30 December 2003 - e-Mail Rumor Causes Run on Bank
A rumor spread by e-mail caused a run on Japan's Saga Bank. A
message sent from a cell phone to members of a mailing list suggested
that Saga bank would go bankrupt; customers withdrew 18 billion
yen (approximately US$169.4 million) from the bank the next day,
double the previous day's withdrawals.
http://www.yomiuri.co.jp/newse/20031230wo27.htm
30 December 2003 - Hoax e-Mail Urges Users to Download Security Software
The Bank of England has intercepted over 100,000 phony e-mail
messages which purport to come from a Bank of England administrator
and which urge recipients to download an attachment that will
protect customers' financial data from cyber fraud. Bank technicians
are working with the UK's National Hi-Tech Crime Unit (NHTCU)
to discern what the attachment actually does and where it came
from.
http://news.bbc.co.uk/1/hi/business/3357239.stm
http://news.com.com/2102-7349_3-5134038.html?tag=st_util_print
30 December 2003 - Cyber Blackmail Artists Target Individuals in the Workplace
Cyber extortionists have been targeting office workers with e-mail
threatening to download illegal content onto their PCs, release
viruses or erase files if they don't pay up. The ransom they demand
is usually small, so people often pay, and then they are targeted again because
they have been identified as a "soft touch."
http://www.computerworld.com/printthis/2003/0,4814,88623,00.html
29 December 2003 - e-Mail Exploits Terrorism Fears to Plant Trojan Horse Program
An e-mail spreading in Malaysia exploits terrorism fears by warning
of planned attacks in that country and providing a link to what
it says is a site with more pertinent information. In truth, the
link causes a virus to be installed on users' computers; the virus,
which bears similarities to the Backdoor.Tofger Trojan horse program,
attempts to connect to three different Internet hosts.
http://news.com.com/2102-7349_3-5133874.html?tag=st_util_print
26 December 2003 - Phishers Target Visa Cardholders
Visa credit card holders are the latest targets of phishers. People
have been receiving e-mail messages with a link for users to reactivate
their accounts as part of a purported anti-fraud service. The
link, which led to a web page that does not belong to Visa, has been
taken down.
http://www.computerworld.com/printthis/2003/0,4814,88583,00.html
24 December 2003 - On-Line Fraud Complaints Up 60%
Statistics from the Internet Fraud Complaint Center (IFCC) show
that on-line fraud complaints rose from 75,000 in 2002 to more
than 120,000 in 2003 - an increase of 60%. The center, which is
run by the FBI and the National White Collar Crime Center (NW3C),
is changing its name to the Internet Crime Complaint Center (IC3).
http://www.securityfocus.com/news/7714
19 December 2003 - Semantic Attacks are "the Future of Fraud on the Internet"
Bruce Schneier observes that phishing is a form of "semantic
attacks," which are harder to protect against than physical
and logical or "syntactic" attacks because their targets
are computer users, not the computers themselves. People have a tendency
to believe things they read, even on the Internet, and they are likely to
open attachments from what appear to be known senders.
http://www.bayarea.com/mld/mercurynews/7529172.htm
19 December 2003 - Stolen Bank Laptop Contains Customer Data
A laptop stolen from Bank Rhode Island's (BankRI) principal data-processing
provider contains the names, addresses and social security numbers
of about 43,000 customers. BankRI CEO Merrill Sherman said the
bank's IT department now plans to install encryption and fraud
detection software on its computers. http://www.computerworld.com/printthis/2003/0,4814,88443,00.html
19 December 2003 - Australia's Spam Act
Australia's Spam Act, which goes into effect April 11, 2004, carries
penalties of up to AUS$1.1 million (approximately $800,000) a day for offenders.
http://news.zdnet.co.uk/business/legal/0,39020651,39118686,00.htm
19 December 2003 - Cyber Thief Pleads Guilty to Stealing Data
Daniel J. Baas, of Milford, Ohio, pleaded guilty in federal district
court to breaking into Arkansas-based Acxiom Corp.'s computers
and stealing customer data. He is being held without bond until
his sentencing, when he could face a prison term as well as court-ordered restitution.
http://www.boston.com/business/technology/articles/2003/12/19/ohio_hacker_pleads_guilty_to_data_theft
18 December 2003 - NY Attorney General and Microsoft File Suits Against Spammers
New York Attorney General Eliot Spitzer, along with Microsoft,
has filed lawsuits against a group of spammers. 8,000 messages
caught by Microsoft "spam traps" contained a total
of 40,000 fraudulent statements; the lawsuits seek $5000 for each
phony statement for a total of $20 million.
http://msnbc.msn.com/id/3747034
16 December 2003 - Bush Signs CAN-SPAM Act
President George W. Bush has signed the CAN-SPAM Act. The new
law places penalties of up to $250 per e-mail for violations,
which include falsifying header information and not providing
opt-out instructions.
