal amounts of blame are the eBays, MySpaces and Facebooks of the world for failing to resist the allure of untested features based on Adobe Flash and JavaScript, even when they deliver only minimal convenience over more traditional methods of delivering content. Also culpable are netizens everywhere, who collectively reward all these websites for adding bells and whistles that put our safety in jeopardy.
"I wouldn't tell you not to use the internet, but I would certainly never tell you you're safe, which is a pretty horrible thing to say to someone," says Robert Hansen, CEO of secTheory, a security firm that specializes in security of web applications. "I really don't think people are in a good position from a technology perspective to defend themselves with what they're given by default in a browser."
Crisis of confidence
The situation is so dire in the minds of many security experts that they no longer trust any browser to keep them safe without taking extraordinary security measures. Grossman, for example, uses Firefox with the NoScript, Flashblock, SafeHistory, Adblock Plus and CustomizeGoogle add-ons for most of his web surfing, all to improve on the less-than-ideal state of today's web. When visiting financial sites, he switches to an obscure browser that he refuses to name. By treading off the beaten path, he says, he's less likely to get hit by an exotic zero-day exploit, which can sell on the underground market for tens of thousands of dollars if it targets a popular browser.
The obscure browser "is technically not more or less secure, it's just less targeted, which is the only thing I care about," Grossman says. As extreme as it may sound to some, Grossman says his browsing regimen is less hardcore than other people he knows in the security industry. Indeed, some of the more paranoid have entire physical machines reserved solely for sensitive transactions, employ boot-only browsers via CD-ROMs, or use virtual machines with limited features for the same purpose.
"I have very low confidence in any of the browsers' ability to keep me safe," says Don Jackson, a researcher with security provider SecureWorks. "What I have confidence in is the bad guys." One of the chief problems Jackson identifies with browser design these days: "Functionality is implemented first and security is tacked on."
Monday, June 23, 2008
Quote of the day
The most effectual engines for [pacifying a nation] are the public papers... [A despotic] government always [keeps] a kind of standing army of newswriters who, without any regard to truth or to what should be like truth, [invent] and put into the papers whatever might serve the ministers. This suffices with the mass of the people who have no means of distinguishing the false from the true paragraphs of a newspaper.
Thomas Jefferson
New IT Term of the day
PKI
Short for public key infrastructure, a system of digital certificates, Certificate Authorities, and other registration authorities that verify and authenticate the validity of each party involved in an Internet transaction. PKIs are currently evolving and there is no single PKI nor even a single agreed-upon standard for setting up a PKI. However, nearly everyone agrees that reliable PKIs are necessary before electronic commerce can become widespread.
A PKI is also called a trust hierarchy.
China arrests hacker spreading quake rumor
2008-06-15
http://news.xinhuanet.com/english/2008-06/15/content_8373570.htm
NANNING, June 15 (Xinhua) -- Police in Guangxi Zhuang Autonomous Region in south China have detained a man who allegedly spread earthquake rumors by hacking a government website after the May 12 disaster in Sichuan Province.
The suspect, surnamed Chen, who is from Taicang City in the eastern province of Jiangsu, admitted he had hacked into the official website of the Guangxi earthquake administration and posted quake rumors on its news page, said Tang Bin, vice director of the Public Security Bureau of Nanning, the regional capital.
Chen, 19, worked in a technology company after graduating from junior middle school. He said he hacked the site to show off his computer skills and have "fun," according to the police.
The administration website was found to have been hacked on May 31. A notice mourning the victims of the 8.0-magnitude quake had been revised to read: "Please prepare for an earthquake with a magnitude of more than 9.0 in Guangxi," Tang said.
The news scroll, meanwhile, had been replaced with a single phrase: "Experts warn of earthquake in Guangxi in the near future," he said.
The hacker also re-entered the website on June 1 and 2, wiping out all the data, police said.
A team was set up immediately to prevent the rumor from sapping public confidence amid quake-relief efforts. Public security bureaus from six provinces and regions co-operated to break the case on June 4, Tang said.
The regional earthquake administration updated its software to avoid further attacks, said Li Weiqi, the administration vice director.
Teen Hacker Hacked Grades - Could Get 38-Years in Jail
By Katherine Noyes
E-Commerce Times
June 19 2008
http://www.technewsworld.com/story/security/63483.html
They may be just kids, but two Orange County, Calif., teens are accused of committing a whole bunch of grown-up crimes. The allegations include hacking into school computers to change grades and planting spyware on a district computer. One of them faces 69 felony charges, which could land him in prison for up to 38 years if he's convicted.
