Monthly Archive for October, 2009
The federal regulations telling agencies how to secure their computer networks are overdue for an overhaul: Even the author of the 2002 law now admits that it needs updating to reflect today's threats from hackers, viruses and cyber spies. Critics of the Federal Information Security Management Act (FISMA) long have complained that the way it has been implemented often amounts to a massive paperwork exercise. Yet somehow that criticism seems so much more valid when you actually see all of the resulting paperwork piled up in one place. John Streufert, the chief information security officer at the U.S. Department of State, told a Senate Homeland Security and Governmental Affairs subcommittee Thursday that the department spent $133 million over the past six years on certification and accreditation (C&A) reports, a process whereby agencies evaluate every three years what defensive security protections are in place to secure federal systems. Streufert said that money
The Department of Homeland Security's U.S. Computer Emergency Readiness Team (US-CERT) is warning BlackBerry users about a spyware program that allows attackers to turn a target's handset into a microphone that can be accessed remotely. PhoneSnoop is a free, remote spying application designed for BlackBerry phones. The app works by intercepting phone calls from a predetermined 'trigger' number. When PhoneSnoop detects an incoming call from that number, it accepts the call and turns on the BlackBerry's speaker phone, effectively allowing the caller to listen in on the target's surroundings. There are some very real limitations of this spying app: For starters, an attacker would need to have physical access to the victim's phone in order to install the app. PhoneSnoop also can't listen in on the victim's phone calls, and it leaves a conspicuous new program icon in the victim's app list. Still, the alert serves as a useful reminder
Spam e-mails mimicking the Federal Deposit Insurance Corp. and warning of additional bank failures are instead the latest bid by cyber crooks to empty your bank account, security experts warn. The messages arrive with subjects such as "FDIC has officially named your bank a failed bank," and "Check your Bank Deposit Insurance Coverage." The missives warn: "You have received this message because you are a holder of a FDIC-insured bank account. Recently FDIC has officially named the bank you have opened your account with as a failed bank, thus, taking control of its assets." Recipients are instructed to click a link that opens one of dozens of Web sites with names crafted to look like fdic.gov. The links lead to a counterfeit FDIC page that offers a copy of "your personal FDIC insurance file" to see whether your coverage has been impacted. The files are offered as Adobe PDF
A security researcher shunned by the anti-virus community for violating its unwritten rules has attempted to turn the tables, erecting a Web service that virus writers could use to make their creations more stealthy and undetectable for longer periods of time. At issue is a new site called avtracker.info, which aims to keep tabs on the different automated analysis services used by the security industry, such as Virustotal, ThreatExpert, and Norman Sandbox. Researchers who unearth new malicious code samples often submit them to these services to learn more about how the malware behaves and to see whether the samples are currently detected by anti-virus products. The results of each scan are shared broadly within the security industry, allowing anti-virus makers that don't detect the malware to incorporate detection for it in future updates that are pushed out to customer PCs. Enter AV Tracker. Armed with up-to-date information about these automated
A hacker's claim that he compromised the successor to President Obama's campaign Web site appears to be a hoax, according to information that surfaced since the matter came to light early Monday. The kerfuffle started when a hacker and blogger with a history of posting evidence of security vulnerabilities in popular and high-traffic Web sites published evidence indicating that poor security at barackobama.com had exposed internal databases at the site. The hacker, identified only as "Unu," claimed that a security flaw in barackobama.com allows anyone to view the user names and passwords needed to administer the site. With that access, an attacker could view database information, upload content to the site - including malicious software - or simply deface the landing page with digital graffiti. Barackobama.com is now managed by the Democratic National Committee's Organizing for America. Hari Sevugan, national press secretary for the DNC, dismissed the claim, and said
Cyber criminals have stolen at least $40 million from small to mid-sized companies across America in a sophisticated but increasingly common form of online banking fraud, the FBI said this week. According to the FBI and other fraud experts, the perpetrators have stuck to the same basic tactics in each attack. They steal the victim's online banking credentials with the help of malicious software distributed through spam. The intruders then initiate a series of unauthorized bank transfers out of the company's online account in sub-$10,000 chunks to avoid banks' anti-money-laundering reporting requirements. From there, the funds are sent to so-called "money mules," willing or unwitting individuals recruited over the Internet through work-at-home job scams. When the mules pull the cash out of their accounts, they are instructed to wire it (minus a small commission) via services such as MoneyGram and Western Union, typically to organized criminal groups operating in countries
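The transfer pattern the FBI describes (a burst of sub-$10,000 payments from one business account to payees it has never paid before) is something a bank or a company's own bookkeeper can look for. The script below is an added example written for this archive page, not the FBI's or Security Fix's detection logic; the account records, the payee history, the $10,000 line, the 80% "near the line" band, the three-day window and the three-transfer minimum are all constructed or assumed values for the example.

```python
"""Flag a run of just-under-$10,000 transfers from one business account to
first-time payees inside a short window (added example; constructed data)."""
from collections import defaultdict
from datetime import datetime, timedelta

REPORTING_THRESHOLD = 10_000   # assumed: the $10,000 reporting line the post mentions
NEAR_BAND = 0.80               # assumed: amounts in the top 20% below the line count
WINDOW = timedelta(days=3)     # assumed: how tightly the transfers must cluster
MIN_TRANSFERS = 3              # assumed: runs shorter than this are not flagged


def suspicious_transfers(records, known_payees):
    """Group transfers that are both just under the line and to a first-time payee.

    records: iterable of (timestamp, account, payee, amount)
    known_payees: {account: set of payees the account has paid before}
    """
    by_account = defaultdict(list)
    for when, account, payee, amount in records:
        near_line = NEAR_BAND * REPORTING_THRESHOLD <= amount < REPORTING_THRESHOLD
        first_time = payee not in known_payees.get(account, set())
        if near_line and first_time:
            by_account[account].append((when, payee, amount))
    return by_account


def flag_structuring(records, known_payees):
    """Return {account: [(when, payee, amount), ...]} for every account with at
    least MIN_TRANSFERS suspicious transfers inside some WINDOW-long span.
    The list returned is the longest such span for that account."""
    flagged = {}
    for account, items in suspicious_transfers(records, known_payees).items():
        items.sort()
        best = []
        for start in range(len(items)):
            end = start
            while end + 1 < len(items) and items[end + 1][0] - items[start][0] <= WINDOW:
                end += 1
            run = items[start:end + 1]
            if len(run) >= MIN_TRANSFERS and len(run) > len(best):
                best = run
        if best:
            flagged[account] = best
    return flagged


# Constructed sample data: ACCT-1001 shows the mule pattern, ACCT-2002 is normal.
KNOWN_PAYEES = {"ACCT-1001": {"PAYROLL-SVC"}, "ACCT-2002": {"VENDOR-7"}}
TRANSFERS = [
    (datetime(2009, 10, 2, 16, 0), "ACCT-1001", "PAYROLL-SVC", 48_000.00),
    (datetime(2009, 10, 4, 9, 30), "ACCT-1001", "PAYROLL-SVC", 9_900.00),      # known payee
    (datetime(2009, 10, 5, 9, 10), "ACCT-1001", "MULE-A", 9_850.00),
    (datetime(2009, 10, 5, 11, 42), "ACCT-1001", "MULE-B", 9_700.00),
    (datetime(2009, 10, 6, 8, 5), "ACCT-1001", "MULE-C", 9_900.00),
    (datetime(2009, 10, 6, 14, 30), "ACCT-1001", "MULE-D", 9_650.00),
    (datetime(2009, 10, 5, 10, 0), "ACCT-2002", "VENDOR-7", 9_500.00),         # known payee
    (datetime(2009, 10, 7, 10, 0), "ACCT-2002", "NEW-VENDOR", 4_200.00),       # not near line
    (datetime(2009, 10, 20, 10, 0), "ACCT-2002", "NEW-CONSULTANT", 9_800.00),  # isolated
]

if __name__ == "__main__":
    for account, run in flag_structuring(TRANSFERS, KNOWN_PAYEES).items():
        total = sum(amount for _, _, amount in run)
        print(f"{account}: {len(run)} transfers, ${total:,.2f} to first-time payees")
```

Two choices matter here. Looking only at the amount would flag ordinary vendor payments, so the rule also requires a payee the account has never paid before, which is exactly what a freshly recruited mule is. And a single near-threshold payment to a new payee (ACCT-2002 on Oct. 20) is not flagged on its own; it is the clustering of several inside a few days that marks the pattern.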
Security Fix is debuting "Nastygram," a short, hopefully regular feature alerting readers about some of the latest, sneakier e-mail scams. Each report will include a graphic at the top like the one in this blog post, which explains what readers should do with these missives. One particularly insidious and persistent nastygram of late is a message that will look like it was sent by your company's internal IT folks, and carries the subject "A new settings file for the [insert address of someone on your employer's network]". To increase the appearance of legitimacy, the message includes your company's domain name throughout the message. The link embedded in the message is made to appear as though it will take you somewhere on your employer's domain. In the old days, you could tell where a link was leading just by hovering over it with your mouse. Nowadays, the bad guys make
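Both the FDIC spam above (hostnames crafted to look like fdic.gov) and this "new settings file" message (a link whose visible text shows the employer's domain while the href points elsewhere) can be caught by comparing where a link says it goes with where it actually goes. The script below is an added example written for this page, not Security Fix's code or any mail vendor's filter. The trusted-domain list (including widgetco.com as a hypothetical employer domain), the three sample messages and the two-entry stand-in for the Public Suffix List are all constructed for the example.

```python
"""Flag e-mail links whose visible text or lookalike hostname disguises the
real destination (added example; sample messages and domains are constructed)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed stand-in for the Public Suffix List: suffixes under which the
# registrable domain has three labels (example.co.uk) rather than two.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}


def registrable_domain(host):
    """Return the registrable domain, e.g. 'fdic.gov' for 'www.fdic.gov'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_of(url):
    """Hostname of a URL; a bare 'fdic.gov/claims' is read as http://fdic.gov/claims."""
    candidate = url.strip()
    if "://" not in candidate:
        candidate = "http://" + candidate
    try:
        return (urlparse(candidate).hostname or "").lower()
    except ValueError:
        return ""


def displayed_host(text):
    """If the visible link text itself looks like a URL or hostname, return its host."""
    token = text.strip()
    if not token or " " in token or "." not in token:
        return ""
    return host_of(token)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in an HTML message body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def classify_link(href, text, trusted_domains):
    """Verdict for one link:
    'ok'        destination is a trusted registrable domain
    'mismatch'  visible text shows one host, the href goes to another domain
    'lookalike' a trusted name is embedded in an untrusted hostname
    'untrusted' anything else
    """
    dest_host = host_of(href)
    dest = registrable_domain(dest_host)
    if dest in trusted_domains:
        return "ok"
    shown = displayed_host(text)
    if shown and registrable_domain(shown) != dest:
        return "mismatch"
    for trusted in trusted_domains:
        stem = trusted.split(".")[0]          # 'fdic' from 'fdic.gov'
        if stem and stem in dest_host:
            return "lookalike"
    return "untrusted"


def scan_message(html, trusted_domains):
    """Return [(href, verdict), ...] for every link in the message."""
    collector = _LinkCollector()
    collector.feed(html)
    return [(href, classify_link(href, text, trusted_domains))
            for href, text in collector.links]


# Constructed sample messages modelled on the two scams described in the posts.
TRUSTED = {"fdic.gov", "widgetco.com"}     # widgetco.com: hypothetical employer domain
FDIC_SPAM = (
    "<p>Recently FDIC has officially named the bank you have opened your account "
    "with as a failed bank.</p>"
    '<p><a href="http://fdic.gov.insurance-check.example.net/file.php">'
    "Download your personal FDIC insurance file</a></p>"
)
IT_SPAM = (
    "<p>A new settings file for jdoe@widgetco.com is available.</p>"
    '<p><a href="http://widgetco.com.settings-update.example.net/settings.exe">'
    "https://widgetco.com/it/settings</a></p>"
)
LEGIT = '<p>See <a href="https://www.fdic.gov/deposit/">the FDIC coverage page</a>.</p>'

if __name__ == "__main__":
    for name, body in (("FDIC spam", FDIC_SPAM), ("IT spam", IT_SPAM), ("legit", LEGIT)):
        print(name, scan_message(body, TRUSTED))
```

The check is anchored on the registrable domain rather than on substrings, because "fdic.gov.insurance-check.example.net" is a host under example.net no matter how it begins; that is also why the visible-text comparison has to reduce both sides to the registrable domain before comparing them. A real deployment would replace the two-entry suffix table with the full Public Suffix List.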
A pair of Security Fix blog posts last week urging businesses to consider using something other than Microsoft Windows when banking online elicited strong reactions from readers. Most said they thought it was a fresh perspective and sound advice, while others criticized me for going too far or for failing to recommend less drastic alternatives. Let me be clear: The advice was aimed not at consumers, but at small to mid-sized companies that may not have a full-time IT/security staff, and who rely on one or two people to handle their bank accounts and payroll online. That said, I wanted to respond to a couple of specific alternatives suggested by readers, because I felt they fell short of the level of security that these companies need to avoid becoming the next victim. For example, some readers emphasized the importance of ensuring that employees' Windows computers are running under a limited
ChoicePoint Inc., one of the nation's consumer data brokers, agreed to pay $275,000 to federal regulators as a result of a data breach last year that exposed Social Security numbers and other personal information on 13,750 people. The agreement comes in response to claims by the Federal Trade Commission that ChoicePoint violated the terms of a settlement reached following a separate data breach at the company in 2005 that led to hundreds of cases of identity theft. In 2006, ChoicePoint - now a subsidiary of Reed Elsevier Inc - paid $15 million to settle charges that it violated federal consumer protection laws when it allowed criminals to purchase sensitive financial and personal data on at least 163,000 Americans. The FTC had sued ChoicePoint, charging that the incident led to at least 800 confirmed identity theft crimes. ChoicePoint was supposed to take steps to protect consumer data. But the FTC alleged
President Obama this week issued a short video address discussing the importance of cyber security awareness. The three-minute clip offers little in the way of startling revelation or news. But it is probably the most the president has had to say publicly about the topic since May, when he delivered a 16-minute speech saying he planned to create a new cyber security office at the White House that would be led by an as-yet-unappointed coordinator. In these latest remarks, Obama said he would soon appoint someone to that position, and offered thoughts about the need for a "public-private partnership" to secure America's cyber infrastructure. The president closed with some basic tips that regular Internet users can observe to keep their corner of the Web safe and secure. Obama said he has designated October as Cyber Security Awareness Month. Indeed, he signed a proclamation on Oct. 1 declaring it to