Friday, January 30, 2009

Quote of the day

Quote of the day

Live truth instead of professing it.

Elbert Hubbard

New IT Term of the day

New IT Term of the day

Turing Number

Abbreviated as TN, turning number is a randomly generated security code, usually a series of digits, displayed as an image that users may need to read and copy into a form field in order to submit or validate a form submission online via a Web browser. Turing numbers are used to ensure there is a human user instead of automated (bot) submissions. Turing numbers are commonly used on e-commerce Web sites or promotional or contest Web sites —anywhere there is a need to avoid automated submissions by bots.

The 7 dirty secrets of the security industry

MIRROR : The 7 dirty secrets of the security industry

By Joshua Corman

Network World

January 27, 2009


Do you ever get the feeling your security providers are failing to tell you the whole truth? We entrust the industry to protect us from unacceptable risk. But we must confront the underlying truth: The goal of the security market is to make money.

Here are the seven dirty secrets of the security industry and practical ways to command honesty from your trusted security providers.

  1. Antivirus certification omissions. The dirtiest secret in the industry is that, while antivirus tools detect replicating malicious code like worms, they do not identify malcode such as nonreplicating Trojans. So, even though Trojans have been around since the beginning of malicious code, there is no accountability in antivirus certification tests. Today Trojans and other forms on nonreplicating malcode constitute 80% or more of the threats businesses are likely to face. Antivirus accountability metrics are simply no longer reflective of the true state of threat.

  1. There is no perimeter. If you still believe in the perimeter, you may as well believe in Santa Claus. That isn't to say there is no perimeter. But we need to define what the perimeter is. The endpoint is the perimeter, the user is the perimeter. It's more likely that the business process is the perimeter, or the information itself is the perimeter too. If you design your security controls with no base assumption of a perimeter, when you have one you are more secure. The mistake we tend to make is, if we put the controls at the perimeter, then we will be fine. For many threats, we couldn't be more wrong.

  1. Risk management threatens vendors. Risk management really helps an organization understand its business and its highest level of risk. However, your priorities don't always map to what the vendors are selling. Vendors focus on individual issues so you will continue to buy their individual products. If you don't have a clear picture of your risk priorities, vendors are more than happy to set them for you. Trusted security partners will provide options for assessing your risk posture and help you develop plans to make the most security impact for the least cost and complexity. Security needs to conform to and support your business priorities. Too often, vendors want your business to conform to their portfolio.

  1. There is more to risk than weak software. The lion's share of the security market is focused on software vulnerabilities. But software represents only one of the three ways to be compromised, the other two being weak configurations and people. The latter is the largest uncovered area of risk. This is malicious code that doesn't leverage a vulnerability but rather leverages the person. For example, downloading a dancing skeleton for 'a spooky good time' (this was a trick employed by Storm), social engineering, spear phishing, etc. While we still need to find vulnerabilities and patch them, we must understand that an organization is only as strong as its weakest link. And more attention needs to be paid in mitigating the other two ways beyond software.

  1. Compliance threatens security. Compliance in and of itself is not a bad thing. But, compliance in and of itself does not equal security. At the very least it's a resource and budget conflict, and it splits our focus. Compliance is supposed to raise the minimum standard of security, but it just gets us to do what we are required to do and nothing else.

What's more, that which is easy to measure is not necessarily that which is most valuable. So if there were 15 software vulnerabilities last month, we can measure that 12 of them have been patched. It is much harder to measure how effective end user training was to make administrators immune to social engineering attacks. The lesson is you need to be compliant, but your entire risk strategy cannot be based on it.

  1. Vendor blind spots allowed for Storm. Storm is being copied and improved. The Storm era of botnets is alive and well, nearly two years from when it first appeared. How is this possible? 1. Botnets thrive in the consumer world where there is little money for innovation, a fact Storm and its controllers know. They are making money off of everything from spam to pump-and-dump stock scams. 2. They eat antivirus for breakfast. A lot of the techniques and innovations used by Storm are not new; they are just being leveraged artfully against the blind spots of antivirus certifications and antivirus vendors. 3. Malcode does not need vulnerabilities. Most of the Storm recruitment drives have leveraged social engineering and play off of a holiday or sporting event.