CAN-SPAM critics observe that the law does not affect spammers
outside the United States and that it overrides state laws that
are, in some cases, more stringent than the new federal law.
http://www.computerworld.com/printthis/2003/0,4814,88306,00.html
16 December 2003 - Board Says NIST Computer Security Division Needs More Funding
The Information Security and Privacy Advisory Board says the National
Institute of Standards and Technology's (NIST) Computer Security
Division is underfunded in the fiscal 2004 budget. The division
received nearly $15 million in fiscal 2003; it is slated to receive
about $10 million in fiscal 2004.
http://www.fcw.com/fcw/articles/2003/1215/web-nist-12-16-03.asp
15 December 2003 - Former Programmer Gets Prison Sentence for Deleting Applications
Jesus C. Diaz, who once worked as an AS/400 programmer for Hellmann
Worldwide Logistics, has been convicted of accessing the company's
computer system remotely and deleting critical OS/400 applications.
A Hellmann IT staff member who had recently attended a SANS security
conference followed the protocol he learned there and was able
to preserve evidence. Diaz received a one-year sentence, half
of which he may serve at home, and was ordered to pay more than
$80,000 restitution.
http://www.midrangeserver.com/tfh/tfh121503-story03.html
12 December 2003 - Government Cyber Security Report Card Analysis
Despite the overall low grades given to the government for cyber
security, the improvements can be viewed in a positive light.
For instance, while the Department of Transportation's grade rose
from an F last year to a D+ this year, the improvement is due
to a score increase from 28 to 69. In addition, several agencies'
grades did improve significantly; the Nuclear Regulatory Commission's
grade rose from a C to an A, and the National Science Foundation's grade
rose from a D- to an A-. Federal Information Security Management
Act (FISMA) regulations are likely to bring about greater improvement
in next year's report card.
http://www.fcw.com/fcw/articles/2003/1208/web-grades-12-12-03.asp
A Word document with the grades themselves is available:
http://www.reform.house.gov/UploadedFiles/2003-2000_Computer%20Security%20Grades.doc
12 December 2003 - Classified Disks Missing at Los Alamos National Laboratory
A routine inventory of classified electronic storage media at
Los Alamos National Laboratory (LANL) found nine floppy disks
and one large-capacity storage disk unaccounted for. LANL officials
have instituted a "limited security stand-down" for all employees
who work with classified data; they will not be permitted to handle
removable electronic media until they undergo retraining. Officials
at LANL believe the disks were probably destroyed "as part
of a regularly scheduled disposal process."
http://www.computerworld.com/printthis/2003/0,4814,88167,00.html
12 December 2003 - Spammers Indicted in Virginia
Jeremy James, a.k.a. Gaven Stubberfield, and Richard Rutowski
have been indicted on charges they conspired to send out large
quantities of spam in violation of Virginia's anti-spam law. In
addition to exceeding the legal volume for spam, they are accused
of falsifying information to disguise the spam's origin. If they
are convicted, they could each receive a five-year prison sentence
and be ordered to pay a fine of up to $2,500.
http://www.washingtonpost.com/ac2/wp-dyn/A56209-2003Dec11?language=printer
12 December 2003 - Man Fined for Trying to Install Keystroke Logger
The Johannesburg Commercial Crime Court convicted Innocent Madlala
under South Africa's Electronic Communications and Transactions
(ECT) Act for attempting to install a keystroke-logging device
on an Internet banking computer. Madlala was fined R20,000, approximately
US$3178.
http://allafrica.com/stories/200312120540.html
9 December 2003 - Considering Camera Phone Policies
META Group vice president for Technology Research Services Jack
Gold recommends that companies develop clear policies regarding
the use of camera phones on business premises; they should also
consider whether the devices should be allowed on site at all.
