Threat Weekly – A Situational Awareness Report from our
Technical Security Team
Volume 2, Issue 4 – 26 January 2012
No significant new threats have been
identified to raise the threat posture.
TOP OF THE NEWS
EU proposes 'right to be forgotten' by internet
A new law promising internet users
the "right to be forgotten" will be proposed by the European
Commission on Wednesday [25th]. It says people will be able to ask
for data about them to be deleted and firms will have to comply
unless there are "legitimate" grounds to retain it.
The move is part of a wide-ranging
overhaul of the commission's 1995 Data Protection Directive. Some
tech firms have expressed concern about the reach of the new bill.
Details of the revised law were unveiled by the Justice
Commissioner, Viviane Reding, at the Digital Life Design (DLD)
conference in Munich.
A spokesman for the commissioner
clarified that the action was designed to help teenagers and young
adults manage their online reputations. "These rules are
particularly aimed at young people as they are not always as aware
as they could be about the consequence of putting photos and other
information on social network websites, or about the various
privacy settings available," said Matthew Newman. He noted that
this could cause problems later if the users had no way of deleting
embarrassing material when applying for jobs. However, he stressed
that it would not give them the right to ask for material such as
their police or medical records to be deleted. Although the
existing directive already coves the principle of "data
minimisation", Mr Newman said that the new law would reinforce the
idea by declaring it "a right".
Other measures in the bill include
an obligation on all firms to notify users and the authorities
about data lost through hacking attacks or other breaches "as soon
as possible". Ms Reding said that she would expect that under
normal circumstances this would mean within 24 hours. The
commissioner said that firms would have to explicitly seek people's
permission to use data about them and could not proceed on the
basis of "assumed" consent in situations where approval was
More on this story at: http://www.bbc.co.uk/news/technology-16677370
O2 caught sending mobile phone numbers to websites
UK network O2 has found itself at the
centre of an embarrassing data privacy storm after it emerged that
it allows websites to see the mobile numbers of all subscribers
that browse the Internet using its 3G data service.
The controversy was set off by a
single O2 user, Lewis Peckover, who noticed that his mobile number
was being sent to every website embedded in plain text as part of
the http header. Extraordinarily, the numbers appears to be
forwarded by O2’s own servers when users connect to the Internet
through its 3G service; anyone using a WiFi connection will not be
affected because they are not traversing that infrastructure.
Given the potential for websites to
capture numbers for text spamming, annoyed users have bombarded
O2’s Twitter feed with complaints to which the network found itself
responding with a stock tweet to every user who raised the issue.
“Hi there, we're looking into this as we speak - it's important to
us. Once we've got an update, we'll share it,” tweeted O2.
It turns out that the issue is not
new. Graham Cluley of Sophos points out that the issue was first
made public in March 2010 at the CanSecWest conference in Vancouver
by researcher Collin Mulliner. The proxying by O2 is not
particularly surprising, indeed all mobile networks probably do it
to optimise web traffic to cross their hard-pressed 3G networks
efficiently. The question is why O2 thinks it important to insert a
sensitive piece of information such as a mobile phone number into
data sent to websites. It could just be inserted automatically
without the intention having been to give websites the ability to
see phone numbers.
O2 later released a statement
confirming the forwarding issue had occurred due to a routine
maintenance error between 10 and 25 January 2012 which it said it
had now rectified. "We investigated, identified and fixed it this
afternoon. We would like to apologise for the concern we have
caused," O2 said.
News International email deletion: Judge Orders Forensic IT
Rupert Murdoch's News International
wilfully deleted emails that could have shown its journalists'
participation in phone and computer hacking, according to the words
of a High Court judge yesterday as he ordered a forensic search of
the company's computers. The comments demonstrate clear lessons for
companies on the importance of email retention. Data and law
experts have told Computerworld UK that any company that decides to
deliberately delete email or destroy computers in the face of legal
proceedings likely to struggle in court.
On a day that High Court judge Mr
Justice Vos turned up the heat on the newspaper group, News
International agreed payouts to 37 people, including Sara Payne,
the mother of murdered schoolgirl Sarah; as well as actor Jude Law
and former deputy prime minister Lord Prescott. But the company
said that the aggravated damages payouts do not indicate an
admission of guilt. News International also agreed compensation
after admitting hacking into the email account of Christopher
Shipman, son of mass murderer Dr Harold Shipman. The company has
previously told government's culture committee in carefully worded
language that "technological corruptions" of its database "resulted
in some data being lost", and allegedly told victims' lawyers that
it ditched some computers as part of an office move in 2010.
