Archive for August, 2008

26 Aug 08

More and Bigger than last year – Oh Yeah

Sorry that I haven’t posted in a while, but my company is in the process of several audits – including PCI, and so, I’ve been a bit busy.  But I did run across this little tidbit in InformationWeek…………….

With four months to go in 2008, the number of data breaches on the Identity Theft Resource Center’s 2008 breach list has already surpassed the 446 breaches reported by the organization for all of 2007.
As of the morning of Aug. 22, the number of data breaches reported had reached 449.
As to whether things are getting worse, ITRC founder Linda Foley is cautious. “This is a little frightening, knowing that we’re four months ahead of last year,” she said.  However, Foley also noted that her organization and others are finding out about more breaches now than they did in the past. Rather than indicating a deteriorating security situation, the rising number of reported data breaches may just mean corporate security auditors are better at finding compromised systems, she suggested.
The Identity Theft Resource Center points out that the actual number of breaches this year is probably higher than 449 so far because of underreporting and because breaches affecting multiple businesses tend to be reported as a single event. According to the ITRC, in 40% of breach events, the number of records affected is not reported or fully disclosed.
In June, following the release of a Verizon (NYSE: VZ) Business Security survey about data breaches, Bryan Sartin, VP of investigative response at Verizon, told InformationWeek that publicly reported breaches are “just the tip of iceberg.” He said that less than 5% of the more than 500 cases covered in the Verizon study involved some form of disclosure.
(Foley observed that Verizon’s study does not distinguish between breaches involving personal information, which can be used for identity theft, and breaches involving proprietary corporate data, which may not affect consumers.)
In any event, it appears that hard numbers about data breaches are hard to come by. According to survey of about 300 attendees at this year’s RSA Conference, more than 89% of security incidents went unreported in 2007.
Security incidents, as defined by the RSA study, represent “an unexpected activity that brought sudden risk to the organization and took one or more security personnel to address.” Clearly not all “security incidents” are data breaches, but certainly some underreporting of breaches is going on.
In addition to the underreporting of breaches, assessing the actual impact of a breach may be difficult because there’s disagreement about the number of data records involved. On Monday, for example, Glasgow’s The Sunday Herald reported that Best Western’s reservation system had been hacked and 8 million customer records had been stolen. Best Western disputes The Sunday Herald’s story, saying that only 13 customer records appear to have been compromised.
InformationWeek also recently published its 2008 Security Survey entitled “We’re Spending More, But Data’s No Safer Than Last Year.” Download the report here (registration required).
In short, numbers may be fuzzy. But those following the issue nonetheless believe action is warranted.
“The number of attacks, in addition to publicly disclosed breaches, continues to escalate as criminal networks mushroom around the world, while economies weaken,” said Avivah Litan, a VP at Gartner in a statement. “A more concerted effort is required among companies to secure and protect customer data, regardless of regulatory oversight.”
Foley is hopeful that before too long, more complete data about data breaches will lead to a better understanding of such incidents. Her goal, she said, is not to point fingers but to help organizations devise better data security regimes.

http://www.informationweek.com/news/security/attacks/showArticle.jhtml?articleID=210200622&subSection=News

19 Aug 08

Cyberwarfare threatens the US

CNN is reporting on the cyberthreat to the United States, showing that the mainstream media has at least some interest in this frightening phenomenon………

The next large-scale military or terrorist attack on the United States, if and when it happens, may not involve airplanes or bombs or even intruders breaching American borders.
Instead, such an assault may be carried out in cyberspace by shadowy hackers half a world away. And Internet security experts believe that it could be just as devastating to the U.S.’s economy and infrastructure as a deadly bombing.
Experts say last week’s attack on the former Soviet republic of Georgia, in which a Russian military offensive was preceded by an Internet assault that overwhelmed Georgian government Web sites, signals a new kind of cyberwar, one for which the United States is not fully prepared.
“Nobody’s come up with a way to prevent this from happening, even here in the U.S.,” said Tom Burling, acting chief executive of Tulip Systems, an Atlanta, Georgia, Web-hosting firm that volunteered its Internet servers to protect the nation of Georgia’s Web sites from malicious traffic.
“The U.S. is probably more Internet-dependent than any place in the world. So to that extent, we’re more vulnerable than any place in the world to this kind of attack,” Burling added. “So much of what we’re doing [in the United States] is out there on the Internet, and all of that can be taken down at once.”
“This is such a crucial issue. At every level, our security now is dependent on computers,” said Scott Borg, director of the United States Cyber Consequences Unit, a nonprofit research institute. “It’s a whole new era. Political and military conflicts now will almost always have a cyber component. The chief targets will be critical infrastructure, and the attacks will emerge from within our own computer systems.”

Hackers mounted coordinated assaults on Georgian government, media, banking and transportation sites in the weeks before Russian troops invaded. Known as distributed denial of service, the attacks employ multiple computers to flood networks with millions of simultaneous requests, overwhelming servers and crippling Web sites.
Hackers shut down the Web site of the Georgian president, Mikheil Saakashvili, for 24 hours and defaced the Georgian parliament site with images of Adolf Hitler. Saakashvili blamed Russia for the attacks, although the Russian government said it was not involved.
Web sites and computer networks have been targeted by hackers for decades, although large-scale, coordinated cyberattacks are still a relatively new phenomenon. Some Internet-security experts believe that the Georgia conflict marks the first time a known cyberattack has coincided with a ground war, but others said that similar computer attacks have accompanied military operations in the Middle East and elsewhere.
The challenge to U.S. security experts is that such attacks can be mounted anonymously, and relatively cheaply, from anywhere in the world. Georgia’s attackers employed “botnets,” or malicious automated programs that take root undetected in far-flung computers and barrage their targets with useless data. By last Friday, some of those botnets were originating from Comcast Internet addresses in the United States, Burling said.
“It only takes a couple of experts; it doesn’t take a whole cyber infantry division to pull something like this off,” said Don Jackson, director of threat intelligence for SecureWorks, an Atlanta-based computer security firm. “For a very small investment in resources, you can have a huge impact.”
In the United States, government computer networks parry millions of attempted intrusions every day, Internet-security experts say. The U.S. Department of Homeland Security created a National Cybersecurity Center this year to coordinate federal cyberdefense efforts and quicken responsiveness. However, a recent Homeland Security Department intelligence report, obtained by The Associated Press, concluded that there are no effective means to prevent a coordinated attack on U.S. Web sites.
“When it comes to our government IT security, we’re pretty strong in protecting against [attacks],” Homeland Security spokesman William R. Knocke told CNN. “But I wouldn’t say … we’re 100 percent impenetrable.”
So what would a cyberattack on the United States look like? And where is the U.S. most vulnerable? It depends on who you talk to.
Borg does not believe that the U.S. is susceptible to the kind of attacks launched at Georgia.
“We can command so much bandwidth that it’s hard to overwhelm our servers,” he said. “We are vulnerable to more sophisticated attacks, but right now most of the people who want to do us harm don’t have those capabilities.”
The Web sites of key government security agencies, such as the Pentagon and the Central Intelligence Agency, are difficult to bring down, experts said. So are the computer networks of large American banks. But experts say a successful, large-scale attack on U.S. computer systems could hobble electric-power grids, transportation networks and industrial-supply chains.
“You’d see some disruption of essential services, like electricity. You’d definitely see espionage,” said James A. Lewis, a senior fellow at the Center for Strategic and International Studies in Washington. “Would it be decisive? No. Nobody’s going to win a conflict with the United States in cyberspace. But would it be disruptive and irritating? Yes.”
Federal researchers who launched an experimental cyberattack last year in Idaho caused a generator to self-destruct, prompting fears about the effect of a real attack on the nation’s electrical supply.
And a May report by the Government Accountability Office found that the Tennessee Valley Authority, which supplies power to almost 9 million people in the southeastern U.S., had not installed sufficient cybersecurity measures. Spokesman Jim Allen said the TVA, the nation’s largest publicly owned utility company, is “on track” to correct the problems.
What frustrates computer-security experts is that the features that make the Internet such an invaluable resource — its openness and interconnectedness — also make it easier for hackers to do harm. As a staple of 21st-century warfare, cyberattacks will become increasingly sophisticated, forcing governments and private industry to build ever-stronger firewalls and other defenses, experts said.

Also, vague international laws and a lack of accountability will continue to make tracking down and prosecuting cyberattackers difficult.
“We don’t know quite what the rules are for this kind of conflict. If it’s spying, it’s illegal. But is it an act of war? And who do you arrest?” Lewis asked. “We’re much safer [in the U.S.] than we were a year ago. But we still have a long way to go.”

 But, as usual it will probably wind up being one of the things where the barn door gets shut after the livestock gets out.  HEADS WILL ROLLLLLL………

http://edition.cnn.com/2008/TECH/08/18/cyber.warfare/index.html

18 Aug 08

Gangs and ID theft………..

And the risk to the consumer just keeps on growing………

AUGUST 15, 2008 | It’s not just Eastern European or Asian cyber gangs — gangs from the streets of L.A. and other cities better known for drugs and weapons violence are now turning to identity theft crimes as well, according to a published report.

Cases of identity theft reportedly involving a chapter of the ‘Crips’ from Long Beach, Calif., Armenian Power, and Mexican Mafia gangs, have demonstrated that ID theft is no longer the domain of international computer hackers, for instance. Gang-related ID theft was part of the 31 percent jump in ID theft complaints in California last year, according to a new report from Identity Theft 911.

California is a big fat target for ID theft: around 1.5 million Californians were victims of this crime last year, according to the report, and credit-card fraud is the main culprit. Next is employment fraud, including Social Security number (SSN) thefts for undocumented workers.

Experts say street gangs are finding ID theft an easy way to make a buck. In a recent case being investigated by California’s Department of Consumer Affairs, a former personnel specialist there, Rachel Dumbrique, sent names and SSNs of 5,000 people on the state’s payroll to a personal Yahoo email account on her last day at the agency. She says she didn’t know SSNs were in the file, but investigators are looking at the case closely because she’s the wife of an imprisoned gang member of Mexican Mafia.

Meanwhile, a group affiliated with the Long Beach Insane Crips gang allegedly stole nearly $90,000 from a local financial institution in a check-cashing scam.

http://www.darkreading.com/document.asp?doc_id=161687&f_src=drdaily

15 Aug 08

Why every detail is so important………..

I’m making sure the pc technicians where I work get this information………..

Insider used the one machine that hadn’t been ‘fixed’ to prevent use of external storage devices
AUGUST 13, 2008 | 5:45 PM
By Tim Wilson
Site Editor, Dark Reading

If your primary defense against portable storage devices is to seal up the USB ports on your users’ computers, you’d better be pretty darn good with a glue gun.

That’s the message that’s emerged from court documents surrounding the recently revealed security breach at Countrywide Home Loans, where an employee siphoned off about 20,000 customer records a week for more than two years and sold them to a third party. (See Ex-Countrywide Employee Charged With Selling Customer Data.)

An affidavit by an FBI special agent assigned to the case reveals exactly how the insider attack took place. It states that in an effort to prevent users from loading unauthorized data onto memory sticks or other portable storage media, Countrywide had sealed the USB ports on all of its employees’ machines — all, that is, except one.

Rene Rebollo Jr., 36, a former senior financial analyst with Countrywide Home Loan’s subprime mortgage division, found that one machine near his own workspace, according to the affidavit. And so, every Sunday night for about two years, Rebollo brought a memory stick over to that machine and downloaded personal information on approximately 20,000 customers.

Countrywide had not deployed any method for detecting or managing downloads to portable storage devices, since its policy was to block their use entirely on all employee machines. As a result, the downloads went undetected for years, leading to the compromise of some 2 million records, according to court documents.

A criminal complaint against Rebollo said that he earned about $65,000 a year at Countrywide and had opened a personal bank account for holding what he estimated to be up to $70,000 in proceeds from Countrywide data sales. Experts have said that Rebollo woefully underestimated the value of the mortgage data, which is difficult to get on the black market and can fetch several dollars per record.

Disabling USB ports — either logically through the registry or physically, by sealing them with glue or some other permanent substance — is a simple way to prevent users from accessing portable storage devices, experts said. But it can prove fallible.

“This is certainly a quick way to lower the risk of information transfer,” said Tom Olzak, director of information security at HCR Manor Care, in a recent blog. “It isn’t difficult, especially in a Windows environment. A simple registry hack on each workstation, easily deployed via login scripts, can completely shut down USB and Firewire ports.

“But this might cause a problem if you deploy USB or Firewire devices like keyboards, mice, displays, etc.,” Olzak noted. “A direct registry modification to achieve a security result is not my idea of a good time.” For many enterprises, encryption or granular control of USB ports may prove to be better options than disabling USB altogether, he suggested.

http://www.darkreading.com/document.asp?doc_id=161548&f_src=drweekly
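The article contrasts a blanket registry change with granular control, and the Countrywide case turned on the one machine nobody had checked. The script below is an added example for this post, not Countrywide’s configuration and not code from the Dark Reading article or from Olzak’s blog. It assumes Windows with an elevated PowerShell session, the Remote Registry service reachable on the hosts being audited, and an inventory file named workstations.txt (a hypothetical name); the function names are my own. It shows the two registry controls the article alludes to (disabling the USBSTOR driver outright, or denying writes to removable disks through the Vista/2008-era policy keys) and, more importantly, a check that reports every host where neither control is in force.

```powershell
# Added example (not from the article or from Countrywide).
# Assumes: elevated PowerShell on Windows; RemoteRegistry reachable on audited hosts.

# Driver service for USB mass-storage devices. Start=4 means "disabled"; the
# default is 3 ("manual", loaded on demand). Keyboards and mice go through the
# HID stack, not USBSTOR, so they keep working, which answers Olzak's concern.
$UsbStorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

# Group-policy keys honoured by Vista / Server 2008 and later. The GUID is the
# "Disk drives" device setup class, which is what removable disks enumerate as.
$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
$DiskClass  = '{53f56307-b6bf-11d0-94f2-00a0c91efb8b}'

function Disable-UsbMassStorage {
    # Blanket approach: no USB storage at all. A driver that is already loaded
    # stays loaded until reboot, so schedule one after pushing this out.
    Set-ItemProperty -Path $UsbStorKey -Name Start -Value 4 -Type DWord
}

function Set-RemovableDiskReadOnly {
    # Granular alternative: removable disks can be read but not written to,
    # which blocks the exfiltration direction without breaking read-only use.
    $key = Join-Path $PolicyPath $DiskClass
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name Deny_Write -Value 1 -Type DWord
    Set-ItemProperty -Path $key -Name Deny_Read  -Value 0 -Type DWord
}

function Test-UsbStorageLockdown {
    # Reads both settings from a (possibly remote) host and reports whether
    # either control is in force. One unchecked machine was the whole problem
    # at Countrywide, so feed this every workstation, not a sample.
    param([string]$ComputerName = $env:COMPUTERNAME)

    $hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $ComputerName)

    $usbStart = $null
    $svc = $hive.OpenSubKey('SYSTEM\CurrentControlSet\Services\USBSTOR')
    if ($svc) { $usbStart = $svc.GetValue('Start'); $svc.Close() }

    $denyWrite = $null
    $pol = $hive.OpenSubKey("SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\$DiskClass")
    if ($pol) { $denyWrite = $pol.GetValue('Deny_Write'); $pol.Close() }
    $hive.Close()

    New-Object PSObject -Property @{
        ComputerName = $ComputerName
        UsbStorStart = $usbStart
        DenyWrite    = $denyWrite
        Compliant    = ($usbStart -eq 4) -or ($denyWrite -eq 1)
    }
}

# Audit run: list every host where neither control is present.
# workstations.txt is an assumed inventory file, one hostname per line.
$hosts = Get-Content .\workstations.txt
$hosts | ForEach-Object { Test-UsbStorageLockdown -ComputerName $_ } |
    Where-Object { -not $_.Compliant } |
    Format-Table ComputerName, UsbStorStart, DenyWrite -AutoSize
```

Two caveats a practitioner should keep in mind. A registry setting is only a control on machines where it is actually present, which is why the audit function matters more than the two setters; run it on a schedule, not once. And neither control produces a record of what was copied: Countrywide’s two-year blind spot came from having no detection at all, and a lockdown script does not replace monitoring of who reads what from the customer database.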

13 Aug 08

The shape of propaganda to come……..cyberwars

Several weeks prior to Russia’s invasion of Georgia, a virulent cyberwar was initiated on the internet infrastructure of Georgia.  The goal was typical, disrupt and control communications between the government and the populace:

In the wake of the Russian-Georgian conflict, a week’s worth of speculation around Russian Internet forums has finally materialized into a coordinated cyber attack against Georgia’s Internet infrastructure. The attacks have already managed to compromise several government web sites, with continuing DDoS attacks against numerous other Georgian government sites, prompting the government to switch hosting locations to the U.S., with Georgia’s Ministry of Foreign Affairs undertaking a desperate step in order to disseminate real-time information by moving to a Blogspot account.

Who’s behind it? The infamous Russian Business Network, or literally every Russian supporting Russia’s actions? How coordinated and planned is the cyber attack? And do we actually have a relatively decent example of cyber warfare combining PSYOPs (psychological operations) and self-mobilization of the local Internet users by spreading “For our motherland, brothers!” or “Your country is calling you!” hacktivist messages across web forums. Let’s find out, in-depth.

The attacks originally started several weeks before the actual “intervention”, with the Georgian President’s web site coming under DDoS attack from Russian hackers in July, followed by active discussions across the Russian web on whether or not DDoS attacks and web site defacements should in fact be taking place, which would inevitably come as a handy tool to be used against Russia by Western or pro-Western journalists. The peak of the DDoS attacks and the actual defacements started taking place as of Friday:

“Several Georgian state computer servers have been under external control since shortly before Russia’s armed intervention into the state commenced on Friday, leaving its online presence in disarray. While the official website of Mikheil Saakashvili, the Georgian President, has become available again, the central government site, as well as the homepages for the Ministry of Foreign Affairs and Ministry of Defence, remain down. Some commercial websites have also been hijacked.

The Georgian Government said that the disruption was caused by attacks carried out by Russia as part of the ongoing conflict between the two states over the Georgian province of South Ossetia. In a statement released via a replacement website built on Google’s blog-hosting service, the Georgian Ministry of Foreign Affairs said: “A cyber warfare campaign by Russia is seriously disrupting many Georgian websites, including that of the Ministry of Foreign Affairs.”

After defacing Mikheil Saakashvili’s web site and integrating a slideshow portraying Saakashvili as Hitler next to coming up with identical images of both Saakashvili’s and Hitler’s public appearances, the site remains under a sustained DDoS attack. It’s also interesting to point out that the average script kiddie wouldn’t bother, or wouldn’t even understand the PSYOPs effect of coming up with identical gestures of both parties and integrating them within the defaced sites……

The implications of this are staggering…………..

http://blogs.zdnet.com/security/wp-trackback.php?p=1670

12 Aug 08

Corporate Whistleblowers 0 – Corporations 9999

Sad end of the road for fellow Whistleblower David Welch.  This pretty much renders the Sarbanes-Oxley whistleblower provision useless.

Va. whistleblower loses bid for reinstatement
By LARRY O’DELL – 5 days ago

RICHMOND, Va. (AP) – A fired bank executive who became the first person to win protection under a federal law that shields whistleblowers, only to see his victory overturned, suffered another setback in a federal appeals court Tuesday.

A three-judge panel of the 4th U.S. Circuit Court of Appeals did not reinstate David Welch to his job, ruling that he failed to explain how his employer’s alleged shoddy accounting practices could be considered a violation of federal law.

Welch was dismissed as chief financial officer of Cardinal Bankshares Corp. in 2002 after reporting what he said were misclassifications in financial reports that essentially overstated the bank’s earnings by $195,000. Cardinal is the holding company for the local bank in Floyd, population about 400, in southwestern Virginia.

A federal administrative law judge ruled in 2004 that Welch should be reinstated under the Sarbanes-Oxley Act, enacted two years earlier in response to corporate scandals at Enron Corp., WorldCom Inc. and other companies. The law required more stringent accounting practices and offered protection to workers who point out violations.

Since Sarbanes-Oxley was signed into law, more than 1,000 self-professed whistleblowers have come forward, and most have seen their cases rejected. Welch was the first to win his case before an administrative law judge, but that decision was reversed in June 2007 by the Department of Labor’s Administrative Review Board.

The appeals court affirmed the board’s decision, saying Welch “utterly failed to explain how Cardinal’s alleged conduct could reasonably be regarded as violating any of the laws” covered by Sarbanes-Oxley.

Judge Diana Gribbon Motz wrote that Welch failed to support his arguments to the review board with relevant statements. For example, she said Welch relied on laws or regulations passed years after the financial reports were filed, as well as other regulations that do not fall within the purview of Sarbanes-Oxley.

Welch, now an accounting professor at Franklin University in Columbus, Ohio, declined to comment and his lawyer, Bruce Shine, did not immediately return a phone call seeking comment.

Leon Moore, president of Cardinal Bankshares, also did not immediately return a phone message.

http://ap.google.com/article/ALeqM5ih78_hLGvLZf73wTfmbOSierYTHwD92CD0K00

08 Aug 08

Wall of Sheep….outstanding

This is GREAT!! 

Black Hat attendees are warned that the conference’s public wireless network is being monitored by hackers. People who send sensitive personal data over it are cautioned they might have that information posted on the Wall of Sheep, a forum to embarrass security professionals who don’t follow proper security procedures themselves.

http://ap.google.com/article/ALeqM5i_kwz9PQAu5EHgJfbaCx-a5i6jmgD92E4IMO1

07 Aug 08

Make the cost to the bad guys higher than they can take??

In this article on Network World, a security expert makes the following statement:

Companies have too long focused on perimeter defenses and not on protecting data inside their networks, Curry said. Retailers and other companies need to “wake up and take these threats seriously,” Curry said. “Make the cost to the bad guys too high for them to do it.”

 Nicely stated, except there are far too many companies who have bad guys making bad decisions about securing consumer data who are never touched.  They really have the same attitude as the criminals i.e. “as long as I don’t get caught…………”  As long as there is no accountability on that end, we’re going to continue to see problems.

http://www.networkworld.com/news/2008/080608-id-theft-ring-attacked-retailers.html?page=2

06 Aug 08

Better late than never????

Well, the Justice Department made the announcement yesterday that arrests had been made in an international ring that was involved in the theft of 40 million credit card numbers.

According to the article in CNN details are murky – clearly there have been unreported breaches that have affected the consumer.

Eleven people were indicted Tuesday for allegedly stealing more than 40 million credit and debit card numbers, federal authorities said.

The indictments, which alleged that at least nine major U.S. retailers were hacked, were unsealed Tuesday in Boston, Massachusetts, and San Diego, California, prosecutors said.

It is believed to be the largest hacking case that the Justice Department has ever tried to prosecute.

Three of the defendants are from the United States; three are from Estonia; three are from Ukraine, two are from China and one is from Belarus.

The remaining individual is known only by an alias and authorities do not know where that person is.

Under the indictments, three Miami, Florida, men — Albert “Segvec” Gonzalez, Christopher Scott and Damon Patrick Toey — are accused of hacking into the wireless computer networks of retailers including TJX Companies, whose stores include Marshall’s and T.J. Maxx, BJ’s Wholesale Club, OfficeMax, Barnes and Noble and Sports Authority, among others.

The three men installed “sniffer” programs designed to capture credit card numbers, passwords and account information as they moved through the retailers’ card processing networks, said Michael Sullivan, the U.S. attorney in Boston.

“This has other personal numbers that could give them access to credit or debit cards that have already been issued and are active,” Sullivan told CNN.

The probe began in late 2006, Sullivan said. In addition to the Justice Department, the Secret Service has been conducting an undercover investigation for more than three years through the U.S. attorney’s office in San Diego, he said.

The three then concealed the data in encrypted computer servers they controlled in the United States and eastern Europe, the Justice Department said.

Some credit and debit card numbers were sold on the Internet, and were “cashed out” by encoding the numbers on the magnetic strips of blank cards. “The defendants then used these cards to withdraw tens of thousands of dollars at a time from ATMs,” authorities said.

Gonzalez and the others used anonymous Internet-based currencies to conceal and launder their proceeds, as well as channeling funds through bank accounts in Eastern Europe, the department said.

“There are ties between all three districts and ties internationally that go all the way to the Ukraine and Latvia,” Sullivan said. “The 41 million credit and debit numbers were used internationally.”

Gonzalez was previously arrested in 2003 by the Secret Service on suspicion of access device fraud, the Department of Justice said, and was working as a confidential informant for the agency. However, the Secret Service discovered during the investigation that Gonzalez was involved in this case, authorities said.

The California indictment charged eight others with operating an international stolen credit and debit card distribution ring, selling stolen card information for personal gain — millions of dollars, in at least one case, authorities said.

Three of the defendants in the most recent case, among them Gonzalez, were also charged in May in a related indictment in New York, Justice said. Those charges allege the three were engaged in a scheme to hack into computer networks run by the Dave & Buster’s restaurant chain and steal credit and debit card numbers from at least 11 locations.

The three installed “sniffer” programs at the cash register terminals of the locations, capturing credit and debit card numbers, authorities said. At one location, the sniffer captured data for some 5,000 cards, causing some $600,000 in losses to the banks that issued the credit and debit cards.

Gonzalez is awaiting trial on the New York charges. The other two of the international defendants are also in custody, police said.

“Identity theft can involve a single criminal stealing the personal financial information of a single victim or, as it did here, it can involve a group of criminals stealing the credit card numbers of millions of people, many of whom may not even learn that they were victims for months or years,” said Attorney General Michael Mukasey.

“Identity theft victims suffer well beyond the immediate financial costs; they suffer lost confidence in their privacy and security, as well as the emotional strain and the time it can take to repair damaged financial lives and credit histories. In many cases, the effects of these crimes can be felt for years after they are committed.”

Mukasey and other officials said the case serves as a reminder that computer crimes can cross international borders.

“We have been working with countries around the world to identify and address technical vulnerabilities in computer networks, and to ensure that laws and procedures are adequate to deal with these kinds of crime,” Mukasey said. “And we have been working closely with our international partners to crack specific cases when they take us beyond our borders.”

http://www.cnn.com/2008/CRIME/08/05/card.fraud.charges/index.html#

06 Aug 08

Not JUST internal controls……

Ex-Countrywide Employee Charged With Selling Customer Data

Former mortgage group analyst grabbed personal information and saved it on USB flash drives

AUGUST 5, 2008 | The FBI has busted a former Countrywide Home Loan worker who is suspected of downloading the personal data of some 20,000 customers a week over a period of two years and selling it to third parties.

Rene Rebollo Jr., 36, a former senior financial analyst with Countrywide Home Loan’s subprime mortgage division, who allegedly stored the data on USB flash drives, and Wahid Siddiqi, who allegedly purchased the data from Rebollo, were both arrested on Friday on charges related to the sale of the identities of Countrywide customers.

The FBI and investigators with Countrywide Financial said in a criminal complaint that Rebollo, who was terminated from the company last month, had access to a Countrywide database with sensitive customer information. Rebollo told FBI agents that he had been selling the data outside the firm for two years and made about $70,000, according to the complaint.

Rebollo told the FBI that he got requests from other people to grab specific types of data from the Countrywide database. Siddiqi, 25, meanwhile, was caught in an FBI sting after ordering personal data for cash.

According to the FBI, Rebollo is charged with exceeding authorized access to the computer of a financial institution, which carries a maximum sentence of five years in prison. Siddiqi is charged with fraud and other illegal activity with access devices, and could face 15 years in prison.

According to a published report, the data may have been sold to companies that wanted to offer their own loans to the Countrywide victims. Up to 2 million Countrywide customer names were “run and sold,” according to the report.

Phil Neray, vice president at Guardium, says Countrywide’s breach was caused in part by a lack of proper internal controls. “The lack of internal IT controls is just another example of this, and is perhaps indicative of a corporate culture that was less focused on internal controls than other objectives,” Neray says.

To say this was a problem with a lack of internal controls is a gross understatement.  Things like this generally don’t happen unless the “tone at the top”  is something that is not exactly one of honesty and integrity.  The poor schmucks in this article just got caught…………

Although it does sound like there were a lot of knuckleheads in management that were sloppy and not watching the store.