Home/ CIPP Information Privacy & Security News/ Group items matching "networking" in title, tags, annotations or url

Karl Wabst

Deep computer-spying network touched 103 countries - Network World - 0 views

  •  
    A 10-month cyberespionage investigation has found that 1,295 computers in 103 countries and belonging to international institutions have been spied on, with some circumstantial evidence suggesting China may be to blame. The 53-page report, released on Sunday, provides some of the most compelling evidence and detail of the efforts of politically-motivated hackers while raising questions about their ties with government-sanctioned cyberspying operations. It describes a network which researchers have called GhostNet, which primarily uses a malicious software program called gh0st RAT (Remote Access Tool) to steal sensitive documents, control Web cams and completely control infected computers. "GhostNet represents a network of compromised computers resident in high-value political, economic and media locations spread across numerous countries worldwide," said the report, written by analysts with the Information Warfare Monitor, a research project of the SecDev Group, a think tank, and the Munk Center for International Studies at the University of Toronto. "At the time of writing, these organizations are almost certainly oblivious to the compromised situation in which they find themselves." The analysts did say, however, they have no confirmation if the information obtained has ended up being valuable to the hackers or whether it has been commercially sold or passed on as intelligence. Although evidence shows that servers in China were collecting some of the sensitive data, the analysts were cautious about linking the spying to the Chinese government. Rather, China has a fifth of the world's Internet users, which may include hackers that have goals aligning with official Chinese political positions.
Karl Wabst

Bosses and Workers Disagree on Social Network Privacy - Digits - WSJ - 0 views

  •  
    A majority of business executives believe that they have a right to know what their employees are doing on social-networking sites, but most workers say it's none of their bosses' business, according to a new survey by Deloitte. The survey was conducted in April with about 2,000 U.S. adults. Of the 500 respondents with managerial job titles (vice president, CIO, partner, board member, etc.), 299, or 60%, agreed that businesses have a right to know how employees portray themselves or their companies on sites like Facebook and MySpace. But 53% of employee respondents said their profiles are none of their employers' business, and 61% said that they wouldn't change what they were doing online even if their boss was monitoring their activities. That disagreement, says Sharon Allen, chairman of Deloitte's board and the sponsor of the survey, is one that companies need to address, particularly as these sites have become part of younger workers' lives. "It does, in fact, tee up the challenging debate or discussion that needs to take place to try to resolve both of their concerns," she said. Few businesses are having that conversation, according to the survey, though many executives indicated that it was on their minds. When asked what their company's policy was regarding social-networking use, roughly a quarter (26%) of employees said they knew of specific guidelines as to what they could and couldn't post. Similar numbers said their office didn't have a policy or they didn't know if their company had a policy - 23% and 24%, respectively.
Karl Wabst

MediaPost Publications Resonate Networks Blurs the Political Target - 0 views

  •  
    Are you an advertiser looking to target mothers online with children under 12 who are concerned about obesity to promote a healthy snack food? Or people that don't support drilling in the Arctic National Wildlife Refuge but support offshore drilling generally? If so, Resonate Networks -- a new ad network geared to nonprofit, political and corporate advertisers -- promises to serve up just the right audience based on highly targeted, if anonymous, profile data focused on political views and attitudes. "It's really drilling down to people's beliefs and where they stand on issues," said Bryan Gernert, CEO of Alexandria, Va.-based Resonate, a non-partisan company launched by former Republican and Democratic political strategists including Harold Ickes, Bill Clinton's former deputy chief of staff and one of Resonate's investors. Unlike traditional ad networks that target advertising based on a site's content or audience demographics, Resonate combines survey information, online and offline databases and proprietary algorithms to match Web users' political leanings and levels of activism with sites they tend to visit most often. "You can identify Web sites that have a preponderance of people who support certain issues," that go beyond obvious issue-oriented or political sites, said Gernert. He added that Resonate is already working with 500 of about 2,500 sites that correlate strongly with particular issues or audiences with high levels of engagement or influence.
Karl Wabst

Facebook To Roll Out New Privacy Controls To Its 350 Million Users, Kills Regional Networks - washingtonpost.com - 0 views