Legal experts have said that email
deletion is perfectly legal, but that it could raise troubling
questions during a time of legal investigations. "Emails are
treated like any other document and there is no law around how long
they should be kept," said Danvers Baillieu, a senior associate at
law firm Pinsent Masons, as the allegations grew last year. But he
added : "If a company senses the faintest whiff [of criminal or
civil proceedings], then they have to keep the documents. Otherwise
the deletion of such emails could weigh against them in the eyes of
a judge or jury." Anthony Nagle, an of Counsel lawyer at Morrison
& Foerster, agreed: "If a [court] issue has arisen and you're
shown to have deleted your data, you'll be asked why you did
Yesterday in the High Court, the
judge, visibly angry, said News International had taken "a rather
startling approach" to email management and data deletion, adding
that there were important questions around whether it had "actively
tried to get off scot-free" by destroying "a very substantial
number of emails and computers of journalists".
More on this story can be found at:
Symantec pulls pcAnywhere, man-in-the-middle attacks are
Symantec has issued an advisory,
warning users that its pcAnywhere remote screen sharing software is
vulnerable to a man-in-the-middle attack, and urging them to
disable it until a security update is rolled out. The company said
pcAnywhere users are at an increased risk due to the theft of
source code from its servers that took place in 2006. The Symantec
breach also exposed the source code of early versions of Norton
Antivirus Corporate Edition, Norton Internet Security and
The 2006-era software poses no risk to
current Norton customers, but the security giant said its
pcAnywhere users can be targeted by attackers. The pcAnywhere
remote access software is used by some enterprises for help desk
support and issue resolution. Companies can use the software in
conjunction with the pcAnywhere Access Server for multiple
connections and to avoid issues with company firewalls or NAT
devices. “Our current analysis shows all pcAnywhere 12.0, 12.1 and
12.5 customers are at increased risk, as well as customers using
prior versions of the product,” Symantec said in its advisory.
Companies may have pcAnywhere deployed
because it is bundled with numerous Symantec products, according to
the advisory. “The full standalone product is bundled in a
number of Altiris-based solutions. A remote access component of
pcAnywhere, called the pcAnywhere Thin Host, is also bundled with a
number of Symantec backup and security products,” Symantec
Symantec issued a patch on Monday
addressing three vulnerabilities in pcAnywhere running on Windows.
Additional patches are planned this week for pcAnywhere versions
12.0, 12.1 and 12.5. The company said additional patches will be
issued until a new version of pcAnywhere is released.
In a white paper entitled, “Symantec
pcAnywhere Security Recommendations”, Symantec said the encoding
and encryption elements within pcAnywhere are vulnerable. “It is
possible that successful man-in-the-middle attacks may occur
depending on the configuration and use of the product,” Symantec
said. “If a man-in-the-middle attack should occur, the malicious
user could steal session data or credentials.” A Symantec
spokesperson said the company is unaware of any ongoing
It is also possible that an attacker
can obtain the cryptographic key and launch unauthorized remote
control sessions, gaining access to other systems using Active
Directory credentials, Symantec said. Company environments that use
pcAnywhere internally are also at risk, Symantec said. The attack
would have to be carried out by a malicious insider. Symantec
advises users to block pcAnywhere assigned ports and use secure VPN
tunnels for remote access.
Koobface Botnet Goes Silent As
Its Creators are Named
After Facebook released their
identities, the five hackers behind the Koobface worm have
apparently taken down their “Mothership” server and have started
deleting their social networking accounts. All five people are
Russians. Shortly after the suspects were named, the Koobface
network went silent. The suspects have been identified as
Anton Korotchenko, Alexander Koltyshev, Roman Koturbach, Syvatoslav
Polinchuk, and Stanislav Avdeiko.
Written by: D Gray VCSL
Anonymous takes down government, recording industry
websites in retaliation for bust
Anonymous says it is in the process
of staging its "largest attack ever" -- more than 5,000 loosely
associated hackers taking down websites belonging to government and
recording industry organizations in response to [last] Thursday's
shutdown of the file-sharing site Megaupload.com. The Department of
Justice unsealed an indictment against Megaupload.com on Thursday,
arresting its founder -- Kim Dotcom, formerly known as Kim Schmitz
-- in New Zealand and charging him and at least five other company
executives with violating privacy laws.
