Data Security News
Thailand approves extradition of credit card hack suspect
-
By Dan Goodin in San Francisco
The Register
8th March 2010
A criminal court in Thailand has approved the extradition to the US of a
Malaysian man suspected of participating in credit card thefts of more
RSA: Cybersecurity A Joint Fed, Industry Effort
-
By J. Nicholas Hoover
InformationWeek
March 8, 2010
Government officials played a starring role at the annual RSA Conference
last week, laying out their plans for government cybersecurity,
Cybersecurity program has serious defects, GAO says
-
By William Jackson
GCN.com
March 08, 2010
Implementing the Comprehensive National Cybersecurity Initiative, a
broad program intended to protect the nation's cyber infrastructure, has
been hampered by a lack of coordination and transparency, according to
the Government Accountability Office.
"CNCI is unlikely to fully achieve its goal of reducing potential
vulnerabilities, protecting against intrusion attempts, and anticipating
future threats to federal information systems unless roles and
responsibilities for cybersecurity activities across the federal
government are more clearly defined and coordinated," the GAO concluded
in a November briefing to the staff of the House Armed Services
subcommittee on Terrorism, Unconventional Threats and Capabilities.
The GAO also concluded that too much of the initiative, which was
spelled out in National Security Presidential Directive 54 and Homeland
Security Presidential Directive 23, has remained classified.
"Since the approval of NSPD-54/HSPD-23, few elements of CNCI have been
made public," the GAO briefing said. "While certain aspects and details
of CNCI must necessarily remain classified, the lack of transparency
regarding CNCI projects hinders accountability to Congress and the
public. In addition, current classification may make it difficult for
some agencies, as well as the private sector, to interact and contribute
to the success of CNCI projects."
Ford Motor Rolls Out New Security Features To Prevent Car-Hacking
-
By Kelly Jackson Higgins
DarkReading
March 08, 2010
Automobile giant Ford Motor this year will debut vehicles with built-in
WiFi -- along with enhanced security features to prevent data breaches
via its new cars.
Ford has offered the so-called Sync technology service it co-developed
with Microsoft in most of its Ford, Lincoln, and Mercury vehicles since
2008. The technology lets drivers run their Bluetooth-enabled mobile
phones and digital media players via their vehicles and use voice
commands to operate them, for instance.
The automaker announced today that the second generation of its Sync
technology -- due out later this year and to include a full Windows CE
operating system with a new driver interface called MyFordTouch -- will
come with a built-in browser and secured WiFi access. It will first
debut in the 2011 Ford Edge and 2011 MKX Lincoln, and later, in the 2010
Ford Focus.
"We really began to focus on the security side when we began launching
Sync, and it was [originally] for working with phones and media
players," says Jim Buczkowski, director of Ford electronics and
electrical systems engineering. "Now we're extending that system
connectivity to include WiFi as another data path for customers in their
vehicles ... and we're extending that security model for protecting
WiFi."
Backdoor found in Energizer Duo USB battery charger
-
By Elinor Mills
InSecurity Complex
CNet News
March 8, 2010
Software that can be downloaded for use with the Energizer Duo USB
battery charger contains a backdoor that could allow an attacker to
remotely take control of a Windows-based PC, Energizer and US-CERT are
warning.
"The installer for the Energizer Duo software places the file
UsbCharger.dll in the application's directory and Arucer.dll in the
Windows system32 directory," the U.S. Computer Emergency Readiness Team
said in an advisory on Friday. "Arucer.dll is a backdoor that allows
unauthorized remote system access via accepting connections on 7777/tcp.
Its capabilities include the ability to list directories, send and
receive files, and execute programs."
The Windows software was made available via a download with the
Energizer Duo Charger, Model CHUSB, Energizer said in a statement.
The battery maker said it does not know how the Trojan got into the
software. "Energizer has discontinued sale of this product and has
removed the site to download the software," the statement said.
"Energizer is currently working with both CERT and U.S. government
officials to understand how the code was inserted in the software."
