Our society’s infrastructure can no longer function without computers and networks. The sum of the world’s networked computers is a rapidly increasing force multiplier. Today’s businesses are becoming heavily dependent on technology for integration, productivity and organizational scalability.
Data is an increasing fraction of total corporate wealth and needs to remain secure while ensuring confidentiality, availability and integrity.
Increasingly, organizations require communications to provide rapid and agile collaboration, information sharing, and connectivity to data sources. Technology enables employees and partners to work and access systems anywhere, anytime, but that same availability places systems at increased risk. The protection of digital assets during transport and at rest on storage devices is essential to the life cycle of information, as it transcends the border of physical and logical controls.
The world of security is becoming more complex and threatening every day. This increasing complexity embeds dependencies in a manner that may diminish the frequency of surprises; however, the surprises will be all the more unexpected when they inevitably occur.
Security is becoming a means and not an end; modern protection strategies are quickly shifting toward risk absorption rather than risk avoidance. Service-oriented architectures and Web 2.0 technologies are fueling the internet revolution while at the same time rapidly deteriorating the security situation. That deterioration compounds when nearly all individuals and businesses are establishing dependencies on computer and communications systems. It is thus obvious that increasing dependence means ever more difficulty in crafting protections against known and unknown threats to systems.…
Hackers broke into the industrial control system of a New Jersey air conditioning company earlier this year, using a backdoor vulnerability in the system, according to an FBI memo made public this week.
The intruders first breached the company’s ICS network through a backdoor in its Niagara AX ICS system, made by Tridium. This gave them access to the mechanism controlling the company’s own heating and air conditioning, according to a memo prepared by the FBI’s office in Newark (.pdf), which was published on Saturday by the website Public Intelligence. News about the memo was first reported by Ars Technica.
The breach occurred in February and March of this year, several weeks after someone using the Twitter moniker @ntisec posted a message online indicating that hackers were targeting SCADA systems, and that something had to be done to address SCADA vulnerabilities.
The individual had used the Shodan search engine to locate Tridium Niagara systems that were connected to the internet and posted a list of URLs for the systems online. One of the IP addresses posted led to the New Jersey company’s heating and air conditioning control system.
The company used the Niagara system not only for its own HVAC system, but also installed it for customers, which included banking institutions and other commercial entities, the memo noted. An IT contractor who worked for the company told the FBI that the company had installed its own control system directly connected to the internet with no firewall in place to protect it.…
Dexter Malware (POS Systems Attack)
In an article titled “Dexter – Draining blood out of Point of Sales”, the Israel-based security firm Seculert identified malware programmed to attack POS systems. Targeting POS systems appears to help attackers extract card data from aggregation points rather than targeting end-user machines or physically installing a skimmer.
Dexter has reportedly targeted systems in 40 countries over the past 2-3 months.
According to SpiderLabs, a team of ethical hackers working for security-software analysis firm Trustwave, Dexter has an unusual nature. SpiderLabs blogger Josh Grunzweig noted: “I can’t remember the last time I saw a piece of malware that targeted Point of Sale systems that had a nice C&C structure to it.”
Bank fraud has evolved into a billion-dollar industry worldwide, and Dexter is just another example of how attackers are choosing the targets with the most lucrative cyber bounty.…
During the holidays cybercriminals kept themselves busy, hacking websites and stealing all the data they could find. South African Postbank, a financial institution owned by SA Post Office, is one of the victims.
South African bank Postbank was robbed of $6.7 million earlier this month. But the thieves didn’t need masks and guns to pull off the job — just computers.
To pull off the heist, the hackers created a backdoor into one of the bank’s computers. From that hacked computer, they were able to access the rest of the network and issue the commands to distribute the $6.7 million to different accounts owned by the thieves. Those accounts were promptly emptied via ATM visits. Preliminary reports revealed that the cybercrime ring responsible for the theft opened a number of Postbank accounts all across the country and then, in the period between January 1 and January 3, they managed to access a Post Office employee’s computer from where they deposited money from other accounts into their own.
Since the crime didn’t raise any red flags with its automated fraud-detection programs, bank employees failed to notice the money was missing until the bank re-opened after the New Year’s holiday.
The irony is that 3 years ago the institution invested a large amount of money in their anti-fraud systems. However, as we can clearly see, anti-fraud systems aren’t worth much if the company doesn’t have a strict policy for the way their employees handle computers.
If the reports are true, then it is very likely that an employee with privileged rights fell victim to a scam email designed to spread a malicious Trojan.…
A hacker facing trial on charges that he and a cohort conspired to break into an AT&T Web site for 3G iPad users told CNET today that he will fight the charges “to the end.”
Andrew “Escher” Auernheimer, 26, was indicted several months ago on one count of conspiracy to gain unauthorized access to computers and one count of identity theft. He faces up to 10 years in prison and $500,000 in fines. Co-defendant Daniel Spitler pleaded guilty in June and a judge put the case on hold, reportedly because of plea negotiations.
But Auernheimer, whose hacker handle is “weev,” says he’s not going to cop a plea.
“I did not fold the two previous times when the FBI tried to frame me as a terrorist” for allegedly calling in a bomb threat to a synagogue, which he denies, he said in an e-mail. “I will not fold now when they try to libel me as a thief. My indictment conveys a message that I am some sort of identity thief.”
In a follow-up phone interview, Auernheimer said he has done “nothing ethically wrong” and is being persecuted for “telling the truth” by exposing a security hole in AT&T’s Web site that was leaking e-mail addresses and unique device numbers for about 120,000 3G iPad users last year, including government and high-profile corporate customers.
“I contend there is no crime in telling the truth or using AT&T’s, or anybody’s, publicly accessible data, to cite it to talk about how they made people’s data public,” he said.…