In response, the hacker collective
known as Anonymous announced a collaborative attack against
government and recording industry websites, successfully taking
down the site of the Department of Justice -- which coordinated the
case against Megaupload -- and the Recording Industry Association
of America. As of 4 p.m. Pacific time, Justice.gov and RIAA.org
were failing to load, along with other stated targets such as
Anonymous said on a Twitter account
it has used regularly -- @YourAnonNews -- that the assault is "The
Largest Attack Ever by Anonymous -- 5,635 People Confirmed Using
#LOIC to Bring Down Sites!" In other messages, the group said it
was aiming to take down more sites throughout the night.
Members of Anonymous posted a
statement to file-hosting site Pastebin.com late Thursday
afternoon, according to the Twitter feed. The statement makes
reference to the Megaupload arrests and indictment, and reiterates
the members' earlier statement that they were "launching our
largest attack ever on government and music industry sites." The
statement provides a list of the sites targeted by the effort:
justice.gov, universalmusic.com, riaa.org, mpaa.org, copyright.gov,
hadopi.fr, wmg.com, usdoj.gov, bmi.com and fbi.gov. Many of the
sites named in the statement were still managing to load at times
late Thursday afternoon, though in a slow fashion and with mixed
results as to the content, including the home pages of the FBI, the
Motion Picture Association of America and music publishing company
In a statement, the Department of
Justice acknowledged that its website faced service problems and
said it was approaching the issue as if it was the result of an
More on this story at: Http://www.mercurynews.com/nation-world/ci_19777444
Anonymous strikes again.
Fresh off the last few days' worth
of Web attacks, designed as a kind of cyber-retribution for the
demise of file-sharing site Megaupload at the hands of the FBI,
members of the "hacktivist" group have taken to Twitter to claim
accountability for an attack on CBS.com this morning.
And by CBS.com, we mean all of
CBS.com. As in, the attackers didn't just force the site offline
using a barrage of distributed denial-of-service attacks (DDOS)
delivered by the group's "Low Orbit Ion Cannon" tool – which has
now been transformed into a Web-based attack vector that
unsuspecting users can unknowingly participate in. It was first
assumed that Anonymous somehow acquired root access to CBS.com in
this morning's attack, as the site's files and directories appeared
to have been wiped. However, additional investigation reveals that
the attackers used a technique called DNS poisoning to redirect
visitors to different web servers than those hosting CBS' site.
"Anonymous did not take down #CBS .com ; the IP for their web host
changed from 126.96.36.199 to 188.8.131.52 & 37; looks like
poisoned DNS," wrote Twitter user @jeremiahfelt.
Users attempting to access the main
CBS index page were instead shown a directory structure containing
just one file – foundry.html. Any attempts to access any of
CBS.com's sub-sites, like bookmarked pages for its litany of
television shows, for example, were met with 404 Not Found
More on this story at:
THE REST OF THE WEEK’S NEWS
McAfee tackles 'spam hijack' flaw in anti-malware
A leading anti-virus software firm says a
flaw in one of its programs has exposed its customers' computers to
the risk of being hijacked by spammers. McAfee said it planned to
release a patch for its SaaS for Total Protection service by the
end of Thursday [26th]. The software is marketed as a "peace of
mind" solution offering "complete email and web protection". McAfee
said there had been at least one related attack, but stressed that
users' data had not been put at risk.
The problem was exposed on British art firm
Kaamar Limited's blog earlier this week. Keith and Annabel Morrigan
posted a warning to other owners of the product after receiving a
message alerting them to the fact that their server had been
sending out spam emails. They said that further research had
revealed their computer had been sending out the equivalent of what
would have been 10 months' worth of normal traffic in one day.
After linking the botnet attack to a problem
with their anti-malware software's "Rumor Service" they said that
they had alerted McAfee to the problem on 5 January. The owners of
the Staffordshire-based business noted that their email address had
been flagged up as a threat as a consequence of the attack, meaning
that even their legitimate messages were now being blocked from
delivery. "As an ultimate insult, even McAfee, whose software is at
the root of our problems, now rate our email IP as 'High Risk': we
can't email them as they have blacklisted us!" they wrote.
