Friday, February 6, 2009

Quote of the day

Quote of the day

All progress has resulted from people who took unpopular positions.

Adlai E. Stevenson

New IT Term of the day

New IT Term of the day

User Account Control (UAC)

Abbreviated as UAC. In Windows Vista, User Account Control is a feature that was designed to prevent unauthorized changes to your computer. When functions that could potentially affect your computer's operation are made, UAC will prompt for permission or an administrator's password before continuing with the task. There are four different alert messages associated with User Account Control:

* Windows needs your permission to continue

* A program needs your permission to continue

* An unidentified program wants access to your computer

* This program has been blocked

Market Down Crimes Up

RELATIONSHIP : Market Down Crimes Up

Data scams have kicked into high gear as markets tumble

By Byron Acohido and Jon Swartz,


02 Feb 2009


Cybercriminals have launched a massive new wave of Internet-based schemes to steal personal data and carry out financial scams in an effort to take advantage of the fear and confusion created by tumbling financial markets, security specialists say.

The schemes — often involving online promotions touting fake computer virus protection, get-rich scams and funny or lurid videos — already were rising last fall when financial markets took a dive. With consumers around the world panicking, the number of scams on the Web soared.

The number of malicious programs circulating on the Internet tripled to more than 31,000 a day in mid-September, coinciding with the sudden collapse of the U.S. financial sector, according to Panda Security, an Internet security firm.

It wasn't a coincidence, says Ryan Sherstobitoff, chief corporate evangelist at Panda.

"The criminal economy is closely interrelated with our own economy," he says. "Criminal organizations closely watch market performance and adapt as needed to ensure maximum profit."

Among those caught in the most recent barrage of scams was Justin Terrazas, 27, a beverage merchandiser from Seattle. He clicked on a Web link that infected his MacBook Pro laptop with a data-stealing program. Not realizing the laptop was compromised, Terrazas later typed his Bank of America debit card number and PIN to pay his Verizon cellphone bill online. The data-stealer swiftly siphoned his information.

A few days later, someone used Terrazas' debit card account to make a $501.41 online purchase from Modabrand.com, a designer clothing store. The merchandise was shipped to London, leaving Terrazas to unravel a big mess.

"This is definitely something you don't need in your life," he says.

The boom in cyberthreats that occurred during the last three months of 2008 could accelerate, especially if the economy continues to falter, security specialists say. Organized cybercrime groups have become increasingly efficient at assembling massive networks of infected computers, called botnets, and deploying them to amass large caches of stolen data, according to several surveys and dozens of interviews with security and privacy analysts. Meanwhile, scammers have honed the trickery used to turn stolen data into cash.

"There is a well-funded, well-educated horde continually probing for cracks and finding their way in" to consumers' financial information, says Roger Thornton, chief technology officer of security firm Fortify Software.

"They are breaching … the highest levels of the global finance infrastructure and a majority of our home computers."

Last fall, virulent programs called Trojans began to circulate more widely in e-mail and instant-message spam, got embedded in tens of thousands popular Web pages and spread in a widening barrage of online ads. Click on the wrong thing, and you would download an invisible Trojan crafted to steal sensitive data and allow the attacker to control your computer.

All types of con games — from e-mail phishing scams, which try to trick you into typing sensitive data at fake websites, to cyberhijacking, in which crooks use stolen user names and passwords to pilfer online accounts — increased, according to security firms, government regulators and law enforcement officials.

Targeting data storehouses

Hackers also are intensifying attacks on data storehouses.

Last week, Heartland Payment Systems disclosed that intruders cracked into the system it uses to process 100 million payment card transactions a month.

And Tuesday, Monster.com announced it would impose a mandatory password change for all North American and Western European users of its popular employment website. Thieves recently broke into Monster's databases to steal user IDs, passwords and other data that could be useful in a variety of scams.

"There are limitless opportunities in data of this quality," says Robert Sandilands, anti-virus director at the security firm Authentium.

To cybergangs, the implosion of the financial markets and widespread job cuts have translated into more opportunities.

Not long after banking giant Wachovia failed, phishing e-mail began circulating asking current and former customers to type in personal information to a website to complete mandatory installation of a new Internet security certificate. The website was a counterfeit, and some users who fell for the scam had their computers infected with the Gozi Trojan, which funnels stolen data to a computer server equipped to instantly sell the data to other criminals, according to the security firm SecureWorks.

Some thieves have stuck to the path of least resistance, snaring account user names, passwords and Social Security numbers. Cybercrime groups have gone further, sending tainted links in e-mail and instant messages, and spreading viruses via the direct messaging systems used on the social-networking websites Facebook, MySpace and Twitter.

Facebook encourages users to report any suspicious messages, but there's only so much it — and the other networking sites — can do to stop cybercriminals.

"We'll investigate and take appropriate action, which may include disabling the sender's account and blocking certain links from being posted," says Facebook spokesman Barry Schnitt.

But cybergangs now routinely activate hundreds of accounts by the minute, dedicating them to criminal pursuits.

Tainted links also are increasingly turning up in routine search queries on Google, Yahoo search and Windows Live search. The search companies also say they can do little to stem the rising tide of cybercrime. Google spokesman Jay Nancarrow says only that the search giant has "strict policies" against fraudulent practices, which it takes pains to enforce.

The FBI and Secret Service have created partnerships with police agencies around the world to combat cybercrimes. U.S. agents have been able to infiltrate several organized crime groups to make dozens of arrests, says Shawn Henry, assistant director of the FBI Cyber Division. Even so, "The offense tends to outpace the defense," Henry says. "The cyberthieves are extremely creative."

The threat from insiders

Some cybercriminals have begun to spread malicious programs by corrupting online banner ads. Security firm Finjan reports that new tools being sold on criminal forums can be used to infect online ads that use Adobe's popular Flash player.

The wide availability of such tools — and the fact that thousands of tech-savvy workers are being laid off in today's economy — is raising concerns that some of the jobless might see cybercrime as a way to survive.