  •  
    "Facebook CEO Mark Zuckerberg has just written an open letter to Facebook users regarding a privacy overhaul that is due to hit the site in the next few weeks. Soon, users will be able to selectively choose, on a per-post basis, who can see the content they post to the site. Facebook is also going to remove regional networks entirely, largely because some of those networks (like China) consist of millions of users, which makes them useless from a privacy standpoint. If these changes sound familiar, it's because Facebook actually announced them way back in July. Zuckerberg also notes that Facebook now has 350 million users; it has added a whopping 50 million of them in the last two and a half months. Alongside the regional network change, privacy controls will be simplified. As Facebook rolls out the new privacy settings, users will be presented with a page designed to walk them through the new options. Depending on your current privacy level, Facebook will make recommendations, though you'll be able to change them as usual."
Karl Wabst

Two US men charged with running phony Cisco biz * The Register - 0 views

  •  
    "Two Kansas men have been charged with making $1m in proceeds by buying computer networking gear in China and passing it off as products from Cisco Systems. Christopher Myers, 40, and Timothy Weatherly, 27, obtained the networking gear from a variety of sources and then slapped phony Cisco labels on them, according to documents filed in federal court in Kansas City. To give the goods the additional air of legitimacy, they put them in purported Cisco boxes and included counterfeit Cisco manuals. Myers also stands accused of obtaining access to a website containing Cisco's confidential serial numbers, so the men could affix them to the gear they sold. Prosecutors said the men sold the equipment on eBay and on private websites. They were charged with one count of conspiracy, 30 counts of trafficking in counterfeit goods and one count of trafficking in counterfeit labels. The government is seeking forfeiture of $1m in proceeds from the alleged crimes. If convicted, the men also face a maximum of five years in prison and $250,000 in fines. Myers made an initial appearance in court on Thursday. Security experts have warned that counterfeit networking gear could contain back doors that allow spies to conduct industrial espionage on US companies."
Karl Wabst

HIPAA changes force healthcare to improve data flow - 0 views

  •  
    The recent U.S. stimulus bill includes $18 billion to catapult the health industry toward the world of electronic health records. This is sure to light a fire under every hungry security vendor to position itself as the essential product or service necessary to achieve HIPAA compliance. It should also motivate healthcare IT professionals to learn where their sensitive data is located and how it flows. To be sure, with federal money allocated through 2014 for the task of modernizing the healthcare industry there will be many consultant and vendor businesses that will thrive on stimulus money. Healthcare is unique in that storage of electronic health records is highly distributed between primary care physicians, specialist doctors, hospitals, and insurance/HMO organizations. Information has to be efficiently shared among these entities with great sensitivity towards patient privacy and legitimate claims processing. Patients want to prevent overzealous employers from performing unauthorized background checks on medical history; claim processors want to prevent paying fraudulent claims arising from targeted patient identity theft. The bill has two provisions which turn this into a tremendously challenging plan, and a daunting task for securing patient data: * Citizens will have the right to monitor and control use of their own health data. This implies a large centralized identity and access control service, or perhaps a federated network of patient registration directories. Authenticated users will be able to reach into the network of health databases to audit use of their data and payment history. * Health organizations suffering loss of more than 500 patient records must publicly disclose the breach, starting with postings on the government's Health and Human Services website. This allows related organizations to trace the impact of the breach throughout the healthcare network, but care must be taken not to disclose vulnerabilities in the system to intruders
Karl Wabst

Twenty Important Controls for Effective Cyber Defense and FISMA Compliance - 0 views

  •  
    Securing our Nation against cyber attacks has become one of the Nation's highest priorities. To achieve this objective, networks, systems, and the operations teams that support them must vigorously defend against external attacks. Furthermore, for those external attacks that are successful, defenses must be capable of thwarting, detecting, and responding to follow-on attacks on internal networks as attackers spread inside a compromised network. A central tenet of the US Comprehensive National Cybersecurity Initiative (CNCI) is that 'offense must inform defense'. In other words, knowledge of actual attacks that have compromised systems provides the essential foundation on which to construct effective defenses. The US Senate Homeland Security and Government Affairs Committee moved to make this same tenet central to the Federal Information Security Management Act in drafting FISMA 2008.
Karl Wabst

