Thursday, March 26, 2009

Another "Study" Jumps On The Anti-IT Bandwagon

"Enterprises increasingly worry that their employees may be more willing to steal data or sell insider knowledge because of the poor economy, according to an annual security survey conducted by KPMG International.

"Sixty-six percent of respondents felt that out-of-work IT staffers would be tempted to join the criminal underground, driven in part by threats to bonuses, job losses and worthless stock options.

"The E-crime Survey 2009, presented at the E-Crime Congress in London on Tuesday, surveyed 307 private companies, government organizations and law enforcement agencies.

"In the survey, KPMG said that fraud committed by managers, employees and customers tripled last year in comparison with 2007, which indicates that the recession will likely only exacerbate those problems..."

More lies at ComputerWorld...

Tuesday, March 24, 2009

Cheap Twits Hiring

"As Twitter's popularity grows, firms are attempting to take advantage of its free social networking services to help cut recruitment costs during difficult economic times. But the value of Twitter as a platform for finding new employees remains unproven.

"U.K. mobile network operator, O2, recently released the results of research on Twitter adoption among small U.K. businesses, and found that 62 percent of the 500 small businesses it questioned viewed cost-cutting as one of the greatest benefits of the service. Respondents cited marketing and recruitment functions as the most common way to reduce overhead through the social network; 16 percent claimed to have saved over £1000 as a result.

"U.S. digital agency Organic even claims it has now shifted 75 percent of its recruitment efforts towards social networking platforms. The company finds Twitter to be especially appealing thanks to the tech-savvy audience it attracts and the free services it offers..."

More at ClickZ...

Monday, March 23, 2009

Security Researchers Admit To Having NO CLUE

No Surprise There

"Security researchers are in the dark about what will happen next week when the newest variant of Conficker, 2009's biggest worm by a mile, begins trying to contact its controllers.

"`It's impossible to know until we see something that has a clear profit motive,` said Joe Stewart, director of malware research at SecureWorks Inc. and a noted botnet researcher.

"PCs infected with Conficker.c, the third version of the worm that first appeared late last year, will use a new communication scheme on April 1 to establish a link to the command-and-control servers operated by the hackers who seeded the malware. The date is hard-coded into the worm, which in turn polls any of a number of major Web sites, including Yahoo, for the date, said Stewart.

"That tactic is just one of several designed to make it tough for security researchers to figure out what Conficker's all about, and more importantly, what it might do..."

From ComputerWorld...

Friday, March 20, 2009

Hackers Deflower Virgin Media

"More than a thousand hackers are using reconfigured cable modems to fraudulently access free high speed Virgin Media broadband, sources have revealed.

"The hack has been made possible by the recent launch of Virgin Media's 50Mbit/s `XXL` package. It relies on new equipment running the upgraded DOCSIS 3.0 data transmission standard.

"The launch has allowed hackers to apply the new configuration from Virgin Media's official up to 50Mbit/s home modem to legacy DOCSIS 1.0 hardware, to access the DOCSIS 1.0 platform at higher speeds. Our source said over a thousand lines have been seen obtaining about 30Mbit/s downstream.

"Virgin Media told The Register it was aware of the problem and was working to address it."

From The Register...

Twits PWN3D

"Micro-blogging site Twitter suffers from a potentially devastating vulnerability that forces logged-in users to post messages of an attacker's choice simply by clicking on a link.

"The XSS, or cross-site scripting, error was discovered by Secure Sciences Corp researchers Lance James and Eric Wastl, who have fashioned [a] link to demonstrate their finding. Clicking on it while logged in to Twitter causes users to immediately broadcast an innocuous message to all of their followers...

"Of course, it would be just as easy to craft links that do considerably more damage. Tweets are limited to just 140 characters, making it almost mandatory to use shortened URLs that obscure their final destination. While it's possible to preview the link before visiting, many Twitter users have grown so accustomed to them they click on them directly."

From The Register...

Google's Credit Card Cache

"A defunct payment gateway has exposed as many as 19,000 credit card numbers...

"The discovery by a local IT industry worker was made by mistake and appears to be caused by a known issue with the Google search engine, in which the pages of defunct web sites containing sensitive directories remain cached and available to anyone."

More at iTnews...

Saturday, March 14, 2009

Hackers Gasping For Adobe AIR

"Adobe has released their new AIR product with much fanfare about letting developers `use proven Web technologies to build rich Internet applications that deploy to the desktop and run across operating systems.` The grand vision that's being promoted is that AIR is pioneering the application development model of the future, where cross-platform applications will be developed using a platform-independent tool such as AIR, and then deployed across the Web as downloadable gadgets that can be installed on any computer...