McAfee's director of security research, David
Marcus, confirmed the problem with the firm's software on the
firm's blog on Wednesday. He acknowledged "a misuse of our 'rumor'
technology to allow an attacker to use an affected machine as an
'open relay', which could be used to send spam". "The... issue has
been used to allow spammers to bounce off of affected machines,
resulting in an increase of outgoing email from them. Although this
issue can allow the relaying of spam, it does not give access to
the data of an affected machine. "The forthcoming patch will close
this relay capability."
More on this story at: http://www.bbc.co.uk/news/technology-16627713
Do you need a cyberumbrella?
If your company were hit with a cyberattack
today, would it be able to foot the bill? The entire bill,
including costs from regulatory fines, potential lawsuits, damage
to your organizations' brand, and hardware and software repair,
recovery and protection? It's a question worth careful
consideration, given that the price of cyberattacks is rising at an
alarming rate. The second annual Cost of Cyber Crime study,
released last August by the Ponemon Institute, reported that the
median annualized cost of cybercrime for a company is $5.9 million
-- a 56% increase from the 2010 median figure. A growing number of
insurance companies are offering policies that provide protection
in the event of data breaches and other malicious hacks. But
they're having some difficulty making many sales -- in part because
the cost of premiums can be staggering.
Lawyers and information security leaders say
many executives mistakenly believe that standard corporate
insurance policies or general liability policies cover losses
related to hacking, or that their cyberpolicies, if they have them,
will cover all costs related to a breach. Most of the time, they
won't. A February 2011 paper by Forrester Research analyst Khalid
Kark indicates that many companies are still trying to understand
the basics of these policies, which are offered by such carriers as
ACE USA, Chubb, The Hartford and St. Paul Travelers Cos. The most
common questions revolve around what types of polices are out
there, what they cover, how to select the right policy and whether
such insurance is even needed.
IT leaders are particularly likely to get
confused, because tech execs have not traditionally made decisions
about corporate insurance. Likewise, the risk management and legal
teams that typically do make insurance decisions have not
customarily sought out their IT counterparts for advice. Yet, IT's
input is crucial when it comes to deciding whether to purchase
cyberinsurance and determining what coverage to buy, security
"The IT people and the risk people
desperately need to get together to talk about risk in terms of
information technology and the likelihood and outcomes of a
breach," says Don Fergus, an IT risk consultant and 2012 chairman
of the IT Security Council for the security professionals
organization ASIS International.
More on this story at:
Feds Shutter Megaupload, Arrest
Megaupload, the popular file-sharing site,
was shuttered Thursday and its executives indicted by the Justice
Department in what the authorities said was “among the largest
criminal copyright cases ever brought by the United States.” Seven
individuals connected to the Hong Kong-based site were indicted on
a variety of charges, including criminal copyright infringement and
conspiracy to commit money laundering. Four of the members of what
the authorities called a five-year “racketeering conspiracy” were
arrested Thursday in Auckland, New Zealand, the authorities
One of those arrested was Kim Schmitz, aka
Kim Dotcom, Megaupload’s founder. His attorney, Ira Rothken of
California, said neither he nor his 37-year-old client, who resides
in Hong Kong and New Zealand, was given the opportunity to
surrender. Dotcom was arrested without notice, he said. “We’re
looking into what’s going on,” Rothken said in a telephone
Visitors to the Megaupload site, which gets
about 50 million hits daily and claims 4 percent of all internet
traffic, were greeted with a message from the Justice Department.
”This domain name associated with the website Megaupload.com has
been seized pursuant to an order issued by a U.S. District
Swizz Beatz, Megaupload’s chief executive,
was not implicated in the indictment but is embroiled in a legal
spat with Universal Music over a Megaupload promotional video.
The government said the site facilitated
copyright infringement of movies “often before their theatrical
release, music, television programs, electronic books, and business
and entertainment software on a massive scale.” The government said
Megaupload’s “estimated harm” to copyright holders was “well in
excess of $500 million.”
Unsealed Thursday, the five-count indictment
from the Eastern District of Virginia came as the Justice
Department said it seized 18 domains in all connected to
Megaupload. The agency said it executed more than 20 search
warrants in the United States and eight countries, seizing $50
million in assets.
Megaupload, which often charges its 150
million registered members for its file-sharing service, was on the
recording and movie industries’ most-hated lists, often being
accusing of facilitating wanton infringement of their members’
copyrights. The indictment claims it induced users to upload
copyrighted works for others to download, and that it often failed
to comply with removal notices from rights holders under the
Digital Millennium Copyright Act. But the site routinely removed
uploaded child pornography, according to the indictment.