"Unemployed IT personnel potentially can find easy income by purchasing and using crimeware," says Finjan CTO Yuval Ben-Itzhak. "We expect a rising number of people will try."

Some novice cybercrooks won't need anything fancier than a Web browser to get rolling. M. Eric Johnson, director of the Center for Digital Strategies at the Tuck School of Business at Dartmouth College, recently tried typing simple search queries, such as "insurance record," in Google and on file-sharing networks Gnutella and LimeWire.

He collected 3,328 files with potentially sensitive medical information; about 5% held data that could be used to fraudulently buy drugs or bill treatments. Data thieves are using such simple steps, too, he says.

Data-stealing gangs could begin reaching out to laid-off or disgruntled employees who know their employers' tech systems, security experts warn. Database security firm Application Security's recent audits of 179 organizations found 56% had suffered at least one data breach in the past 12 months. The survey does not reveal how any particular breach happened.

"It's a three-legged beast," says Pat Clawson, CEO of Lumension Security. "There is an absolute crunch in IT spending, there are more profit-minded hackers, and employees with access to valuable data" are willing to sell access to criminals.

About 75% of the 1,400 tech operations and information management professionals recently surveyed by Lumension and Ponemon Institute said cybercrime remains a major concern, despite efforts to thwart hackers.

"In the next year or two, these challenges will increase in both breadth and depth of threats," says Larry Ponemon, chairman of Ponemon Institute.

'It's so easy'

In a recent episode that reflected the complexity of leading-edge attacks, three different thieves collaborated to steal $99,000 from a credit union, says Tom Miltonberger, CEO of security firm Guardian Analytics.

The first thief pilfered a credit union member's online account user ID and password, and gave it to a second thief. That person then logged on several times to see images of cleared checks and to monitor the balance available on a pre-approved home equity line of credit, says Miltonberger, who investigated the case.

That information went to a third thief, who drew up a forged fax request with instructions to transfer funds from the home equity line of credit into the checking account, and then to wire those funds to another account. Because the forged signature was so good, the credit union carried out the transfer.

No one has been arrested in the case.

In another recent attack, someone acquired the user name and password for a system administrator at CheckFree.com, the nation's largest e-bill payment system. Using those log-in credentials, an intruder gained access to CheckFree's domain name service account — an account that permits the administrator to redirect traffic trying to access CheckFree's home page to other legitimate company pages.

For several hours, the intruder redirected anyone typing www.mycheckfree.com to a Web server in the Ukraine that tried to install a password-stealing Trojan. Although as many as 160,000 customers may have been affected, none had any of his or her data stolen, says Lori Stafford-Thomas, a spokeswoman for Fiserv, the parent company of CheckFree. "CheckFree sites are all up and running properly and securely," she says.

But the attempt was a sign of things to come, says Amit Klein, CTO of security firm Trusteer.

"The moral of this attack is that it's so easy to take over your (website)," Klein says. "I just need to get ahold of your user name and password once. And we all know how easy it is to get your credentials."

Beverage merchandiser Terrazas knows all too well the downside of having one's sensitive data stolen. He says Bank of America covered the illicit charge to his debit card and gave him a new card account number. But he had to alter several other financial accounts to reflect the change, and he no longer trusts using his debit card to pay bills or make purchases online.

"It's a bummer that somebody took my information," he says. "But if I don't want this to happen again, this is what I have to do."

Data Loss Costing Companies $6.6 Million Per Breach

COST : Data Loss Costing Companies $6.6 Million Per Breach

Customers, it seems, lose faith in organizations that can't keep data safe and take their business elsewhere, a Ponemon Institute survey found.

By Thomas Claburn


February 3, 2009


The total average cost of a data breach last year reached $202 per record, a 2.5% increase since 2007, a study published Monday revealed.

The study was conducted by the Ponemon Institute, a privacy and data-protection research group, and PGP, a data-encryption vendor. It was based on the costs incurred by 43 organizations following actual data breaches.

According to the report, the total average cost per company surveyed was more than $6.6 million per breach, up from $6.3 million in 2007 and $4.7 million in 2006. The highest reported total cost among the 43 respondent organizations was $32 million.

Of the average $202 per record cost, $139 was attributable to lost businesses as a result of the breach. As a percentage of the total cost per record, that represents 69%, which is up from 67% in 2007 and 54% in 2006. Customers, it seems, lose faith in organizations that can't keep data safe and take their business elsewhere.

"This finding reinforces the message delivered by leading enterprise IT managers and industry analysts that organizations must focus on proactively protecting their data instead of relying exclusively on written policies, procedures, and training," the report says.

Of particular note for many organizations will be the finding that third-party data breaches have become more common and that they cost more than internal breaches. Breaches that originated with outsourcing companies, contractors, consultants, and business partners accounted for 44% of the breach total, up from 40% in 2007. Third-party breaches cost an average of $231 per record, compared with $179 for breaches originating from within the organization that owns the data.

At the same time, it's insider negligence that's the biggest cause of breaches. According to the study, more than 88% of the breaches studied in 2008 arose from an insider's mistakes. At least such breaches tend to be less expensive, at $199 per record, than breaches arising from malicious acts, at $225 per record.

In terms of preventive measures, the top three employed by respondents were training programs, additional manual procedures or controls, and the expanded use of encryption. PGP, as it happens, sells encryption products and services to businesses.

Long viewed as more trouble than it was worth, encryption may finally have become a necessity. Heartland Payment Systems, which in mid-January disclosed a potentially massive data breach that could affect more than 100 million accounts, said just last week that it was accelerating its effort to deploy end-to-end encryption to protect its transaction data. Better late than never, but pre-breach deployment would have been better still.

Data-loss prevention products can protect your intellectual property from internal mishandling. InformationWeek has published an independent review of some of the leading products.

Two-thirds of UK's top IT security jobs unfilled

GAP : Two-thirds of UK's top IT security jobs unfilled

It's all about the skills

by Nick Heath

3 February 2009


An IT skills shortage has been blamed for two-thirds of the top computer security jobs available in the UK remaining unfilled.