FDIC: Hackers took more than $120M in three months
-
By Robert McMillan
IDG News Service
March 8, 2010
Ongoing computer scams targeting small businesses cost U.S. companies
$25 million in the third quarter of 2009, according to the U.S.
Tokyo's Cyber Emergency Centre at the vanguard of hacking defence
-
By Leo Lewis
The Times
March 8, 2010
Across one wall of a Thunderbirds-style command centre a huge map of the
world keeps a running log of global cyber-attacks. Bloodcurdling names
The Corporate Side of Snooping
-
By DEVIN LEONARD
Off the Shelf
The New York Times
March 5, 2010
IT'S easy to understand how Washington reporters can become jaded. They
are constantly being spun by the same gang of politicians and lobbyists
Microsoft's tax-for-hacks 'horrible' idea, say security experts
-
By Gregg Keizer
Computerworld
March 5, 2010
Microsoft's idea that the fight against malware could be funded by an
Internet tax is "horrible," an analyst said Thursday as other experts
weighed in on a recent comment by the company's security chief.
Earlier this week, Scott Charney, Microsoft's vice president for its
Trustworthy Computing group, said that while there are plenty of ways to
combat malware, scrub infected PCs and take down botnets, no one wanted
to foot the bill.
"Maybe markets will make it work," Charney said, but then added that an
Internet usage tax might be the solution. "You could say it's a public
safety issue and do it with general taxation," Charney said.
"The idea of a general Net tax is a horrible idea," said John Pescatore,
Gartner's security analyst. "Why not a tax on all retail goods for a
standard antishoplifting service all merchants would have to use?" A
business, he said, can now select what it thinks is the best
anti-malware solution, but that choice would presumably vanish if
funding for battling the bad guys went national.
Facebook founder Mark Zuckerberg 'hacked into emails of rivals and journalists'
-
By Mail Foreign Service
06th March 2010
Facebook founder Mark Zuckerberg has been accused of hacking into the
email accounts of rivals and journalists.
Westin Bonaventure Los Angeles latest victim of hotel hackers
-
By Barbara De Lollis
USA TODAY
Hotel Check-In
March 07, 2010
You may have to monitor your credit card statements - and even place a
At RSA, Some Security Pros Don't Practice What They Preach
-
By Tim Wilson
DarkReading
March 05, 2010
SAN FRANCISCO -- RSA Conference 2010 -- You'd think the behavior of
wireless users at one of the industry's biggest security conferences
Iowa Homeland Security Web site "compromised"
-
By WILLIAM PETROSKI
dmreg.com
March 4, 2010
The Iowa Homeland Security and Emergency Management Division's Web site
has been "compromised," a state official said today.
Nation's cybersecurity suffers from a lack of information sharing
-
Forwarded from: Richard Forno <rforno (at) infowarrior.org>
Talk about a blast from the past!
This article could be ripped from FCW's archives with only the dates and
names changed .... I mean, didn't we hear industry and gov folks say the
same thing in 1997, 2000, 2003, 2005, 2007 and 2009 about critical
infrastructure protection, Y2K, homeland security, etc? Heck, the
Nation even has a "National Strategy for Information Sharing" issued by
the White House. Lot of good that's done, too.
Yet after 15 years or so we're *still* talking about the same problems
and obstacles to overcome involved with both information-sharing and
infosec in general, in both human and technical terms.
...but that's okay, we can always levy a Charney-charge [1] on everyone
to help subsidize the industry instead. This is the decade of bailing
folks out, isn't it?
Same stuff, different year. And folks wonder why I am so damn cynical about
this industry.
-rf
[1]
On Mar 4, 2010, at 01:18 , InfoSec News wrote:
New BlackEnergy Trojan Targeting Russian, Ukrainian Banks
-
By Kelly Jackson Higgins
DarkReading
March 04, 2010
SAN FRANCISCO -- RSA Conference 2010 -- Russian hackers have written a
more sophisticated version of the infamous BlackEnergy Trojan associated
White House Cyber Czar: 'There Is No Cyberwar'
-
By Ryan Singel
Threat Level
Wired.com
March 4, 2010
Howard Schmidt, the new cybersecurity czar for the Obama administration,
has a short answer for the drumbeat of rhetoric claiming the United
Heartland Aftershocks: Still at Risk?