  2. Security has grown well past "do it yourself". Technology without strategy is chaos. The security market is often far too focused on the latest hot box or technology. The shear volume of security products and the rate of change has super-saturated most organizations and exceeded their ability to keep up. Organizations realize only a fraction of the capabilities of their existing investments. Furthermore, the cost of the product is often a fraction of the cost of ownership. There was a time when you could "do it yourself." But the simple days of Virus meets Antivirus are long gone. Highly effective organizations are embracing professional and managed security services to extend and augment their in-house expertise. By focusing your in-house expertise on what you know best -- your business -- scale comes from teaming with third-party expertise. This will be increasingly necessary in these tough economic times.

The primary goals for executives over the next few years is to cut cost and reduce complexity. Today we are seeing a massive convergence in the security market. There are only going to be a few large players left and a bunch of smaller players. Will consolidation lead to better efficiency, or will it lead to vendor lock-in?

As executives simplify, they will face many choices. Simply reducing vendors may fail to balance cost, complexity and risk. Vendors have a responsibility in this equation and must rise to the challenge. True risk management can show where to prune solutions, but the key is risk driven, responsible simplification.

Ex-Fannie Mae worker charged with planting virus

TROJAN : Ex-Fannie Mae worker charged with planting virus

By Freeman Klopott

Examiner Staff Writer

January 29, 2009


A fired Fannie Mae contract employee allegedly placed a virus in the mortgage giant’s software that could have shut the company down for at least a week and caused millions of dollars in damage, prosecutors say.

Rajendrasinh Makwana, an Indian citizen, was indicted Tuesday on computer intrusion charges. The former Gaithersburg resident is out on $100,000 bail, court documents said.

Makwana was fired from his contract position at Fannie Mae on Oct. 24 for changing computer settings without permission from his supervisor, FBI agent Jessica Nye wrote in a sworn statement. He had worked at Fannie Mae for three years as a computer engineer at the Urbana offices, where he had full access to all of the federally created mortgage company’s 4,000 servers. Before leaving work Oct. 24, Makwana allegedly tried to hide a code in server software that was set to activate the morning of Jan. 31, the agent wrote.

“Had this malicious script executed, [Fannie Mae] engineers expect it would have caused millions of dollars of damage and reduced if not shutdown operations at [Fannie Mae] for at least one week,” Nye wrote. “The total damage would include cleaning out and restoring all 4,000 of [Fannie Mae’s] servers, restoring and securing the automation of mortgages, and restoring all data that was erased.”

A spokeswoman for Fannie Mae declined to comment.

According to Nye’s statement, a senior computer engineer discovered the virus Oct. 29. The malicious code was hidden after a blank page, and “it was only by chance” that the senior engineer scrolled down and found the virus, Nye wrote. The engineer locked down Fannie Mae’s servers to determine whether other viruses were hidden inside and where the virus had come from, Nye wrote. Only about 20 Fannie Mae employees and contractors, including Makwana, had access to the server where the virus was stored.

An Internet Protocol address was eventually linked to Makwana’s company-issued laptop, Nye wrote. He was arrested Jan. 7.

The virus was set to execute at 9 a.m. Jan. 31, first disabling Fannie Mae’s computer monitoring system and then cutting all access to the company’s 4,000 servers, Nye wrote. Anyone trying to log in would receive a message saying “Server Graveyard.”

From there, the virus would wipe out all Fannie Mae data, replacing it with zeros, Nye wrote. Finally, the virus would shut down the servers.

Since the virus’s discovery, engineers have double-checked the servers and found no evidence of other malicious codes, Nye wrote.

Makwana’s attorney, Christopher Nieto, did not return calls Wednesday.

DDoS attack boots Kyrgyzstan from net

CYBER-WAR : DDoS attack boots Kyrgyzstan from net

Russian bears blamed

By Dan Goodin in San Francisco

28th January 2009


The central Asian republic of Kyrgyzstan was effectively knocked offline for more than a week by a Russian cybermilitia that continues to flood the country's internet providers with crippling data attacks, a security expert said.

The attacks, which began on January 18, bear the signature of pro-Russian nationalists believed to have launched similar cyber assaults on the republic of Georgia in August, said Don Jackson, a researcher with Atlanta-based security provider SecureWorks. The attacks on Kyrgyzstan were so potent that most net traffic in and out of the country was completely blocked during the first seven days.