Camera phones could be used to photograph proprietary information.
http://informationweek.securitypipeline.com/news/showArticle.jhtml?articleId=16600564
2 December 2003 - American Eagle Outfitters Hacker Gets 18 Months / Fined $64,000
Kenneth Patterson had admitted to posting user names, passwords,
and information on how to break into his ex-employer's system,
and to conducting a series of denial of service attacks. He was
sentenced to a year and a half in jail and ordered to pay $64,000
in restitution.
http://www.zwire.com/site/news.cfm?newsid=10603022&BRD=2212&PAG=461&dept_id=465812&rfi=6
01 December 2003 - Top Ten Viruses and Hoaxes Reported Last Month
A new email-aware worm stormed to the top of the charts in November,
and an existing hoax had a new burst of life. Find out more in
our monthly round-up.
http://www.sophos.com/pressoffice/pressrel/uk/20031128topten.html
01 December 2003 - Report: Nearly Half of Growing U.S. Firms Hit by Breaches
Nearly half of the fastest-growing U.S. companies have suffered
security breaches, but most still aren't prepared to dedicate
enough resources to address the problem, according to a study
by PricewaterhouseCoopers. http://www.pwc.com/extweb/ncpressrelease.nsf/DocID/031752489FF7C5C885256DE50070644C
01 December 2003 - Trojan Promises Pictures; Steals System, User Data
A new Trojan is on the loose that purports to be photos of a nude
woman. But the worm in fact steals system information and other
data from infected systems.
http://vil.nai.com/vil/content/v_100837.htm
28 November 2003 - Hatch Staffer on Admin Leave After Document Theft Allegations Surface
Senate Judiciary Committee Chairman Orrin Hatch (R-Utah) has placed
a member of his staff on administrative leave after an investigation
indicated that the staff member in question obtained confidential
documents from the servers of two Democratic senators. As of November
21, steps had been taken to preserve data related to the alleged
breach. In addition, a third-party forensic examination will determine
whether or not documents were accessed without authorization.
http://www.washingtonpost.com/ac2/wp-dyn/A17502-2003Nov27?language=printer
27 November 2003 - Wells Fargo Customer Data Thief Arrested
Police in California have arrested a man who confessed to having
stolen computers from a Wells Fargo bank analyst's office. Edward
Jonathan Krastov was arrested after he logged onto AOL using a
stolen computer and the owner's account. The computers contained
customer account and other personal data. Wells Fargo says they
found no evidence the stolen information was abused, but plans
to monitor affected accounts and has offered to buy affected customers
a one-year subscription to a consumer credit watchdog service.
http://www.cnn.com/2003/TECH/ptech/11/27/wellsfargo.theft.ap/index.html
24 November 2003 - Wells Fargo Offers $100,000 Reward in Computer Theft Case
Wells Fargo is offering $100,000 for information leading to the
arrest and conviction of the person who stole a computer from
a bank analyst's office. The stolen computer contains the names,
addresses, bank account and social security numbers of customers
who had taken out personal lines of credit. Lynn Greenwood, senior
vice president of Wells Fargo's home and consumer finance group,
says there is no evidence the data is being misused. The bank
has told affected customers about the problem. http://zdnet.com.com/2102-1105_2-5110830.html?tag=printthis
21 November 2003 - Six Men Guilty of Identity Theft, Internet Bank Fraud
Six UK men have received prison sentences after pleading guilty
to defrauding banks of £350,000 (approximately US$600,000)
using the Internet. The six stole identities over the Internet,
which they then used to establish bank accounts and apply for
credit cards. http://www.zdnet.co.uk/print/?TYPE=story&AT=39118059-39020369t-10000022c
14 November 2003 - New Worm Poses as PayPal Message, Steals Credit Card Details
An email posing as a message from PayPal asking you to confirm
your credit card details is, in fact, a new variant of the Mimail
worm. http://www.sophos.com/virusinfo/articles/mimaili.html
6 November 2003 - Legislator Suggests Antivirus Software be Required
During a House Energy and Commerce Committee's Subcommittee on
Telecommunications and the Internet hearing, Representative Charles
Bass (R-N.H.) asked, "Is there any reason why any computer
in this country shouldn't have some kind of antivirus software
on it as a requirement?" Others at the hearing pointed out
that US citizens would perceive any such requirement to be trampling
their rights. In addition, some computers, like those used in
factory automation, are simply not set up to run anti-virus software.
http://www.computerworld.com/printthis/2003/0,4814,86902,00.html
5 November 2003 - Man Allegedly Used Virus to Change Dial-Up Numbers
Italian police have charged a 39-year-old man with fraud and virus
distribution for allegedly using e-mail messages that trick users
into running a virus on their computers; the virus, known as Marq-A
or Zelig, changes the Internet dial-up number to that of a "premium
rate" line. The man stood to reap more than one million euros
a month had his scheme been allowed to run that long.
