Month: February 2010

Most Enterprises Worldwide Hit by Cyber Attack in 2009

Posted on by admini

Respondents on average said they were exploring 19 different IT standards or frameworks to protect their networks and were currently employing at least eight of them.

But IT managers said they are understaffed in key areas, with network security (44 percent), messaging security (39 percent) identified as groups that remain woefully understaffed.

Hacker countermeasures Last week, NetWitness, a Virginia-based computer security firm, disclosed that organized hackers had broken into the computers of 2,411 companies and government agencies over the past 18 months.

In January, senior executives at Exxon Mobile (NYSE: XOM), ConocoPhillips (NYSE: COP) and Marathon Oil (NYSE: MRO) confirmed that they were targeted by an extremely aggressive malware campaign attack in 2008 designed to steal key proprietary data — including multi-million-dollar research to locate the next great oil or natural gas discovery.

http://www.esecurityplanet.com/features/article.php/3866866/Most-Enterprises-Worldwide-Hit-by-Cyber-Attack-in-2009.htm

Read more

FTC warns 100 organisations over leaked P2P data

Posted on by admini

The leaked data — including customer and employee personal information — was left open to download after workers in the affected organisations decided to download content at work without really understanding what they were doing.

The offending organisations included schools, local governments, private corporations and small businesses.

The FTC issued a statement on this action, which is hopes will act as a wider warning against a real risk.

http://www.theregister.co.uk/2010/02/23/p2p_data_leak_warning/

Read more

Criminals Hide Payment-Card Skimmers Inside Gas Station Pumps

Posted on by admini

The devices typically include a scanner, transmitter, camera, and, most recently, Bluetooth- or wireless-enabled links that shoot the stolen data back to the bad guys.

A similar attack occurred with a rigged ATM machine last year in Las Vegas during the Defcon hacker show: Security researcher Chris Paget lost $200 to an ATM machine in the Rio All-Suite Hotel & Casino that appeared to be operating normally, but failed to spit out cash.

The U.S. Secret Service was investigating the incident, and it was unclear whether the machine was outfitted internally with a skimming device or had been tampered with for someone to grab the cash withdrawals at a later time.

Bruce Schneier, CTO for BT Counterpane and author of the Schneier on Security blog, says attackers in Europe are also moving skimming devices inside gas pumps as a way to avoid detection.

Troy Arnold from the Sandy police department told a local news outlets that the device in the 7-Eleven gas pump was the size of a cellular phone SIM card and was affixed to the card reader inside the pump.

“It’s a small device — Bluetooth, the size of a SIM card — that is attached to the actual credit card reader.

Back in December, a similar spree occurred in the Sacramento, Calif., area, where gas pumps at an AM/PM convenience store were outfitted with card skimmers, transmitters, and small cameras that siphon victims’ debit card data.

http://www.darkreading.com/database_security/security/attacks/showArticle.jhtml?articleID=223100233&cid=RSSfeed

[Link to an article showing a typical ATM skimmer setup: http://www.snopes.com/fraud/atm/atmcamera.asp. But remember all they really need, is the skimmer to be installed and a good camera!]

Read more

Next generation firewall software introduced by Palo Alto Networks

Posted on by admini

Chris King, director of product marketing at Palo Alto, explained that it is building on key themes on the threat landscape and realising that there is a lot of applications that have a value but are fraught with risk.

It explained that its next generation firewalls combine three identification technologies to provide the necessary visibility and control over applications, users and content.

René Bonvanie, vice president of worldwide marketing at Palo Alto Networks, said that he believed that the market is ready for this, and he was happy with what was coming along.

http://www.scmagazineuk.com/next-generation-firewall-software-introduced-by-palo-alto-networks/article/164251/

Read more

Spike In Power Grid Attacks Likely In Next 12 Months

Posted on by admini

“Some companies say there’s never been a successful attack against the grid, but that’s not true,” he says.

Doug Preece, senior manager for smart energy services at Capgemini, says he expects an uptick in hacking of smart grid devices during the next 12 months as more smart-grid pilot projects are launched at energy firms. “A closed communications network was difficult to breach.” “Their communications will be predominantly wireless, and it’s assumed they will be sniffed, penetrated, hacked, and service will be denied …So we’re designing mitigation techniques and security to address these things,” he says.

The best-case scenario of attack would be someone poking around the network for vulnerabilities so he can cut his energy bill, for example, says Eric Knapp, vice president of technical marketing for NitroSecurity. “The worst-case scenario would be an attacker compromising [the smart grid] and then controlling the distribution of power,” he says.

Patricia Titus, chief information security officer for Unisys Federal Systems and former CISO for the Transportation Security Administration (TSA), says energy firms need to “take a breath” and determine whether adopting smart grid technology will exacerbate or solve problems.

And it’s not that existing SCADA systems are all insulated from attack, even with their private lines.

The Grey Goose report calls out Russia, Turkish hackers, and China as the top threats to the power grid.

It just opens up another window that requires a higher level of sophistication [to breach].”

http://www.darkreading.com/security/vulnerabilities/showArticle.jhtml?articleID=223000369

Read more

Computer Jargon Baffles Users, Hinders Security

Posted on by admini

One problem is that computer “geeks” use jargon to cloak their work in scholarly mystique, resulting in a lack of clarity in everything from instruction manuals and systems design to professional training, the experts said.

“If you don’t demystify security, people become anxious about it and don’t want to do it,” former U.S. Homeland Security Secretary Michael Chertoff told Reuters on the sidelines of the EastWest Institute security meeting in Brussels. “There are some people in the profession who to some degree enjoy the mystification of what they do, that it’s not penetrable… Doctors and lawyers used to enjoy “a sense of mystified special knowledge,” Chertoff said.

The industry has made progress in educating users, but a huge and urgent task lies ahead in view of the growing criminal threat and the imminent arrival of billions more Internet users.

Plain language is vital, said Steve Purser, head of Technical Competence at the European Network and Information Security Agency, a European Union body. They are going to think how to get round the system.”

Educating the individual customer has long been a top goal for an industry struggling to balance security against ease of use and the clamor for mobile communications. “If we try to teach standard messages such as ‘always protect your password’ the danger is that people will learn the recipe but not learn why this happens,” Purser said.

Delegates said imaginative messages explaining the importance of online protection are needed, tailored to different age groups and audiences and posted on media ranging from TV advertising and schools curriculums to Youtube, Second Life, social network sites and video games.

Curtis Siller, director of Standards at the Institute of Electrical and Electronics Engineers, said the industry had to do a better job of communicating the risks to various audiences.

http://www.nytimes.com/reuters/2010/02/19/technology/tech-us-security-cyberspace.html?_r=2&scp=5&sq=computer&st=cse

Read more