
Tuesday 24 November 2009

Hancock Fabrics Linked to Fraud in 3 States

By Linda McGlasson
Managing Editor
Bank Info Security
November 23, 2009

Bank customers in California, Wisconsin and Missouri are reporting fraudulent ATM withdrawals that police say are tied to transactions conducted with the Hancock Fabrics retail chain.

In California, Napa Police Department spokesman Brian McGovern says 60 residents reported their cards being used by thieves. In one case, a Napa resident reported $840 in cash withdrawals. The Hancock Fabrics store on Imola Avenue in Napa was the "common thread" among the numerous people who reported credit and debit card fraud. McGovern says the store had recently replaced its point-of-sale machines.

At about the same time, as many as 70 Wisconsin victims reported suspicious ATM withdrawals from their accounts, according to Wood and Portage county law enforcement, which also ties the thefts to machines in Hancock Fabrics stores.

And in Missouri, at least 10 customers at Hancock Fabrics in the St. Louis area reported their debit card numbers and PINs stolen during the week of November 9.

NIST Drafts Cybersecurity Guidance

By J. Nicholas Hoover
InformationWeek
November 23, 2009

Draft guidance from the National Institute of Standards and Technology issued last week pushes government agencies to adopt a comprehensive, continuous approach to cybersecurity, tackling criticism that federal cybersecurity regulations have placed too much weight on periodic compliance audits.

The guidance, encapsulated in a draft revision to NIST Special Publication 800-37, will likely be finalized early next year. While federal agencies aren't required to follow all of its recommendations, NIST is officially charged with creating standards for compliance with the Federal Information Systems Management Act (FISMA), which sets cybersecurity requirements in government, so this guidance should at the very least be influential.

As official statistics show attacks on the federal government continuing to rise, the Government Accountability Office and agency inspectors general have repeatedly found the federal government or particular agencies falling short of the spirit of FISMA, if not its letter. Meanwhile, critics have repeatedly found fault with either FISMA or its implementation in practice, saying that it doesn't do enough to ensure that government agencies remain consistently vigilant about cybersecurity.

The new document puts more onus on applying risk management throughout the lifecycle of IT systems. "This is part of a larger strategy to try to do more on the front end of security as opposed to just on the back end," says NIST's Ron Ross, who is in charge of FISMA guidance at the agency. "We don't think of security as a separate undertaking, but as a consideration we make in our normal lifecycle processes."

[...]

Symantec Japan website bamboozled by hacker

By John Leyden
The Register
23rd November 2009

A Symantec-run website was vulnerable to a blind SQL injection flaw that reportedly exposed a wealth of potentially sensitive information.

Romanian hacker Unu used off-the-shelf tools (Pangolin and sqlmap) to steal a glimpse at the database behind Symantec's Japanese website. A peek at the Symantec store revealed by the hack appears to show clear-text passwords associated with customer records. Product keys held on a Symantec server in Japan were also exposed by the hack.

Unu has previously exposed similar problems involving the websites of the UK's parliament and Kaspersky, among many others. The grey-hat hacker has published screenshots to back up his latest claims which, if verified, run deeper than shortcomings on the websites of Kaspersky, F-secure and other security firms previously reported by Unu.

Symantec said it was investigating the reported breach, which Unu claims gave him full disk and database access. The security giant said the vulnerability only affected a website used by consumer customers in the Far East. Symantec admitted there was a problem without commenting on how serious the snafu might be, pending the result of an investigation. The offending site - pcd.symantec.com - has been taken offline pending the addition of extra security defences.

[...]

Inside the Ring - Chinese, Russian cyberwarfare

By Bill Gertz
INSIDE THE RING
November 19, 2009

[...]

Chinese, Russian cyberwarfare

The Pentagon's National Defense University recently published a groundbreaking book that is one of the few U.S. government documents to highlight the cyberwarfare capabilities of both China and Russia.

