Data Security News

Thailand approves extradition of credit card hack suspect

- By Dan Goodin in San Francisco The Register 8th March 2010
A criminal court in Thailand has approved the extradition to the US of a Malaysian man suspected of participating in credit card thefts of more

RSA: Cybersecurity A Joint Fed, Industry Effort

- By J. Nicholas Hoover InformationWeek March 8, 2010
Government officials played a starring role at the annual RSA Conference last week, laying out their plans for government cybersecurity,

Cybersecurity program has serious defects, GAO says

- By William Jackson GCN.com March 08, 2010
Implementing the Comprehensive National Cybersecurity Initiative, a broad program intended to protect the nation's cyber infrastructure, has been hampered by a lack of coordination and transparency, according to the Government Accountability Office.
"CNCI is unlikely to fully achieve its goal of reducing potential vulnerabilities, protecting against intrusion attempts, and anticipating future threats to federal information systems unless roles and responsibilities for cybersecurity activities across the federal government are more clearly defined and coordinated," the GAO concluded in a November briefing to the staff of the House Armed Services subcommittee on Terrorism, Unconventional Threats and Capabilities.
The GAO also concluded that too much of the initiative, which was spelled out in National Security Presidential Directive 54 and Homeland Security Presidential Directive 23, has remained classified.
"Since the approval of NSPD-54/HSPD-23, few elements of CNCI have been made public," the GAO briefing said. "While certain aspects and details of CNCI must necessarily remain classified, the lack of transparency regarding CNCI projects hinders accountability to Congress and the public. In addition, current classification may make it difficult for some agencies, as well as the private sector, to interact and contribute to the success of CNCI projects."

Ford Motor Rolls Out New Security Features To Prevent Car-Hacking

- By Kelly Jackson Higgins DarkReading March 08, 2010
Automobile giant Ford Motor this year will debut vehicles with built-in WiFi -- along with enhanced security features to prevent data breaches via its new cars.
Ford has offered the so-called Sync technology service it co-developed with Microsoft in most of its Ford, Lincoln, and Mercury vehicles since 2008. The technology lets drivers run their Bluetooth-enabled mobile phones and digital media players via their vehicles and use voice commands to operate them, for instance.
The automaker announced today that the second generation of its Sync technology -- due out later this year and to include a full Windows CE operating system with a new driver interface called MyFordTouch -- will come with a built-in browser and secured WiFi access. It will first debut in the 2011 Ford Edge and 2011 Lincoln MKX, and later, in the 2010 Ford Focus.
"We really began to focus on the security side when we began launching Sync, and it was [originally] for working with phones and media players," says Jim Buczkowski, director of Ford electronics and electrical systems engineering. "Now we're extending that system connectivity to include WiFi as another data path for customers in their vehicles ... and we're extending that security model for protecting WiFi."

Backdoor found in Energizer Duo USB battery charger

- By Elinor Mills InSecurity Complex CNet News March 8, 2010
Software that can be downloaded for use with the Energizer Duo USB battery charger contains a backdoor that could allow an attacker to remotely take control of a Windows-based PC, Energizer and US-CERT are warning.
"The installer for the Energizer Duo software places the file UsbCharger.dll in the application's directory and Arucer.dll in the Windows system32 directory," the U.S. Computer Emergency Readiness Team said in an advisory on Friday. "Arucer.dll is a backdoor that allows unauthorized remote system access via accepting connections on 7777/tcp. Its capabilities include the ability to list directories, send and receive files, and execute programs."
The Windows software was made available via a download with the Energizer Duo Charger, Model CHUSB, Energizer said in a statement.
The battery maker said it does not know how the Trojan got into the software. "Energizer has discontinued sale of this product and has removed the site to download the software," the statement said. "Energizer is currently working with both CERT and U.S. government officials to understand how the code was inserted in the software."
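A host-side triage check for the two indicators the advisory names, added here as an example (it is not Energizer's or US-CERT's code): it parses `netstat -ano`-style output for a listener on 7777/tcp and looks for Arucer.dll among the files in the system32 directory (UsbCharger.dll in the application directory is reported separately, since on its own it only shows the installer ran). The netstat lines, file lists and PIDs below are constructed so the script runs offline.

```python
"""Indicator check for the Energizer Duo backdoor (Arucer.dll, 7777/tcp).

Added example, not vendor or US-CERT code. Indicators are taken from the
advisory text quoted above; all sample data is constructed.
"""
import re
from dataclasses import dataclass, field

BACKDOOR_PORT = 7777
BACKDOOR_FILES = {"arucer.dll"}        # dropped into %SystemRoot%\system32
INSTALLER_FILES = {"usbcharger.dll"}   # placed in the application's directory

# One TCP line of Windows `netstat -ano` output, e.g.
#   TCP    0.0.0.0:7777           0.0.0.0:0              LISTENING       1184
# The address group also handles IPv6 forms such as [::]:7777.
NETSTAT_TCP = re.compile(
    r"^\s*TCP\s+(?P<laddr>\S+):(?P<lport>\d+)\s+\S+\s+(?P<state>\S+)\s+(?P<pid>\d+)\s*$",
    re.IGNORECASE,
)


@dataclass
class Findings:
    listeners: list = field(default_factory=list)   # (local address, pid) bound to 7777/tcp
    files: list = field(default_factory=list)       # backdoor DLL names found in system32
    companions: list = field(default_factory=list)  # installer DLLs found in the app directory

    @property
    def compromised(self) -> bool:
        # Either indicator alone is enough: the DLL may be on disk before the
        # service has started, or still listening after the file was renamed.
        return bool(self.listeners or self.files)


def parse_netstat(lines):
    """Yield (local address, local port, state, pid) for each TCP line."""
    for line in lines:
        m = NETSTAT_TCP.match(line)
        if m:
            yield m["laddr"], int(m["lport"]), m["state"].upper(), int(m["pid"])


def check_host(netstat_lines, system32_files, app_dir_files):
    """Match the advisory's indicators against netstat output and directory listings."""
    f = Findings()
    for laddr, lport, state, pid in parse_netstat(netstat_lines):
        if lport == BACKDOOR_PORT and state == "LISTENING":
            f.listeners.append((laddr, pid))
    # File name matching is case-insensitive, as the Windows file system is.
    f.files = sorted(n for n in system32_files if n.lower() in BACKDOOR_FILES)
    f.companions = sorted(n for n in app_dir_files if n.lower() in INSTALLER_FILES)
    return f


# Constructed sample data (not a real capture): an infected and a clean host.
INFECTED_NETSTAT = [
    "  Proto  Local Address          Foreign Address        State           PID",
    "  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812",
    "  TCP    0.0.0.0:7777           0.0.0.0:0              LISTENING       1184",
    "  TCP    192.168.1.20:49673     192.168.1.5:445        ESTABLISHED     4",
    "  TCP    [::]:7777              [::]:0                 LISTENING       1184",
    "  UDP    0.0.0.0:500            *:*                                    1096",
]
INFECTED_SYSTEM32 = ["kernel32.dll", "Arucer.dll", "ntdll.dll"]
INFECTED_APP_DIR = ["UsbCharger.dll", "charger.exe"]

CLEAN_NETSTAT = [
    "  Proto  Local Address          Foreign Address        State           PID",
    "  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812",
    "  TCP    192.168.1.20:7777      192.168.1.9:443        ESTABLISHED     2044",
]
CLEAN_SYSTEM32 = ["kernel32.dll", "ntdll.dll"]
CLEAN_APP_DIR = ["charger.exe"]


if __name__ == "__main__":
    for label, args in (("infected", (INFECTED_NETSTAT, INFECTED_SYSTEM32, INFECTED_APP_DIR)),
                        ("clean", (CLEAN_NETSTAT, CLEAN_SYSTEM32, CLEAN_APP_DIR))):
        f = check_host(*args)
        print(f"{label}: compromised={f.compromised} listeners={f.listeners} "
              f"files={f.files} companions={f.companions}")
```

On a real machine, feed `check_host` the lines of `netstat -ano` and the result of `os.listdir` on the system32 and application directories. Note the deliberate narrowness: an outbound connection whose local port happens to be 7777 is not a listener and is ignored, and a renamed DLL or a rebuilt sample bound to another port would evade both matches, so a negative result is triage, not proof the host is clean.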

FDIC: Hackers took more than $120M in three months

- By Robert McMillan IDG News Service March 8, 2010
Ongoing computer scams targeting small businesses cost U.S. companies $25 million in the third quarter of 2009, according to the U.S.

Tokyo's Cyber Emergency Centre at the vanguard of hacking defence

- By Leo Lewis The Times March 8, 2010
Across one wall of a Thunderbirds-style command centre a huge map of the world keeps a running log of global cyber-attacks. Bloodcurdling names

The Corporate Side of Snooping

- By DEVIN LEONARD Off the Shelf The New York Times March 5, 2010
IT'S easy to understand how Washington reporters can become jaded. They are constantly being spun by the same gang of politicians and lobbyists

Microsoft's tax-for-hacks 'horrible' idea, say security experts

- By Gregg Keizer Computerworld March 5, 2010
Microsoft's idea that the fight against malware could be funded by an Internet tax is "horrible," an analyst said Thursday as other experts weighed in on a recent comment by the company's security chief.
Earlier this week, Scott Charney, Microsoft's vice president for its Trustworthy Computing group, said that while there are plenty of ways to combat malware, scrub infected PCs and take down botnets, no one wanted to foot the bill.
"Maybe markets will make it work," Charney said, but then added that an Internet usage tax might be the solution. "You could say it's a public safety issue and do it with general taxation," Charney said.
"The idea of a general Net tax is a horrible idea," said John Pescatore, Gartner's security analyst. "Why not a tax on all retail goods for a standard antishoplifting service all merchants would have to use?" A business, he said, can now select what it thinks is the best anti-malware solution, but that choice would presumably vanish if funding for battling the bad guys went national.

Facebook founder Mark Zuckerberg 'hacked into emails of rivals and journalists'

- By Mail Foreign Service 6th March 2010
Facebook founder Mark Zuckerberg has been accused of hacking into the email accounts of rivals and journalists.

Westin Bonaventure Los Angeles latest victim of hotel hackers

- By Barbara De Lollis USA TODAY Hotel Check-In March 07, 2010
You may have to monitor your credit card statements - and even place a

At RSA, Some Security Pros Don't Practice What They Preach

- By Tim Wilson DarkReading March 05, 2010
SAN FRANCISCO -- RSA Conference 2010 -- You'd think the behavior of wireless users at one of the industry's biggest security conferences

Iowa Homeland Security Web site "compromised"

- By WILLIAM PETROSKI dmreg.com March 4, 2010
The Iowa Homeland Security and Emergency Management Division's Web site has been "compromised," a state official said today.

Nation's cybersecurity suffers from a lack of information sharing

- InfoSec News, forwarded from: Richard Forno <rforno (at) infowarrior.org>
Talk about a blast from the past!
This article could be ripped from FCW's archives with only the dates and names changed .... I mean, didn't we hear industry and gov folks say the same thing in 1997, 2000, 2003, 2005, 2007 and 2009 about critical infrastructure protection, Y2K, homeland security, etc? Heck, the Nation even has a "National Strategy for Information Sharing" issued by the White House. Lot of good that's done, too.
Yet after 15 years or so we're *still* talking about the same problems and obstacles to overcome involved with both information-sharing and infosec in general, in both human and technical terms.
...but that's okay, we can always levy a Charney-charge [1] on everyone to help subsidize the industry instead. This is the decade of bailing folks out, isn't it?
Same stuff, different year. And folks wonder why I am so damn cynical about this industry.
-rf
[1]
On Mar 4, 2010, at 01:18, InfoSec News wrote:

New BlackEnergy Trojan Targeting Russian, Ukrainian Banks

- By Kelly Jackson Higgins DarkReading March 04, 2010
SAN FRANCISCO -- RSA Conference 2010 -- Russian hackers have written a more sophisticated version of the infamous BlackEnergy Trojan associated

White House Cyber Czar: 'There Is No Cyberwar'

- By Ryan Singel Threat Level Wired.com March 4, 2010
Howard Schmidt, the new cybersecurity czar for the Obama administration, has a short answer for the drumbeat of rhetoric claiming the United

Heartland Aftershocks: Still at Risk?

- By Linda McGlasson Managing Editor Bank Info Security March 4, 2010
Earlier this week, First National Bank of Durango, CO came forward to reveal that as many as 5,000 of its customers were at risk because of

FBI Director: Hackers have corrupted valuable data

- By Robert McMillan IDG News Service March 4, 2010
Hackers breaking into businesses and government agencies with targeted attacks have not only stolen intellectual property, in some cases they have corrupted data too, the head of the U.S. Federal Bureau of Investigation said Thursday.
The United States has been under assault from these targeted spear-phishing attacks for years, but they received mainstream attention in January, when Google admitted that it had been hit and threatened to pull its business out of China -- the presumed source of the attack -- as a result.
FBI Director Robert Mueller called these attacks a threat to the nation's security on Thursday, speaking at the RSA Conference in San Francisco. "Just one breach is all they need in order to open the floodgates," he said, speaking about the hackers behind these intrusions. "We have seen not only a loss of data, but also a corruption of that data."
Mueller did not say exactly what he meant by corruption of data, but security experts worry that if attackers are able to alter source code, they might put backdoors or logic bombs in the software they gain access to.

'Severe' OpenSSL vuln busts public key crypto

- By Dan Goodin in San Francisco The Register 4th March 2010
Computer scientists say they've discovered a "severe vulnerability" in the world's most widely used software encryption package that allows

Heartland Breach: Colorado Bank Reports New Fraud

- By Linda McGlasson Managing Editor Bank Info Security March 3, 2010
A Colorado bank has come forward to reveal that as many as 5,000 of its customers were at risk because of new fraudulent transactions tied to

Shands notifies 12,500 patients that data at risk

- By Nathan Crabbe Staff writer Gainesville.com March 2, 2010
Shands HealthCare has notified about 12,500 patients that a laptop containing their medical information was stolen in January.

Nation's cybersecurity suffers from a lack of information sharing

- By William Jackson FCW.com March 03, 2010
SAN FRANCISCO -- The lack of trust between the public and private sectors continues to inhibit the sharing of information needed for the nation to effectively defend against rapidly evolving cyberthreats, a panel of industry experts and former government officials said Tuesday.
"We need to have more transparency in the public-private partnership," said Melissa Hathaway, former White House advisor who conducted last year's comprehensive review of government cybersecurity. "The trust does not exist between the two parties."
Hathaway, who now runs her own cybersecurity consulting firm, said during a panel discussion at the RSA Security Conference that a "safe space" overseen by a trusted third party is needed to facilitate sharing.
William Crowell, former National Security Agency deputy director, said that it should be possible to share information without identifying the source, to make the parties feel more secure about providing it. "We need to be able to abstract the information we are going to share," he said. "That's our best approach in the long run."

Tracing attack source key to cybersecurity strategy, Chertoff says

- By Jaikumar Vijayan Computerworld March 3, 2010
SAN FRANCISCO -- The difficult task of identifying the true sources of cyber attacks remains one of the biggest challenges in the development of a national cybersecurity strategy, former Department of Homeland Security Secretary Michael Chertoff told Computerworld in an interview at the RSA Security conference here today.
Chertoff, who is participating in a panel discussion at the conference, said there is a growing need for the U.S to create a strong, formal strategy for responding to cyberattacks against American interests.
Such a strategy would need to clearly articulate possible U.S. responses to attacks, which could include diplomatic and other tools.
Chertoff noted that by comparison, physical attacks are relatively easy to track down and respond to. "In the Cold War we could attribute an attack. It was clear where it came from and we could respond," he said.