http://www.theregister.co.uk/content/56/33801.html
4 November 2003 - E-Mail Backup Tapes Unintentionally Thrown Out
Staff of IT contractor Telstra Enterprise Services apparently
dug through trash in order to recover Australian government department
and agency e-mail backup tapes that had been inadvertently thrown
out. Telstra regulatory and corporate director Bill Scales said
that his company told the security agencies about the security
problem as soon as they discovered it.
http://news.com.au/common/story_page/0,4057,7759335^15319,00.html
4 November 2003 - Microsoft To Offer Bounty On Hackers
Microsoft will announce today (Wednesday) that it will offer two
$250,000 bounties for information that leads to the arrest of
the people who released the MSBlast worm and the SoBig virus.
http://news.com.com/2102-7355_3-5102110.html?tag=st_util_print
3 November 2003 - Cyber Criminals Face Stiffer Sentences
As of November 1st, people convicted of cyber crimes face stiffer
sentences, thanks to the 2002 Homeland Security Act. People who
use computers to inflict bodily harm or death face sentences of
20 years to life. Another law, passed just this April, makes it
harder for judges to be lenient and give sentences that are not
as harsh as federal guidelines.
http://www.denverpost.com/Stories/0,1413,36~33~1739529,00.html
30 October 2003 - Survey Finds European Security More Reactive Than Proactive
A McAfee-sponsored survey of European companies found that nearly
half of European organizations view security as fixing the vulnerabilities
exploited by malware. 84% of respondents, however, said that "security
is a critical concern" in their organizations. The percentage
of companies that have measures in place to deal with blended
threats varies from country to country; this is probably due to
language differences and the fact that the majority of worms and
viruses are created with English-speaking targets in mind.
http://news.bbc.co.uk/1/hi/technology/3223887.stm
29 October 2003 - Phishing Suspect Pleads Guilty
Helen Carr of Ohio has pleaded guilty to federal conspiracy charges
for conducting a phishing operation, a scheme in which bank or
ISP customers are spammed with fraudulent e-mail asking for verification
of account and other personal information. Ms. Carr was apprehended
after an off-duty FBI cyber crime agent received one of her phony
e-mails. She could face up to five years in prison.
http://www.securityfocus.com/news/7329
28/30 October 2003 - Orbitz Investigating Possible Customer e-Mail Address Theft
On-line travel company Orbitz said that someone had likely breached
security at their web site and stolen customers' e-mail addresses.
The theft became apparent when customers began complaining that
they were receiving spam at e-mail addresses they used to conduct
business with Orbitz. There is no evidence that personal account
information or credit card numbers were compromised. Orbitz has
notified the FBI of the incident and assembled an internal security
team to investigate the matter.
http://www.computerworld.com/printthis/2003/0,4814,86665,00.html
15 October 2003 - CIO Magazine's State of Security Survey
Data from 7500 respondents in 54 countries seems to reinforce
other surveys showing declining losses from cybersecurity. CIO
magazine and PricewaterhouseCoopers report that most organizations
dealt with few attacks, had little downtime, and rarely had damages
from the attacks that exceeded $10,000. This will be used by CIOs
who want to spend less on security to justify their cutbacks.
Other interesting data compares European and US respondents and
attempts to compare the security behaviors of "very confident"
and "not at all confident" organizations. Definitely
worth reading.
http://www.cio.com/archive/101503/state.html
14 October 2003 - Presenting a Business Case for Security Funding
It used to be that bosses could be scared into funding security
proposals with stories of other companies' cyber disasters. Now
that funding is scarcer, bosses want more hard data to back up
spending requests. Advice for preparing such information includes
getting a security assessment done by a third party, creating
a plan to address the vulnerabilities found in the assessment,
and "build[ing] an ROI-based business case for security investments."
http://www.computerworld.com/printthis/2003/0,4814,85892,00.html
14 October 2003 - Outlook 2003 to Have Increased Security
In the newest version of Microsoft Outlook, which will become
available at the end of the month when Microsoft Office 2003 is
released, security options will be set at the highest level by
default. Users of Outlook 2003 will also be able to disable all
macros and block HTML content in e-mail.
