27 December 2002 - ID Thief Turns Extortionist
An identity thief tried to use a California woman's on-line accounts
to steal money, but she thwarted the majority of his efforts.
The thief then tried to extort money from the woman, offering
to disclose his methods and provide advice on protecting her information
for $400. When his offer was ignored, he reportedly became belligerent,
threatening harassment and making clear he knew personal details
about her life. Cyberstalking laws exist in most states, and people
should report such events to law enforcement officials. http://www.msnbc.com/news/851175.asp?0cv=CB10
24
December 2002 - Stolen DoD Contractor Computer Equipment Contains
Personal Data
Thieves stole notebook computers and server hard drives from the
office of a Defense Department health care service contractor
in Phoenix, AZ. The stolen items contained personal data about
beneficiaries; the contractor is providing the beneficiaries with
information about protecting their personal information. The FBI
is involved in the investigation, along with the Defense Criminal
Investigative Service and local police. http://www.gcn.com/vol1_no1/daily-updates/20735-1.html
12
December 2002 - Prestige Worm
The Prestige worm arrives as an attachment purporting to be pictures
of the Prestige oil tanker disaster off the Spanish coast. The
worm is in an .exe file included in the .zip attachment. If the
attachment is executed, a Spanish message asks users if they want
to install an application to view the pictures; if they click
their approval, an error message tells them the application could
not be installed, and behind the scenes, the worm is doing its
work. Prestige self replicates through Outlook address books and
IRC programs, changes files in the Windows system directory and
replaces and renames the regedit.exe file. http://www.net-security.org/virus_news.php?id=142
12
December 2002 - Purloined e-Mail Message Spells Trouble
The editor of Durban's (South Africa) Independent newspaper has
found himself in the hot seat after a cracker broke into the newspaper's
e-mail system and sent around an e-mail from the editor to the
paper's managing director. In the e-mail message, the editor had
listed a number of senior staff who he felt should be ousted from
their positions. The editor is on leave indefinitely.
- web stories removed by source -
11
December 2002 - eBa y Warns Customers of Phony Site Scam
Some eBay customers received e-mail messages informing them there
were billing problems with their accounts and pointing them to
a phony site that tried to collect their credit card information.
The site has since been taken off line. eBay has warned its customers
about the scam.
- web stories removed by source -
5
December 2002 - Sophos Malware Statistics for 2002
Sophos has published statistics for the most frequently reported
malware during 2002. Top three were Klez, followed by Bugbear
and Badtrans. http://www.computerworld.com/securitytopics/security/virus/story/0,10801,76408,00.html
http://www.sophos.com/pressoffice/pressrel/uk/20021204yeartopten.html
3
December 2002 - Texas Academic Hospitals' Security Found Wanting
The Texas State Auditor's Office has found that weak security
for computer systems at the state's academic hospitals could allow
medical data to be accessed and altered and further, cyber intruders
could disrupt systems that underlie healthcare at the facilities.
The report did not detail the vulnerabilities, but the auditor's
office did inform the various affected facilities. http://www.gcn.com/vol1_no1/daily-updates/20580-1.html
29
November 2002 - Phreakers Manipulate Voice Mail Systems
Phone phreakers figured out how to break into a certain brand
of voice mail systems and reconfigure them to create new mailboxes
from which they could make long distance calls. Businesses across
the country have been affected by the problem.
- web stories removed by source -
26
November 2002 - CIO Tech Poll Indicates Security Spending Will
Increase in 2003
According to a poll conducted by CIO Magazine, CIOs plan to focus
spending in 2003 on security and B2B2C initiatives. IT budgets
are expected to increase 5.1% over the next year; more than half
of the 301 CIOs polled said they planned to increase their security
spending in the next year.
http://www2.cio.com/techpoll/1202_techreport.html
13
November 2002 - Security Awareness, Inc. Client Receives Praise
From Government Report
The Bureau of Public Debt, who uses SAI awareness training materials,
received praise for their security policies and awareness program
in a recent report from the Treasury's Office of the Inspector
General. http://www.govexec.com/dailyfed/1102/111202a1.htm
18
November 2002 - Homeland Security Gets Green Light
The Senate this week approved a massive, controversial Department
of Homeland Security bill that includes tougher prison sentences
for computer criminals who compromise or damage critical computing
systems. It also bans spyware in banner ads used to monitor browser
activities. The Senate approved the bill 90-9 after a month of
debate. It now goes to President George W. Bush for his signature.