Fannie Mae IT contractor indicted for planting malware; Mortgage giant didn't revoke server privileges | Between the Lines | ZDNet.com - 0 views

  •  
    A former Fannie Mae IT contractor has been indicted for planting a virus that would have nuked the mortgage agency's computers, caused millions of dollars in damages and even shut down operations. How'd this happen? The contractor was terminated, but his server privileges were not. Rajendrasinh Makwana was indicted on Tuesday in the U.S. District Court for Maryland (press report, complaint and indictment PDFs). From early 2006 to Oct. 24, Makwana was a contractor for Fannie Mae. According to the indictment, Makwana allegedly targeted Fannie Mae's network after he was terminated. The goal was to "cause damage to Fannie Mae's computer network by entering malicious code that was intended to execute on January 31, 2009." And given Fannie Mae, along with Freddie Mac, was nationalized in an effort to stabilize the mortgage market, Makwana could have caused a good bit of havoc. Makwana worked at Fannie Mae's data center in Urbana, MD as a Unix engineer as a contractor with a firm called OmniTech. He had root access to all Fannie Mae servers. The tale of Makwana malware bomb plot is a warning shot to all security teams and IT departments. Given the level of layoffs we've seen lately the ranks of disgruntled former employees is likely to grow. Is there any company NOT lopping off a big chunk of its workforce? And some of these workers may even have Makwana's access privileges and knowledge of the corporate network.
Karl Wabst

Browser Add-on Locks out Targeted Advertising - Business Center - PC World - 0 views

  •  
    A Harvard University fellow has developed a browser extension that stops advertising networks from tracking a person's surfing habits, such as search queries and content they view on the Web. The extension, called Targeted Advertising Cookie Opt-Out (TACO), enables its users to opt out of 27 advertising networks that are employing behavioral advertising systems, wrote Christopher Soghoian, who developed it, on his Web site. Soghoian, a fellow at the Berkman Center for Internet and Society at Harvard and a doctoral candidate at Indiana University, modified a browser extension Google released under an Apache 2 open-source license. Google's opt-out plugin for Internet Explorer and Firefox blocks cookies delivered by its Doubleclick advertising network. A cookie is a small data file stored in a browser that can track a variety of information, such as Web sites visited and search queries, and transmit that information back to the entity that placed the cookie in the browser. Google's opt-out plugin comes as the company announced plans last week to target advertisements based on the sites people visit. Targeted advertising is seen as a way for advertisers to more precisely find potential customers as well as for Web site publishers to charge higher advertising rates. But the behavioral advertising technologies have raised concern over how consumers get enrolled in the programs, what data is being tracked and how the data is protected.
Karl Wabst

FCC Looks Ahead to Net Neutrality, Privacy - InternetNews.com - 0 views

  •  
    WASHINGTON -- Few tech policy debates are plumped up with more rhetoric than those concerning Net neutrality and privacy restrictions for advertisers. It should be a noisy year at the Federal Communications Commission. Here at the Cable Show, the annual conference hosted by the National Cable and Telecommunications Association, advisors to the three current commissioners outlined some of the simmering issues that are likely to boil up at the FCC this year, and those two are on the short list. Rick Chessen, acting chief of staff for interim FCC Chairman Michael Copps, said the agency could move toward adding to its Internet policy statement a fifth principle that would explicitly bar ISPs from discriminating against certain traffic on their networks. "The principle would be one of nondiscrimination, but you would recognize the need for reasonable network management," Chessen said. The FCC's broadband principles comprised the policy document that was at the center of last year's action against Comcast, where the agency found that the cable giant had unfairly blocked peer-to-peer traffic on its network without notifying its subscribers it was doing so. The new principle Chessen suggested would seek to clarify the agency's stance against the selective blocking of traffic. Comcast is challenging last year's ruling in a court case where the outcome could broadly shape how Congress proceeds with Net neutrality policy. Rosemary Harold, the legal advisor to Republican Commissioner Robert McDowell, said her boss is more cautious than the two Democrats on the matter.
Karl Wabst