The money laundering charges are connected to
allegations Megaupload paid users for uploading infringing content
under an “uploader rewards” program.
More on this story at:
ACS: Law solicitor Andrew Crossley suspended by
Andrew Crossley, the controversial solicitor
who sent thousands of letters to alleged illegal file-sharers, has
been suspended from the profession for two years. At a disciplinary
tribunal he was also ordered to pay costs of £76,326.55.
The court heard how Mr Crossley used his law
firm ACS: Law to demand money in recompense for alleged copyright
infringements. The scheme unravelled when several cases went to
court. The Solicitors' Regulation Authority (SRA), which brought
the case against Mr Crossley, welcomed the decision to uphold the
allegations against Mr Crossley. "Some of those affected were
vulnerable members of the public and this matter has caused them
significant distress," said an SRA spokesman. "We hope that it
serves as a warning to others. Solicitors have a trusted position
in society and therefore have a duty to act with integrity,
independence and in the best interests of their clients," he added.
It has taken two-and-a-half years for the case to come before the
Solicitors' Disciplinary Tribunal.
The allegations included "acting in a way
that was likely to diminish the trust the public places in him or
in the legal profession" and "using his position as a solicitor to
take unfair advantage of the recipients of the letters for his own
benefit". In mitigation, Mr Crossley said that he had already
suffered as a result of the work he had undertaken and was now
bankrupt. He said he was in danger of having his house repossessed
and that his 15-year relationship had broken down because of the
Mr Crossley began the so-called speculative
invoicing scheme in May 2009. In total he sent about 20,000 letters
to people identified as having downloaded content, often
pornography, without paying for it. He claimed he was acting on
behalf of MediaCAT, which in turn represented the copyright owners.
The letters threatened court action unless the recipient paid a
one-off fee of about £500. Consumer group Which? was one of the
first to highlight the cases of people who claimed that they had
been wrongly accused and had been upset by the threatening nature
of the letters.
When a handful of cases came to court, the
scheme came in for widespread derision, angering the presiding
judge, Judge Birss, who turned the spotlight on Mr Crossley,
accusing him of abusing the court process. The lawyer for the
defendants likened the case to Charles Dickens' Bleak House.
In a further twist, the ACS: Law website was
hacked and huge amounts of sensitive data were exposed during
attempts to get it up and running again. Mr Crossley was fined by
the Information Commissioner's Office for the data breach. James
Bench, founder of campaign group Being Threatened?, set up to
represent those who received letters from ACS: Law, said he was
pleased by the findings of the disciplinary hearing. "The judgement
will provide some satisfaction to those innocent members of the
public that Mr Crossley relentlessly bullied in the operation of
this scheme," he said. "It was clear to all that Mr Crossley's
speculative invoicing scheme lacked any legal merit," he added. But
he said that he was disappointed that the case had taken nearly
three years to reach a conclusion.
It was revealed during the hearing that the
SRA had asked Mr Crossley to stop the scheme within days of him
setting it up, but he had refused.
Man Arrested and Charged in Federal Reserve Bank of New
York Source Code Theft
A computer programmer has been charged with
stealing source code worth $9.5m from the Federal Reserve Bank of
New York, according to the FBI and prosecutors. Bo Zhang, a
32-year-old from Queens in New York, was cuffed on suspicion of
swiping the Government-wide Accounting and Reporting (GWA)
software, used to help keep track of the US government's
"Among other things, the GWA handles ledger
accounting for each appropriation, fund, and receipt within the
Department of the Treasury, and provides federal agencies with an
account statement - similar to bank statements provided to bank
customers - of the agencies’ account balances with the United
States Treasury," the US attorney's office for the Southern
District of New York said in an official statement.
Zhang was hired as a contractor to work on
the code where it's held in an access-controlled electronic
repository in New York. During last summer he allegedly stole the
GWA code, which has so far cost the US $9.5m to develop. "According
to the complaint, Zhang admitted that in July 2011, while working
at the Fed, he checked out and copied the GWA code onto his hard
drive at the Fed; he subsequently copied the GWA code onto an
Fed-owned external hard drive; and he connected that external
hard-drive to his private office computer, his home computer, and
his laptop," the US attorney's office added. "Zhang stated that he
used the GWA Code in connection with a private business he ran
training individuals in computer programming."