- web stories removed by source -
13
November 2002 - Beware Malware Disguised As Error E-mail
An e-mail message designed to look like a "bounced back"
may actually be malware that drops a Trojan horse in the computers
of users who take the bait and open the attachment. The message
arrives with a return address prefix MAILER-DAEMON and subject
line "FAILURE NOTICE." The text encourages recipients
to open an attachment called mail.hta. Those who do are greeted
by a spam-like ad that also drops a Trojan program that links
to a defunct Web site. Because of the social engineering, some
AV vendors say the potential for infection is rising. Security
vendors advise consumers and enterprises to block attachments
with .hta extensions. - web stories removed by source -
13
November 2002 - e-Card Tricks Recipients into Accepting License
Terms
An electronic greeting card created by a Panama-based company
tricks recipients into downloading an application that sends e-cards
to everyone in the Outlook address book. The company manages to
make such activity legal by the simple fact that users have accepted
the terms of a license agreement.
http://news.com.com/2100-1001-965570.html
11 November 2002 - CA Law Requires Reporting of Certain Security
Breaches
California has passed a law requiring State agencies and private
businesses to report cyber security breaches that may have compromised
confidential information. As of July 1, 2003, those who fail to
comply with the law face civil or class action suits.
http://www.businessweek.com/technology/content/nov2002/tc20021111_2402.htm
7
November 2002 - Michigan Man Pleads Guilty to Stealing Files from
Former Employer
Gregg Wysocki of Rochester Hills, Michigan has pleaded guilty
to criminal computer intrusion. Wysocki could receive a prison
sentence of up to five years and be ordered to pay a $10,000 fine
for stealing files from his previous employer and using the information
they contained to get a job with a competitor.
http://www.usatoday.com/tech/news/2002-11-07-computer-intrusion_x.htm
5
November 2002 - Phone Phreakers Rack Up $11,000 Bill in Ohio
Hackers guessed an Ohio woman's voice mail password, and recorded
a message that would sound to operators as if someone were accepting
charges for a collect call so that they could use her line to
make lengthy international calls. Her one-month phone bill was
nearly $11,000, that she did not have to pay. People should choose
voice mail passwords that are hard to guess and should change
them frequently; they should also consider blocking or limiting
access to international calls. http://www.ohio.com/mld/ohio/news/local/4446396.htm
5
November 2002 Cyber Sabotage Stories
Examples of insider (or former insider) cyber sabotage include
a terminated temporary employee crashing servers which irretrievably
deleted all the data and an employee sabotaging product performance
test results. - web stories removed by source -
4
November 2002 - Fraudulent Job Posting Used for Identity Theft
Fraudulent job postings on Monster.com have been used to harvest
information that could be used to steal applicants' identities.
Monster.com's FAQ section advises applicants not to provide social
security credit card or bank account numbers to prospective employers.
http://www.msnbc.com/news/830411.asp?0dm=B21AT
4
November 2002 - East Palo Alto Phone Phreaking
Hackers apparently broke into East Palo Alto (CA) City Hall phone
system and used it to make $30,000 worth of calls to the Philippines.
AT&T and East Palo Alto are at odds over who is responsible
for the bill. http://www.bayarea.com/mld/mercurynews/news/local/4439758.htm
1
November 2002 - Linksys Router Vulnerable to DoS
The Linksys BEFSR41 EtherFast Cable/DSL Router with 4-Port Switch
with firmware earlier than version 1.42.7 is vulnerable to an
easily launched denial of service (DoS) attack that could crash
the router. Firmware 1.43 addresses the vulnerability. (Webmaster
note: This story has been included bacause of the popularity of
this router with home users.) http://www.eweek.com/article2/0,3959,663801,00.asp
17
& 18 October 2002 - Yahoo Customers Tricked into Exposing
Personal Data
Some Yahoo customers were duped by a fraudulent e-mail into supplying
their credit card and Yahoo account information. Yahoo sent a
mass mailing to its customers advising them not to heed the phony
request. - web stories removed by source -
15,
16 & 18 - October 2002 Pop-Up Spam
A company called DirectAdvertiser offers a tool which exploits
Microsoft Messenger to send "anonymous and untraceable"
pop-up ads to ranges of IP addresses. The Messenger service was
designed for administrator use in contacting network users. Messenger
is enabled by default in most versions of Windows. http://www.wired.com/news/technology/0,1282,55795,00.html
8 & 21 October 2002 - Navy Computers Missing
According to an internal Navy report, the Pacific Fleet cannot
account for 595 computers; a spokesman later said that number
has been reduced to 187. Some of the missing computers contain
classified information. All of the computers have removable hard
drives. http://news.com.com/2100-1001-962664.html
http://www.computerworld.com/securitytopics/security/story/0,10801,75295,00.html
3 October 2002 - Man Pleads Guilty to Identity Fraud
Abraham Abdallah pleaded guilty to attempting to steal the identities
of wealthy Americans and steal money from their bank accounts.
