Security
Security issues, software and reports.

  Thursday, February 8, 2007


Study Notes Link Between IT Sabotage, Work Behavior. Workers who sabotage corporate systems are almost always IT workers who exhibit specific negative office behavior according to recent research. [PC World: Latest Technology News]
12:37:54 PM    

Study: Weak Passwords Really Do Help Hackers. Left online for 24 days to see how hackers would attack them, Linux PCs with weak passwords were hit by some 270,000 intrusion attempts. [PC World: Latest Technology News]
12:35:01 PM    

FTC Issues Fraud and ID Theft Data for 2006.

Unauthorized credit card charges were the leading contributor to more than $1.1 billion bilked in reported consumer fraud complaints last year, according to new figures released today by the Federal Trade Commission.

Shop-at-home/catalog sales and prizes and sweepstakes accounted for nearly 15 percent of all fraud-related complaints, followed closely by Internet services and online auctions. While the FTC's data tracks both online and offline fraud, the commission said some 60 percent of fraud complaints stemmed from transactions where the initial contact with the consumer was over e-mail (45 percent) and the Web (15 percent). (The PDF version of the FTC report is here.)

Credit-card fraud was the most common source of reported losses, followed by phone or utilities fraud (16 percent), bank fraud (16 percent) and employment fraud (14 percent). The latter category usually involved the unauthorized use of someone's Social Security number in order to secure employment.

Claudia Bourne Farrell, a spokesperson for the FTC, was herself a victim of employment fraud.

"I learned about it when the Internal Revenue Service asked why I wasn't declaring income and paying taxes on my job" at a Washington, D.C., restaurant, she said. Investigators later linked the identity thief to a local man using her Social Security number under the name Claudio Farrell.

While consumers are usually reimbursed by their bank for fraudulent credit- and debit-card charges, fraud that results from new accounts being opened in a victim's name -- from new cell phone and utility services ordered by the fraudsters -- represents a far more serious type of fraud, said Beth Givens, director of the San Diego-based Privacy Rights Clearinghouse.

"Usually, when a new account is opened in your name, the monthly statements go to a drop box or the criminal's address, and the victim doesn't generally find out about it until they go to open a new line of credit or order a copy of their credit report," Givens said. "This is the most difficult type of fraud to erase from your file." A victim must do a great deal of work to expunge the fraudulent accounts from their credit files, she said.

The FTC warned that the percentage of fraud complaints where wire transfers were the reported payment method continued to increase last year. Most wire transfer losses are associated with Internet auction scams, where auctioneers simply take the money but never ship the promised merchandise. Twenty-three percent of the consumers reported fraud incidents where wire transfer was the payment method, an increase of eight percentage points from calendar year 2005, the FTC said.

California, Texas and Florida led the nation in the total number of identity and consumer fraud cases that were reported last year. Virginia and Maryland were sixth and eighth, respectively, in the rankings of consumer fraud complaints per 100,000 people by state. Maryland came in at No. 11 in the rankings of reported identity theft cases per 100,000 people, while Virginia came in at 15 in the same measure.

For Washington, D.C., the FTC said there were 1,904 complaints made by city residents last year about consumer fraud or identity theft. The Washington region in general ranked 110 in fraud complaints out of the top 400 metropolitan areas in the country.

Consumers in the 18-29 age set were the largest age group that reported losses from fraud. That finding closely mirrors other studies that have identified younger online users as those most likely to be defrauded or scammed.

The overall number of fraud complaints was down slightly from 2005, but the FTC noted that one major data contributor did not properly catalog many of its complaints, so comparisons with previous years are difficult.

The FTC and consumer advocates urge consumers to keep a close eye on their credit files for signs of fraudulent activity. Under federal law, consumers are entitled to a free copy of their credit report each year. Consumers can order their free credit report by visiting AnnualCreditReport.com.

[Security Fix]
12:31:26 PM    

Internet Attacked! (Did Anyone Notice?)

Tuesday marked the fourth anniversary of "Safer Internet Day," a 40-country effort to raise awareness about computer and Internet security. But the day probably didn't feel too safe for the dozens of unheralded technologists responsible for defending the World Wide Web against one of the most concerted attacks against the Internet's core since a similar assault in 2002.

Details about the sources, size and methods used in the attack are still trickling in, but like the celebration of Safer Internet Day, it's not clear that anyone using the Web at the time even took notice. That's largely a good thing, and I'll explain why later in this post.

At around 7 p.m. ET on Monday, three of the Internet's 13 "root servers" -- the computers that provide the primary roadmap for nearly all Internet communications -- came under heavy and sustained attack from a fairly massive, remote-controlled network of zombie computers. These are machines infected surreptitiously with programs that allow criminals to control them remotely. The zombies were programmed to try to overwhelm several of the root servers with massive amounts of traffic.

Among the apparent targets was a root server controlled by the Department of Defense Network Information Center. There is also evidence to suggest the attackers targeted the servers responsible for managing the stability of the ".uk" and ".org" domains.

A number of technologists I spoke with who helped defend against the attack said it's too early to say definitively where the attack came from, but this perspective from an operator responsible for maintaining one of the root servers suggests that South Korea, China and the United States were the biggest sources of computers used in the attack (the initial analysis suggests that 13 percent of machines involved in the attack were located here in San Francisco, the site of the RSA Security Conference, from which I'm currently blogging).

In the news coverage so far, theories about the motives behind the attack varied widely, from speculation that it was just hacker mischief to notions that it was cooked up by curious criminals bent on testing their ability to extort the many wealthy and powerful interests that rely on a functioning Internet.

The truth is that no one but the attackers knows the true reason. Paul Levins, vice president of the Internet Corporation for Assigned Names and Numbers (ICANN) -- the entity charged with, among other tasks, coordinating responses among root server providers in such attacks -- said it would likely be at least a week before the more meaningful facts come out.

"This is a fact based community, and we're waiting for the facts to come in after the analysis before we can make committed statements about what the origins were, and its intended targets," Levins said.

This attack highlights a couple of important but often overlooked points, one dark and troubling, and the other somewhat more hopeful. First, the tools and resources used by organized cyber criminals -- namely hacked personal computers that can be remotely controlled by attackers -- are so abundant that they've become virtually disposable. Experts estimate that at any given time there are tens of millions of hacked personal computers that are used in attacks or, more commonly, in sending spam and hosting phishing Web sites.

On the other hand, the fact that there is scant evidence that anyone surfing the Web at the time of the attack even noticed is testament to the resiliency of the global Internet infrastructure, as well as to the swift action on the part of the technologists and experts charged with maintaining the network most of us have come to take for granted.

Not that you can ever have enough security and capacity to handle these types of attacks. The various organizations that operate the 13 root servers are constantly upgrading bits and pieces of their systems to make them more robust and resilient, and one root-server operator -- Verisign Inc. -- is announcing Thursday that it plans to spend $100 million over the next three years to achieve a tenfold increase in its capacity to handle Internet traffic requests.

[Security Fix]
12:24:54 PM    

Facebook defends teen security tricks.

No change is good

RSA Facebook has defended its privacy protection despite the possibility that this has been circumvented for the first time by an alleged sexual predator.

[The Register - Music and Media]
12:20:04 PM    

© Copyright 2007 Paul Hardwick.
Last update: 3/4/07; 10:52:25 AM.