Monday, April 30, 2007

Entrepreneurial hackers buy sponsored links on Google

Ad links sidetracked users, installed password stealer
A hacker scheme that involved buying search keywords on Google and then routing users to a malicious site when they clicked on sponsored links was revealed yesterday by a security company.

According to Roger Thompson, chief technology officer at Exploit Prevention Labs, the ploy involved sponsored links (the text ads that appear alongside search results on Google), a malicious intermediary and malware that steals online banking usernames and passwords.

"It's quite an investment on the bad guys' part," said Thompson. "Instead of just hacking into sites, they bought keywords."

Click here for the full story.

Tuesday, April 24, 2007

Olympics to bring London IT security challenges

ID cards may be an answer, but sponsorships pose a problem
Britain's IT industry is likely to see business surge as London prepares to spend at least $2 billion on security when it hosts the 2012 Olympics.

The cost could rise as the U.K. tries to fortify itself against a repeat of the July 2005 bombings on London's transport system during the world's most prominent sporting event, said Derek Wyatt, a member of Parliament who spoke at InfoSecurity Europe in London on Tuesday.

"I hope this gives you an inkling of what I think will be the biggest piece of business your industry is going to face over the next five years," Wyatt told a crowd of IT executives.

Technology will play a major role, although how it will be integrated is far from decided, Wyatt said. One security issue is authentication: how to ensure that the person who holds a ticket is indeed the same person who bought it.

Click here for the full story.

Friday, April 20, 2007

Grading On a Curve

The government's security report card should be taken with a great big grain of salt
By now, almost everyone's heard about the "Federal Computer Security Report Card" released last week. Issued by the House Government Oversight and Reform Committee, the report card is based on the Office of Management and Budget's analysis of each federal agency's own reporting on its compliance with the Federal Information Security Management Act (FISMA).

This report card, like every one since FISMA was enacted in 2002, was abysmal. The federal government as a whole received a C-. The Nuclear Regulatory Commission and the departments of Defense, State, Treasury, Commerce, Education and Agriculture all received failing grades. The Department of Homeland Security received a D, while the Department of Energy (which is responsible for the nation's nuclear weapons and energy programs) received a C-.

So what does this tell us about the security of government networks? Not all that much, actually.

Click here for the full story.

Thursday, April 19, 2007

No data stolen in 2006 computer intrusions, says Commerce Dept.

Hackers managed to get into 33 agency computers
Unknown intruders last year managed to infect 33 computers belonging to a bureau of the U.S. Department of Commerce (DOC) with data-stealing Trojans and other malware.

But the compromises were quickly detected and no information is believed to have been stolen, according to testimony presented today at a congressional subcommittee hearing on the extent to which federal networks and critical infrastructure have been compromised by foreign hackers. The hearing is being held by a subcommittee of the Committee on Homeland Security and is being chaired by Rep. James Langevin (D-R.I.).

Click here for the full story.

Wednesday, April 18, 2007

Targeted Attacks on the Rise

It's the other end of the threat spectrum: Instead of a massive attack on hundreds of your users, it's one message, sent to a single user, containing a backdoor Trojan -- or worse.

Such narrowly-targeted attacks are becoming more popular than ever, according to a new report issued today by MessageLabs. The messaging security company says it identified 716 emails in 249 targeted attacks last month. The attacks targeted 263 different domains, belonging to 216 different customers.

Click here for the full story.

Monday, April 16, 2007

Study: Browser Warnings Don't Work

The lock-and-key icon was broken. The site-authentication image was not there. A security message popped up, warning that the site was not properly certified.

And still, more than half of them entered a password and tried to log in.

That's the bottom-line finding of a new study from researchers at Harvard University and MIT, who conducted a live test of banking users to measure the effectiveness of browser-based authentication and anti-phishing features earlier this year. The research is scheduled to be presented at the IEEE Symposium on Security and Privacy next month.

Click here for the full story.

Friday, April 13, 2007

Feds Under Fire Over Security

Congress is ticked off about computer security.
Over the last two days, members of both the House and Senate have registered complaints over the way government agencies are dealing with the security issue, and they've called for action to address the problems.