- web stories removed by source -
2
October 2002 - CD-ROMs for UN Inspectors Contained Viruses
UN inspectors in Vienna were given four CD-ROMs of reports
from an Iraqi official; the disks also contained computer viruses.
The viruses were fairly common, leading to speculation that their
appearance on the disks was not intentional, but the result of
inadequate antivirus software. American companies are prohibited
from exporting their products to Iraq under the current US embargo.
http://www.siliconvalley.com/mld/siliconvalley/4201505.htm
30
September 2002 - Virus Masquerades As Microsoft Patch
A virus is circulating on the Internet in the guise of a Microsoft
security patch. The virus is in an .exe attachment, which the
text of the e-mail advises users to run. http://www.nwfusion.com/news/2002/0930msvirus.html
19
September 2002 - Disgruntled Former Employee Gets Prison Sentence
for Erasing Company Data
A UK computer engineer who botched a job went back into the
company's computer system and wiped out their data after the company
refused to pay his bill; Stephen Carey had altered the company's
computer system so he could access the database from home. Police
who seized the man's home computer found that the time the files
were destroyed matched the time his home computer was connected
to the company's. Carey received an 18-month prison sentence for
unauthorized modification of computer material. - web stories
removed by source -
17
September 2002 - Home Users Know the Drill but Don't Abide By
It
The recently released draft of the National Strategy to Secure
Cyberspace recommends that home users deploy firewalls, use regularly
updated anti-virus software, create strong passwords, install
all necessary patches and use common sense about e-mail and downloads.
Though these pieces of advice are well-known, many home users
do not adhere to them. http://www.washingtonpost.com/wp-dyn/articles/A30681-2002Sep17.html
9
September 2002 - Venezuelan CD Pirates Sold Confidential Data
Two people have been arrested in Caracas, Venezuela for their
roles in a CD piracy trade that included confidential phone company
records and police files.
- web stories removed by source -
7
September 2002 - City Employee Opens Hard Drive to Kazaa Network
An Aspen, Colorado city employee who had installed Kazaa peer-to-peer
file sharing software on his work computer inadvertently made
his entire hard drive available to the network. The problem was
discovered by Canadian Kazaa member James Pocock, who e-mailed
the employee as well as the city's mayor and police chief about
the information he'd been able to view. The city has changed passwords
and installed a new firewall.
- web stories removed by source -
4
September 2002 - Mitnick Describes Social Engineering Tactics
Kevin Mitnick describes how companies leave themselves vulnerable
to socially engineered cyber attacks: corporate culture and terrain
can be discerned by examining documents found in trash cans, and
help desk personnel are often easily tricked into handing over
login names and passwords over the phone. Furthermore, if CEOs
make a habit of ignoring security policies and procedures when
they want a task accomplished quickly, this too can be exploited.
http://www.infoconomy.com/pages/news-and-gossip/group66338.adp
26
August 2002 - Woman Pleads Guilty to Importing Phony Software
A woman in Los Angeles has pleaded no contest to charges of importing
almost $75 million worth of counterfeit software. Lisa Chen will
receive a sentence of between five and nine years in federal prison
and pay restitution to Microsoft and Symantec. Chen and three
other people were arrested after an 18-month investigation; the
others' cases are pending in federal court. This is apparently
the largest seizure of counterfeit software ever in the United
States.
http://www.siliconvalley.com/mld/siliconvalley/3943489.htm
26
August 2002 - VA Revamps Computer Disposal Policy
129 computers from the Department of Veterans Affairs (VA)
that contained sensitive information such as health records and
government credit card numbers were given away in Indianapolis.
The VA is revising its computer disposal policy. The VA's CIO
says the agency will buy an enterprise license for software that
will erase data from hard drives and will develop and establish
a qualification and certification program for all VA ISOs.
http://www.fcw.com/fcw/articles/2002/0826/news-va-08-26-02.asp
23
August 2002 - Liquidated Computers Harbor Sensitive Data
Two used computers bought from a liquidation firm on the Internet
turned out to contain quantities of sensitive information from
the businesses that originally owned them. The author suggests
running a magnet over hard drives before the computers are sold
and instituting legal action against those who expose others'
personal information by allowing it out with discarded computers.
http://www.linuxjournal.com/article.php?sid=6286
22
August 2002 - Microsoft Office and Internet Explorer Holes
Critical security holes In Microsoft's Office suite and Internet
Explorer could allow attackers to run programs on vulnerable computers,
possible reading files or even crashing machines. Microsoft has
made a patch for the vulnerability available.
