Subject: Aust computer crime impact down, says survey -
msg#00051

List: security.attrition.infosec-news


http://www.zdnet.com.au/news/security/0,2000061744,39193086,00.htm

By Munir Kotadia
ZDNet Australia
23 May 2005

The impact of computer crime and security incidents on organisations
has decreased over the past year, but the fight against malware and
hackers is far from over, according to the Australian Computer Crime
and Security Survey 2005.

Only 35 percent of the 540 organisations which responded to the survey
this year said the confidentiality, integrity or availability of their
networks had been affected by an electronic attack, down from 49
percent of respondents in 2004 and 42 percent in 2003.

Kevin Zuccato, director of the Australian High Tech Crime Centre
(AHTCC), told ZDNet Australia the survey -- released today --
revealed that although the overall number of attacks had risen,
companies had improved their network defences.

"The Internet is generally a more dangerous place to be, but people
that put the effort in and put defences in place have screened the bad
activity from impacting on their enterprises. These are incidents that
have got through and not necessarily representative of the incidents
that might be occurring outside. Big businesses are getting the message
-- they are harder targets than they were a year or two ago," said
Zuccato.

Graham Ingram, general manager of AusCERT, said more organisations
seemed to be getting the basics right, but they still paid a high
price when the defences fail.

"Knowing there are easy things to do -- such as block a certain port
-- has helped. A lot of the high impact stuff has been filtered out.
However if [the malware] gets in, it is pretty nasty because the
payloads are becoming more aggressive," said Ingram.

Neil Campbell, a former law enforcement officer who is now the
national security manager of IT services company Dimension Data, said
he was not surprised that companies were being affected less by attacks,
as they now had years of experience of being under fire.

"Between 2001 and 2003 was the period of the worm and virus -- we
really saw some massive infections and that had a huge impact. It
increased the level of awareness and preparedness," said Campbell, who
also praised Microsoft for strengthening Windows security: "There was
a massive effort by Microsoft in particular who increased the security
of its operating system. An increased focus on perimeter, desktop and
layered security has led to this improvement."

Infection by viruses, worms and Trojans was the most common form of
attack reported, affecting 64 percent of respondents. However, this
figure had fallen from 88 percent in 2004 and 80 percent in 2003.

Denial of service (DoS) attacks -- where an organisation's Web site or
server is inundated with requests to the point where it slows to a crawl
or is knocked offline -- were the most costly. Fourteen percent of
respondents reported experiencing such attacks and suffering financial
losses as a result, with those losses accounting for more than half
(53 percent) of the total losses reported by survey respondents. The
survey did note, however, that this figure was skewed by one
organisation which reported losses of AU$8 million as a result of DoS
attacks.

The AHTCC's Zuccato said botnets of compromised or zombie personal
computers were increasingly being used to extort money from online
businesses.

"Botnets are being used to do distributed DoS attacks. Extortion is
one of the concerns that is no longer on the horizon -- it is with us
now. In the UK, extortion with threats to undertake DDoS attacks is
par for the course -- the online bookmakers are being hit," said
Zuccato.

Only seven percent of survey respondents thought they were managing
their security issues 'reasonably well'. This has increased compared
to last year (five percent) but fallen from 11 percent in 2003 -- the
same year as the Blaster and Slammer attacks.

Dimension Data's Campbell said the phase of high profile malware
attacks was a 'call to action' and led to significant improvements in
overall security.

"IT security is no different to physical security in that over time,
in the absence of incidents, security tends to ease up or if it was
never there it does not tend to be put in place. In previous years
there have been some fantastic weapons developed by the bad guys and
now the good guys have developed some great countermeasures," said
Campbell.

Apart from improvements in technology, the 'call to action' has also
increased the number of companies adopting formal security standards.
According to the survey, 65 percent of organisations now follow or use
established standards such as AS 7799, Specification for Information
Security Management System, and ISO 17799:2001, Code of Practice for
Information Security Management. This compares with 58 percent last
year and 37 percent in 2003.

AusCERT's Ingram said adherence to security standards has had a
positive impact on the corporate world.

"It is hard to reliably talk about cause and effect, but there is a
positive indicator that with better adherence to computer security
policies, practices and technologies, you are going to make an impact
in reducing the level of exposure to incidences," said Ingram.

According to Dimension Data's Campbell, overall security has improved
but he expects malware writers and hackers to continue innovating and
finding new ways to compromise security.

"We have seen organisations spur themselves and move to improve
security but you have to accept that security in any domain is
generally an arms race. You certainly cannot say we have hit the worst
of it and now it will all improve from here," he added.



_________________________________________
InfoSec News v2.0 - Coming Soon!
http://www.infosecnews.org