Earlier today, Rep. Tom Davis (R-Va.), ranking member of the House Government Oversight and Reform Committee, gave the federal government an overall grade of C-minus when it comes to safekeeping information on government computer systems.

Click here for the full story.

Thursday, April 12, 2007

Just how much will that data breach cost your company?

An online calculator lets companies estimate costs
Want to know just how much a data breach is likely to end up costing your company? Darwin Professional Underwriters Inc. may be able to help.

The Farmington, Conn.-based technology liability insurance company has released a free online calculator that it said allows businesses to estimate -- with a fair degree of accuracy -- their financial risk from data theft.

Click here for the full story.

Tuesday, April 10, 2007

How to avoid falling into the phishing hole

You never can defend yourself too much while online.
A PC World reader alerted me to a flaw on eBay's Web site that enabled a scam designed to trick people into handing over their personal information. eBay promptly patched the flaw last week, but experts I spoke with are wondering how long the fix will hold.

The flaw allowed a scammer to use an increasingly common type of attack called cross-site scripting, or XSS, to redirect people from an eBay listing to a spoofed eBay site. Though eBay may have plugged the hole for now, experts say, similar problems have surfaced in the past on eBay and other sites, and it's a safe bet they will again. The problem is not going away, and it will continue to cause trouble for visitors to eBay and other sites for the foreseeable future.

Click here for the full story.

Monday, April 09, 2007

Nearly 500 IRS Laptops Lost or Stolen Over Three Years

Audit also finds unencrypted data of taxpayers on 44 laptops now in use
Nearly 500 Internal Revenue Service laptops — many likely containing unencrypted personal information of taxpayers — were lost or stolen over a 30-month period ending in June 2006, according to an audit released last month.

The audit, conducted by the Treasury Inspector General for Tax Administration, found that between Jan. 2, 2003, and June 13, 2006, a “large number” of laptops were stolen from the vehicles and homes of IRS employees, while 111 were stolen from various agency facilities.

Although auditors were unable to determine exactly what information was contained on the missing laptops, they did conclude that personal information of taxpayers is not adequately protected.

Click here for the full story.

Wednesday, April 04, 2007

Dude, Where's Your PC?

Do you know where all of your company's computers are?
The U.S. Department of Energy's Counterintelligence Directorate doesn't. In fact, the intelligence agency -- which is tasked with protecting sensitive data and operations against espionage by foreign entities -- is missing 20 computers that may contain classified data, according to an inspection report issued last week by the DOE's Office of the Inspector General.

At least 14 of the computers were known to have processed classified information, the report says. The Counterintelligence Directorate's inventory records "were so imprecise and inaccurate that [the agency] had to resort to extraordinary means to locate an additional 125 computers."

Click here for the full story.

Tuesday, April 03, 2007

Spam Costs $712 Per Employee Annually

As a luncheon meat, Spam is a bargain. As unsolicited marketing, spam is a rip-off: $712 per employee per year, or $71 billion to all U.S. businesses annually.

That's the cost of spam in terms of lost productivity, according to a survey released Monday by IT research firms Nucleus Research and KnowledgeStorm.

These figures come from a survey of 849 e-mail users conducted last month, which found that two of every three e-mail messages received by businesspeople are spam, despite the fact that 60% of companies filter spam. The survey results are based on a $30-per-hour pay rate, a 2,080-hour work year, 100,249,046 U.S. e-mail-using workers, and the assumption that e-mail users spend 16 seconds on average identifying and deleting each spam message that has evaded detection and landed in an in-box.

Click here for the full story.

Monday, April 02, 2007

TJX breach may spur greater adoption of credit card security standards

Experts say TJX either failed to encrypt or truncate credit card numbers or did not secure encryption keys

The exposure of 45.7 million credit and debit card numbers in the TJX data theft should serve as a wakeup call to retailers who risk losing money and credibility when they fail to protect sensitive customer data, say officials at the PCI Security Standards Council.

Click here for the full story.

About Me

Choose Dyrand Systems as your virtual IT department and focus on growing your business—not on the technology that supports it. You deserve peace of mind when it comes to IT. When you choose Dyrand, you’re choosing more than just an IT firm—you’re choosing an extension of your own team.