Of the 14 chief security officer positions that have become vacant in the UK over the past four months, only about one-third had been taken up, according to chairman of the Institute of Information Security Professionals (IISP) Paul Dorey.

The IISP - the IT security industry members' association - runs a scheme checking skills among security professionals in the private sector and from April will also take over responsibility for accrediting expertise among security specialists and contractors working in Whitehall.

Dorey said the difficulty in filling the 14 posts in both the public and private sector is due to the size of the talent pool.

"The reason it is taking so long to fill those 14 jobs is that the employers are all fishing for the same people," Dorey told silicon.com.

"The genuine issue is that there is a shortage of appropriate security professionals and we need more processes to provide proper accreditation in the field to give them the training and monitoring they need.

"It is about skilling people up more and more, so they are able to do the higher end jobs, and increasing the size of the talent pool."

This year the IISP expects that the number of computer security specialists to achieve its highest level of security accreditation will reach 500.

Sharon Wiltshire is chairman of the Infosec Training Paths & Competencies (ITPC) scheme at the Central Sponsor for Information Assurance, a unit within the Cabinet Office.

The ITPC is the government's in-house training scheme for information security professionals working for Whitehall, the accreditation portion of which will transfer to IISP in April.

Wiltshire told silicon.com that as more people passed through the accreditation scheme, it would help better meet the UK's demand for skilled computer security staff.

"Having a qualification that goes beyond the basic level is going to be a help [for organisations] and will also help promote a better career path for individuals," she said.

Under the IISP, Whitehall security staff will be able to pit their skills against a more rigorous testing regime than before, including an interview with their peers to test their IT security expertise.

Wiltshire said the accreditation process will remain voluntary for most Whitehall security staff but added that some departments already demand ITPC accreditation, including some parts of the Ministry of Defence and The National Technical Authority for Information Assurance.

Cybersecurity vendors own network caught virus

HIT WICKET : Cybersecurity vendors own network caught virus

When this server's a-rockin'...

By Dan Goodin in San Francisco

4th February 2009


SRA International, a government contractor that provides cybersecurity and privacy services, has warned its employees their personal information may have been stolen after hackers planted a virus on its computer network.

The malware was installed on the same network that stored employees' personal data including names, addresses, dates of birth, health information and social security numbers, according to a letter filed with Maryland's Office of Attorney General. Information might also include personal employee details included in security position questionnaires.

Company investigators don't know whether the information has been intercepted but decided it was appropriate to warn employees of the possibility, the letter said. The firm has offered the services of a credit monitoring company to mitigate the chances of identity theft. The breach was reported earlier by IDG News.

The letter didn't say how the virus made its way into a presumably secure network.

"We have shared our findings with our anti-virus vendor and they have updated their virus definitions to detect the virus files we identified," the letter stated. "While we have no specific information, we believe that the security issue may affect more than just SRA."

The letter went on to admonish employees that news of the breach "is company proprietary and should not be discussed externally."

SRA had close to 6,500 employees as of June 30, according to the company's annual shareholder report. The same document went on to praise its computer security savvy.

Wednesday, February 4, 2009

25 Most Shocking Crimes in Social Media History

25 Most Shocking Crimes in Social Media History

By Laura Milligan

The popularity and near necessity of social media sites has grown tremendously in the last few years, helping small businesses make connections, giving freelancers and students the chance to network with people they’d never be able to meet otherwise, and allow a place for all kinds of interest groups to chat and make friends online–from gardeners to book lovers to sports junkies. There is a dangerous and corrupt side to social media creators and users; however, and the ability to create fake profiles and violate privacy and copyright rules is still more than possible. Read below for 25 of the most shocking crimes in social media history.

Copyright, Hacking and Blackmail

From Facebook’s big lawsuits to MySpace hackers demanding pay-back from celebrities, these copyright, privacy and blackmail cases can get ugly.