Over the past 48 hours, ISP have managed to mitigate some of the damage by relocating the servers of their biggest customers to different IP address ranges and employing a technique known as source filtering, which is designed to block harmful traffic while still allowing friendly packets through. Some media organizations and government opposition groups in the country of 5.3 million have not been so fortunate.

"If you're still one of those online media sites or you're still one of the targets by domain names, it's going to be hit or miss," Jackson told The Register. "A lot of the web services are still unavailable."

Representatives from Kyrgyzstan Domain Registration Service (http://www.domain.kg/) and a service known as www.ns.kg (http://www.ns.kg/) didn't respond to emailed requests for comment. The two services carry about 80 percent of the country's traffic, Jackson said.

The attacks are the latest example of geopolitical disputes spilling into cyberspace, a trend that's been growing in the past few years. Web and email traffic in Estonia came to a standstill in May of 2007 after civil unrest over that country's removal of a Soviet-era memorial was accompanied by attacks on the Baltic nation's internet infrastructure. Attacks on websites belonging to the Georgian government, on Radio Free Europe and cable television network CNN by Chinese hackers follow a similar pattern.

So-called distributed denial of service (DDoS) attacks, which flood a victim with so much malicious data it is unable to respond to legitimate requests, aren't the only weapon in the arsenal of politically motivated hackers. The Israeli Defense Force recently paid a Texas company that specializes in search engine optimization to halt the online backlash generated by its military action in Gaza.

Researchers from Arbor Networks, which monitors worldwide internet traffic for attacks and other anomalies, said they weren't seeing any malicious traffic directed toward Kyrgyzstan. Arbor's Jose Nazario said that was most likely because of a "visibility issue" resulting from the company "not tracking the right botnets."

The culprits in the attacks on Kyrgyzstan are most likely a group of technically capable Russian citizens recruited by Russian officials, Jackson said. The vast majority of the drones that are bombarding the Kyrgyz targets are located in Russia. The geographic concentration makes source blocking a more effective countermeasure than when the bots are scattered throughout the world.

Jackson speculated the attacks are designed to silence opponents of Kyrgyz President Kurmanbek Bakiyev, who are demanding the leader reverse his plans to close an airbase to the US military in its war in Afghanistan. The Russian government wants the base closed, Jackson said.

Indian embassy website serving malware in Spain

HACKED : Indian embassy website serving malware in Spain

Ad ranking scam or massive malware attack?

By John Leyden

29th January 2009

The compromise of legitimate websites with hostile code ultimately designed to serve up malware onto the PCs continues apace, with the latest victims including the Indian embassy in Spain.

Security researchers Ismael Valenzuela* and later Dancho Danchev* discovered that the the Indian Embassy in Spain was serving malware through an injected malicious iFrame.

The assault represents a rare but not unprecedented assault on diplomatic immunity by hackers. Previous victims of embassy malware attacks in the past include the US Consulate in St Petersburg, The Netherlands Embassy in Russia and the Ukraine Embassy Web site in Lithuania.

Analysis of the Indian Embassy assault by Trend Micro* revealed that the attack was part of a wider code injection push that's either an "advertisement scam or a massive malware attack in its early stages".

The code inserted into the compromised websites injects pages that look like blog entries into the compromised sites' domain, linking to illicit pharmaceutical websites. The purpose of the attack could be either to raise the search engine ranking of malvertised websites or a plot to use the legitimate domains of the compromised websites in order to evade spam filters.

Since the websites involved are already compromised, simply modifying tags would turn the seemingly "non-malicious" injection of code into a full-blown malware attack, Trend Micro warns.

In other separate examples of code injection attacks, the Times of India website was infected by malicious code identified by Sophos as Badsrc-C. The Russian Pravda website has also become infected with malicious scripts, Sophos reports, but fortunately this is not pointing at a website currently serving up further malware.

Circumstantial evidence suggest the three attacks are only related via the use of similar techniques.

"The three attacks are directing people to different malign sites using techniques such as SQL injection, to plant code of legitimate sites left open to attack," explained Graham Cluley, senior technology consultant at Sophos.

* Get details at -






Wednesday, January 28, 2009

Quote of the day

Quote of the day

The injury we do and the one we suffer are not weighed in the same scales

Aesop Fables

New IT Term of the day

New IT Term of the day

Tunneling Virus

A type of virus that attempts installation beneath the antivirus program by directly intercepting the interrupt handlers of the operating system to evade detection.