-
By Linda McGlasson
Managing Editor
Bank Info Security
March 4, 2010
Earlier this week, First National Bank of Durango, CO came forward to
reveal that as many as 5,000 of its customers were at risk because of
FBI Director: Hackers have corrupted valuable data
-
By Robert McMillan
IDG News Service
March 4, 2010
Hackers breaking into businesses and government agencies with targeted
attacks have not only stolen intellectual property, in some cases they
have corrupted data too, the head of the U.S. Federal Bureau of
Investigation said Thursday.
The United States has been under assault from these targeted
spear-phishing attacks for years, but they received mainstream attention
in January, when Google admitted that it had been hit and threatened to
pull its business out of China -- the presumed source of the attack --
as a result.
FBI Director Robert Mueller called these attacks a threat to the
nation's security on Thursday, speaking at the RSA Conference in San
Francisco. "Just one breach is all they need in order to open the
floodgates," he said, speaking about the hackers behind these
intrusions. "We have seen not only a loss of data, but also a corruption
of that data."
Mueller did not say exactly what he meant by corruption of data, but
security experts worry that if attackers are able to alter source code,
they might put back-doors or logic bombs in the software they gain
access to.
'Severe' OpenSSL vuln busts public key crypto
-
By Dan Goodin in San Francisco
The Register
4th March 2010
Computer scientists say they've discovered a "severe vulnerability" in
the world's most widely used software encryption package that allows
Heartland Breach: Colorado Bank Reports New Fraud
-
By Linda McGlasson
Managing Editor
Bank Info Security
March 3, 2010
A Colorado bank has come forward to reveal that as many as 5,000 of its
customers were at risk because of new fraudulent transactions tied to
Shands notifies 12,500 patients that data at risk
-
By Nathan Crabbe
Staff writer
Gainesville.com
March 2, 2010
Shands HealthCare has notified about 12,500 patients that a laptop
containing their medical information was stolen in January.
Nation's cybersecurity suffers from a lack of information sharing
-
By William Jackson
FCW.com
March 03, 2010
SAN FRANCISCO -- The lack of trust between the public and private
sectors continues to inhibit the sharing of information needed for the
nation to effectively defend against rapidly evolving cyberthreats, a
panel of industry experts and former government officials said Tuesday.
"We need to have more transparency in the public-private partnership,"
said Melissa Hathaway, former White House advisor who conducted last
year's comprehensive review of government cybersecurity. "The trust does
not exist between the two parties."
Hathaway, who now runs her own cybersecurity consulting firm, said
during a panel discussion at the RSA Security Conference that a "safe
space" overseen by a trusted third party is needed to facilitate
sharing.
William Crowell, former National Security Agency deputy director, said
that it should be possible to share information without identifying the
source, to make the parties feel more secure about providing it. "We
need to be able to abstract the information we are going to share,"
he said. "That's our best approach in the long run."
Tracing attack source key to cybersecurity strategy, Chertoff says
-
By Jaikumar Vijayan
Computerworld
March 3, 2010
SAN FRANCISCO -- The difficult task of identifying the true sources of
cyber attacks remains one of the biggest challenges in the development
of a national cybersecurity strategy, former Department of Homeland
Security Secretary Michael Chertoff told Computerworld in an interview
at the RSA Security conference here today.
Chertoff, who is participating in a panel discussion at the conference,
said there is a growing need for the U.S. to create a strong, formal
strategy for responding to cyberattacks against American interests.
Such a strategy would need to clearly articulate possible U.S. responses
to attacks, which could include diplomatic and other tools.
Chertoff noted that by comparison, physical attacks are relatively easy
to track down and respond to. "In the Cold War we could attribute an
attack. It was clear where it came from and we could respond," he said.