  1. ConnectU vs. Facebook: Facebook founders Mark Zuckerberg, Eduardo Saverin, Dustin Moskovitz, Andrew McCollum and Christopher Hughes got in big trouble in 2007 when their former Harvard friends filed a lawsuit claiming that Facebook was a rip-off of their brand ConnectU. Zuckerberg did programming work for ConnectU during its start up and is accused of stealing the business model and basic codes to form Facebook. Because Facebook is such a popular social media site, the case garnered a lot of attention, but ConnectU’s charges of copyright infringement didn’t hold much weight, since "the majority of the allegations date back to the days before either Facebook or ConnectU was a formal corporation," according to CNET UK. In April 2008, though, Facebook settled, awarding ConnectU founders "an undisclosed sum of cash and stock," Boston.com reported.
  2. Miss New Jersey blackmail case: During the summer of 2007, then Miss New Jersey Amy Polumbo was scandalized when private Facebook photos were published in tabloids. The pictures were acquired as part of a blackmail attempt and featured Polumbo in PG-13 poses with her boyfriend and drinking at parties. The Miss America organization did not decide to dethrone Polumbo, but she decided to release the photos herself anyway, to clear the air.
  3. Facebook vs. Montreal spammer: In November 2008, Facebook won its CAN-SPAM lawsuit against Canadian Adam Guerbuez, a spammer who clogged account holders’ pages with pornographic websites and other unsavory pitches. Guerbuez and the 26 others accused of spamming Facebook users were found guilty, and Facebook was awarded $873 million.
  4. Chang v. Virgin Mobile USA, LLC: In January 2009, a Texas teenager and her mother sued Virgin Mobile for using one of her personal photos uploaded on Flickr for an Australian advertisement. The lawsuit insisted that Allison Chang’s right of publicity had been exploited and that the use of her photo violated the Creative Commons Attribution 2.0 license she attached to her photo. The case was thrown out due to a discrepancy in jurisdiction, and no court could decide where to hold the case.
  5. Allison Stokke vs. WithLeather.com: Allison Stokke was just a regular California pole vaulter ready to start college when she became a sex symbol and Internet sensation after the blog WithLeather.com posted her photo. The photo in question was taken during a competition and showed Stokke resting with her pole across her shoulder in a skimpy, but standard, track and field uniform. After the photo was featured online by various bloggers, Stokke received thousands of MySpace messages and e-mails and had a competition video posted on YouTube. The Washington Post reports that the photo eventually found its way to Matt Ufford of WithLeather.com, who wrote, "meet pole vaulter Allison Stokke. . . . Hubba hubba and other grunting sounds." The original photographer threatened to sue Ufford and someone even created a fake Facebook page for Stokke–which was eventually taken down–but no criminal charges could ever be filed.
  6. Twitter hijacking: Twitter users generally enjoy a pretty straightforward social media experience, but a scam in 2008 hacked major celebrity accounts, including Bill O’Reilly, Barack Obama and Britney Spears. CNN anchor Rick Sanchez’s account was also hacked and featured fake tweets that said "i am high on crack right now might not be coming into work today." Gawker’s ValleyWag points out that this scam was virtually pointless, as the hackers didn’t profit financially from the phishing.
  7. Facebook phishing scam: This phishing scam posted messages on users’ profiles warning friends that they were going to delete their profiles and that friends should click on a link to the new profile. The new profile link, however, was really a fake login page that tricked Facebook users into logging in and letting hackers steal their information.
  8. Soulja Boy vs. MySpace hackers: Soulja Boy got mad when his MySpace was hacked and e-mail password was published online. The hackers left obscene messages on his MySpace page "where Soulja Boy purportedly declared his homosexuality" and insulted fans. The rapper was scammed by members of 4chan, who demanded that Soulja Boy pay them $2,500 "in order to regain control over his account," Cyber Crimes reports. Soulja Boy’s record company contacted MySpace, who returned his account.
  9. Miley Cyrus MySpace hacker: Teen actress and singer Miley Cyrus has had her share of scandals, and when her MySpace page was hacked and photos of her midriff were circulated around the Internet, parents got mad. But whatever you think of Miley, her hacker Josh Holly was the real one to blame and was eventually caught in an FBI raid on October 2008.
  10. Shaun Harrison and Saverio Mondelli: Long Island friends Shaun Harrison and Saverio Mondelli were caught when they tried to track MySpace users through e-mail by creating their own code, demanding that the social media network pay them $150,000 as a consulting fee. Under their plan, MySpace users would be able to view the IP and e-mail addresses of all the visitors to their profile, but MySpace’s terms of agreement prevents that sort of monitoring. MSNBC reports that "two counts of attempted extortion and another illegal computer access count were dropped in the deal," however.
  11. Universal vs. MySpace: In November 2006, Universal Music Group sued MySpace for copyright infringement. Universal claimed that "that Myspace has looked the other way as users unlawfully uploaded copyright music videos," and facilitated the easy spread of unlawful music sharing across the site, according to CNET News. Although MySpace had already been trying to cut back on copyright infringement for music sharing, Universal believed that MySpace was still exploiting artists and the company.
  12. Facebook v. Power.com: This lawsuit is shocking according to TechDirt because it simply doesn’t make sense. Facebook sued Power.com, a social networking aggregator that lets users manage all of their social media profiles at once, for copyright and trademark infringement, unlawful competition and violation of the computer fraud and abuse act. According to TechDirt, Power.com does not try to trick anyone to believing they are using the original Facebook and actually serves to "actually improve the value of Facebook, rather than diminish it."

Sex Crimes, Assault and Murder

Tragically, social media sites like MySpace serve as an easy venue for sex predators and bullies to track their victims. These grisly crimes have affected innocent teenagers and kids.

