Saturday, January 07, 2006

Internet News Article Reuters.co.uk: "Forgetting computer passwords is an everyday source of frustration, but a solution may literally be at hand -- in the form of computer chip implants.

With a wave of his hand, Amal Graafstra, a 29-year-old entrepreneur based in Vancouver, Canada, opens his front door. With another, he logs onto his computer.

Tiny radio frequency identification (RFID) computer chips inserted into Graafstra's hands make it all possible.

'I just don't want to be without access to the things that I need to get access to. In the worst case scenario, if I'm in the alley naked, I want to still be able to get in (my house),' Graafstra said in an interview in New York, where he is promoting the technology. 'RFID is for me.'

The computer chips, which cost about $2, interact with a device installed in computers and other electronics. The chips are activated when they come within 3 inches of a so-called reader, which scans the data on the chips. The 'reader' devices are available for as little as $50 (29 pounds).

Information about where to buy the chips and readers is available online at the 'tagged' forum, (http://tagged.kaos.gen.nz/) where enthusiasts of the technology chat and share information.

Graafstra said at least 20 of his tech-savvy pals have RFID implants.

'I can't feel it at all. It doesn't impede me. It doesn't hurt at all. I almost can't tell it's there,' agreed Jennifer Tomblin, a 23-year-old marketing student and Graafstra's girlfriend."

Friday, January 06, 2006

PCWorld.com - Microsoft Rushes Out Patch for Windows Metafile Flaw: "Software giant bows to pressure from experts and releases important patch days earlier than expected.

Amid controversy and customer demand surrounding a flaw in its Windows operating system, Microsoft abandoned its announced timetable for supplying a fix and rushed a patch onto its Web site to correct a problem that could allow a hacker to gain control over desktops or servers."

Thursday, January 05, 2006

Netcraft: Fraud Hosting and Phishing Site Countermeasures: "Once a bank has been alerted to the fact that it is the subject of a phishing attack, the race is on to close the target phishing site as quickly as possible. When the fraud is inadvertently hosted by an otherwise reputable and experienced organization, this can be routine.

However, professional fraudsters will take steps to ensure that the process is as difficult and time consuming as possible: your time is their money.

Fraudsters will often host their sites in developing countries with limited law enforcement resources and incentivize the hosting company to keep the site running as long as it possibly can. Indeed, some unscrupulous hosting companies actually promote fraud hosting as a service."

Wednesday, January 04, 2006

State laws target identity theft

Multiple states enacted laws Sunday designed to help prevent identity theft after major security breaches compromised personal data for millions of consumers in 2005, including last week's incident at Marriott Vacation Club International.

New and existing state laws require timely notification of information breaches to affected customers, and related legislation allows consumers to freeze their credit reports as a means of identity-theft prevention and protection.

But similar federal legislation remains tied up in Congress, which is where consumer groups said it should stay while industry pushes for a tightly focused national breach-notification standard.

Twelve states have credit-freeze legislation, which allows residents to block new creditors from accessing their credit reports and helps prevent identity thieves from opening spending accounts using a stolen name.

Credit-freeze laws in Connecticut, Illinois and New Jersey were enacted Sunday, while Maine's will become effective Feb. 1 and Colorado's July 1.

"Quite simply, the states are again the ones doing strong laws and showing Congress the way," said Ed Mierzwinski, consumer-program director at the U.S. Public Interest Research Group in Washington. The freeze laws are the first attempt to give people control over their Social Security numbers, the "financial DNA that is strewn all over the place."

Consumer groups endorse the states' credit-freeze laws, but want them to apply to all consumers, not just identity-theft victims as some currently do, he said.

"The freeze is not an absolute save-all," said Jay Foley, co-director of the Identity Theft Resource Center, a nonprofit in San Diego that tracks the more than 130 breaches disclosed last year, potentially affecting more than 57 million people. "It's a tool for victims and for families with senior members who are not competent to handle their credit."

More than 20 states have breach-notification laws. There already is near national compliance with California's law, which was the first in the nation when enacted in 2003 to require companies to notify state residents when their unencrypted personal information is reasonably thought to have been compromised.

"If Congress fiddles with it, it will most likely result in a weaker law that pre-empts the best of the state laws," Mr. Mierzwinski said, adding that businesses have been lobbying for a weak federal law with notification "triggers" only when industry says the breach could be harmful.

Mike Zaneis, director of congressional and public affairs at the U.S. Chamber of Commerce, disagreed. "Industry is not looking for a weak federal law. We are proponents of a strong, national uniform standard on data security breach."

The chamber does not have an official position on credit freezes or other access and correction protocols, he said, but it encouraged the appropriate House and Senate committees to explore the best solutions after a strict breach-notification law is passed.

With commerce being so global now, it makes no sense to have multiple state notification laws, Mr. Zaneis said, because they are difficult for industry to comply with and confusing for consumers who could end up inundated with notices and then desensitized to the important ones.

Susanna Montezemolo, a policy analyst for the nonprofit Consumers Union in Washington, scoffed at that notion. By complying with the strongest state law, businesses would be meeting their own state's requirements, which benefits consumers.

Many companies are following the California standard, which is why Maryland, Virginia and D.C. residents receive notification if their information has been breached, even though their home states do not have laws requiring businesses to do so, she said.

Congress became involved last year after the high-profile breach at data broker ChoicePoint Inc. In February, the Alpharetta, Ga., company began notifying 145,000 consumers in numerous states that their personal information had been compromised.

High-profile breaches also were found at Bank of America Corp., shoe retailer DSW Inc. and other companies. The most recent occurred last week when Marriott's timeshare unit announced that it had to notify 206,000 employees, time-share owners and customers that their personal data may have been compromised after backup computer tapes went missing from an Orlando, Fla., office.

Consumer groups said they are not against a federal breach-notification law, but do not want Congress to pass legislation that outweighs tougher state standards.

"Let's either do it right or not to do it, federal government," Mr. Foley said. "This is far too important to mess around with."

Avoiding phishing scams; warning on fund distributions

There are no typos. The language is plain and straightforward, not stilted and almost drunken. The situation seems plausible.

The e-mail I received yesterday from "Amazon.com" about my account and an "Amazon Payments Billing Issue" included just one clue and it went like this: "After responding to the message, we ask that you allow at least 72 hours for the case to be investigated. E-mailing us before that time will result in delays."

Had I responded to the message, the bad guys who were phishing for account information wanted three days to be able to get away; no company of which you are a legitimate customer would ask for your help clearing up a payments issue but then tell you to avoid contact. The fraudsters trying to commit some form of identity theft knew that contacting Amazon directly would lead to their plot being foiled.

But they almost had me fooled, and I see these kinds of e-mails all the time.

"Phishing" is a criminal activity involving fake e-mails and bogus Web sites, trying to bamboozle consumers into revealing personal financial data. While the ploy started with banks and credit-card companies, it has evolved to retailers and almost any other business that takes credit or personal information online.

The tactic is particularly pervasive now, in the wake of the holiday season, in part because consumers are more vulnerable due to recent purchase activity. In my case, for example, the note appeared more real because I recently made my only Amazon purchases of the last 12 months.

That use of the account, plus the note suggesting that there had been unusual activity on my account, was just enough to get me to wonder. The rest of the information was clean enough that it looked real, except for the 72-hour comment.

Amazon subsequently confirmed that the note was a fraud.

Personally, phishing notes always have been easy to spot. The header on the e-mail will warn of the suspension of an account from some company I don't do business with; on the rare occasions when it has been a retailer I have purchased from in the past, there are obvious problems, like the sender has an address from a service provider like Hotmail, instead of, say, Amazon.com.

Because phishing expeditions frequently are run offshore, they often are written in a strange version of English, using phrases like "We earnestly ask you to use this connected link to commence the process of customer data confirmation."

When the note is trying too hard to sound official, when it calls you "customer" instead of by your name, when the link has an address that appears strange, you should get nervous. In fact, if the e-mail includes your name, that's no guarantee either.

Rather than following up on this kind of notice -- no matter how official looking it might be -- contact the company directly, through normal channels. Ignore the links and go to the real site -- entering the address yourself -- to look at your account activity, review the company's policies and forward the e-mail to an address you find on the site to inquire if it's real.

The bad guys are getting more sophisticated and their attempts are getting better. That's trouble for the rest of us, and should force all consumers to raise their attention to details to keep their vital personal information safe.

Tuesday, January 03, 2006

Spyware Articles: Watching the Watchers : Detection and Removal of Spyware

If spyware were a person and he set himself up in your house, you are likely going to do one of two things. You'll kick him out yourself or you'll call someone (such as the police) to do it for you. Employing tools that detect and remove spyware from your PC, whether it's at home or at the office, should be on the list of top things to do for your complete protection, and the protection of your children.

New Spear Phishing Spam Email Targets eBay Sellers

Greenview Data, Inc., the industry leading provider of SpamStopsHere email security solutions, announced today that a new wave of spear phishing attacks are targeting eBay sellers. Cyber criminals are targeting eBay members selling items on the World's Largest Marketplace by sending forged auction inquiries from what appears to be eBay's "Question from eBay Member" message portal.

Account holders are prompted to respond to the inquiry by clicking the "Respond Now" link button in the email, and are then directed to a fraudulent eBay login screen. After the seller has entered their login information, cyber-criminals then "hijack" the seller's account and steal their identity.

Spear phishing is the latest spam technique used by cyber-criminals to gain access to personal and corporate accounts and steal sensitive data. Unlike traditional phishing attacks in which millions of emails are sent indiscriminately, spear phishing attacks are extremely targeted and focus on one end user or organization at a time.

Spear phishing emails are designed to appear as if they are sent from a trusted individual, and typically ask for login IDs and passwords.

"Just about anyone with an email account has undoubtedly seen an eBay phishing scam email at one time or another," said Ted Green, CEO of SpamStopsHere. "We are seeing an evolution in phishing and spear phishing attacks. The sophistication of attacks is constantly increasing. Cyber criminals are relentless in developing new and ingenious methods of monetary and identity theft. End user education is the best defense against spear phishing attacks."

www.SpamStopsHere.com recommends the following guidelines when confronted with any suspected phishing attack:

1. If an email asks you to log into your bank, PayPal, eBay or other personal account, assume it is a phishing scam.

DO NOT UNDER ANY CIRCUMSTANCE CLICK ON THE LINK IN THE EMAIL

2. Never enter banking information, social security numbers or other sensitive information by clicking a link in an email.

3. Never enter your computer user name or password into an email that requests it, not even if it claims to be from your IT manager or other co-worker. It is easy for a spammer to forge the sender's name.

4. If you are unsure as to the legitimacy of a particular email, open an Internet browser and manually type in the URL of the institution in question, e.g. "www.chase.com". Do not use the URL in the email as a reference, as it may be a forgery.

5. Treat any email that asks for sensitive data as a phishing scam.
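The tells listed in the guidelines above, and in the Amazon column from Jan. 4 (a sender on a free-mail domain rather than the brand's own, a link whose address "appears strange" or differs from what its text claims, a generic "customer" greeting, a request to log in or hand over sensitive data), can be checked mechanically on the raw message before anyone clicks. The following is an added example written for this page, not code from SpamStopsHere or from the columnist; it uses only the Python standard library, the brand-domain list is passed in by the caller, the two sample messages and every host name in them (including the attacker host under the reserved `.example` TLD) are constructed for illustration, and the two-label "registrable domain" shortcut is an assumption that a real deployment would replace with the public suffix list.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Free-mail providers a real brand would not send account notices from
# (the column above gives Hotmail as its example).
FREEMAIL = {"hotmail.com", "yahoo.com", "gmail.com"}
GENERIC_GREETING = re.compile(r"\bdear\s+(valued\s+)?(customer|member|user)\b", re.I)
CREDENTIAL_ASK = re.compile(
    r"\b(password|social security|credit card|log ?in|sign ?in|verify your account)\b", re.I)
IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _registrable(host):
    # Last two labels is enough for the .com brands used here; a real
    # deployment would use the public suffix list (assumption).
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def analyze(raw_email, brand_domains):
    """Return a list of phishing tells found in one RFC 822 message."""
    msg = message_from_string(raw_email)
    findings = []

    # Tell 1: who the message really comes from, per the From header
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if sender_domain in FREEMAIL:
        findings.append(f"sender uses free-mail domain {sender_domain}")
    elif sender_domain and _registrable(sender_domain) not in brand_domains:
        findings.append(f"sender domain {sender_domain} does not belong to the brand")

    payload = msg.get_payload(decode=True) or b""
    body = payload.decode(msg.get_content_charset() or "utf-8", errors="replace")

    # Tell 2: where the links actually go versus what their text claims
    collector = _LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        host = urlparse(href).hostname or ""
        if IPV4.fullmatch(host):
            findings.append(f"link points to a raw IP address {host}")
        elif _registrable(host) not in brand_domains:
            if any(b in text.lower() for b in brand_domains):
                findings.append(f"link text claims {text} but href goes to {host}")
            else:
                findings.append(f"link points to {host}, not a brand domain")

    # Tells 3 and 4: generic greeting, and a request to log in / hand over data
    plain = re.sub(r"<[^>]+>", " ", body)
    if GENERIC_GREETING.search(plain):
        findings.append("generic greeting instead of the customer's name")
    if CREDENTIAL_ASK.search(plain):
        findings.append("asks the reader to log in or supply sensitive data")
    return findings


# Constructed samples, loosely modelled on the Amazon note in the column above.
# The sender address and the attacker host are fabricated for illustration.
SAMPLE_PHISH = """\
From: "Amazon Payments" <billing-dept@hotmail.com>
To: jane@example.net
Subject: Amazon Payments Billing Issue
Content-Type: text/html; charset=utf-8

<html><body>
<p>Dear Customer,</p>
<p>We noticed unusual activity on your account. Please
<a href="http://amazon-payments-billing.example/login">www.amazon.com/payments</a>
to verify your account and sign in.</p>
<p>After responding, allow at least 72 hours before e-mailing us.</p>
</body></html>
"""

SAMPLE_LEGIT = """\
From: "Amazon.com" <ship-confirm@amazon.com>
To: jane@example.net
Subject: Your order has shipped
Content-Type: text/html; charset=utf-8

<html><body>
<p>Hello Jane Doe,</p>
<p>Your order has shipped. <a href="https://www.amazon.com/your-orders">View your orders</a>.</p>
</body></html>
"""

if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, analyze(sample, {"amazon.com"}))
```

Run it and the phishing sample produces four findings in header-then-body order (free-mail sender, link text claiming amazon.com while the href goes elsewhere, generic greeting, request to sign in) while the legitimate sample produces none. The check deliberately never fetches the link: as the guidelines say, the right response is to type the institution's address yourself, and a scanner that follows the href would tell the phisher which addresses are live.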

Monday, January 02, 2006

Record year for computer insecurity

Known breaches of personal data exposed millions to identity theft

Data breaches disclosed at Marriott International, Ford Motor, ABN Amro Mortgage Group and Sam's Club this month capped what computer experts call the worst year ever for known computer-security breaches.

At least 130 reported breaches exposed more than 55 million Americans to potential ID theft. Security experts warn that wayward personal data, such as Social Security and credit card numbers, could end up in the hands of criminals and feed a growing problem.

An adviser for the Treasury Department's Office of Technical Assistance estimates cybercrime proceeds in 2004 were $105 billion, greater than those of illegal drug sales.

The breaches come at a time when the Department of Homeland Security's research budget for cybersecurity programs was cut 7 percent to $16 million.

ID theft-related bills are stalled in Congress, and data brokers such as ChoicePoint, itself a victim of fraud this year, remain unregulated, "so it is likely that many more serious breaches have gone unreported," said Avivah Litan, a security analyst at Gartner.

Andy Purdy, acting director of the DHS' National Cyber Security Division, said it is working with the private sector and government to build a response system to detect and stop major cyberattacks. "The challenges are significant, but we believe we're making progress," he said.

Sunday, January 01, 2006

Local residents warned of phishing scam

It's called phishing, but it's not fun for consumers who find themselves on the end of the hook. Recently, Jefferson City citizens have been targets of the practice. Relying on fake e-mails, phishing is an Internet scam featuring links to what appears to be a bona fide Central Bank Web site.

Complete with the official-looking dogwood logo, the e-mails warn that online home banking and bill paying services will be deactivated if the customer doesn't respond with the "requested information" soon.

One woman recently was suckered. She reported the loss first to the bank and later to Jefferson City police. "She's gotten it remedied," said Sgt. Robert Clark. But he noted that people have to be careful, because most of these scams originate overseas. "And it's hard to go to Europe to track these people down," he said.

Local police usually forward the scam to federal investigators. "All I can do is urge people, legitimate companies are never going to ask for personal information in an e-mail," Clark said.

"You should call your bank representative if you have questions." That's the same advice given by Dave Westhues, Central Bank's vice president of retail delivery. Westhues said scammers are adept at creating web sites that look exactly like Central Bank's official one. He laments that many banks -- not just Central Bank -- are targeted.

"Typically, the (Web site) is sitting on a server at some business and they don't even know it's there," he said. "We contract with a third party to shut those down, and we can shut them down in less than an hour."

Phishers use pirated e-mail contact lists to harvest potential victims. He said between seven and eight attacks have been stopped this month. Westhues said, when it first started, mainly global companies -- like Bank America, eBay and PayPal -- were targeted. Now, phishers are moving onto mid-sized prey, like Central Bank, which serves a small trade area.

Because the bank is considered "local," people may be more apt to fall for the scam. He said the vast majority of people recognize the scam for what it is, but he added it doesn't hurt to warn customers -- which is why the bank has notified them of the practice in a variety of ways.

Westhues said the bank may send out some e-mail, but they never ask customers to respond. Westhues said the Internet is a safe place to conduct business, but users need to remember three things:

* Never follow a link in an e-mail, particularly to share information the bank already has.

* If you are interested in an e-mail link, close down your e-mail account and type the correct address into the address, or URL, window. "Initiate your own transactions," he said. "Don't follow embedded links in an e-mail."

* Always feel free to call the bank for advice.

"The Internet is a very safe way to do banking," he said. But new technologies can pose problems. "We had these same conversations (about protection) when debit and credit cards first came out," he said.

Analysts Fret as Adware Makers Leverage WMF Flaw - Yahoo! News

Exploits of the WMF (Windows Metafile Format) flaw continued on Thursday as advertising networks took advantage of the vulnerability to spread their "products."

Several security lists and Weblogs warned that the Exfol adware network was presenting coded WMF images on rotating banner ads. Researchers said that sites running pop-up advertisements from the network will infect viewers with vulnerable systems.

"You don't have to go to a crack site or a porn site," observed a posting on the blog of firewall vendor Sunbelt Software USA, of Clearwater, Fla.

"You go to any site that is using rotational popups from a third party ad network that is spawning Exfol popups, you get exploited," the posting continued.


According to a mid-December listing by McAfee Inc., the Exfol adware download adds a toolbar to Internet Explorer as well as a pack of Browser Helper Objects and other code.

Earlier on Thursday, Websense Security Labs reported that thousands of sites were distributing the exploit code from a site called iFrameCASH BUSINESS.

"I fear for the worst here, just because the wrong guys have it," warned Richard M. Smith, a security and privacy consultant based in Boston, referring to the Exfol network exploits. "These guys in the malware-for-profit business will figure out all the different ways they can make a profit off of [the WMF flaw]."

Vulnerable operating systems include a range of Windows Server 2003 editions: Datacenter Edition, Enterprise Edition, Standard Edition and Web Edition. Also at risk are Windows XP Home Edition and Windows XP Professional, making both home users and businesses open to attack.

On Wednesday, Microsoft posted a workaround. However, several security researchers, including Smith, said that more is needed, and quickly.

According to Smith, Microsoft's workaround is inadequate. "We need a quick fix to turn off WMF. The number one thing is that it needs to be turned off in the browser."

However, a Microsoft spokesperson disputed this claim. "The workaround does prevent attempts to exploit this issue through Internet Explorer," the spokesperson said.

"The IE code path for displaying images itself is not vulnerable to this issue and the workaround blocks access to the Windows Fax and Picture Viewer from Internet Explorer. Therefore once the workaround has been applied, IE is not vulnerable by viewing images on a webpage."

Microsoft is also continuing to study the problem.

"While Microsoft is investigating the public postings which seek to utilize specially formed WMF files through IE, the company is looking thoroughly at all instances of WMF handling as part of the investigation," said the spokesperson.

Security Editor Larry Seltzer says that WMF stands for a "Windows Major Foul-Up."

"Microsoft is not aware of any attempts to embed specially formed WMF files in things such as word documents," the spokesperson said. However, the company advised users "to accept files only from [a] trusted source."

F-Secure reported some 57 versions of the malicious .wmf file exploit as of Thursday, dubbed the PFV-Exploit.

Although the exploit has only been used to install spyware or fake anti-spyware/anti-virus software thus far, the security firm anticipated that real viruses using WMF will start to spread soon.
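What the researchers quoted above wanted "turned off" is a specific piece of WMF playback: a META_ESCAPE record whose escape sub-function is SETABORTPROC (0x0009) makes GDI treat the record's data as an abort-procedure callback, and the exploit files simply put code there and arranged for it to be called. That is the bug Microsoft closed with the rushed patch (MS06-001, CVE-2005-4560); its interim workaround unregistered shimgvw.dll, the Picture and Fax Viewer, which is the "blocks access to the Windows Fax and Picture Viewer" the spokesperson describes. Because a legitimate image has no reason to carry that record, a scanner for mail gateways or web proxies can flag it without knowing any of the 57 variants F-Secure counted. The walker below is an added example written for this page, not code from Microsoft, F-Secure, Websense or Sunbelt; the record layout follows the WMF format (optional 22-byte placeable header, 18-byte header, then size-prefixed records), and the three sample files are constructed inline with sixteen zero bytes standing in for the payload, so nothing here is an exploit.

```python
import struct

PLACEABLE_KEY = 0x9AC6CDD7   # optional 22-byte Aldus "placeable" header
META_EOF = 0x0000
META_ESCAPE = 0x0626
SETABORTPROC = 0x0009        # the escape sub-function abused by the exploit files


def _records(data):
    """Yield (offset, function, params) per record; params is None on a bad size."""
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        off = 22
    if len(data) < off + 18:
        raise ValueError("truncated WMF header")
    file_type, header_words = struct.unpack_from("<HH", data, off)
    if file_type not in (1, 2) or header_words != 9:
        raise ValueError("not a WMF header")
    off += header_words * 2
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        if size_words < 3:
            # A record is at least its own size (4 bytes) plus function (2 bytes);
            # anything smaller is malformed and would loop forever if followed.
            yield off, func, None
            return
        yield off, func, data[off + 6: off + size_words * 2]
        if func == META_EOF:
            return
        off += size_words * 2


def scan_wmf(data):
    """Return (offset, description) for every suspicious record in a WMF blob."""
    findings = []
    for off, func, params in _records(data):
        if params is None:
            findings.append((off, "malformed record size"))
            break
        if func == META_ESCAPE and len(params) >= 4:
            escape, nbytes = struct.unpack_from("<HH", params, 0)
            if escape == SETABORTPROC:
                findings.append((off, f"META_ESCAPE SETABORTPROC carrying {nbytes} bytes"))
    return findings


# --- constructed samples for this example (not real malware) ----------------
def _record(func, params=b""):
    if len(params) % 2:
        params += b"\x00"               # records are word-aligned
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def _wmf(records):
    body = b"".join(records) + _record(META_EOF)
    max_words = max(len(r) for r in records + [_record(META_EOF)]) // 2
    # Type=1 (memory), HeaderSize=9 words, Version=0x0300, Size (words),
    # NumberOfObjects=0, MaxRecord (words), NumberOfMembers=0
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0, max_words, 0)
    return header + body


BENIGN_WMF = _wmf([_record(0x020B, struct.pack("<hh", 0, 0))])     # META_SETWINDOWORG only
FAKE_CALLBACK = bytes(16)                                          # stand-in, not shellcode
EXPLOIT_LIKE_WMF = _wmf([_record(
    META_ESCAPE, struct.pack("<HH", SETABORTPROC, len(FAKE_CALLBACK)) + FAKE_CALLBACK)])
PLACEABLE_WMF = struct.pack("<IHhhhhHIH", PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0, 0) + EXPLOIT_LIKE_WMF
MALFORMED_WMF = _wmf([])[:18] + struct.pack("<IH", 0, META_ESCAPE)  # zero-length record

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_WMF), ("exploit-like", EXPLOIT_LIKE_WMF),
                       ("placeable", PLACEABLE_WMF), ("malformed", MALFORMED_WMF)):
        print(name, scan_wmf(blob))
```

Two details matter for a gateway deployment. The scanner keys on the record type, not on file extension or MIME type, because the banner-ad delivery described above served the files as ordinary images and the vulnerable code path is reached by content, not by name. And it stops at the first undersized record rather than skipping it: a record whose size field is too small is itself a sign of a crafted file, and following it would make the walker spin.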