Security book chapter: The Truth About Identity Theft - 0 views

  •  
    The following is an excerpt from the book The Truth About Identity Theft. In this section of Chapter 11: Social Engineering (.pdf), author Jim Stickley explains how easy it really is to hack a password. People often ask me how hard it is to hack a password. In reality, it is rare that I ever need to hack someone's password. Though there are numerous ways to gain passwords on a network and hundreds, if not thousands, of tools available to crack encrypted passwords, in the end I have found that it is far easier to simply ask for them. A perfect example of this type of attack was a medium-sized bank that I was testing recently. The bank's concern was related to the new virtual private network (VPN) capabilities it had rolled out to a number of its staff. The VPN allowed staff to connect directly to their secured network while at home or on the road. There is no doubt that a VPN can increase productivity, but there are some pretty major risks that can come with that convenience. The bank explained that the VPN was tied into its Active Directory server. For people who are not technical, basically this just means that when employees log in via the VPN, they use the same credentials they use to log on to their computer at the office. So I went back to my office, sat down, and picked up the phone. The first call I made was to find out the name of an employee in the IT department. I called the company's main line to the bank, pressed 0, and asked to speak with someone in the IT department. I was asked what I was calling about, so I told the employee I was receiving emails from that bank that seemed malicious. I could have used a number of excuses, but I have found that if you tie in an unhappy customer with a potential security issue, your call gets further up the food chain. In this case, I reached a man who I will call Bill Smith. I made up a story about the email, and after a few minutes, he was able to explain to me that I had called the wrong bank and it was actuall
Karl Wabst

Inside The Year's Biggest Data Breach - Forbes.com - 0 views

  •  
    The U.S. Department of Justice's indictment of Albert Gonzalez on Monday seems to have all the elements of a Hollywood crime drama: A hacker gains access to millions of credit and debit card numbers and has the power to take down a nation. Too bad for Tinseltown, the attack itself was about as sexy as a pile of routers. According to the indictment, Gonzalez, 28, gained a foothold into the systems of credit card processors such as Heartland Payment Systems and retailers like OfficeMax, Barnes & Noble and TJX Cos. using an amateur hacking technique called "wardriving," which uses wireless access points to find vulnerable networks from which to launch attacks. Once connected to those private networks, Gonzalez used a well-known technique called "SQL injection" to trick Web applications into forking over private information that gave him deeper access into networks. Even though it sounds complicated, techies liken this kind of hack to simply turning the front doorknob to get into a house.
Karl Wabst

Algorithm Sought to Analyze Insider Behavior - 0 views

  •  
    The Air Force is seeking an entrepreneurial innovator to develop technology to analyze the conduct of insiders to determine if they pose a threat to government IT systems. In a call for proposals aimed at small businesses, posted on Tuesday, the Air Force is asking outside developers to "define, develop and demonstrate innovative approaches for determining 'good' (approved) versus 'bad' (disallowed/subversive) activities, including insiders and/or malware." For their initial efforts, the Air Force will pay up to $100,000. The proposal says current techniques that monitor illicit activities only address the most blatant violations of policy or the grossest deviations from accepted behavior. Most systems concentrate their resources on repelling attacks at the network borders with little attention devoted to threats that evade detection and/or emanate from within. The proposal states: "As such, there currently exists a great need across the federal, military and private sectors for a viable and robust means to provide near-real-time detection, correlation and attribution of network attacks, by content or pattern, without use of reactive previously-seen signatures. Many times, these trusted entities have detailed knowledge about the currently-installed host and network security systems, and can easily plan their activities to subvert these systems."
Karl Wabst

Facebook Sacrifices Burger King 'Whopper' App - 0 views

  •  
    Burger King's wildly popular Facebook application "Whopper Sacrifice," which rewards you with a free Whopper when you drop 10 friends, has been shut down. Social networking just got healthier. Last week, Burger King announced it was teaming up with social networking powerhouse Facebook for a special promotion: If you removed 10 people from your network of friends, the fast-food company would reward you with a coupon for a free Whopper. The story became an Internet sensation, but it's only now getting meatier. As it turns out, a notification feature on the "Whopper Sacrifice" application that lets your friends know they have been replaced by a shot at a free hamburger violates Facebook's privacy policy. "We encourage creativity from developers and companies using Facebook platform, but we also must ensure that applications follow users' expectations and privacy," the company said in a statement. "After extensive discussions with the developer, we've made some changes to the application's behavior to assure that users' expectations of privacy are maintained. The application remains active on Facebook."
Karl Wabst