  1. Megan Meier suicide: The tragic suicide of Missouri teenager Megan Meier was a top news story in 2006 and 2007. Meier was the victim of a prank that involved a classmate’s mother, Lori Drew, who set up a fake MySpace account and pretended to be a boy named Josh, who befriended Meier online. Drew apparently wanted to know whether or not Meier was gossiping about her own daughter and became close with her under false pretenses. "Josh" eventually said "he didn’t want to be [Meier's] friend anymore, that he had heard she wasn’t nice to her friends," according to Fox News. "Josh" continued to post messages taunting Meier, even calling her "fat" and a "slut." Meier hanged herself in her bedroom, and six weeks later, her parents found out about the fraudulent MySpace account. In May 2008, Drew was indicted on three counts of accessing protected computers without authorization to obtain information to inflict emotional distress, and one count of criminal conspiracy, according to Wikipedia.
  2. Middletown, CT, sex assaults: In 2006, seven teenage girls from Middletown, CT, reported to authorities that they had had consensual sex or engaged in sexual relations "with men who turned out to be older than they claimed," according to MSNBC. The girls, all under the age of 18 and as young as 12, met the men on MySpace.
  3. Kara Borden and David Ludwig: Pennsylvania teenager Kara Borden had to run away from home after she watched her boyfriend, David Ludwig shoot and kill her parents. The pair were tracked down by people who found their MySpace profiles and Xanga blog, and left obscene messages on their pages. Both Kara and David’s social media pages served as a platform for the public and journalists to speculate over their innocence or guilt.
  4. Doe v. MySpace: In this case, a minor and her mother sued MySpace after she was sexually assaulted by a nineteen-year-old man she contacted on the social media site. The lawsuit claimed that MySpace did not support or protect minors from predators, but it was eventually dismissed from Texas and New York federal courts.
  5. Judy Cajuste murder: Judy Cajuste’s murder is another example of MySpace predators who take advantage of vulnerable teens online. In January 2006, 14-year-old Cajuste was strangled to death in New Jersey and dumped in a dumpster. Friends believe Cajuste had already met the man offline before he allegedly killed her, saying that "she felt comfortable with him," already.
  6. The Olivia Haters Club: The new phenomenon called cyber bullying was the focus of a thirteen-year-old girl’s existence in 2006. Olivia Gardner has epilepsy, and inspired a mean girls’ club called "Olivia Haters" that kids from her middle school set up on MySpace. Gardner’s family could not charge the girls with any sort of crime, but it was still a shocking revelation for them.
  7. Teens charged with child pornography: Teenagers aren’t immune from being charged with child pornography, and in March 2006 in Providence, RI, 19-year-old Elizabeth Muller and a 16-year-old girl were charged for uploading pornographic pictures of themselves on MySpace.
  8. Lewis & Clark College sex assault: The campus at Lewis & Clark College in Portland, OR, became involved in a complicated sex assault case after sophomore Helen Hunter reported being sexually assaulted. In response to the assault, students set up a Facebook group that gossiped about the case and posted hostile messages towards her alleged assaulter, Morgan Shaw-Fox, even though Hunter never submitted a formal complaint. After Shaw-Fox made his own complaint about the Facebook page, he was suspended but never charged with a crime.
  9. Michael Macalindong blackmail and child pornography: In October 2008, Michael Macalindong was sentenced to 34 years in federal prison for posing as a teenage girl, soliciting a teenage boy, and trying to blackmail him for not posting sexual videos of himself on Facebook. After striking up a friendship with the boy, the Chicago Tribune reports that Macalindong, 25, "told the teen he could have sex with her" but only if the teen had sex with her male friend first. Macalindong was that male "friend," police said.
  10. Fontana, CA MySpace sting: California teenagers who set up a fake MySpace profile as a joke ended up luring a sex predator and having him arrested. The boys created a fake profile for a 15-year-old girl, which attracted a man who sent sexually explicit message to "her." Eventually, the boys agreed to meet the man in a park, "and, when the man arrived, they called police," according to MSNBC.
  11. Andrew Lubrano: Wired writer Kevin Poulsen created a code that would find sex predators on MySpace, a controversial tactic that actually helped catch Andrew Lubrano. Lubrano was arrested and convicted of sex crimes in the 1980s and 90s but was eventually released. In 2005, he signed up for MySpace, where he found teenage boys to "friend." Poulsen directed Long Island police to Lubrano’s page, letting them conduct an investigation, which results in his arrest.
  12. Amanda Knoble shooting: Cyber bullying became an almost-deadly reality for Amanda Knoble in 2008, when another teenage girl, 15-year-old Andrea Haskins, threatened to kill her in a message on MySpace. Haskins shot Knoble in the leg after sending her the message and was charged as an adult for attempted first-degree intentional homicide.
  13. Florida teens beat-down: This serious beating of a teenage girl started on MySpace. The victim’s father, reports ABC News 24, says the girls wanted to create a video that would become popular on You Tube. But the mother of one of the arrested teens says the victim provoked the attack by threatening and insulting the girls on My Space. The victim was jumped by six girls who gave her a concussion, bruises and injured her eye and ear while two boys stood watch. All eight teenagers were arrested.

Source: http://www.mastersincriminaljustice.com/blog/2009/25-most-shocking-crimes-in-social-media-history/

Quote of the day

Quote of the day

The true perfection of man lies, not in what man has, but in what man is...Nothing should be able to harm a man but himself. Nothing should be able to rob a man at all. What a man really has is what is in him. What is outside of him should be a matter of no importance.

Oscar Wilde

New IT Term of the day

New IT Term of the day

Unified Threat Management

Unified Threat Management (UTM) is a term first used by IDC to describe a category of security appliances which integrates a range of security features into a single appliance. UTM appliances combine firewall, gateway anti-virus, and intrusion detection and prevention capabilities into a single platform. UTM is designed protect users from blended threats while reducing complexity.

New disk encryption standards could complicate data recovery

ISSUE : New disk encryption standards could complicate data recovery

So, what do you do if you lose your password?

By Lucas Mearian


February 2, 2009


When the world's largest disk-makers joined last week to announce a single standard for encrypting disk drives, the move raised questions among users about how to deal with full-disk encryption once it's native on all laptop or desktop computers.

For example, what happens if a user loses a password -- essentially leaving the drive filled with data that can no longer be unencrypted? Or what if a drive becomes corrupted or damaged, the data has to be recovered by a third party -- and your password is on the drive?

"Then you have just killed yourself," said Dave Hill, an analyst at research firm Mesabi Group.

The Trusted Computing Group (TCG), made up of disk hardware and software vendors, last week published three encryption specifications to cover storage devices in consumer laptops and desktop computers as well as enterprise-class drives used in servers and disk storage arrays.

Some industry observers believe that within five years, all disk drive manufacturers will be offering drives -- both hard disk and solid-state disk -- that use the specifications for firmware-based encryption.

While enterprises using drives with full-disk encryption, such as the Seagate Momentus 5400 FDE.2 drive or Fujitsu's 2.5 7200rpm self-encrypting drive, would monitor them through a central access administrator with a master password to unencrypt, consumers purchasing laptops or desktops with drives would face a more daunting scenario: They would need to either back up their data and their passwords, or lose their drives and data.

Robert Thibadeau, chief technologist at Seagate Technology LLC and chairman of the TCG, said the current disk-encryption specifications allow users to create more than one password to access data, so that if a user were to lose one, he could still access his hard drive with a backup password.

"Furthermore, with some password settings, you can provide a password that allows erasure so you can put the drive back into use, but the data will be gone," Thibadeau said.

If a drive were to become corrupted or the hardware damaged and a data recovery firm needed to retrieve a user's disk, Thibadeau said, the recovery firm could use the password to recover data from the damaged hardware. The TCG is also working with data recovery firms to create a technique that would allow them to recover encrypted data on drives using the standards, without requiring a user password.

Currently, however, if a user loses his password and a drive becomes damaged or corrupted, the data is not recoverable, Thibadeau admitted.

David Virkler, CIO at AdaptaSoft Inc., a payroll systems software and services company, said that administration of drives with hardware-based encryption is easy and that he has seen no I/O slowdown. Virkler installed Seagate's self-encrypting, 2.5-in. Momentus 5400.2 drives in October 2007 on his company's Dell laptops in order to protect customer financial data that his company often deals with in its service capacity. He paid a $40 premium for each self-encrypting drive, spending about $120 total for each 80GB drive.