The book "Cyberpower and National Security" contains a chapter on the issue revealing that China's computer attack capabilities have become "more visible and troubling" in recent years. "China has launched an unknown number of cyber reconnaissance and offensive events with unknown intent against a variety of countries," the chapter said.

Among the most important attacks were the 2005 cyber espionage attacks against Pentagon computer networks that federal investigators code-named Titan Rain. Another Chinese-origin attack involved computer operations against the U.S. Naval War College in 2006 that shut down systems.

According to the chapter, China's military strategists regard cyberwarfare as an important element of "pre-emptive" warfare capabilities.

Chinese military analysts Peng Guangqian and Yao Youzhi are quoted as saying China plans to use several types of pre-emptive attacks in a future conflict, including "striking the enemy's information center of gravity and weakening combat efficiency of his information systems and cyberized weapons" with the goal of weakening information superiority and reducing combat efficiency.

[...]

Microsoft warns of IE exploit code in the wild

By Elinor Mills
InSecurity Complex
CNet News
November 23, 2009

Microsoft on Monday said it is investigating a possible vulnerability in Internet Explorer after exploit code that allegedly can be used to take control of computers that visit a Web site hosting it was posted to a security mailing list.

Microsoft confirmed that the exploit code affects IE 6 and IE 7, but not IE 8, and it said it is "currently unaware of any attacks trying to use the claimed vulnerability or of customer impact," according to a statement.

The exploit code was published to the BugTraq mailing list on Friday with no explanation.

"The exploit targets a vulnerability in the way Internet Explorer uses Cascading Style Sheet (CSS) information. CSS is used in many Web pages to define the presentation of the sites' content," Symantec wrote in a blog post this weekend.

[...]

Friday 20 November 2009

Palin Calls E-Mail Hack 'Most Disruptive' Campaign Event

By Kim Zetter
Threat Level
Wired.com
November 18, 2009

Never mind the disastrous interview with Katie Couric or the blank stares in response to Charlie Gibson's question about the Bush Doctrine. Former vice presidential candidate Sarah Palin calls the hacking of her Yahoo e-mail account "the most disruptive and discouraging" incident in last year's presidential campaign.

Writing in her new book, Going Rogue: An American Life, Palin says the intrusion into her personal e-mail account in September 2008 "created paralysis" in her administration, because it cut off easy communication with her "Alaska staff." Presumably, this refers to her staff in the governor's office, which would seem to be an acknowledgment that the personal account was used to conduct critical state work, as alleged in an activist's lawsuit last year.

Threat Level broke the story in September 2008 that someone using the name "Rubico" had obtained access to Palin's Yahoo e-mail account and posted photos -- including two pictures of her children -- and five screen shots of e-mail messages on the whistleblower site WikiLeaks. Bloggers traced "Rubico" to a 20-year-old Tennessee college student named David Kernell, whose father is a Democratic state legislator. Kernell is now free on bail awaiting trial for the hack, scheduled for next year.

Palin writes in her book that she was sitting in a Michigan hotel room with her husband Todd when she learned about the intrusion on TV. Just then Steve Schmidt, John McCain's campaign manager, walked in to confirm what she'd just seen on the news.

FBI Suspects Terrorists Are Exploring Cyber Attacks

Forwarded from: Richard Forno

The second paragraph undermines the whole article, as such statements tend to do in all articles warning of cyber or terrorist attacks, just as any number of 'stories' citing some new DHS or FBI terror threat that suddenly hits the airwaves periodically during the year.

This entire article simply says -er, repeats- that "terrorists may consider cyber attacks." Yeah. We know that already, and have known about it for quite a while, too. Dare I raise the question "so what's new about that?"

The Hill hearings this week and the resulting stories about cyberwar and cybersecurity, and the advice contained in a recent GAO report about ideas to improve security are nothing more than the newest folks in DC pontificating publicly about the SAME stuff we've been hearing for 10, 15+ years. The only thing that's improved during this time is this town's ability to spin its wheels while doing nothing to address the problem it claims to worry so much about.

Le mal sigh. :(