U.S. Sued by Privacy Group Over Use of Facebook, Twitter Data - Bloomberg.com - 1 views

  •  
    "The Electronic Frontier Foundation said it sued the Justice Department and other U.S. agencies to get information about their policies for using social networks including Facebook and Twitter in investigations, data collection and surveillance. The civil rights group said in a complaint filed yesterday in federal court in San Francisco that the government has used social-networking sites in conducting investigations and hasn't clarified the scope of that use or whether there are any restrictions or oversight to prevent abuses. The EFF said in its complaint that it is seeking the information to "help inform Congress and the public about the effect of such uses and purposes on citizens' privacy rights and associated legal protections." It cited news articles that reported police searching Facebook photos for evidence of underage drinking and an FBI search of an individual's home after the person sent messages on Twitter during the G-20 Summit notifying protesters of police movements. Facebook, based in Palo Alto, California, is the world's largest social networking site with more than 300 million users who post photos, messages and other information on their own free Facebook pages. Twitter, based in San Francisco, is a free Web service with 58 million users that lets people send 140-character messages, called "tweets," to multiple followers. EFF, also based in San Francisco, filed Freedom of Information Act requests with federal agencies in October. None of the agencies had completed processing the requests by the applicable 20-day deadline, according to the complaint. The lawsuit seeks a court order for the government to process the requests and produce documents."
Karl Wabst

Social Net Privacy Raises Concerns - 0 views

  •  
    NEW YORK With increasing amounts of personal information liable to float around in cyberspace, consumers are deciding whether their data is safe in the hands of some public- and private-sector entities. A BBC World News America/Harris Poll finds a mixed verdict, with social-networking sites faring especially badly. In polling conducted last month, adults were asked to say how much trust they have in various sectors "to handle your personally identified information (such as credit-card information, contact information and so forth) in a properly confidential and secure manner." The poll's best scores went to "health providers, such as doctors and hospitals," with 20 percent of respondents expressing "a great deal of trust" and 55 percent "some trust" in these. Nineteen percent voiced "not much trust" and 7 percent "no trust at all" in this sector. At the bottom of the rankings were "social-networking sites (like Facebook or MySpace)," with 5 percent expressing a great deal of trust and 18 percent some trust in these. Thirty-one percent said they had not much trust and 46 percent no trust at all in these sites to safeguard personal information. (Whether people should direct their distrust to themselves for posting such information there in the first place is a question the survey didn't address.) Respondents were also wary of "search and portal sites (like Google or Yahoo!)" when it comes to keeping personal information secure: Ten percent voiced a great deal of trust, 39 percent some, 29 percent not much and 22 percent no trust at all. Even the federal government fared (slightly) better, with 13 percent expressing a great deal of trust, 41 percent some, 28 percent not much and 18 percent none. The scores were more positive for "banks and brokerage companies": 15 percent a great deal of trust, 43 percent some, 28 percent not much and 13 percent none. That was roughly on a par with the ratings for "my e-mail provider": 14 percent a great deal, 48 percent some, 27 p
Karl Wabst