While the rollout was easy, he acknowledges that if a company doesn't already have a group policy in place -- a domain name server and an active directory -- then it would be "painful" to roll out. "You'd have to manage each laptop individually," he said.

At AdaptaSoft, Virkler instituted a policy at the time of the rollout that warned workers not to keep critical data on their laptops; they were told to always use the company's network drive instead for the highest-priority information in case of a drive failure. "If laptop crashes, I'm not going expend a lot of energy to get it back. I'd also imagine any data recovery options would be nearly impossible," he said.

Virkler said he's now interested in using self-encrypting drives in his data center, but he's not sure how they would work, since he also runs Citrix and virtualization software.

Ken Waring, IT director at CBI Health in Toronto, said his organization needs encryption on its drives to protect sensitive patient information, but he's also concerned about emerging technologies, including the standardization of full-disk encryption and the problems it might create.

But, as Waring put it, "it's still a million times better than having nothing. And, as a business, you can only take what's available to you."

Mesabi Group's Hill agreed, saying that not only is data with full-disk encryption safe if a computer is stolen or lost, but the technology also automatically puts a company using the drives in compliance with state laws such as California's data breach notification mandate. That law requires companies to notify the public when unencrypted drives are lost or stolen.

CBI Health is a national network of more than 135 community and hospital-based rehabilitation, medical and health care facilities. Three years ago, Waring switched from Lenovo to Dell laptops in order to get hardware-based encryption, replacing a software-based encryption product that he found arduous to manage and unreliable. Waring found that drives encrypted with software would sometimes unencrypt themselves -- leaving the data open to theft. And "we've experienced five drive failures due to the encryption software, but none from hardware," he said.

Today, 90 of CBI Health's 200 laptops use Seagate's Momentus drives with native full-disk encryption. The other users will move to Seagate drives as they are replaced at end of life, Waring said.

CBI Health uses Wave Systems Corp.'s Embassy Suite encryption management software to monitor its encrypted drives, including storing passwords.

Waring understands the concerns about lost passwords and damaged drives but said that Wave's software allows CBI Health to keep a single administrative password to access encrypted drives in case a user loses his password. In addition, Waring backs up all drives, so if one is damaged, the data is not lost.

"Our company as a whole is trying to harden every element of its architecture," he said. "We felt it was prudent to start where we are most vulnerable -- mobile devices that people leave in their cars or have in their homes."

Sony taps veins for better biometrics

R&D : Sony taps veins for better biometrics

Blood vessel layouts scanned

By James Sherwood

2nd February 2009


Sony has unveiled the next step in biometric security: a camera-based system that analyses veins in your fingers.

The user first lays one side of their index finger down on a small pad, after which a series of LEDs shine infrared light onto it. A CMOS sensor sat on the other side of the finger then picks up light scattered off of the veins inside the user’s finger.

An algorithm uses this information to build up a picture of the user’s vein layout. Sony claims that, much like a fingerprint, a person’s vein arrangement is unique and that it doesn’t ever change.

The whole identification process takes less than one second, but it’s unclear if the technology – called Mofiria – can detect if blood’s still pumping through a finger’s veins. So mafia dons needn’t worry yet.

Mofiria could well prove useful as a security system for mobile devices, such as phones, Sony said. It expects to commercialise Mofiria throughout 2009.

50000 malwares per day

FACTORY : 50000 malwares per day

How Do They Make All That Malware?

By Larry Seltzer



Anti-virus vendors are getting more than 50,000 submissions of new malware per day now. How can the malware business be so productive? It turns out the numbers aren't really as big as all that.

I was talking to a head research guy at an anti-virus company recently, and he said that the big anti-virus firms are all getting about 50,000 new malware submissions every day. 50K! How do they, the malware authors, do it? And how is it that the AV companies actually get the malware?

Welcome to the malware generation business model. So you want to be a malware star? Well listen now to what I say. Unfortunately, I will be somewhat vague, but the fact is that anyone who's technically competent and has the will to do so can find the missing pieces of the puzzle I'll lay out.

First, very little malware is lovingly hand-crafted from scratch these days. The name of the game in defeating anti-virus software is volume. You generate huge numbers of slight variants of a malicious program, do things like use different packers on the executable, and some end up different enough that the anti-malware products can't detect them.

So you write or get someone else's malcode generator. These are programs that generate malicious code variants. (No, I won't tell you where to find them.) You can get source to lots of popular malware, make your own changes and make zillions of variants. But the overwhelming majority of these variants will be detected by any decent anti-malware program, and you can't distribute all of then, so how are you to know which are the undetectable ones?

The answer is to use one of the public malware scanning services. The first and most famous one is VirusTotal, but there are several others. You upload a file to these services, and they scan it with a collection of scanners.

You get a report back saying what scanners found the malware, what they detected it as, and which didn't find it. With new malware, the detections will be overwhelmingly generic/heuristic.

The good news is you can see which variants are undetected enough to be useful. The bad news is that when a product does not detect your sample, VirusTotal and the other scanners submit it to the AV companies so that they can add a signature or adjust their heuristics. You won't go undetected for long. And of those 50,000 submissions, probably no more than a few hundred, perhaps much less than that, are ever seen in the wild. Even fewer do real damage.

This arrangement is what makes it worthwhile for the anti-malware companies to cooperate with VirusTotal. It gets them early access to new malware. It's also how the AV companies are getting 50,000 submissions a day: The malware authors are, in effect, sending the new malware directly to the companies. That they will only have a limited window of opportunity to attack protected users with the new malware is just a cost of doing business.

If you want to spend some money to avoid having to inform the industry about your new code, start your own multiproduct scanning lab. You'll need current subscriptions for as many products as you can get, but I'm not sure it would buy you much time. These companies talk to each other, and if a new, undetectable variant came out from the wild, word would spread pretty quickly; soon someone would feed it through VirusTotal or one of the other services, and the jig would be up.