Trojan Steals Cash From Symbian Phones

MOBILE : Trojan Steals Cash From Symbian Phones

A Trojan targeting Indonesian Symbian users hijacks the SMS system to transfer funds from the user's account to one held by criminals.

By Marin Perez


January 23, 2009


Symbian is the most popular mobile operating system for smartphones with about 45% of the worldwide market. But being the leader also means you're a prime target for hackers, and a security firm said it found an attack that enables malicious programmers to control a user's mobile phone account.

Kaspersky Lab said it has discovered a malicious program aimed at Indonesian Symbian mobile phone users. For the attack to work, the hackers need users to download a Trojan that's written in Python. It then sends SMS messages to a short code number with instructions to transfer money from the user's account to the criminal's account. The average transfer was between 45 and 90 cents, and the security firm said there are five known variants of the Trojan.

"Obviously, the authors of the Trojan want to make money," said Denis Maslennikov, a senior malware analyst at Kaspersky Lab, in a statement. "It seems that the focus on financial fraud in the mobile malware industry will only get more pronounced over time."

Maslennikov said the SMS malware was previously seen as purely a Russian phenomenon, but this latest attack is proof that mobile security is an international issue. Users of Kaspersky Lab's mobile security products are protected from the exploit. Symbian had not verified the exploit as of press time, but an over-the-air update could potentially fix the problem.

Another Symbian exploit recently brought to light could crash a phone's SMS system. The "Curse of Silence" enables hackers to specially format an e-mail to be sent as an SMS, and if the message has more than 32 characters, certain S60 devices would not be able to send or receive other SMS or MMS messages.

While there have yet to be large-scale mobile viruses or attacks, the threat continues to grow as more companies carry sensitive data on smartphones. InformationWeek took a look at how to make sure your smartphone data is secure on the go, and the report can be found here.

Small firms to get specific e-crime advice

AWARENESS : Small firms to get specific e-crime advice

New resource designed to educate and protect against threats

by Phil Muncaster


26 Jan 2009


Government-backed industry body the Cybersecurity Knowledge Transfer Network and the Business Crime Reduction Centre (BCRC) are to launch a guide aimed at helping small and medium-sized businesses (SMBs) to equip themselves against current threats.

The guide, E-crime: What Your Business Needs to Know, features case studies and tips on topics such as email security and spam, data security, phishing, bots and zombies, wireless network security and hacking.

Research by the BCRC in the Yorkshire region prior to compiling the report found that a third of SMBs do not know whether they have anti-virus software installed, while a further 28 per cent do not know whether they have a hardware firewall.

"We first designed what we thought was a basic guide, but took it to focus groups and found out that it was too advanced, so we had to pitch it at a much lower level," said David Stockdale, head of unit at the BCRC.

"E-crime is easy to ignore and there is a real head-in-the-sand approach from a lot of small businesses. We are hoping that the case studies will really get the message out there."

The guide will be available on the BCRC site from 26 January, and has already garnered interest from the Federation of Small Businesses and some police forces, according to Stockdale.

Britain's biggest cyber theft of 4.5m records

THEFT : Britain's biggest cyber theft of 4.5m records

Hackers steal details of 4.5m users of Monster.co.uk in

By Daily Mail Reporter

27th January 2009


Computer hackers have stolen the personal data of 4.5m jobseekers from the Monster.co.uk website.

The personal details of 4.5 million people have been stolen from a recruitment website in Britain's biggest case of cyber theft.

Hackers accessed the confidential information of job seekers registered with Monster.co.uk and now hold electronic copies of their user names, passwords, telephone numbers and email addresses.

Information such as birth dates, gender and ethnicity was also taken, along with 'basic demographic data'. The victims are mainly professionals.

Monster.co.uk has posted a message on the site advising all customers to change their passwords immediately.

'We regret any inconvenience this may cause you, but feel it is important that you take these preventative measures,' the message said.

Experts today warned the data could be used by gangs to open fake bank accounts or take out loans in the names of customers.

'It's a horrendous breach,' said Graham Cluley of computer security firm Sophos.

'These hackers could now use the passwords to access email and online bank accounts. The information they have can be used to cause all kinds of mischief.'

Mr Cluley said there were growing concerns that criminals could use the information to access people's bank details since users often used the same password.