- web stories removed by source -
15
& 16 August 2002 - IRS Can't Account for Computers Lent to
Volunteers
According to an audit report from the Office of the Treasury InspectorGeneral
for Tax Administration, the Internal Revenue Service (IRS) cannot
account for some portion of 6,600 computers it lent to volunteers
to help prepare returns for low income, disabled and senior citizens.
Earlier this year, the Inspector General found 2,300 computers
missing from other areas of the IRS. The missing machines may
contain sensitive taxpayer data.
http://www.govexec.com/dailyfed/0802/081502t1.htm
http://www.washingtonpost.com/wp-dyn/articles/A24030-2002Aug15.html
15
August 2002 - Variety of Anti-Virus Products Proves Helpful to
Scottish Bank
The Halifax/Bank of Scotland uses different anti-virus products
at each layer of its IT infrastructure, a strategy it says has
reduced the number of virus incidents in its systems by a factor
of 10, from 3,000 to 300 a month. http://www.vnunet.com/News/1134385
8
August 2002 - Missing US Military Laptops Found
Two laptop computers were reportedly missing from a US military
command center in Florida; that center is responsible for coordinating
US
military efforts in Afghanistan. One reportedly contains sensitive
data. The two missing laptops have been recovered after a member
of the
military confessed to having them. The motive for the theft was
not espionage, according to a spokesman for the Air Force's Office
of Special Investigations.
http://www.usatoday.com/news/nation/2002-08-09-laptops_x.htm
7
August 2002 - Australian Students Pay to Have Grades Deleted
The Independent Commission Against Corruption (ICAC) found that
eleven students at the University of Technology, Sydney (UTS)
paid a student liaison officer to delete their failing marks from
the University's computer system. An ICAC commissioner said a
survey of New South Wales's 10 public universities indicated that
all were vulnerable to computer record tampering. http://www.smh.com.au/articles/2002/08/06/1028157935947.html
6
August 2002 - Information About Japanese Defense Agency Network
Leaked
Fujitsu, the company that created a network for Japan's Defense
Agency, says information about the network may have been leaked
to outsiders. In June, a group of men attempted to extort money
from the company for the return of network diagrams and other
information useful to hackers.
- web stories removed by source -
5
& 6 August 2002 - 400 Laptops Missing at Department of Justice
An investigation conducted by the Office of The Inspector General
of the Department of Justice revealed that they have lost track
of 400 laptop computers, some of which may contain sensitive law
enforcement or national security information. The investigation
also showed that close to 800 weapons were unaccounted for. It
has been nearly ten years since the FBI's last complete inventory
of laptops and weapons; the FBI is responsible for 371 of the
missing laptops. Recommendations include using bar codes and scanning
devices, implementing more stringent requirements for reporting
lost laptops and revising the guidelines that govern getting property
back from erstwhile employees.
http://www.wired.com/news/politics/0,1283,54343,00.html
http://www.fcw.com/fcw/articles/2002/0805/web-doj-08-06-02.asp
http://zdnet.com.com/2100-1103-948595.html
5
August 2002 -Former DEA Agent Pleads Guilty in Data Selling Case
Former US Drug Enforcement Administration Agent Emilio Calatayud
has pleaded guilty to selling DEA information to LA private investigation
firms. In a plea agreement, Calatayud admitted to stealing the
data from federal databases including the FBI's National Crime
Information Center (NCIC), and the California Law Enforcement
Telecommunications System (CLETS); he received more than $22,000
in exchange for the information. Calatayud faces between one and
two years in custody for his crimes. http://online.securityfocus.com/news/562
[SANS Editor's Note (Ranum: A violation of the public trust in
the US: 1-2 years. A $360 stolen credit card transaction in Indonesia:
up to 11 years. No wonder we have so many problems like this.]