None of this is news and shouldn't be surprising. The moral of it all, and this too should not be news to you, is that anti-malware should not be your only line of defense. Many people call it useless because some attacks get through, and now you know how, but no line of defense is perfect. Anti-malware needs to be combined with other forms of defense, like a firewall, an intrusion prevention product, running your system with least privileged access and not clicking on links in e-mails (or at least being very careful about doing so).

This is what is referred to as defense-in-depth, and if you're good about practicing it and careful online, you should be safe.

$ 9 mn Coordinated Global Attack on ATMs

HACK-MAFIA : $ 9 mn Coordinated Global Attack on ATMs

FBI Uncovers Worldwide $9M ATM Card Scam


February 03, 2009


Hackers orchestrated a highly coordinated, global attack on ATM cards involving the theft of a staggering $9 million from bank customers — and they could strike again, according to an investigation by FOX 5 TV in New York.

Customers' personal information might also have been compromised in what federal agents are calling one of the most well-coordinated such schemes they've seen, MyFOXNY.com reported.

The FBI said it uncovered the plot and is investigating. The alleged hackers are still at large and could orchestrate another attack.

In a matter of hours, thieves struck ATMs from 49 different cities — including New York, Atlanta, Chicago, Moscow and Montreal — just after 8 p.m. EST on Nov. 8, according to the FBI.

Part of the heist was caught on security camera images obtained by the TV station. The photos show people the FBI calls "cashers" — low-level participants in the plot who allegedly used bogus ATM cards with stolen information — at the machines.

The scheme worked as follows: Plotters hacked into a computer system for a company called RBS WorldPay, which allows employers to transfer workers' pay directly to a payroll card.

The scam artists were then able to infiltrate the system and steal personal data needed to make duplicate ATM cards.

"We've seen similar attempts to defraud a bank through ATM machines but not anywhere near the scale we have here," FBI Agent Ross Rice told FOX 5. "We've never seen one this well coordinated."

The FBI has no suspects and has made no arrests thus far.

An Atlanta attorney filed a class-action lawsuit against RBS WorldPay for the alleged security breach.

The company told FOX 5 they'd hired a security firm to investigate and try to prevent identity theft in the future.

Monday, February 2, 2009

Quote of the day

Quote of the day

Try not to become a man of success but rather try to become a man of value.

Albert Einstein


New IT Term of the day

New IT Term of the day


A slang term used to describe an above and beyond, an exaggerated, an omnipresent 24/7 electronic surveillance. Not only does the term suggest a surveillance that is always on but also surveillance that is always with you, referring to a surveillance technology that is embedded within the human body (e.g. Big Brother on the inside, looking out). May also be seen written as √úberveillance.

U.S. Feds Warn of Cyber Security Meltdown

CONCERN : U.S. Feds Warn of Cyber Security Meltdown

January 31, 2009


Computer attacks pose the biggest risk “from a national security perspective, other than a weapon of mass destruction or a bomb in one of our major cities,” said Shawn Henry, assistant director of the FBI’s cyber division told the International Conference on Cyber Security in New York . According to multiple reports Henry went on to say terrorist groups aim for an online 9/11, “inflicting the same kind of damage on our country, on all our countries, on all our networks, as they did in 2001 by flying planes into buildings.”

“The cyber infrastructure of the U.S. government is closely linked to the national cyber infrastructure that we all know and use. And that infrastructure is largely made up of privately owned networks. Moreover, our economic security is quickly becoming linked to our ability to protect information in cyberspace. Even if the government wanted to devise cyber security policies without private input, these policies would have limited reach, and would not reach many of the most critical potential vulnerabilities in the United States, said Deputy Attorney General Mark Filip at the International Conference on Cyber Security.”For instance, electrical grids depend on cyber components to function, and the banking system and Wall Street rely on computers and Internet-based transactions. The crown jewels of our technology and intellectual property rights - held in corporations and research universities - are similarly affected by such vulnerabilities. These and many more like examples make clear that we cannot have a rational national cyber security policy without thinking long and hard about how to protect private networks.”

“I can’t tell you how strongly I believe, how much I’ve been convinced by my colleagues in the FBI, and the rest of the Executive Branch, that we must secure our cyber infrastructure in a manner that addresses threats from foreign armies, adversary intelligence services, criminals, and terrorists,” Filip said. “It’s hard to exaggerate how important this is or how hard it is to accomplish fully.”

Filip went on to say that the US, partners abroad and private industry have made substantial progress at battling cyber crime despite the challenges that cyber operations and investigations present. For example:

v The Department of Justice chairs the G-8 High Tech Crime Group, which now includes over 50 countries. The group is designed to facilitate parallel criminal investigations with law enforcement agencies abroad and allow for quick cooperation on emerging and exigent cyber crime matters.

v The United States ratified the International Convention on Cybercrime. The Convention provides a basic framework for substantive and procedural laws to allow greater cooperation among nations in the investigation and prosecution of cybercrime, and sets minimum levels for substantive cyber laws, procedural laws, and standards of cooperation with other nations.

v The Department of Justice, in cooperation with other government agencies, helps train foreign police, prosecutors, and judges on investigating and prosecuting cybercrime and the importance of obtaining and preserving electronic evidence.

v The FBI has created InfraGard, a partnership between the government and private industry that encourages information sharing to better protect America’s physical and electronic infrastructure, including banks, water and food supplies, and transportation and communications networks. InfraGard, includes federal, state, and local law enforcement; military officials; business executives; entrepreneurs; and academics. FBI agents are able to provide threat alerts and warnings, investigative updates, and other information, and private sector partners share expertise and information that helps law enforcement track down criminals and terrorists.

Texas lawyer sues Citibank over fake cheque scam

LAW : Texas lawyer sues Citibank over fake cheque scam

'I'm a capital 'D' Dumbass', admits fleeced victim of Lads from Lagos

By Lester Haines

30th January 2009


A Houston lawyer is suing Citibank after being taken for $182,500 by email scammers claiming to be a debt-chasing Japanese company, Texas Lawyer reports.

Richard T Howell Jr, of Buckley, White, Castaneda & Howell, fell for a classic cheque fraud scam. His "Japanese" contacts claimed they were pursuing four outstanding debts in the US - a total of $3.6m of which Howell would collect a healthy percentage for helping process the funds.