"The designers of AIR obviously wanted to play in the desktop application space, so AIR applications have full access to the machine they are running on. But it seems that the AIR designers were unwilling to give up on also being a platform for casually loaded Internet gadgets, even though they did not see fit to give AIR a sandbox for running untrusted applications...

"The resulting situation will be a bonanza for criminal hackers. AIR will become the first truly cross-platform tool for distributing malicious applications. Macintosh and Windows, home and business computers will all be equal-opportunity targets for Trojan horse attacks, keystroke loggers, etc., truly realizing the dream of `write once, hack everywhere!`"

More at AjaxWorld...

Hackers PWN Ticketmaster

"If you're hoping to score tickets to Coldplay's Vancouver concerts when they go on sale Saturday, you could find yourself up against computer hackers who can order up hundreds and even thousands of tickets in the time it would take you to punch in a single order.

"Scalpers looking to jump the online queue can program a computer to circumvent Ticketmaster's website security and automatically order tickets at speeds far beyond ones the ordinary buyer could hope to match...

"`Maybe it takes you a minute-and-a-half to click through to buy a ticket, in that minute-and-a-half the hacker could have made 100,000 ticket requests,` said Ryan Purita, a forensic examiner and security specialist with Sherlock Forensics. `You cannot beat a hacker script...`"

Source: Vancouver Sun...

Friday, March 13, 2009

Cyberbullies Steal Lunch Money

"Bank officials are beginning to recover some of the $200,000 that computer hackers are suspected of transferring out of the Carl Junction school district's account.

"The Joplin Globe is reporting that the amount recovered totals at least $80,000.

"Superintendent Phil Cook says a computer virus that struck on Feb. 26 allowed someone to access the district's bank account.

"He says about $200,000 was transferred earlier this month from the district's account to a number of banks nationwide in increments of about $8,000.

"The bank noticed the problem March 6 and contacted the southwest Missouri school district.

"Cook says the FBI is investigating."

From KSPR...

McAfee's Business Partners Are Evil

[See also this post. Is the pot calling the kettle black or does it simply take one to know one? -Hinky]

"Federal law enforcement officials filed bribery charges today against the District of Columbia's acting chief security officer, along with a one-time D.C. government employee who owns an IT outsourcing company that runs offshore operations in India. Both were later arraigned in federal court.

"Arrested this morning was Yusuf Acar, who currently is the District of Columbia's acting chief security officer; police said they found $70,000 in cash in his Washington home. Acar's annual salary is $127,468, according to court documents.

"The second suspect arraigned on bribery charges is Sushil Bansal, CEO and founder of Advanced Integrated Technologies Corp. (AITC), a Washington-based outsourcing vendor that has won a number of contracts from the district's IT department.

"In what the government officials described as the `McAfee Software Scheme,` Bansal's firm submitted a purchase order for 2,000 units of McAfee Foundstone software, which is used to provide automated scanning and vulnerability assessments, for $104,166. McAfee generated a quote for AITC for the purchase of 500 units of the software at $36,845, but AITC, the provider in this case, charged the D.C. government for 2,000 licenses."

Full article at ComputerWorld...

Thursday, March 12, 2009

FBI Rounds Up Evil IT Workers In Nation's Capitol

"FBI agents have arrested a District of Columbia government worker and another man while they search the offices of the city's chief technology officer.

"The head of that city office, Vivek Kundra, recently left to take a White House technology post.

"A law enforcement official, speaking on condition of anonymity because charges had not yet been unsealed, said worker Yusuf Acar was arrested Thursday. Another man, Sushil Bansal, was also arrested. A court appearance is expected later in the day.

"Katherine Schweit, spokeswoman for the FBI's Washington field office, said the search was being conducted as part of an ongoing investigation.

"Schweit declined to give the subject of the investigation, or comment further on the case."

Source: Yahoo!...

Wednesday, March 11, 2009

"Customers will write us bigger checks."

"The behemoth of Redmond, Wash., is methodically rolling out business software that's sold as an online service. There's a very compelling reason: For Microsoft, selling software-as-a-service means more revenues, and eventually profits, out of each transaction.

"Microsoft Senior Vice President Chris Capossela puts it bluntly: `Customers will write us bigger checks.`"

Full article at Forbes...

"The Big Bad Database of Senator Norm Coleman"

"Wikileaks has released detailed lists of the controversial Republican Senator Norm Coleman's supporters and donors. Some 51,000 individuals are represented.

"Although politically interesting in their own right, the lists, which are part of an enormous 4.3Gb database leak from the Coleman campaign, provide proof to the rumors that sensitive information--including thousands of supporters' credit card numbers--were put onto the Internet on January 28 as a result of sloppy handling by the campaign.