It is also feared the hackers will use the information to launch so-called phishing attacks, using the information stolen from Monster to trick users into giving out more details.

'One very real risk is that hackers will use the email addresses and personal information they have received to mount a phishing campaign, attempting to gather more sensitive information about victims,' said Mr Cluley.

Social networking sites a hotbed for cyber crime

HOTBED : Social networking sites a hotbed for cyber crime

By Melissa Chua

CIO Asia



The distribution of malware on social networking sites first occurred in small amounts towards the end of 2007, but that trend appears to be on the rise.

According to a report from MessageLabs Intelligence, which specialises in the analysis of messaging security issues and threats, a popular tactic in 2008 among cyber criminals involved the creation of fictitious accounts on social networking sites. These fake accounts were then used to post malicious links, which usually led to a phishing site, to legitimate users.

Scammers would then make use of the phished personal information, such as usernames and passwords, to gain access to legitimate accounts. This access would be used to post blog comments on their pages of their friends, and send messages from the phished accounts to other contacts. These messages usually contained spam, including links to spam sites such as online pharmacies.

"Web 2.0 offers endless opportunities to scammers for distributing their malware--from creating bogus social networking accounts to spoofed videos--and in 2008, the threats targeting social networking environments became very real," said Richard Bowman, regional manager, MessageLabs South Asia.

Trend continues

Another report from security expert Symantec, which owns MessageLabs, showed this trend does not look to be slowing down.

The report, which analysed Web threats for the month of January 2009, said social networking sites continue to be popular premises for cyber criminals seeking potential victims.

According to the Symantec report, January saw the emergence of e-mail spam which closely mimicked legitimate notification e-mails of two major social networking sites. These spam messages, which invited users to join a group on the social networking site, contained a link to a virtual group created on the site by the spammers.

This virtual group would be linked to a free blogging site before redirecting the user to the destination URL. Upon clicking this URL, users would be faced with the request to fill out a form collecting personal information. Information collected could then be sold to marketing companies or used for other malicious purposes.

Sunday, January 25, 2009

Quote of the day

Quote of the day

We never get what we want

We never want what we get

We never have what we like

We never like what we have

And still we Live & Love

This is Life.

New IT Term of the day

New IT Term of the day

Trusted Platform Module

Trusted Platform Module (TPM) is a hardware device that is basically a secure micro-controller with added cryptographic functionalities. It works with supporting software and firmware to prevent unauthorized access to a notebook computer. The TPM contains a hardware engine to perform up to 2048-bit RSA encryption/decryption. The TPM uses its built-in RSA engine during digital signing and key wrapping operations.

OcUK puts £10K bounty on DDoS varmints

REWARD : OcUK puts £10K bounty on DDoS varmints

Wild West response to week-long hack attack

By John Leyden

22nd January 2009


Overclockers.co.uk is offering a £10,000 ($13,830) reward for information leading to the conviction of attackers who have targeted the technology enthusiast site in a DDoS lasting over a week.

In a forum posting on Wednesday, Overclockers.co.uk (OcUK) placed a bounty of the head of cybercrooks who have mounted an attack that has left its online store and forum servers running at a crawl for the last ten days.

The money will be payable to anyone whose information leads to an arrest and conviction against the perpetrators of the attack. Tips can be submitted anonymously, by email.

OcUK stressed that the attacks are simply affecting the availability of servers, which are been flooded with a torrent of junk data as a result of the assault, and not the security of data held by or processed through the site. The site has likely suspects in mind, but needs more evidence to take to the police.

Over the last 10 days OcUK servers have been subject to sustained DDoS attacks that have disrupted our on-line store and forums servers. Instigating these kind of attacks is a serious criminal offence and whilst we have strong suspicions who is behind them we need more evidence.

I am offering £10,000 to anyone who can provide evidence that leads to a conviction. You can provide this information anonymously if you want to via jobs@overclockers.co.uk but the evidence must be something that SOCA (Serious Organised Crime Agency) can use. If you do reveal your identity we will only disclose it to the Police with your permission.

I'd like to apologise to all our customers and forum members for any inconvenience caused. I cannot discuss what action is being taken to protect OcUK from these attacks but I assure you wheels are in motion.