Two Orange County, Calif., teens have been charged with breaking into their school late at night and using stolen log-ins to hack into its computer system and change their grades.
Omar Khan, 18, a student at Tesoro High School in Rancho Santa Margarita, now faces 34 felony counts of altering a public record, 11 felony counts of stealing and secreting a public record, seven felony counts of computer access and fraud, six felony counts of burglary, four felony counts of identity theft, three felony counts of altering a book of records, two felony counts of receiving stolen property, one felony count of conspiracy and one felony count of attempted altering of a public record.
He faces a maximum sentence of 38 years and four months in prison if convicted.
Tanvir Singh, 18, a student at the same school, is charged with one felony count each of conspiracy, burglary, computer access and fraud, and attempted altering of a public record. He faces a maximum sentence of three years in prison if convicted.
Multiple Accusations
Khan is accused of unlawfully breaking and entering into locked rooms at Tesoro High School, where he was a senior, on several occasions late at night and on weekends between January and May of this year to access school computers to change his grades.
He allegedly stole personal log-ins from teachers in order to gain access and alter his test scores from Advanced Placement (AP) classes and school records from previous semesters, often changing grades of "C," "D," or "F" to "A," according to the Orange County District Attorney's Office.
He also allegedly altered the permanent transcript grades of 12 other students, according to the charges.
Spyware Installation
Khan was also accused of cheating on an English test in April, resulting in a failing grade and confiscation of the test. The following weekend, Khan allegedly broke into the school and stole the test back in an attempt to conceal the evidence that he had cheated.
Khan is accused of installing spyware on the school computer as well to allow him to access the system from other locations.
On April 21, 2008, Khan allegedly changed his transcripts to increase his grade point average. The next day, he allegedly requested a copy of his official transcripts in order to appeal a denial of admission to the University of California for the fall semester.
Cover-Up Attempt
Late that night, Khan is accused of breaking into the school again, changing additional grades, and backdating the date and time stamp on the grade changes to cover up his crimes.
School administrators alerted law enforcement after noticing a discrepancy in Khan's grades when he requested a copy of his official transcripts. An investigation revealed that Khan was in possession of original tests, test questions and answers, and copies of his altered grades. Khan allegedly stole master copies of tests, some of which were e-mailed to dozens of AP students.
Meanwhile, Singh, who was also a Tesoro High School senior, is accused of exchanging several text messages with Khan in May detailing how the two planned to break into the school that evening to steal a test in preparation for an exam the following day.
Singh and Khan are accused of meeting at the school, breaking into a classroom and fleeing the scene before accessing the test after a night custodian discovered them, according to the District Attorney's office.
Potential Damage
"As computers form the backbone of commerce and hold countless billions of secret, private and confidential bits of information, it is not surprising that the penalties are becoming higher and reflect the potential damage to society," Washington technology attorney Raymond Van Dyke told the E-Commerce Times.
"Here, there were multiple physical and electronic break-ins of a sophisticated nature, involving dozens of distinct felonies, each of which has a severe penalty -- perhaps some with mandatory sentencing guidelines," Van Dyke added. "Hopefully, the age and immaturity of the parties will mitigate a harsh sentence."
Indeed, hacking into school computers isn't new, but it is a serious crime, Parry Aftab, cybercrime lawyer and executive director of WiredSafety.org, told the E-Commerce Times.
'A Grown-Up Crime'
"Ever since 'War Games' and 'Ferris Bueller's Day Off,' we've seen young people using school computers to improve their grades," Aftab said.
Since those early days, however, the criminal aspects of such activity have become more clear, she added.
"If someone's going to do this -- and especially if they're 18 -- they need to recognize that this is a grown-up crime," she said.
Rather than a prison sentence, however -- which may or may not be plea-bargained, Aftab noted -- there could be other punishments that better fit the crime and take the defendants' technical skills into account, she said.
At WiredSafety.org, for instance, "whenever kids do these kinds of things, we put them to work trying to hack parental control programs" with the permission of the companies involved, she said.
"This is a sad event, but it has to be a serious event," Aftab concluded. "If these kids have gotten into this computer -- these are government databases -- they could have destroyed it all. The potential harm is serious, so we need to teach kids that this is a serious crime."
One In Three IT Staff Snoops On Colleagues
One in three IT professionals abuses administrative passwords to access confidential data such as colleagues' salary details, personal e-mails, or board-meeting minutes, according to a survey.
by Georgina Prodhan
By Reuters
June 19, 2008
http://www.informationweek.com/story/showArticle.jhtml?articleID=208700605
FRANKFURT, June 19 - One in three information technology professionals abuses administrative passwords to access confidential data such as colleagues' salary details, personal e-mails, or board-meeting minutes, according to a survey.