The scammers duly informed Howells that one debtor had agreed to stump part of what it owed, $367,500, and a "Citibank Official Check" for that amount subsequently arrived, which Howells deposited into one of his firm's account at the Sterling Bank in Houston.

Howell claims that an employee of his firm "telephoned Citibank and verified that check number 310096829 in the amount of $367,500 was paid". Howell then made a "wire transfer of $182,500 to a supplier of [the Japanese company] in Hong Kong".

Shortly afterwards, Sterling Bank informed him the cheque had been returned as "counterfeit", by which time it was too late to stop the wire transfer. Howells said he then "emailed the client but got no reply".

He admitted: "I'm a capital 'D' Dumbass."

While Howell has no chance of retrieving the lost cash, he is taking Citibank to task over the dodgy cheque. In December last year, his firm "sued Citibank in state court in Houston, alleging the New York bank was negligent and engaged in negligent misrepresentation when it represented to Howell that a $367,000 check - that was supposed to be a payment to Howell's client from a customer - had cleared when, in fact, it was a bogus check".

Howell is seeking "$182,500 in actual damages for Citibank's alleged negligence" plus "a minimum of $367,000 in punitive damages".

Citibank has denied the allegations and wants a "take-nothing judgment". The bank's attorney, Yasmin Atasi, insisted: "We are not liable for those funds."

The case is due to be heard in July.

For further details see “Texas Lawyer” http://www.law.com/jsp/article.jsp?id=1202427717175.

Corporate Data theft is trillion dollars in 2008

STUDY : Corporate Data theft is trillion dollars in 2008


31 January 2009


SAN FRANCISCO (AFP) — Workers turned "cyber moles" and crime syndicates armed with malicious software are looting digital data from businesses as losses reportedly topped a trillion dollars in 2008.

California computer security firm McAfee presented the findings Thursday at the World Economic Forum in Davos, Switzerland, with a warning that the world's dismal financial straits are exacerbating data theft woes.

"Based on the survey findings McAfee conservatively estimates that the global damage from data loss to top one trillion dollars," said McAfee chief executive Dave DeWalt.

"This report is a wake-up call because the current economic crisis is poised to create a global meltdown in vital information."

Insights for the first-ever worldwide study "on the security of information economies" were gathered from more than 800 chief information officers in Japan, China, India, Brazil, Britain, Dubai, Germany and the United States.

The companies surveyed estimated they lost a combined 4.6 billion dollars worth of intellectual property last year, and spent approximately 600 million dollars repairing damage from data breaches.

"Companies are grossly underestimating the loss, and value, of their intellectual property," said Eugene Spafford, a US university computer science professor who is executive director of The Center for Education and Research in Information Assurance and Security (CERIAS).

"Just like gold, diamonds or crude oil, intellectual property is a form of currency that is traded internationally, and can have serious economic impact if it is stolen."

Pressure on firms to cut costs is resulting in weakened computer security measures, making them more tempting targets for information thieves, according to CERIAS, which analyzed responses in the study.

Thirty-nine percent of the CIOs in the study said they believe vital company information is more vulnerable because of current economic conditions.

There has been an increase in "cyber mafia gangs" breaking into corporate databases, according to the study.

"Cybercriminals are increasingly targeting executives using sophisticated phishing techniques," the study states.

"Phishing" refers to deceptive emails or other online ruses that trick people into revealing passwords, account numbers, or other sensitive information.

Such attacks customized to harpoon specific powerful executives are often referred to as "whaling."

The dour economy also raises the chances of companies being looted by employees out to supplement shrinking paychecks or improve job prospects with future employers.

"An increasing number of financially challenged employees are using their corporate data access to steal vital information," the study contends.

"As the global recession continues and legitimate work disappears, desperate job seekers or 'cyber moles' are stealing valuable corporate data to make themselves more valuable in the job market."

The study also pinpointed China, Pakistan, and Russia as data theft "trouble zones" because of legal, cultural or economic factors.

This site may harm your computer - Google

HUMAN ERROR : This site may harm your computer - Google

"This site may harm your computer" on every search result on Google

Ankur Goyal


01 Feb 2009

On Saturday, Google search users were surprised and puzzled to find the message "This site may harm your computer" on every search result. This happened at about Indian Standard Time (IST) 7 pm on Saturday 31 January 2009 and lasted for about 1 hour.

Even many powers users thought that their computer has been hacked, compromised or made part of Botnet.

Later Marissa Mayer, VP, Search Products & User Experience of Google clarified that it was a HUMAN ERROR, which let to worldwide scare between 06:27 am PST (Californian Time) and 07:25 am. PST.

The URL of '/' was mistakenly checked in as a value to the file and '/' expands to all URLs

Following is the clarification from Google –

If you did a Google search between 6:30 a.m. PST and 7:25 a.m. PST this morning, you likely saw that the message "This site may harm your computer" accompanied each and every search result. This was clearly an error, and we are very sorry for the inconvenience caused to our users.

What happened? Very simply, human error. Google flags search results with the message "This site may harm your computer" if the site is known to install malicious software in the background or otherwise surreptitiously. We do this to protect our users against visiting sites that could harm their computers. We maintain a list of such sites through both manual and automated methods. We work with a non-profit called StopBadware.org to come up with criteria for maintaining this list, and to provide simple processes for webmasters to remove their site from the list.

We periodically update that list and released one such update to the site this morning. Unfortunately (and here's the human error), the URL of '/' was mistakenly checked in as a value to the file and '/' expands to all URLs. Fortunately, our on-call site reliability team found the problem quickly and reverted the file. Since we push these updates in a staggered and rolling fashion, the errors began appearing between 6:27 a.m. and 6:40 a.m. and began disappearing between 7:10 and 7:25 a.m., so the duration of the problem for any particular user was approximately 40 minutes.

See this explanation at http://googleblog.blogspot.com/2009/01/this-site-may-harm-your-computer-on.html

This Day in History

Thanks for your Visit