OcUK is applying unspecified security measures, which likely involve traffic filtering by its ISP and the application of DDoS mitigation tools to defend against the attack. Distribute denial of service attacks are nowadays almost always run from networks of compromised machines (botnets), hired for the purpose.

It would take a considerable outlay of money and effort to mount a week-long attack, so we can speculate that the perpetrators either have a serious beef against OcUK or they are attempting to mount a blackmail scam. Either way this would help OcUK to narrow down the list of potential suspects.

Offering a reward for information leading to the arrest of denial of service miscreants represents a rare move by OcUK, although not unprecedented. German tech publication Heise offered a €10,000 ($13,011) reward for the low-down on attackers who hit the site in February 2005.

Microsoft has also offered such a reward. In 2003, it put up $250,000 for tips leading to the arrest and conviction of the VXer behind the infamous SoBig and Blaster worms, as part of a wider Anti-virus Reward Program. Informants, erstwhile college friends of the later convicted perp, turned in the creator of the later Sasser worm, Sven Jaschan, as part of the program in 2004.

OcUK is a hybrid hardware hacker enthusiast site and online computer kit reseller set up back in 1999 by Web designer Mark Proudfoot and PC reseller Peter Radford.

Obama Admin Outlines Cyber Security Strategy

STRATEGY : Obama Admin Outlines Cyber Security Strategy

By Brian Krebs

January 22, 2009


President Barack Obama's administration has sketched out a broad new strategy to protect the nation's most vital information networks from cyber attack and to boost investment and research on cyber security.

The key points of the plan closely mirror recommendations offered late last year by a bipartisan commission of computer security experts, which urged then president-elect Obama to set up a high-level post to tackle cyber security, consider new regulations to combat cyber crime and shore up the security of the nation's most sensitive computer networks.

The strategy, as outlined in a broader policy document on homeland security priorities posted on the Whitehouse.gov Web site Wednesday, states the following goals:

v Strengthen Federal Leadership on Cyber Security: Declare the cyber infrastructure a strategic asset and establish the position of national cyber advisor who will report directly to the president and will be responsible for coordinating federal agency efforts and development of national cyber policy.

v Initiate a Safe Computing R&D Effort and Harden our Nation's Cyber Infrastructure: Support an initiative to develop next-generation secure computers and networking for national security applications. Work with industry and academia to develop and deploy a new generation of secure hardware and software for our critical cyber infrastructure.

v Protect the IT Infrastructure That Keeps America's Economy Safe: Work with the private sector to establish tough new standards for cyber security and physical resilience.

v Prevent Corporate Cyber-Espionage: Work with industry to develop the systems necessary to protect our nation's trade secrets and our research and development. Innovations in software, engineering, pharmaceuticals and other fields are being stolen online from U.S. businesses at an alarming rate.

v Develop a Cyber Crime Strategy to Minimize the Opportunities for Criminal Profit: Shut down the mechanisms used to transmit criminal profits by shutting down untraceable Internet payment schemes. Initiate a grant and training program to provide federal, state, and local law enforcement agencies the tools they need to detect and prosecute cyber crime.

v Mandate Standards for Securing Personal Data and Require Companies to Disclose Personal Information Data Breaches: Partner with industry and our citizens to secure personal data stored on government and private systems. Institute a common standard for securing such data across industries and protect the rights of individuals in the information age.

While it remains to be seen what resources the Obama administration may devote to these goals, it is an encouraging sign to see the new White House give the vital challenges of cyber security such prominence so soon.

Movie Inspired Hackers to Keylogger Bank

INSPIRE : Movie Inspired Hackers to Keylogger Bank

Hackers accused of plot to swindle Japanese Bank

ByMegan Murphy, Law Courts Correspondent

January 22 2009


Computer hackers used sophisticated password-detection software in an attempt to swindle £229m ($317m) from one of Japan’s largest banking groups, a court heard on Wednesday.

In a plot seemingly cribbed from a Hollywood film, a “dishonest, bold” gang of cyber-crooks raided the City premises of Sumitomo Mitsui Banking at night to install “keylogger” programmes to record employees’ log-in details, prosecutors allege.

Assisted by an “inside man” who worked as a security supervisor at the bank, the thieves then attempted to make more than 20 electronic transfers involving multi-million pound sums from the accounts of big Sumitomo customers, including Nomura Asset Management and Toshiba, it is alleged.