31
July 2002 - Surnova-B Worm Targets Kazaa Users
The Surnova-B worm has appeared on the Kazaa filesharing network
as a file purporting to be Star Ward episode two and nude pictures
of Britney Spears. The worm creates more false files for other
users to download (mistakenly). Infected computers that are running
MSN Instant Messenger could also send the virus to their contact
list. - web stories removed by source -
31
July & 1 August 2002 - Virus Count Down; Klez Still on Top
Central Command, an antivirus company, says its numbers of tracked
viruses were lower on July than in June, though the company is
not sure what is responsible for the decrease. The Klez virus
is still topping the charts at a number of antivirus firms. http://zdnet.com.com/2100-1105-947608.html
29
July 2002 - Hacker Says Activity was Unethical, Not Illegal
Robert Starks admits he intercepted sensitive e-mail from his
former employer's systems and posted it on his web site. He maintains
that he used his access privileges as system administrator to
obtain the e-mail and therefore did nothing illegal. - web
stories removed by source -
25
July 2002 - Employees Fired in Grade Altering Scheme at Florida
School
Three students have been expelled and two employees fired from
Florida Memorial College for their involvement in a grade-altering
scheme. Insiders in the registrar's office allegedly used their
valid passwords to access and significantly change students' grades
in exchange for money. An additional 69 people face disciplinary
action. The scheme was discovered during a routine grade audit
held in May. http://www.miami.com/mld/miamiherald/news/local/3728808.htm
25
& 26 July 2002 - Princeton Admissions Dean Charged with Hacking
Yale Admissions Site
Princeton University associate dean of admissions Stephen LeMenager
has been placed on administrative leave after evidence surfaced
that computers there were used to log in to a Yale University
admissions website without authorization. LeMenager maintains
he was merely testing the security of the site, which allows Yale
applicants to find out whether or not they have been accepted;
birthdates and social security numbers are used as authentication
tools. The site
was apparently accessed from a variety of computers. The FBI is
assessing the situation to determine if federal charges are applicable.
http://www.cnn.com/2002/US/07/25/yale.princeton/index.html
15
July 2002 - IT Professionals Enumerate Their Security Gripes
A survey of more than 1200 security professionals, including system
administrators, consultants and auditors yielded a list of their
security frustrations. Topping the list are bosses who won't provide
an adequate budget and who undermine initiatives, and who ignore
simple precautions by taping passwords to monitors, failing to
update anti-virus software and clicking on attachments of unknown
origin.
- web stories removed by source -
15
July 2002 - House Overwhelmingly Approves CSEA
By a vote of 385-3, the House of representatives approved the
Cyber Security Enhancement Act (CSEA), which provides for life
sentences for people convicted of malicious cyber crimes. The
bill now heads to the Senate. http://news.com.com/2100-1040-944023.html
12
July 2002 - Will Home Appliances Be the Next Target For Viruses?
Virus expert Eugene Kaspersky warns that embedded computers in
home appliances provide an appealing target for virus writers
because they will have a common operating system and millions
of potential victims. http://zdnet.com.com/2100-1103-943408.html
10
July 2002 - British ISPs Have Two Weeks to Set Up Tracking Systems
The British Home Office is requiring that Internet Service Providers
(ISPs) in the United Kingdom intercept and store electronic communications
such as faxes, e-mails, and Web surfing information in an effort
to curb organized crime and terrorism. The new Regulation of Investigatory
Powers Act (RIPA), which goes into effect on August 1, exempts
ISPs with fewer than 10,000 customers. http://news.zdnet.co.uk/story/0,,t269-s2118894,00.html
10
July 2002 - Two Men Arrested in Brazil for ATM Hack
Brazilian police have arrested two men - an electrician and an
IT specialist - who allegedly installed a device inside ATMs to
gather card numbers and placed digital cameras outside the machines
to capture the corresponding PIN numbers. http://www.vnunet.com/News/1133401
5
July 2002 - Virus Traced to Temp Worker
A temporary agency worker at the Aberdeen (Scotland) city council
was fired for allegedly allowing the Metrion-B virus to infect
the computer system. The virus infects executables and overwrites
batch and HTML files. An estimated 200 PCs were infected, and
the Council shut down its entire computer system to avoid any
further infection. Police are exploring the possibility that the
virus, which does not spread through e-mail, was deliberately
introduced.
http://www.theregister.co.uk/content/56/26067.html
3
July 2002 - DEA Agent Accused of Selling Law Enforcement Data
A former US Drug Enforcement Administration (DEA) agent who skipped
bail was found in Mexico and sent back to Los Angeles to face
a number of charges, including violating the Computer Fraud and
Abuse Act. Emilio Calatayud allegedly sold information from three
law enforcement databases, including the FBI's National Crime
Information Center (NCIC), the California Law Enforcement Telecommunications
System (CLETS) and the DEA's Narcotics and Dangerous Drug Information
System (NADDIS). The case underscores the problem of law enforcement
data being too easily accessible.