U.S. information security company Cyber-Ark surveyed 300 senior IT professionals, and found that one-third admitted to secretly snooping, while 47 percent said they had accessed information that was not relevant to their role.
"All you need is access to the right passwords or privileged accounts and you're privy to everything that's going on within your company," Mark Fullbrook, Cyber-Ark's U.K. director, said in a statement released along with the survey results on Thursday.
"For most people, administrative passwords are a seemingly innocuous tool used by the IT department to update or amend systems. To those 'in the know' they are the keys to the kingdom," he added.
Cyber-Ark said privileged passwords get changed far less frequently than user passwords, with 30 percent being changed every quarter and 9 percent never changed at all, meaning that IT staff who have left an organisation could still gain access.
It added that seven out of 10 companies rely on outdated and insecure methods to exchange sensitive data, with 35 percent choosing e-mail and 35 percent using couriers, while 4 percent still relied on the postal system.
Organised e-crime targets students for recruitment
20 Jun 2008
ZDNet UK
http://news.zdnet.co.uk/security/0,1000000189,39437068,00.htm
Criminals moving from more traditional to online crime are recruiting from universities and security conferences, according to police and security sources.
As organised criminals move from more traditional crimes, such as armed robbery, towards e-crime, there is evidence that they are targeting university students, graduates and the tech savvy for recruitment, according to security experts and the Serious Organised Crime Agency.
"We are aware of anecdotal evidence of organised criminals [who are] moving into e-crime targeting people at an academic level," a Serious Organised Crime Agency (Soca) spokesperson told ZDNet.co.uk on Friday.
According to Paul Simmonds, chief information security officer for AstraZeneca, one of the root causes of computer security issues is funding. According to Simmonds, computer criminals are in a far more lucrative trade than security professionals, and are in a position to fund people's computer science courses at university in return for hacking expertise after the course has finished.
"The root cause of the issue is that the bad guys are better funded than we are," said Simmonds. "They have research and development programmes, they are putting people through university, they are calculating return on investment and they have better quality assurance. By comparison, the legitimate security industry is under-funded, under-resourced and constantly on the back foot."
Security vendor Trend Micro told ZDNet.co.uk that it has also seen hacker recruitment in universities, including in China.
"We do see recruitment in universities — so-called 'companies' recruiting talent for hacking," said Eva Chen, chief executive officer of Trend Micro. "They call themselves 'consultancy companies'. We've seen them recruiting in China."
Trend Micro's chief technology officer, Raimund Genes, told ZDNet.co.uk that security conferences also provide recruitment opportunities for organised criminals.
"Yes, they put them through university, and they are clearly recruiting at [security conferences]," said Genes. "Competitions like 'capture the flag' showcase talent. As a forum, there are security specialists, geeks who are not sure whether they want to go to the dark side, and guys [recruiting] who are definitely on the dark side."
Soca said that, while it was "not willing to go into specific detail about which techniques" criminals are using, it was also aware of hacker recruitment at security conferences.
"If [organised criminals] need to employ specialist skills, they will go to sources that cover specialist skills," said the Soca spokesperson.
Sunday, June 22, 2008
Trick To Increase Browsing Speed for IE and Firefox
You don’t really need to tweak Firefox, since it is a browser designed for optimized, fast browsing, but making it even a little faster would certainly be a treat. Likewise, there is a trick to make Internet Explorer 6 faster too. Browsers are designed to work with fast connections, but with this trick even dial-up users can experience fast and smooth browsing.
Optimize Firefox and IE Browsing Speed
I shall be teaching you two tricks, which work separately on Firefox and Internet Explorer. You don’t need to be an expert; all you have to do is change some registry values and you are done. I have also included a video tutorial for those who want to see it step by step. This is perhaps one of the oldest tricks to optimize Firefox and IE, but it still works great.
Trick to Increase Firefox Speed
1. Open Firefox, type about:config in the address bar and press Enter
2. Double click network.http.pipelining and set it to True
3. Double click network.http.pipelining.maxrequests and set value to 10 from 4
4. Right click and create a new string nglayout.initialpaint.delay and set its value to 0
You are done. Enjoy lightning fast Firefox browsing and now for IE.
Trick to Increase Internet Explorer Speed
1. Go to Start –> Run and type regedit
2. Select HKEY_CURRENT_USER –> Software –> Microsoft –> Windows –> CurrentVersion –> Internet Settings
3. Increase the values (DECIMAL) from default to a higher value e.g. 10
See the difference in speed of IE
Understanding IP addresses in computers
Cyber crime helplines
A victim of Cyber Crime? Here's help