Despite Zhang's rather innocuous purported
use for the code, he was arrested by the FBI on Wednesday morning
and now faces up to ten years in prison and fines of up to
$250,000. "Zhang took advantage of the access that came with his
trusted position to steal highly sensitive proprietary software.
His intentions with regard to that software are immaterial.
Stealing it and copying it threatened the security of vitally
important source code," FBI assistant director-in-charge Janice K
A New York Fed spokesperson told Reuters and
others that the bank had investigated the breach as soon as it was
uncovered and promptly referred the case to the authorities. "The
New York Fed has further strengthened its already considerable
protections as a result of this incident," the spokesman said.
Computer Hackers Hijack US Trains - TSA Memo
Hackers were able to break into a
northwest U.S, rail company's network and take control of passenger
trains in December, the Transport Security Administration
disclosed. According to a report by TechEye, the TSA - which is
responsible for protecting all US transportation systems - found
that a train on an unnamed stretch of railway "was slowed for a
short while" and rail schedules were then delayed for 15 minutes.
The following day a "second event occurred" before rush hour, but
it is not believed that this second hack affected schedules, the
The TSA report said that investigators became
suspicious that the hack was an intentional act rather than a
computer glitch, and then acted under the assumption that the
hackers could present a broader danger to the US transport system.
TechEye reports that two IP addresses for found which are believed
to be connected to the attacks, but the TSA has not said where the
IPs are located, although it is believed that they are outside of
A government memo, obtained by NextGov, read:
"the conclusion that rail was affect [sic] by a cyberattack is very
serious." While the Homeland Security Department - which oversees
the TSA - is not sure if the railway infiltration was a targeted
attack or not, but the event has posed enough of a threat to
encourage the TSA to begin educating train companies on the dangers
of computer hacks.
NextGov continues: "Investigators discovered
two Internet access locations, or IP addresses, for the intruders
on Dec. 1 and a third on Dec. 2, the document noted, but it does
not say in which country they were located."
Romanian who hacked NASA spared cooler stint
A Romanian hacker who admitted breaking into
NASA's network has avoided jail, receiving a three-year suspended
prison sentence instead. Robert Butyka, 26, from Cluj-Napoca,
Romania, still faces a civil lawsuit over disputed damages of
$500,000 against the space agency's computer systems in a case due
to be heard in March. Butyka, who was arrested by Romanian
cyber-cops back in November, admitted hacking into NASA's network
in December 2010 at a hearing earlier this month prior to a
sentencing hearing this week where he was put on probation for
Patient Data Theft Sends IT Specialist To Jail
Eric McNeal, a 38-year-old information
technology specialist from Atlanta, Ga., has been sentenced for
hacking into the patient database of a former employer, stealing
patient information, and then deleting the information from the
system. For his crime, McNeal was sentenced on Jan. 10 to serve 13
months in prison with three years of supervision after his release.
McNeal also was ordered to perform 120 hours of community
"The circumstances of this case and resulting
patient data breach is very common," and can happen in any size of
practice, Rick Kam, president and co-founder of ID Experts told
InformationWeek Healthcare. According to court documents, McNeal,
who pleaded guilty to the charge on Sept. 28, worked as an
information technology specialist for APA, a perinatal medical
practice in Atlanta. He left APA in November 2009, and subsequently
joined a competing perinatal medical practice, which was located in
the same building as APA.
In April 2010, McNeal used his home computer
to hack into APA's patient database; download the names, telephone
numbers, and addresses of APA's patients; and then delete all the
patient information from APA's system. McNeal used the patient
names and contact information he stole to launch a direct-mail
marketing campaign for his new employer. There is no evidence that
McNeal downloaded or misused specific patient medical
Christine Marciano, president of Cyber Data
Risk Managers, said medical facilities looking at this case should
ask themselves how they can realistically protect against similar
hacking attempts. "Having an exit strategy in place when an
employee leaves or is terminated should be strictly enforced,"
Marciano told InformationWeek Healthcare. "The exit strategy needs
to include cutting off the employee's access to all of the
facility's databases in order to prevent unauthorized access."
Richard Santalesa, senior counsel at
InfoLawGroup, said because McNeal pleaded guilty his sentence was
reduced, and noted that McNeal could have received a five-year
federal prison sentence for his crimes. "Anyone who gives their
personal information to a doctor or medical facility does not
expect that their information will be hacked and used to make
money," U.S. Attorney Sally Quillian Yates, said in a statement.
"The cost of medical care is already high enough without patients
having to pay a heavier cost with the loss of their privacy."