http://online.securityfocus.com/news/510
1
July 2002 - Attacks on Power Companies Growing
Power companies are increasingly being targeted by hackers, according
to data gathered by RipTech. FBI spokespersons expressed concern.
http://www.cbsnews.com/stories/2002/07/08/tech/main514426.shtml
18
& 20 June 2002 - University Computers Compromised
The Secret Service is investigating the possibility that students
at universities in Texas, Arizona, Florida and California were
monitored by surreptitiously installed software designed to capture
passwords and credit card numbers. Nearly 20 hard drives were
removed from computers at Arizona State University.
http://news.com.com/2100-1001-938126.html - web stories removed
by source -
14
June 2002 - Former Employee Allegedly Broke Into Boss's Computer
Account
Wendy Sholds has been charged with two counts of unauthorized
access to a computer system. The Massachusetts woman allegedly
broke into her former boss's computer and forwarded confidential
e-mail to other employees. Sholds also allegedly used the boss's
username and password to view private information on the company
web site. The charges are currently designated misdemeanors and
carry a 30-day sentence. Pending legislation would increase the
penalties considerably. http://www.computerworld.com/securitytopics/security/cybercrime/story/0,10801,71972,00.html
13
June 2002 - Internet Piracy Ring Members Face Charges
Twenty-one people face charges for their roles in a piracy ring
that dealt in software, computer games and movies. If found guilty
of conspiracy to commit copyright infringement, the people could
each face a five-year prison sentence and be required to pay a
fine of up to $250,000.
http://www.usatoday.com/life/cyber/tech/2002/06/14/piracy.htm
1
June 2002 - Disgruntled (Former) Employees Cause Problems
A man planted a logic bomb in his company's computer system when
he was demoted; it detonated months after he resigned, destroying
part of the program supporting the sales force's handheld computers.
The company went after the employee, and he has been sentenced
to two years in prison and ordered to pay restitution of $200,000.
Other companies are starting to step forward and prosecute saboteurs
as well.
http://www.cio.com/archive/060102/doom_content.html
9
May 2002 - Even Without Payloads, Hoaxes Can Cause Problems
While hoax virus warnings may not carry an actual malicious payload,
they do carry the threat of bogged down servers and embarrassment
of those who've forwarded the message. The columnist suggests
that organizations designate one person to be in charge of (finding
out) the validity of virus warnings, and all employees should
forward the messages to that person rather then sending them on
their merry way around the Internet, causing unnecessary worry
and resource consumption. http://www.vnunet.com/News/1131629
7 May 2002 - EDS Bans IM Products For Security's Sake
EDS, the computer branch of the British government, has banned
the use of Instant Messenger products as of May 8, 2002. Because
the IM services bypass security checkpoints, they could allow
viruses and other malware to propagate within the organization's
network.
http://www.theregister.co.uk/content/55/25185.html
29 April 2002 - GAO Undercover Agents Gain Access to Federal
Buildings
Undercover investigators from the General Accounting Office (GAO)
were able to gain access to and move freely about through four
federal buildings in Atlanta. They were also able to obtain building
passes and after hours access codes, and made copies of the credentials
on computers.
http://www.msnbc.com/news/745303.asp
26
April 2002 - Chilean Computer Thieves Caused Traffic Chaos
Thieves stole 15 PCs and 2 servers from a roadway traffic control
center in Santiago de Chile, throwing traffic signals out of synchronization
and causing traffic turmoil. http://www.wired.com/news/business/0,1367,52114,00.html
[It's bad enough that people steal computers, but to steal computers
that are related to public safety is pretty low.]
22
April 2002 - IM Users Tricked Into Downloading DDoS Software
Many IRC and IM users have been tricked into downloading malicious
software onto their computers which could then be used to launch
a distributed denial of service (DDoS) attack. The users are tricked
into downloading the malware. Hackers send messages telling victims
that their systems are infected (not true), and instructing the
victim to go to a certain website and download the software or
risk being banned from the IM system. When the user executes the
downloaded software, their systems become infected. http://www.ds-osac.org/edb/cyber/news/story.cfm?KEY=7929
14 April 2002 - Hidden Programs on Free Software Could Pose
Problems
Programs piggy-backing on free software can take actions ranging
from sending users ads to gathering surfing habits to changing
Internet settings. Some can make computers crash. They could eventually
be used by hackers to take more malicious action. http://www.cnn.com/2002/TECH/ptech/04/14/tag.along.software.ap/index.html
12 April 2002 - The Not-to-Do List
A list of 21 things you can do to invite cyber attacks includes
not updating virus signatures, not patching software and not educating
employees about security practices. http://www.computerworld.com/cwi/community/story/0,3201,NAV65-663_STO70076,00.html
11
April 2002 - Voice Mail Not So Secure
Voice mail systems are often not very secure, as is evidenced
by the recent leak of a message left by Hewlett Packard Chairwoman
and CEO Carly Fiorina for CFO Robert Wayman. http://www.computerworld.com/storyba/0,4125,NAV47_STO70048,00.html
20
March 2002 - CERT Warns of Social Engineering IM/IRC Attacks
CERT/CC has released an advisory warning that people using instant
messaging (IM) and Internet Relay Chat (IRC) have been tricked
into downloading malicious software that could be used to glean
personal data, take remote control of an infected computer or
to take part in a distributed denial of service attack (DDoS).
