8,257,378 Patient Records and 35.5 Million prescription records are hacked. Complete Story Here
State and federal authorities are investigating a possible extortion demand that seeks $10 million for the safe return of more than 8 million patient records and 35 million prescription records that allegedly were hacked last week from the Virginia Department of Health Professions computers.
An extortion note posted on WikiLeaks, a Web site that publishes anonymous submissions and leaks of sensitive government and corporate information, reads:
"ATTENTION VIRGINIA I have your [stuff]! In *my* possession, right now, are 8,257,378 patient records and a total of 35,548,087 prescriptions. Also, I made an encrypted backup and deleted the original. Unfortunately for Virginia, their backups seem to have gone missing, too. Uhoh :("
The note demands $10 million within seven days, but it does not say from what date the count began. Hackers apparently infiltrated the health professions' computers last Thursday.
M.A. Myers, a spokesman for the Richmond office of the FBI, confirmed late today that an investigation has begun but declined to provide specifics. He said the FBI received a referral from the Virginia Information Technologies Agency.
The ransom-note writer said if the money isn't paid in seven days, "I'll go ahead and put this baby out on the market and accept the highest bid."
If the prescription data can't be sold, the writer says, then "at the very least I can find a buyer for the personal data" -- which the note says includes names, ages, Social Security numbers and driver's license numbers.
Tuesday, May 5, 2009
HIPAA Hacker Wants $10 Million for Virginia Medical Records
VisaNet Brazil to IPO in Next 90 Days
Visanet is 40% controlled by Bradesco and 32% by state-run Banco do Brasil SA (BBAS3.BR). The Brazilian subsidiary of Banco Santander (STD), through its local ABN Banco Real unit, holds 14%, while Visa International has 10% and other investors have 4%.
"The decision to hold an IPO has been taken by the controllers," said Vargas during a conference call with reporters. "Over the next few days, Visanet will send the necessary documents to the Brazilian Securities and Exchange Commission." The executive said Visanet's controllers haven't yet decided how many shares they will offer under the IPO.
According to local press reports, Visanet's IPO could raise between 5 billion Brazilian reals ($2.33 billion) and BRL10 billion.
The IPO would be the first this year in Brazil and could turn out to be one of the largest-ever share offers, rivaling that of local peer Redecard SA (RDCD3.BR) in 2007.
In July 2007, Redecard's IPO totaled BRL4.64 billion. Redecard is controlled by local banking giant Itau-Unibanco (ITU).
-By Rogerio Jelmayer, Dow Jones Newswires; 55-11-2847-4521; rogerio.jelmayer@dowjones.com
McAfee Online Threats Report (PDF) 15 pages
Banking / Finance News
Source: McAfee
Complete item: http://img.en25.com/Web/McAfee/5395rpt_avert_quarterly-threat_0409_v3.pdf
Description:
The McAfee Threats Report brings you the latest in statistics and analysis covering email- and web based threats.
The Conficker worm, officially W32/Conficker.worm, has received as much attention as any security threat in recent history. This report will provide some perspective as to whether this attention is hype or reality. We will also focus on threats that do not receive the same level of media attention, but that in fact could be more dangerous than their more popular counterpart.
The geography of the threat landscape continues to evolve. This report offers analysis of the geographical contributions to threats, including spam origin, zombie creation, and malware site locations, as well as identifying the emerging players in the threat-creation business. The report also provides some interesting details that suggest that countries creating threats do not mind using them against entities within their borders.
E-Secure-IT
https://www.e-secure-it.com
Conficker Attacks ANZ Bank
Banking / Finance Alerts
Source: ZDNet
Complete item: http://www.zdnet.com.au/news/security/soa/Conficker-worm-strikes-ANZ-Bank/0,130061744,339296289,00.htm
Description:
Australia and New Zealand Banking Group today confirmed it had become the victim of a computer virus attack, with sources saying it was the much-hyped Conficker worm.
"We have detected a known virus affecting some internal desktop services on the ANZ network," a spokesperson for the bank told ZDNet.com.au today, saying that the virus had been contained and there hadn't been any disruption to its business or implications for information security.
The spokesperson did not specify which virus had infected the bank's desktops, but ZDNet.com.au believes it is a variation of the Conficker worm.
Microsoft and Symantec are understood to have been asked to advise on the situation, which was said to have affected no customer facing machines, but Symantec declined to comment and Microsoft had not responded at the time of publication.
Conficker uses an exploit in Microsoft Windows or Microsoft Server to gain access to machines. It spreads by either sending out remote procedure calls to other machines or via external devices such as USB. There was widespread concern around the beginning of last month as the virus, which can download modified versions of itself, was set to mutate on 1 April.
Media and analysts were concerned that the virus might install new malware on the computers which could have varying purposes, from spamming other machines to stealing banking passwords. However, the disaster which had been predicted didn't occur until later.
Reports came out that one variation of Conficker had slowly become more active during the month after 1 April and was installing a virus called Waledac which sent out reams of spam, as well as installing a fake anti-spyware program called SpywareProtect 2009.
Chris Gatford, senior security consultant at penetration testing firm Pure Hacking said that there were many more dangerous viruses out there which the bank could have. He said that Conficker had only received so much attention because there were good tools to detect it.
He admitted that there had been angst due to uncertainty over what Conficker's creators were going to use it for and said that the viruses Conficker installed on infected machines were likely to continue to change. He also pointed out that the level of spam could rise.
"Bear in mind that the spam side of Conficker has so far been very low," he said, with machines sending around 10,000 spam mails a day. "That could change any time," he said, adding that they could conceivably send around 600,000 a day, which could cause serious network congestion.
As to the possibility of ANZ having contracted the virus, Gatford said he wouldn't be surprised. "I'd say there are a lot of Australian corporates that are infected," he said.
E-Secure-IT
https://www.e-secure-it.com
Supreme Court and Identity Theft
Justices Limit Use of Identity Theft Law in Immigration Cases
By ADAM LIPTAK and JULIA PRESTON
WASHINGTON — The Supreme Court on Monday rejected a favorite tool of prosecutors in immigration cases, ruling unanimously that a federal identity-theft law may not be used against many illegal workers who used false Social Security numbers to get jobs.
The question in the case was whether workers who use fake identification numbers to commit some other crimes must know they belong to a real person to be subject to a two-year sentence extension for “aggravated identity theft.”
The answer, the Supreme Court said, is yes.
Prosecutors had used the threat of that punishment to persuade illegal workers to plead guilty to lesser charges of document fraud.
“The court’s ruling preserves basic ideals of fairness for some of our society’s most vulnerable workers,” said Chuck Roth, litigation director at the National Immigrant Justice Center in Chicago. “An immigrant who uses a false Social Security number to get a job doesn’t intend to harm anyone, and it makes no sense to spend our tax dollars to imprison them for two years.”
Justice Samuel A. Alito Jr. said in a concurring opinion that a central flaw in the interpretation of the law urged by the government was that it made criminal liability turn on chance. Consider, Justice Alito said, a defendant who chooses a Social Security number at random.
“If it turns out that the number belongs to a real person,” Justice Alito wrote, “two years will be added to the defendant’s sentence, but if the defendant is lucky and the number does not belong to another person, the statute is not violated.”
Continue Reading at the NYTimes
HTTPS = HTTB.S.
You know...now that I think about it, I thought I had read something about the insecurity of security on the web once, but I can't quite place where, so I'll have to settle with providing you with this latest article...
Oh wait...I just remembered where I read it. Right here on the PIN Payments News Blog! Here's the link with the latest story to follow: eCommerce and Browsers Don't Mix.
Infosecurity 2009: Flaw in https blows hole in ecommerce security
Author: Cliff Saran
A serious flaw in the way ecommerce sites implement secure internet access based on the HTTPS protocol could put customers' credit card details at risk.
Internet users are aware that they should only give their credit card details to sites that use HTTPS protocol to encrypt the transmission of user details over the internet.
But First Base Technologies has spotted a flaw in the way many web sites use HTTPS, that renders the encryption useless.
According to Peter Wood, chief of operations at First Base Technologies, the flaw allows a hacker to hijack the internet cookies used to manage secure sessions on HTTPS web servers.
"Many websites do not flag the session cookie used by HTTPS as secure," he said speaking at InfoSecurity 2009.
Normally this cookie is used like a pass key to allow the user's browser to send a token to the HTTPS server, rather than requiring authentication every time the server is accessed.
However, Wood's team has found that unless the HTTPS session cookie is flagged "secure", it is transmitted as plain text and can be intercepted by a hacker.
This is not normally a problem for an HTTPS session, but ecommerce sites that present web-based catalogues normally also use HTTP and support multiple browser sessions, allowing the user to log into the web site more than once. When these are combined with an HTTPS session token that has not been flagged as "secure", the hacker can pretend to be a genuine user and access the site using the same token.
Wood warned that the attack could also be used to compromise strong security practices like RSA SecurID, that rely on two-factor authentication.
Wood said, "If you use RSA you have to tell the server to generate secure cookies otherwise a hacker can grab the token using a man in the middle style attack." Once the token has been stolen, the hacker can then access any of the data and applications on the corporate intranet that the user has access to. Moreover, the hacker may be able to reverse engineer the secure token to work out how it was generated, which would compromise the company's two-factor authentication system.
Wood said that the only way web sites can protect users is by ensuring their application developers correctly flag HTTPS cookies as secure. Editor's Note: Hey! That's complete and utter HTTB.S.! Hackers will always find a way in. The ONLY WAY Web sites can protect their users is by having them conduct financial transactions the way they do in brick and mortar locations. By swiping, not typing. OUTSIDE THE BROWSER SPACE. eCommerce companies would also greatly benefit from "card present" rates on credit cards and True PIN Debit rates, which in many instances are capped. More Security AND more Profits? Wow...I gotta learn more about that.
Oh...and Wood also said he believed hackers were using this flaw to steal internet users' card details. Ya think?
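What "flagged secure" means in practice, as an added example (this is not code from the Infosecurity 2009 item, from First Base Technologies or from this blog): Python's standard cookie jar applies the same scoping rule a browser does, so it can show which cookies a client would attach to a plain-http catalogue page versus an https checkout page on the same site. The host shop.example.com and the Set-Cookie headers are constructed for the example. The point it demonstrates is that a session cookie without the Secure attribute is sent in the clear on every http:// request to the same host, which is exactly what a passive listener on the path needs in order to replay the session; add the attribute and the cookie is only ever sent inside TLS.

```python
from http.cookiejar import Cookie, CookieJar
from http.cookies import SimpleCookie
from urllib.request import Request

# Constructed Set-Cookie headers for a hypothetical shop. In the weak set the
# session token has no Secure attribute (the flaw described in the article);
# the cart cookie is an ordinary cookie in both sets.
WEAK_HEADERS = [
    "SESSIONID=6f1d2b9c; Path=/; HttpOnly",
    "CART=42; Path=/",
]
# Hardened form: the session cookie carries Secure, so a client never attaches
# it to a plain-http request and a listener on the catalogue pages sees nothing.
HARDENED_HEADERS = [
    "SESSIONID=6f1d2b9c; Path=/; Secure; HttpOnly",
    "CART=42; Path=/",
]


def _as_cookie(name, value, domain, secure):
    """Build an http.cookiejar.Cookie the way a client stores a host cookie."""
    return Cookie(
        version=0, name=name, value=value,
        port=None, port_specified=False,
        domain=domain, domain_specified=True, domain_initial_dot=False,
        path="/", path_specified=True,
        secure=secure, expires=None, discard=True,
        comment=None, comment_url=None, rest={}, rfc2109=False,
    )


def jar_from_set_cookie(domain, headers):
    """Parse Set-Cookie header values from `domain` into a cookie jar."""
    jar = CookieJar()
    for header in headers:
        parsed = SimpleCookie()
        parsed.load(header)
        for name, morsel in parsed.items():
            # morsel["secure"] is True when the bare Secure attribute is present
            jar.set_cookie(_as_cookie(name, morsel.value, domain, bool(morsel["secure"])))
    return jar


def cookies_sent(jar, url):
    """Names the stock client policy would put in the Cookie header for `url`."""
    req = Request(url)
    jar.add_cookie_header(req)  # applies the secure-only and domain/path checks
    header = req.get_header("Cookie")
    if not header:
        return set()
    return {part.split("=", 1)[0].strip() for part in header.split(";")}


def leaked_over_http(headers, domain="shop.example.com"):
    """Cookies a listener on a plain-http catalogue request would capture."""
    jar = jar_from_set_cookie(domain, headers)
    return cookies_sent(jar, "http://%s/catalogue" % domain)


if __name__ == "__main__":
    print("weak:    ", sorted(leaked_over_http(WEAK_HEADERS)))      # SESSIONID leaks
    print("hardened:", sorted(leaked_over_http(HARDENED_HEADERS)))  # only CART
```

The check to run against a real site is the same: fetch the login or checkout page, look at the Set-Cookie header for the session token, and confirm it carries Secure (and HttpOnly, which keeps script on the page from reading it). Serving the whole site over HTTPS is the other half of the fix; the Secure flag only stops the browser from leaking the cookie on the http:// pages that still exist.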
I LOVE This Article!!!!!!
Posted by Tim Wilson, May 4, 2009 12:48 AM
Julius Caesar didn't see the need for a bodyguard when he went to the floor of the Roman senate on a March day in 44 B.C.
That little oversight cost him 23 stab wounds and the throne of the empire. More than 1,900 years later, Abe Lincoln entered the presidential box at Ford's Theater in Washington, D.C. -- again, no bodyguard seemed necessary. We all know how that decision turned out.
In fact, you could argue that history is full of poor security decisions, including many that have been made over and over again. Sometimes a look back at history makes you want to go back, shake the principals by the lapels, and say, "not again! Haven't you learned anything?"
Which brings us, inevitably, back to the subject of IT security.
This week we're celebrating the third birthday of Dark Reading, which launched its maiden story on May 1, 2006. One of the goals of the site was to cover everything that had to do with computer security, from bug reports and major breaches to best practices and product news. Our idea was to give security pros a single place to look for news and information, whether they wanted to know about the latest application vulnerabilities or develop an RFI for a new firewall.
The site still has plenty of flaws, but one thing we've successfully built is a pretty nice archive of what's happened in the industry during the past few years. If you enter the word "vulnerability" in our search bar, you'll find almost 1,000 stories. "Insider" brings up 365 articles. "XSS" -- the acronym for cross-site scripting -- will net you 84 different items. We've started to develop a little bit of searchable history on the site, giving you a bit of a window into what has happened in many different areas of IT security.
As I look back over the content we've published during our short life on the Web, I'm struck by how many times organizations have made the same mistakes over and over again.
The lost laptop that exposed the personal data of millions of soldiers at the Department of Veterans Affairs in 2006 doesn't seem very much different than the lost laptop that exposed the data of more than 225,000 individuals at the Oklahoma Housing Finance Agency this past weekend. The P2P vulnerability that exposed thousands of Pfizer employees to identity theft in 2007 is the same sort of flaw that exposed the president's Marine One helicopter plans to users in Iran just one month ago.
Clearly, malware is proliferating with a pace and sophistication that has never been seen before on the Web -- and that's scary. But shouldn't we have already fixed these problems that have been happening for years and years? After 25 years of viruses, why are we still trying to convince employees not to click on links from unknown email senders? A recent study by Verizon Business Systems indicates that more than 90 percent of security breaches are the result of hacks and vulnerabilities that are more than 2 years old.
Not again! Haven't you learned anything? Editor's Note: The ones that are two years old don't scare me as much as the ones that are cropping up (see Torpig Botnet Harvests Bank Credentials) as I type. Speaking of typing, did you ever hear of "key-logging?" That's like, 10 years old...and people still think it's okay to type their credit card numbers into a box at a merchant checkout. What do you do when you purchase goods at a brick and mortar retailer? Do you write your credit/debit card number down in a box on a sheet of paper? No! You swipe your card and you enter your PIN. Why? Because that's the safest way to do it.
As we enter our fourth year of serving the security community, we at Dark Reading would like to thank you, our readers, for your interest and loyalty since we opened our home page in 2006. We hope we've helped to inform you of some of the newest hacks on the Web, and gave you the information you needed to protect your organization against the most innovative new threats.
At the same time, however, we invite you to take a look back through the history of attacks we're amassing on the site. See anything familiar? You're not the only one. Attackers often like to exploit old vulnerabilities, as well.
It's hard for an old newsman to admit, but maybe we ought to spend a little less time focused on the industry's newest threats and a little more time focused on the ones that have consistently come back to bite us, again and again, during the relatively short history of computer security. Maybe learning from old mistakes is just as important as avoiding new ones.
Editor's Note: THAT is why I love this Article! It's EXACTLY the point that HomeATM has been trying to make since DAY ONE. There WILL be the day when EVERYONE realizes that financial transactions conducted on a PC need to be conducted outside the browser. Our solution is PCI 2.0 certified, and uses an End-to-End Triple Data Encryption Standard (3DES) and further protects card holder data by employing a Derived Unique Key Per Transaction (DUKPT) key management system. (Protected by DUKPT) The HomeATM SafeTPIN is your vehicle baby...you can take it anywhere you wanna go. Just as Julius Caesar was "warned" to beware of "The IDES of March", we need to beware of the proliferation of malicious code designed to steal our usernames, our passwords and our ID's. We need to beware of "The March of ID's"
Continue "Dark Reading:" In any case, we at Dark Reading are committed to spending the coming year doing what we've been doing since 2006 -- bringing you the latest news, analysis, opinion, and product news that the industry has to offer. We know that in order to do your job, you need to understand the full spectrum of threats to your business, both old and new, and that your livelihood depends on getting the information you need -- when you need it. We also know that in many cases, those who don't learn from history -- even just a few years of it -- may be doomed to repeat it.
Just ask Honest Abe.
-- Tim Wilson, Site Editor, Dark Reading
Merchant Risk Council to Sponsor CNP Payment Forum
MERCHANT RISK COUNCIL POWERS FRAUD AND RISK SESSIONS FOR CNP PAYMENT FORUM
Three Sessions Showcase Fraud, Security and Payment-related Issues Facing Today’s Global Merchants
Fountain Hills, AZ - May 5, 2009 - PIN PAYMENTS NEWS BLOG: The Merchant Risk Council (MRC), a merchant-led trade association focused on electronic commerce risk and payments globally, today announced that they are providing content and speakers for the Customer Not Present (CNP) Payment Forum May 11-13, 2009 in Barcelona, Spain.
The MRC has developed three unique sessions in partnership with the CNP Payment Forum:
- Understanding the DNA of e-Commerce Fraud
- Chargebacks: Current Trends, Best Practices and Fraud
- An Inside Look at Two Merchants' Approach to e-Commerce Payment Fraud
Sessions will be moderated by MRC Payment Program Manager Bob O’Neill. Session panelists and speakers include representatives from 2Checkout, CyberSource, The Generations Network, Payventures, Retail Decisions and Symantec.
“It is increasingly important that our forum attendees understand all aspects of the payments ecosystem,” says Ashok Misra, CNP Payment Forum Executive Vice Chair and Senior Manager of Payments and Security for RealNetworks, Inc. “The MRC understands the fraud risk side of card-not-present payments better than any organization around. We are very excited at what they are bringing to this forum.”
“Developing content for the European CNP Payment Forum reflects the MRC’s expanding scope from its traditional North American focus to a more global approach in helping merchants throughout the world combat fraud,” said Tom Donlea, MRC Executive Director. “The MRC is rapidly becoming the preeminent source for all e-Commerce constituents who deal with the growing complexities of online sales security and payments – both in the U.S. and abroad.”
The CNP Payment Forum is being held at the Eurostars Grand Marina Hotel in Barcelona, Spain from May 11-13.
About the Merchant Risk Council
The Merchant Risk Council (MRC) is a merchant-led trade association focused on electronic commerce risk and payments globally. The MRC leads industry networking, education and advocacy programs to make electronic commerce more efficient, safe and profitable.
Today, with the power of its member-base, the MRC is the leading trade association for managing payments, preventing online fraud and promoting secure e-Commerce. The MRC is dedicated to working with e-Commerce and multi-channel merchants, payment processors, credit card issuers, credit card companies, alternative payment providers, risk management experts, and law enforcement to make the Internet a safer and more profitable place to do business.
The MRC Board of Directors and Advisors includes: Expedia, Inc., Adobe Systems, Inc., Neiman Marcus Direct, 41st Parameter, Apple, BestBuy.com, Bill Me Later, Blizzard Entertainment, Chase Paymentech, CyberSource Corporation, Dell, Inc., Discover Network, Gap, Inc. Direct, iovation, Microsoft, Trustwave, Visa, Inc. and Wal-Mart.
The MRC is headquartered in Seattle, Washington.
About CNP Payment Forum
The Customer Not Present Payment Forum is a non-profit organization created by and committed to serving merchant organizations that process CNP transactions (Customer-Not-Present i.e. e-commerce, mail and telephone orders). In addition to the merchants in the CNP space, it invites representatives of acquirers, card schemes and payment service providers to participate with their respective merchants in its activities in order to encourage dialogue and best practices between all stakeholders in the CNP arena. CNP Payment Forum was formed by European merchants with support from Direct Response Forum (DRF) USA.
CNP Payment Forum’s main objective is to provide the CNP players with networking opportunity, education, sharing of best practices and representation (or engagement) in promoting the interests of the industry in CNP processes. This year in Barcelona it is running its 6th annual conference.
MEDIA CONTACT: Jordan Rubin
TELEPHONE: 206.364.2789
EMAIL: jordan@merchantriskcouncil.org
Apple to Buy Twitter? iTwit
Facebook tried to buy Twitter. Google and Microsoft have been giving the red-hot Internet-messaging startup the eye. But we hear it's Apple that's closest to sealing a deal, possibly for as much as $700 million.
A source who's plugged into the Valley's deal scene and has been recruited by Apple for a senior position says Apple and Twitter are in serious negotiations, with the goal of unveiling a deal by June 8, when Apple's annual Worldwide Developers Conference launches in San Jose.
Twitter turned down a $500 million offer in cash and stock from Facebook, in part because Twitter's investors couldn't agree on whether Facebook's stock was worth as much as Facebook said it was. But Apple could easily pay cash. A source familiar with the thinking of Twitter's board says the company would be hard-pressed to refuse an all-cash offer in the range of $700 million. (Is Twitter really worth that? Since its business is nothing but a fantasy at this point, any valuation, high or low, is a matter of make-believe.)
What does Twitter, an adorable but unprofitable startup, have to do with a hardware company like Apple? The iPhone is the obvious driver of the deal: The many iPhone apps like Tweetie that people use to post Twitter messages are hot sellers for Apple. But Apple gets the benefit of Twitter-addicted iPhone users whether or not it owns Twitter. And it seems like an odd cultural fit, since Apple's hardly known for its Web prowess.
Continue Gawking at ValleyWag
RIM & HP Unite for BlackBerry Biz Apps
You plug our device into your BlackBerry or iPhone ONE TIME, swipe your card, and enter your PIN. The cardholder data is end-to-end (3DES) encrypted (inside the device) and the encrypted data is transmitted, using the phone as a modem, then securely stored in the HSM at our Network Operations Center.
That's it. Now you're done. Your BlackBerry is now "ENABLED" as a secure 2FA fully encrypted mobile banking and mobile payment device. Oh, and you can also pass it along to the next guy/gal and they can do the same (enable their smart phone). And so on...and so on...
iSwipe™ - iSwipe Therefore iAm™ currently works on ANY smart phone...but our engineers have already devised a way to use it on not-so-smart phones and that application will be available in about 4-5 months. To learn more, feel free to ask!
Research in Motion (RIM) and Hewlett-Packard (HP) have confirmed rumours by formally announcing a partnership between the two firms to provide various business applications for BlackBerry devices.
The new platforms will be useable on BlackBerry Enterprise Server 5.0, also officially unveiled at RIM’s Wireless Enterprise Symposium (WES) 2009 event in Orlando, Florida.
One of the new applications is HP CloudPrint for BlackBerry smartphones, which enables people to print emails, documents, photos and web pages from a BlackBerry to the nearest printer via an Internet connection.
The service should not be limited to HP printers, as the companies claim HP CloudPrint is printer-agnostic and driverless.
The two companies will also be taking on the management side of things with HP Operations Manager for BlackBerry Enterprise Server. This is said to enable companies to monitor and manage their BlackBerry handsets.
“RIM and HP are working together to deliver solutions to customers that weave mobility into their daily operations – from innovative new services in the cloud to managed mobile services for the enterprise. Through our collaboration with HP, businesses will have access to an expanded set of applications and services for their BlackBerry smartphone deployments,” said RIM co-CEO Jim Balsillie in a statement.
Continue Reading at CBR
Online Sales Slip in '09
Online Sales Slip
MAY 5, 2009
Whoops!
Only a few days ago, eMarketer ran an article (Online Sales Up) based on a study that showed US online retail sales on average were up 11% in Q1 2009. Looking forward, however, the projection for online sales in 2009 does not appear so rosy.
After years of unbroken growth, eMarketer forecasts that continued recessionary pressure will cause online sales to actually contract in 2009—by 0.4%.
“eMarketer forecasts that online sales will be virtually flat in 2009,” says Jeffrey Grau, eMarketer senior analyst and author of the new report, E-Commerce in a Recession: The Impact on Consumers and Retailers. “Assuming the economy will begin to recover in 2010, however, retailers will see a return to sales growth and hit full stride again in 2011.”
eMarketer projects that from 2011 to 2013 online sales will rebound to double-digit growth. In the meantime, even in the trough of the economy, there are opportunities for online retailers.
“The current economic upheaval has weakened many traditional retailers, putting consumers’ wallets up for grabs,” says Mr. Grau. “Online retailers that can fill the void with superior customer service, rich product information and greater shopping conveniences have a chance to win new customers for life.” In addition, even as consumers are reining in spending, they are increasingly researching purchases online.
“There is nothing new about consumers using the Internet to help them make purchase decisions on big-ticket items such as cars and computers,” says Mr. Grau. “But a new breed of consumers is extending their research to everyday products.”
These information-hungry shoppers go online to find out whether a toy is safe, a shampoo is unscented or a diaper manufacturer is environmentally responsible. In other words, the way consumers shop is changing, and smart online retailers will take advantage of their new behavior—and information needs.
“The new online consumer is independent and less likely to trust recommendations of a salesperson or be swayed by the emotional appeal of a TV ad,” says Mr. Grau.
Editor's Note: I wonder if you can parlay that to mean that they will be less likely to trust recommendations of people who say "type your card information into our box" or "click your PIN into the floating PIN Pad" or HTTPS-ecure.
Another Bank Issues New Cards from Heartland Breach
Source: coshoctontribune
Complete item: http://www.coshoctontribune.com/article/20090504/UPDATES01/90504013
Description:
A batch of 800 debit cards of Ohio Heritage Bank customers were compromised over the weekend due to information being taken from Heartland Payment Systems.
Heartland is an independent debit and credit card transaction processing company that does more than 100 million transactions monthly for some 250,000 businesses across the United States, according to Ohio Heritage Bank President Dick Baker.
"There was no breach of our security. It's nothing we did wrong," said Baker. "We were just the unfortunate recipient of what happened."
Baker said that they were alerted of the matter Saturday and that bank employees stayed after hours to work on the situation and call customers who were affected. Not all customers were spoken with and Baker said letters were also mailed out.
E-Secure-IT
https://www.e-secure-it.com
Torpig Botnet Harvests Online Banking Credentials
As I mentioned in that post, the most secure way to authenticate the online banking customer is to put a HomeATM 2.0 Certified PIN Entry Device in their hands. ($12) The bank issues the card, the bank issues the PIN, and now, instead of toasters, the bank issues our device. End Result?: Complete 100% secure 2FA (two-factor authentication) log-in. What that means to the banks and their customers is virtual elimination of phishing (average cost $350) no threat of DNS Hijacking, cloned cards could no longer be used and essentially no more ID Theft, thus no more emptying of bank accounts.
Now, here comes a story about a botnet called Torpig (also known as Sinowal), hard-to-detect malicious code used to infect PCs and steal those very same usernames/passwords used at financial institutions. Don't say I didn't warn you that this would happen, and this is just the beginning...the worst is yet to come.
Source: Computerworld
Complete item: Click Here
Description:
Researchers from the University of California gained control over a well-known and powerful network of hacked computers for 10 days, gaining insight into how it steals personal and financial data.
The botnet, known as Torpig or Sinowal, is one of the more sophisticated networks that uses hard-to-detect malicious software to infect computers and subsequently harvest data such as email passwords and online banking credentials.
The researchers were able to monitor more than 180,000 hacked computers by exploiting a weakness within the command-and-control network used by the hackers to control the computers. It only worked for 10 days, however, until the hackers updated the command-and-control instructions, according to the researchers' 13-page paper.
Still, that was enough of a window to see the data-collecting power of Torpig/Sinowal. In that short time, about 70GB of data were collected from hacked computers.
The researchers stored the data and are working with law enforcement agencies such as the US Federal Bureau of Investigation, ISPs and even the US Department of Defence to notify victims. ISPs also have shut down some Web sites that were used to supply new commands to the hacked machines, they wrote.
Torpig/Sinowal can pilfer user names and passwords from email clients such as Outlook, Thunderbird and Eudora while also collecting email addresses in those programs for use by spammers. It can also collect user names and passwords from web browsers.
Torpig/Sinowal can infect a PC if a computer visits a malicious Web site that is designed to test whether the computer has unpatched software, a technique known as a drive-by download attack. If the computer is vulnerable, a low-level piece of malicious software called a rootkit is slipped deep into the system.
The researchers found out that Torpig/Sinowal ends up on a system after it is first infected by Mebroot, a rootkit that appeared around December 2007.
Mebroot infects a computer's Master Boot Record (MBR), the first code a computer looks for when booting the operating system after the BIOS runs. Mebroot is powerful since any data that leaves the computer can be intercepted.
Mebroot can also download other code to the computer.
Torpig/Sinowal is customized to grab data when a person visits certain online banking and other websites. It is coded to respond to more than 300 websites, with the top targeted ones being PayPal, Poste Italiane, Capital One, E-Trade and Chase bank, the paper said.
Hackers typically sell passwords and banking information on underground forums to other criminals, who try to convert the data into cash. While it's difficult to precisely estimate the value of the information collected over the 10 days, it could be worth between US$83,000 and $8.3 million, the research paper said.
If a person goes to a banking website, a falsified form is delivered that appears to be part of the legitimate site, but asks for a range of data a bank would not normally request, such as a PIN (personal identification number) or a credit card number.
Websites using SSL (Secure Sockets Layer) encryption are not safe if used by a PC with Torpig/Sinowal, since the malicious software will grab information before it is encrypted, the researchers wrote.
There are ways to disrupt botnets such as Torpig/Sinowal.
Editor's Note: The easiest way to disrupt the botnet is to utilize HomeATM's PCI 2.0 Certified SafeTPIN with 3DES end-to-end encryption (including the Track 2 data) and Protected by DUKPT key management. Use our device and you'll have no worries. Either that or stop shopping online!
The botnet code includes an algorithm that generates domain names that the malware calls on for new instructions.
Security engineers have often been able to figure out those algorithms to predict which domains the malware will call on, and preregister those domains to disrupt the botnet. It is an expensive process, however. The Conficker worm, for example, can generate up to 50,000 domain names a day.
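The two paragraphs above describe the defensive use of a reversed domain-generation algorithm: once the generator is known, a defender can precompute the day's names to register or sinkhole them, and match DNS logs against that set to find infected hosts. The block below is an added illustration, not code from the paper or from Torpig; the date-seeded generator, its seed, the log line format and the sample lines are all constructed for the example.

```python
import hashlib
from datetime import date, timedelta

# Hypothetical DGA for illustration only: NOT Torpig's algorithm, just the same
# shape (deterministic, date-dependent, so anyone holding the seed can reproduce it).
SEED = b"example-dga-seed"          # constructed placeholder, not a real key
TLDS = ("com", "net", "biz")

def dga_domains(day: date, count: int = 20) -> list:
    """Domains the hypothetical bot would query on `day`, in generation order."""
    out = []
    for i in range(count):
        digest = hashlib.sha256(SEED + day.isoformat().encode() + bytes([i])).hexdigest()
        out.append(f"{digest[:12]}.{TLDS[i % len(TLDS)]}")
    return out

def parse_dns_log(line: str) -> tuple:
    """Parse a constructed resolver log line 'TIMESTAMP src=IP q=NAME' into (ip, name)."""
    fields = dict(part.split("=", 1) for part in line.split()[1:])
    return fields["src"], fields["q"].rstrip(".").lower()   # strip trailing root dot

def find_infected(log_lines, day: date, lookahead: int = 1) -> dict:
    """Map each source IP to the DGA names it resolved on `day` or the next `lookahead` days.

    The watch set is what a defender would pre-register or sinkhole; bots whose clock is
    slightly ahead are caught by the lookahead days.
    """
    watch = set()
    for offset in range(lookahead + 1):
        watch.update(dga_domains(day + timedelta(days=offset)))
    hits = {}
    for line in log_lines:
        ip, name = parse_dns_log(line)
        if name in watch:
            hits.setdefault(ip, []).append(name)
    return hits

# Constructed sample log: one host resolves two generated names, one host is clean.
TODAY = date(2009, 5, 5)
SAMPLE_LOG = [
    f"2009-05-05T10:00:01 src=10.0.0.5 q={dga_domains(TODAY)[3]}.",
    "2009-05-05T10:00:02 src=10.0.0.6 q=www.example.com.",
    f"2009-05-05T10:00:03 src=10.0.0.5 q={dga_domains(TODAY + timedelta(days=1))[7]}",
]

if __name__ == "__main__":
    for ip, names in find_infected(SAMPLE_LOG, TODAY).items():
        print(f"{ip} resolved DGA names: {', '.join(names)}")
```

The `count` parameter is where the cost mentioned above bites: a family that emits 50,000 names a day, as the Conficker figure illustrates, means a watch set and a registration bill of that size for every day covered.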
Registrars, companies that sell domain name registrations, should take a greater role in cooperating with the security community, the researchers wrote. But registrars have their own issues.
URL for the "Your Botnet is My Botnet: Analysis of a Takeover" report:
http://www.cs.ucsb.edu/~seclab/projects/torpig/index.html
ABSTRACT
Botnets, networks of malware-infected machines that are controlled by an adversary, are the root cause of a large number of security threats on the Internet. A particularly sophisticated and insidious type of bot is Torpig, a malware program that is designed to harvest sensitive information (such as bank account and credit card data) from its victims. In this paper, we report on our efforts to take control of the Torpig botnet for ten days. Over this period, we observed more than 180 thousand infections and recorded more than 70 GB of data that the bots collected. While botnets have been “hijacked” before, the Torpig botnet exhibits certain properties that make the analysis of the data particularly interesting. First, it is possible (with reasonable accuracy) to identify unique bot infections and relate that number to the more than 1.2 million IP addresses that contacted our command and control server. This shows that botnet estimates that are based on IP addresses are likely to report inflated numbers. Second, the Torpig botnet is large, targets a variety of applications, and gathers a rich and diverse set of information from the infected victims. This opens the possibility to perform interesting data analysis that goes well beyond simply counting the number of stolen credit cards.
1. INTRODUCTION
Malicious code (or malware) has become one of the most pressing security problems on the Internet. In particular, this is true for bots [3], a type of malware that is written with the intent of taking control over hosts on the Internet. Once infected with a bot, the victim host will join a botnet, which is a network of compromised machines that are under the control of a malicious entity, typically referred to as the botmaster. Botnets are the primary means for cyber criminals to carry out their nefarious tasks, such as sending spam mails [30], launching denial-of-service attacks [24], or stealing personal data such as mail accounts or bank credentials [14,32]. This reflects the shift from an environment in which malware was developed for fun to the current situation, where malware is spread for financial profit.
Given the importance of the problem, significant research effort has been invested to gain a better understanding of the botnet phenomenon [8, 29], to study the modus operandi of cyber criminals [19, 22], and to develop effective mitigation techniques [10, 11]. One popular approach to analyze the activities of a botnet is to join it (that is, to perform analysis from the inside). To achieve this, researchers typically leverage honeypots, honey clients, or spam traps to obtain a copy of a malware sample. The sample is then executed in a controlled environment, which makes it possible to observe the traffic that is exchanged between the bot and its command and control (C&C) server(s). In particular, one can record the commands that the bot receives and monitor its malicious activity.
Smart Card Alliance Honors Smartest of the Smart
Smart Card News
Source: Deb Montner, Montner & Associates Tech PR Agency, 203-226-9290, dmontner@montner.com
Smart Card Alliance Presents 2009 Outstanding Smart Card Achievement Awards
CTST 2009, NEW ORLEANS, May 5, 2009 – The Smart Card Alliance today announced the 2009 award winners for “Outstanding Smart Card Achievement” (OSCA) in the North American smart card industry. The awards were announced during the Alliance Annual Conference, taking place this week in conjunction with CTST 2009 The Americas Conference and Exhibition at the Ernest N. Morial Convention Center in New Orleans.
“With smart card implementations in full swing across so many markets such as government, financial payments, transit, healthcare and enterprise, we were tasked with choosing winners from our most diverse group of OSCA candidates ever,” said Randy Vanderhoof, executive director of the Smart Card Alliance. “These winners were chosen for their tremendous commitment, vision and leadership in bringing smart card technology to the forefront of all of these markets.”
The 2009 Outstanding Smart Card Achievement Award Winners
Outstanding Issuing Organization: Mount Sinai Medical Center
Mount Sinai Medical Center is recognized for taking a leadership position in building awareness of the benefits of using smart card technology in healthcare. Mount Sinai Medical Center currently provides its patients with a secure and portable personal health record that is stored on a smart card. Further, Mount Sinai Medical Center has taken the initiative to start the HealthSmart Network, allowing other New York metropolitan area healthcare facilities to participate in the Personal Health Card program.
In addition to identification and insurance information, the Personal Health Card can store medical information including a list of health problems identified by their healthcare providers, as well as known allergies, immunizations, current medications, lab results and healthcare encounters.
Outstanding Technology Organization: HID Global
HID Global earned the award through its partnership with Dell on the Dell® Latitude™ E-Family Laptops, which include embedded contactless smart card readers that read/write to HID iCLASS® cards and other ISO/industry standard contactless smart cards. This integration of the first multi-technology contactless smart card reader into select Latitude E-Family laptops allows end-users to benefit from the enhanced security of multi-factor authentication and the convenience of using one card for logical and physical access control.
Individual Leadership Award: Patrick W. Hearn, vice president of government and identification markets, North and Central America, Oberthur Technologies
Hearn is recognized for his leadership in creating the first NIST-certified dual interface Personal Identity Verification (PIV) card, as well as in heading up Oberthur’s smart card implementations. Implementations include the Department of Defense Common Access Card, the Department of Homeland Security’s Transportation Worker Identification Credential, the General Services Administration USAccess Program (supporting 73 civilian agencies), the CLEAR Registered Traveler Program, the Guatemala National Identification Program, as well as dozens of other smart card programs within the United States and globally.
Other finalists in the Outstanding Issuer category who received awards are Chase and Wells Fargo, while finalists in the Outstanding Technology Organization category that also received awards are Giesecke & Devrient and Microsoft Corporation. Individual Leadership category finalists that also received awards are Charles Walton, the executive vice president of INSIDE Contactless, and Barry Mosteller, the director of technical marketing at Oberthur Technologies.
A panel representing practitioners, technology providers and media, all with extensive smart card technology experience and industry visibility, selected the award winners. This year’s panel was: Willy Dommen, Booz Allen Hamilton; Brian Russell, Giesecke & Devrient; John McKeon, IBM; Zack Martin, Avisian; Thomas Calvert, Intel; and Michael Sulak, United States Department of State.
About the Smart Card Alliance
The Smart Card Alliance is a not-for-profit, multi-industry association working to stimulate the understanding, adoption, use and widespread application of smart card technology.
Through specific projects such as education programs, market research, advocacy, industry relations and open forums, the Alliance keeps its members connected to industry leaders and innovative thought. The Alliance is the single industry voice for smart cards, leading industry discussion on the impact and value of smart cards in the U.S. and Latin America. For more information please visit http://www.smartcardalliance.org.
###
FINRA Says Fine! (which beats Jail Time)
Complete item: http://www.finra.org/Newsroom/NewsReleases/2009/P118550
Description:
The Financial Industry Regulatory Authority (FINRA) has announced today that it has fined Centaurus Financial, Inc. (CFI), of Orange County, CA, $175,000 for its failure to protect certain confidential customer information. (Editor's Note: Beats Jail Time for the CEO, yes?)
Centaurus was also ordered to provide notifications to affected customers and their brokers and to offer these customers one year of credit monitoring at no cost.
FINRA found that from April 2006 to July 2007, CFI failed to ensure that it safeguarded confidential customer information. Its improperly configured computer firewall - along with an ineffective username and password on its computer facsimile server - permitted unauthorized persons to access stored images of faxes that included confidential customer information, such as social security numbers, account numbers, dates of birth and other sensitive, personal and confidential data.
The firm's failures also permitted an unknown individual to conduct a "phishing" scam. When CFI became aware of the phishing scam, the firm conducted an inadequate investigation and sent a misleading (a phishing?) notification letter to approximately 1,400 affected customers and their brokers.
E-Secure-IT
https://www.e-secure-it.com