Chicago Links Street Cameras to Its 911 Network - NYTimes.com - 0 views

  •  
    At first glance, Chicago's latest crime-fighting strategy seems to be plucked from a Hollywood screenplay. Someone sees a thief dipping into a Salvation Army kettle in a crowd of shoppers on State Street and dials 911 from a cellphone. Within seconds, a video image of the caller's location is beamed onto a dispatcher's computer screen. An officer arrives and by police radio is directed to the suspect, whose description and precise location are conveyed by the dispatcher watching the video, leading to a quick arrest. That chain of events actually happened in the Loop in December, said Ray Orozco, the executive director of the Chicago Office of Emergency Management and Communications. "We can now immediately take a look at the crime scene if the 911 caller is in a location within 150 feet of one of our surveillance cameras, even before the first responders arrive," Mr. Orozco said. The technology, a computer-aided dispatch system, was paid for with a $6 million grant from the Department of Homeland Security. It has been in use since a trial run in December. "One of the best tools any big city can have is visual indicators like cameras, which can help save lives," Mr. Orozco said. In addition to the city's camera network, Mr. Orozco said, the new system can also connect to cameras at private sites like tourist attractions, office buildings and university campuses. Twenty private companies have agreed to take part in the program, a spokeswoman for Mr. Orozco said, and 17 more are expected to be added soon. Citing security concerns, the city would not say how many cameras were in the system. Mayor Richard M. Daley said this week that the integrated camera network would enhance regional security as well as fight street crime. Still, opponents of Mr. Daley's use of public surveillance cameras described the new system as a potential Big Brother intrusion on privacy rights. "If a 911 caller reports that someone left a backpack on the sidewalk, wil
Karl Wabst

How to Protect Your Children Online - MSNBC Wire Services - msnbc.com - 0 views

  •  
    Mary Kay Hoal tried everything she could to keep her daughter off of MySpace. She put password locks on the computer and blocked the site. Still, her daughter found ways to log on. Hoal's concerns stemmed from statistics that showed 29,000 registered sex offenders were on MySpace, one out of every five kids are sexually solicited online, and nine out of ten children are exposed to pornography online. When she looked for alternative safe sites for kids, she found none, so she decided to do something about it. The result is www.yoursphere.com, the only social networking site for kids and teens that's backed by the Federal Trade Commission through the site's Privacy Vaults approval. The site's Chief Technology officer worked at the California Department of Justice tracking anonymous online sex offenders, as well as the Megan's Law database. Moreover, it requires verified parental consent for a minor to join. Other features include: -- Requires verifiable parental consent to join -- Confirms the identity of the parent providing consent -- Confirms that the parent or guardian providing consent is not a registered sex offender -- Is exclusively for kids and teens through age 18. -- Exceeds COPPA (Children's Online Privacy Protection Act) and Federal Trade Commission (FTC) guidelines for protecting kids online through our approval by Privacy Vaults Inc. -- Whose policy is "no creepers allowed" -- lurkers are removed and banned. -- No fake profiles. (No one is anonymous on Yoursphere.com) "The bottom line is that we're the only place in the online world that has taken extraordinary measures to help ensure the safety of its members and meets or exceeds standards set by the government," Hoal said. "Our opinion is that if it's a behavior that is illegal, immoral or unacceptable offline, then it's unacceptable online." About Mary Kay Hoal After researching the disturbing la
Karl Wabst

Facebook's Chief Privacy Officer: Balancing Needs of Users with the Business of Social Networks - CIO.com - Business Technology Leadership - 0 views

  •  
    Though Facebook has sometimes been criticized for sacrificing the privacy of its users in order to monetize the service, Chris Kelly, Facebook's chief privacy officer, has presided over the social network's efforts to build out the most sophisticated privacy options in the industry. On a granular level, Facebook users can now control what bits of information they share with each individual friend, group or network. Facebook users have taken notice. According to an annual study by the Ponemon Institute, a privacy research firm, Facebook ranks within the top 20 (15th) most trusted companies for privacy as rated by U.S. consumers. Kelly's job sometimes appears tricky, however. He must ensure that users feel they have control over their information, while weighing that need against Facebook's business model, which relies heavily on a culture of openness and sharing. Here is the full interview CIO conducted with Kelly during our reporting for a special feature on social networks and privacy. Kelly talked about what constitutes Facebook's overall view towards privacy, and how that affects its ability to serve up ads.
Karl Wabst

Twitter used to manage botnet, says security expert - Network World - 0 views

  •  
    A security researcher has found that hackers are using Twitter as a means to distribute instructions to a network of compromised computers, known as a botnet. The traditional way of managing botnets is using IRC, but botnet owners are continuously working on finding new ways of keeping their networks up and running, and Twitter seems to be the latest trick.