http://www.computerworld.com/storyba/0,4125,NAV47_STO69329,00.html
Advisory: http://www.cert.org/incident_notes/IN-2002-03.html
6
March 2002 - Man Arrested for Allegedly Trying to Sell Personal
Data
Federal and local law enforcement agents arrested Donald Matthew
McNeese for allegedly trying to sell personal data belonging to
60,000 Prudential Insurance Company employees. He is charged with
downloading the data while he worked for the company. If
convicted, McNeese could face as much as 45 years in prison and
a fine of $750,000 plus restitution. http://www.computerworld.com/storyba/0,4125,NAV47_STO68850,00.html
4
March 2002 - Britney Virus Pops Up
Some AV researchers are warning of a new worm that spreads via
an e-mail attachment masquerading as photographs of pop princess
Britney Spears. When executed, VBS/Britney-A displays the message
"Enable ActiveX To See Britny (sic) Pictures" before
infecting the hard drive and sending itself to all the addresses
listed in Outlook. According to Sophos Anti-Virus, the worm also
attempts to distribute itself via Internet Relay Chat. One AV
expert says it may cause a few problems because it's a Compiled
Help Module attachment, and not a .vbs, and may trick some users
into executing it. Another minor concern is that even users that
employ filtering at the gateway may not filter for .chm attachments.
http://www.sophos.com/virusinfo/analyses/vbsbritneya.html
27
February 2002 - Malware Costs to Skyrocket
According to a new study by The Radicati Group, malware will cause
more than $21 billion in economic damage this year. At its current
rate,
malware will cause $54 billion in damage by 2006. Examining the
antivirus, anti-spam and content filtering segments of the security
market, the study
found that the market for security products continues to keep
pace with the expansion of the Internet. http://www.radicati.com
12
& 14 February 2002 - Anonymous Surfing Technology has Holes
Two researchers published a paper describing flaws in SafeWeb's
anonymous surfing technology that could allow web sites to gather
visitors' Internet addresses and other surfing habit information
by using JavaScript. http://www.wired.com/news/business/0,1367,50424,00.html
11
& 13 February 2002 - Info on Web Sites Could Pose Security
Risk
Corporate websites contain floor plans and back-up facility locations,
telecommunications sites include locations of routers and major
network nodes, and DOE websites provide sensitive information
about plutonium storage and nuclear reactor locations. Richard
Clarke says there is evidence that al-Qaeda used the Internet
to gather information about US facilities, and that other groups
may be doing the same thing.
http://www.computerworld.com/storyba/0,4125,NAV47_STO68181,00.html
http://www.computerworld.com/storyba/0,4125,NAV47_STO68182,00.html
http://www.computerworld.com/storyba/0,4125,NAV47_STO68183,00.html
http://www.computerworld.com/storyba/0,4125,NAV47_STO68281,00.html
11
February 2002 - Global Crossings Former Employee Exposes Data
A former employee of the telecommunications company Global Crossing
Holdings Ltd. Has been posting personal data belonging to other
company employees on the web for the last five months. According
to a company attorney, the employee allegedly stole a disk containing
the information. Though Global Crossing became aware of the problem
in September, it didn't inform its employees until December; former
employees were not told of the breach at all. Some former employees
say the company failed to in implement adequate controls over
who was allowed access to which data.
http://www.computerworld.com/itresources/rcstory/0,4167,KEY73_STO68168,00.html
1
February 2002 - Pirates Plead Guilty
Two men who pleaded guilty to charges stemming from their involvement
in an Internet piracy group face up to five years in prison and
$250,000 in fines. As part of their plea agreement, the two men
revealed details about how group members hid the illegal software.