"Senator Coleman collected detailed information on every supporter and website visitor and retained unencrypted credit card information from donors, including their security codes. Although made aware of the leak in January, Senator Coleman kept the breach secret, failing to inform contributors, in violation of Minnesota Statute 325E.61."

Good reading at WikiLeaks...

Watcha Gonna Do When They Tweet For You?

"Like unhip adults late to adopt a fad, police departments and other law enforcement agencies are jumping on the social networking bandwagon. They hope to break down bureaucratic boundaries between departments and jurisdictions and further the fight against crime.

"A few companies in the field are developing promising businesses, and supporters have given the trend a slightly cringe-inducing name: Law Enforcement 2.0.

"As in so many other realms where the use of technology has expanded in what seems an eye-blink, this crime-fighting method promises great improvements over traditional ways of getting things done. But it also challenges existing privacy protections, like limitations on the information investigators can share about people they may suspect of committing crimes..."

More at The New York Times...

Tuesday, March 10, 2009

Non-IT Worker Destroys Data Just For Funsies

"A promising engineering student who deliberately deleted crucial information from his employer's computer backup systems cost the company hundreds of thousands of dollars in lost business and data recovery.

"Gareth Pert, 23, nearly crippled Hamilton business Progressive Hydraulics while acting out of `pure vindictiveness`, said company director Rodney Sharp.

"And Sharp has warned other employers they stand to lose their life's work if they trust new staff and don't tighten computer security systems..."


Monday, March 9, 2009

McAfee Jumps On Anti-IT Worker Bandwagon

"If you think the IT guy at work is annoying now -- does he really have to roll his eyes when you ask him where to find the power switch? -- just wait until he steals $5 million dollars from the company.

"As the recession unfolds and companies lay off an increasing number of employees, firms face a new and growing threat in the form of disgruntled technology workers with access to a corporation's best-kept secrets.

"Theft of intellectual property, fraud and damage of corporate networks cost corporations over $1 trillion globally in 2008, according to a recent report by the security firm McAfee..."

More at ABC News...

Friday, March 6, 2009

Mad Scientists Release H5N1 Bug

"It's emerged that virulent H5N1 bird flu was sent out by accident from an Austrian lab last year and given to ferrets in the Czech Republic before anyone realised. As well as the risk of it escaping into the wild, the H5N1 got mixed with a human strain, which might have spawned a hybrid that could unleash a pandemic.

"Last December, the Austrian branch of US vaccine company Baxter sent a batch of ordinary human H3N2 flu, altered so it couldn't replicate, to Avir Green Hills Biotechnology, also in Austria. In February, a lab in the Czech Republic working for Avir alerted Baxter that, unexpectedly, ferrets inoculated with the sample had died. It turned out the sample contained live H5N1, which Baxter uses to make vaccine. The two seem to have been mixed in error.

"Markus Reinhard of Baxter says no one was infected because the H3N2 was handled at a high level of containment. But Ab Osterhaus of Erasmus University in the Netherlands says: `We need to go to great lengths to make sure this kind of thing doesn't happen.`"

Source: NewScientist

Wednesday, March 4, 2009

No Honor Among Cyberthieves

"Cyber-crooks are not only exploiting security flaws in popular software in order to steal from vulnerable and innocent users. Independent Security Consultant Dancho Danchev describes how vulnerabilities in unpatched releases of the Zeus crimeware kit are being exploited by hackers in order to steal resources from their fellow criminals.

"The security researcher has come across an interesting posting made by a botnet runner, who asks for help to secure his infrastructure after being compromised several times by other hackers. According to his own account, someone hijacked his botnet, composed of over 100,000 compromised computers, by exploiting a vulnerability in the Zeus kit, which allowed remotely injecting a high-level account into the administration panel of the crimeware..."

Read the full article at Softpedia...

Security "Pros" Shill For Web 2.0 At Conference

"Facebook, LinkedIn and Twitter, once viewed as high-risk, productivity-sucking applications, seem to have wiggled their way into the hearts of security teams nationwide. In fact, most organizations no longer block the popular web sites and allow employees to access these Web 2.0 applications at work, according to a new survey from the Security Executive Council.

"The research, which was released this week at the CSO Perspectives conference, reveals 86 percent of organizations who responded to an open poll on the council's web site said they do allow workers to use Web 2.0 applications, such as Facebook, LinkedIn and Twitter, while on the job and/or with a company-issued computer.

"The topic of social networking and work access was the subject of a spirited discussion among professionals who attended CSOP, a three-day event in Clearwater, Florida. Some in attendance pointed to Web 2.0 access as a necessary recruiting and retention tool..."

More at Network World...