Israeli-Arab Hacking Continues
Israeli hackers downed the website
administered by the Central Bank of the United Arab Emirates on
Thursday as the financial institution hosted European Central Bank
chief Mario Draghi. The attack was apparently conducted by a group
calling itself "IDF Team," which also claimed responsibility for
knocking the Arab Bank offline on Thursday.
UAE Central Bank officials downplayed the
incident, emphasizing that talks with the European delegation
remained the top priority of the day. "We have been busy here,"
Sultan bin Nasser al-Suwaidi, governor of the UAE Central Bank told
the Financial Times. "There are IT technicians who will take care
Meanwhile, a second Israeli hacker group
known as "Nuclear" posted details of 4,800 credit cards extracted
from various accounts held in Saudi Arabia on Wednesday evening.
Information included card numbers, passwords, security codes, code
types and expiration dates. The Saudi credit card data was leaked
online just one day after Israeli hackers downed the websites of
both the Saudi Stock Exchange (Tadawul) and the Abu Dhabi
Securities Exchange (ADX). However, Saudi officials denied that
Tadawul experienced downtime, stating that "sophisticated security
protection" had been enforced.
The "IDF Team" operation against Tadawul and
ADX was reportedly conducted in retaliation for the hacking of two
prominent Israeli sites on Monday: the Tel Aviv Stock Exchange
(TASE) and El Al (Israel Airlines).
It should be noted that various forms of
cyber warfare have been waged by civilians in the Middle East for a
number of years - and can be traced back to the early days of IRC
(Internet Relay Chat) when rival parties battled each other with
channel takeovers, scripts, automated bots and flooding
New stealthy botnet Trojan holds Facebook users
A new strain of cybercrime Trojan is
targeting Facebook users by taking over their machines and shaking
them down for cash. Carberp, like its predecessors ZeuS and SpyEye,
infects machines by tricking punters into opening PDFs and Excel
documents loaded with malicious code, or attacks computers in
drive-by downloads. The hidden malware is designed to steal account
information, and harvest credentials for email and
A new configuration of the Carberp Trojan
targets Facebook users to ultimately steal e-cash vouchers.
Previous malware attacks on Facebook have been designed purely to
slurp login info, so this latest skirmish, spotted by transaction
security firm Trusteer, can be considered something of an
escalation. The Carberp variant replaces any Facebook page the user
navigates to with a fake page notifying the victim that their
Facebook account is temporarily locked. Effectively holding
Facebook users hostage, the page asks the mark for their first
name, last name, email, date of birth, password and a Ukash 20 euro
($25) voucher number to verify their identity and unlock the
Trusteer warns the cash voucher attack is in
some ways worse than credit card fraud, because with e-cash it is
the account-holder, not the financial institution, who assumes the
liability for fraudulent transactions. Trusteer said it does not
have any concrete data on how many people might have been hit by
this particular attack. But it warns social networking users,
particular those with e-cash accounts, to be wary of this
particular scam and potential follow-up frauds along the same
lines, which might easily trap the unwary.
Amit Klein, CTO at Trusteer, commented: "The
fraud technique is quite effective. Keep in mind that the user gets
an authentic-looking message in the context of a genuine,
deliberate log-in to Facebook. We do know that this is exactly
where users are most susceptible to divulging personal information
and following additional instructions, as their trust in the
content is maximal."
The use of anti-debugging and rootkit
techniques make Carberp Trojan difficult to detect, warns security
consultancy Context Information Security. Context said: "Carberp is
also part of a botnet that can take full control over infected
hosts, while its complicated infection mechanisms and extensive
functionality make it a prime candidate for more targeted attacks."
Context adds that Carberp, which creates a backdoor on infected
machines, can be controlled from a central administrator control
panel, allowing botnet herders to more easily mine stolen data.
Trusteer said it had reported the attack to
Facebook, and shared malware samples prior to giving live with its
blog, a day after Facebook boasted it had been free of the Koobface
worm for more than nine months. "I don't think that this incident
contradicts their "virus free" statement, since Carberp only
infects the victim PCs without any modification of the victim's
profile in Facebook or any other alteration of the Facebook site,"
Trusteer's CTO told El Reg. "And to the best of our knowledge,
Carberp does not propagate through Facebook."
Passwords are like underwear. You shouldn’t leave them out
where people can see them. You should change them regularly. And
you shouldn’t loan them out to strangers.