http://www.gcn.com/vol1_no1/daily-updates/17875-1.html
30
& 31 January 2002 - SEC's Phony Site Gets Over 150,000 Hits
The Securities and Exchange Commission (SEC) used on-line investment
scam tactics, including preying on people's fears and offering
huge returns on investment with no risk, on a phony site designed
to educate consumers about investment fraud. People who actually
tried to invest were greeted with a warning message. The site
received more than 150,00 hits in a three-day period; the SEC
says it has planted other phony sites on the Internet in an effort
to fight back against investment fraud. http://news.com.com/2100-1017-826434.html
http://www.wired.com/news/business/0,1367,50125,00.html
28
January 2002 - Myparty Worm
The Myparty worm arrives as an attachment that appears to be an
innocuous web site link. However, those who click on the link
will become infected with the worm, which sends itself out through
to everyone in the machine's address book and leaves a backdoor
in the infected system. It infects computers between January 25
and January 29, and won't infect machines running Russian versions
of Windows, leading to speculation that Myparty is of Russian
origin.
http://news.com.com/2100-1001-823959.html
14
January 2002 - File Sharing Programs Can Expose Personal Data
Users of file-sharing programs should be careful about which files
and directories they make available to the network so as not to
accidentally share private information. http://www.msnbc.com/news/686184.asp?0dm=C235T
13
January 2002 - MoD Laptops Missing
Of the 1354 missing UK government computers, nearly 600 alone
are from the Ministry of Defense (MoD). A spokesman said that
not all computers contain classified information. The MoD also
reported 27 hacking incidents during the last three years. http://news.bbc.co.uk/hi/english/uk/newsid_1757000/1757792.stm
11
January 2002 - Gigger Virus
The Gigger virus arrives as an attachment purporting to be a Microsoft
security update and tries to delete files from infected computers'
hard drives. The JavaScript virus spreads via Outlook address
books and mIRC. Antivirus vendors are updating their software
to detect the virus and protection is now largely in place."
- web stories removed by source -
10
January 2002 - IRS Computers Missing
A recent Treasury Department audit revealed that the Internal
Revenue Service (IRS) could not account for more than 2300 of
its computers. An agency spokesman said that almost 1600 of the
machines have been located. He also said that taxpayer information
was not compromised despite the fact that the missing machines
likely contain tax return and audit information. http://news.cnet.com/news/0-1005-200-8418759.html?tag=owv
9
January 2002 - CSTB Report Says Companies are Neglecting Security
A report from the National Academy of Science's Computer Science
and Telecommunications Board (CSTB) says that US companies are
not using available security measures to protect themselves from
cyber attacks. The CSTB encourages companies to conduct random
security testing, use strong authentication systems and train
all employees in the proper use of security tools. Furthermore,
the report suggests that companies producing unsecure software
should be held liable. http://www.wired.com/news/technology/0,1282,49570,00.html
9
January 2002 - Guarding Against Socially Engineered Attacks
In the second of two articles about social engineering, the author
discusses preventing, spotting and dealing with socially engineered
attacks. Companies should implement security policies, use good
physical security practices and train their staff. They should
also have procedures in place for handling socially engineered
attacks when they occur. http://www.securityfocus.com/infocus/1533
9
January 2002 - AIM Fix Has Back Door
AIMFilter, a fix for the AIM vulnerability, contains a back door
that lets the program's author redirect users' browsers to pay-for-click
sites.
http://www.computerworld.com/storyba/0,4125,NAV47_STO67214,00.html
8
January 2002 - National Research Council Report: US Firms at Risk
Summary: "From an operational standpoint, cybersecurity today
is far worse than what known best practices can provide."
- web stories removed by source -
8 January 2002 - Macromedia Flash Virus Discovered
Macromedia Flash files, commonly used for animation and special
effects on popular websites, could be at risk of attack from a
new kind of virus. - web stories removed by source -
4
January 2002 - BSA Offers Illegal Software Amnesty Program
The Business Software Alliance (BSA) is offering amnesty to businesses
using illegally coped software. Users who own up need only pay
the necessary licensing fees; they will avoid penalties, which
can run as high as $150,000. The BSA provides tools to inventory
the companies' software. The program is available to certain cities,
including Houston, Norfolk and Richmond VA and the San Francisco
Bay area, through the end of January.
http://news.cnet.com/news/0-1003-200-8354860.html?tag=prntfr
3
January 2002 - Home Computer Users are Vulnerable
Home users' computers are increasingly becoming cracker targets
for a number of reasons: many home machines are powerful enough
to attract the attention of crackers looking at launch denial
of service attacks, many home machines maintain high-speed, always-on
connections that increase their vulnerability, and home users
tend to neglect security measures normally employed by businesses.
- web stories removed by source -