The money was intended for accounts set up in locations such as Dubai and Singapore, but the men failed to realise that the keylogging software had inadvertently captured an error, jurors at Snaresbrook Crown Court in east London were told.

Several members of the gang, including two computer experts and the Sumitomo security guard, have pleaded guilty to conspiracy to steal.

The Crown is now pursuing three other people suspected of serving as “fronts” for the companies and bank accounts set up to receive the stolen funds in September and October 2004.

“The attempt was made by surreptitiously entering the bank at night, by corrupting its computer system and by attempting to electronically transfer money,” said prosecutor Simon Farrell, QC. “A number of people were involved in different ways to steal the money and some were closely connected to its distribution around the world.”

Hugh Rodley, David Nash and Inger Malmros deny the charges in what is expected to be a six-week trial. Bernard Davies, another defendant, died last weekend.

Jurors were told how the keylogger software could capture staff passwords and log-in details surreptitiously by taking frequent pictures of their computer screens. The fraudsters would then return to the bank to retrieve the screen shots and plug the information into electronic transfer requests.

“Fortunately for the bank, those transfers failed,” said Mr Farrell. Staff discovered the plot after realising their computers had been tampered with.

Payment System Security Breached

BREACH : Payment System Security Breached

Heartland Payment Systems, Forcht Bank Discover Data Breaches

Both Companies Might be Victims of Larger Fraud Schemes

January 21, 2009

Linda McGlasson, Managing Editor


Heartland Payment Systems, the sixth-largest payments processor in the U.S., announced Monday that its processing systems were breached in 2008, exposing an undetermined number of consumers to potential fraud.

Meanwhile, Forcht Bank, one of the 10 largest banks in Kentucky, told its customers it would begin reissuing 8,500 debit cards after being informed by its own card processor of a possible breach.

In the case of Heartland, while the company continues to assess the damages inflicted by the attack, Robert Baldwin, the company's president and CFO, says law enforcement has already noted that the attack against his company is part of a wider cyber fraud operation.

"The indication that it is tied to wider cyber fraud operation comes directly from conversations with the Department of Justice and the U.S. Secret Service," Baldwin says. The company says it believes the breach has been contained.

Heartland, headquartered in Princeton, NJ, handles approximately 100 million transactions per month, although the number of unique cardholders is much lower. "It is still a question as to the percentage of the data flow they were able to get," Baldwin says, adding he would not speculate on the number of cards potentially exposed.

Specifics surrounding when the breach occurred are still being analyzed. But Baldwin says two forensic auditing teams have been working on the breach analysis and investigation since late 2008, after Heartland received the notification from Visa and MasterCard. The investigation began immediately after the credit card companies told Heartland they saw suspicious activity surrounding processed card transactions. Described by Baldwin as "quite a sophisticated attack," he says it has been challenging to discover exactly how it happened.

The forensic teams found that hackers "were grabbing numbers with sniffer malware as it went over our processing platform," Baldwin says. "Unfortunately, we are confident that card holder names and numbers were exposed."

Data, including card transactions sent over Heartland's internal processing platform, is sent unencrypted, he explains, "As the transaction is being processed, it has to be in unencrypted form to get the authorization request out."

No merchant data or cardholder Social Security numbers, unencrypted personal identification numbers (PIN), addresses or telephone numbers were involved in the breach. Nor were any of Heartland's check management systems. The company delivers credit/debit/prepaid card processing, payroll, check management and payments solutions to more than 250,000 business locations nationwide Baldwin says the company moved quickly to announce the breach. "It is important to get it out, but leaves us with incomplete information for our customers until the investigation is complete," he says. For more information on the breach, the company has set up a website: www.2008breach.com. Heartland advises cardholders to examine their monthly statements closely and report any suspicious activity to their card issuers.

Forcht Bank: "Not Isolated"

In a statement to Forcht Bank's customers, COO Tyronica Crutcher says that the bank's debit card processor, STAR, informed the bank that a retail merchant processor's information may have been compromised, and that some unknown persons are possibly creating duplicate debit cards.

"According to STAR, there are several other banks affected, and this is not isolated to Forcht Bank customers," says Crutcher.

Forcht Bank has 34 branches in 11 counties, with more than $1 billion in assets.

Also see-

Payment Processor Breach May Be Largest Ever


This Day in History

Thanks for your Visit