http://www.wired.com/news/infostructure/0,1377,60781,00.html
1 October 2003 - Phishing Scam Pretends to be Part of FBI Investigation
A recent phishing scam claimed to be part of an FBI investigation
into credit card theft. Internet users received an e-mail message
that appeared to be from the FBI and led them to a phony website
designed to look like an official FBI site. Once there, users
were asked to enter their credit card numbers, PINs and approximate
account balances. The site has been taken down and the FBI is
investigating.
http://www.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcndaily2&story.id=23736
30 September 2003 - Canadian Tax Department Computers Stolen
Four Canadian tax department computers were stolen from offices
in Laval, Quebec. The computers contain personal information belonging
to 120,000 Canadians. Revenue minister Elinor Caplan has ordered
a security review.
http://www.nationalpost.com/components/printstory/printstory.asp?id=265166B5-49E3-4256-8C34-434D908C8DC5
28 August 2003 - RIAA Using Digital Fingerprints to Track Illegally Traded Files
Recently released court papers show that the Recording Industry
Association of America (RIAA) is tracking down people who illegally
trade copyrighted material on the Internet through the use of
digital fingerprints. The RIAA says it can use that information
to tell whether the songs were recorded from legally purchased
CDs or traded illegally on the Internet. The case involves a New
York woman who is fighting the RIAA's attempt to discover her
identity.
http://www.msnbc.com/news/958219.asp
25 August 2003 - Used BlackBerry Contained Proprietary Information
A man who bought a BlackBerry on eBay for $15.50 found that the
wireless device contained a database of over 1,000 names, e-mail
addresses and phone numbers of Morgan Stanley executives, as well
as more than 200 internal Morgan Stanley e-mails. The seller is
a former VP of mergers and acquisitions who had left the company.
He said he had removed the battery months before selling the BlackBerry
and assumed the data had been erased. Departing employees normally
hand over their BlackBerries to be erased before they leave the
company as a part of a company policy, even though the employees,
not the company, own the devices. http://www.wired.com/news/print/0,1294,60052,00.html
25 August 2003 - FBI On the Trail of Sobig.F
The Sobig.F worm may have originated on an adult Usenet newsgroup.
Phoenix Usenet access provider EasyNews was served with a subpoena
from the FBI regarding an account that may have been used to post
the worm. That account was established with a stolen credit card
number just minutes before the worm was posted. http://www.computerworld.com/printthis/2003/0,4814,84326,00.html
22 August 2003 - Flash Memory Devices Pose Security Risk
Portable flash memory storage devices could pose security threats
to organizations because administrators cannot control data transfer
between networks and the devices. The devices could be used to
steal corporate data or release malware into a company network
inside the firewall. One way to address the problem would be to
restrict users' file access.
http://news.com.com/2102-1009_3-5067246.html?tag=ni_print
30 July 2003 - FTC Warns of Peer-to-Peer Security Risks
The Federal Trade Commission (FTC) has issued a consumer privacy
alert describing the risks that accompany the use of peer-to-peer
file sharing software. The risks include accidentally downloading
viruses or pornography and sharing copyrighted files, which could
lead to prosecution.
http://news.com.com/2102-1029_3-5057814.html?tag=ni_print
30 July 2003 - Sydney University Must Surrender Backup Tapes in File-Swapping Data Case
An Australian federal judge has ruled that Sydney University must
turn over back-up tapes to record companies, which allege that
file-swapping data were on the University's computer system. The
school must also bear the cost of recovering the data, which it
says has been overwritten.
http://news.com.com/2102-1029_3-5057849.html?tag=ni_print
25 July 2003 - South African Police Questioning Suspect in Absa Account Thefts
Western Cape (South Africa) police are holding a suspect for questioning
regarding money being illegally transferred from Absa bank customers'
accounts. The suspect allegedly sent the bank customers "spy
software" that harvested their bank account numbers and PINs.
http://www.news24.com/News24/Finance/Companies/0,,2-8-24_1392790,00.html
23 July 2003 - Wells Fargo Customers Receive Fraudulent e-Mail
Some Wells Fargo customers have reported receiving e-mail messages
that appeared to be about new accounts, and which included an
attachment that, if launched, harvested passwords from the infected
machines and sent them to a third party.
http://www.infoworld.com/article/03/07/23/HNwellsfargo_1.html
23 July 2003 - Man Put Keystroke Loggers on Kinko's Terminals
Juju Jiang pleaded guilty to charges stemming from his installing
keystroke logging software on Internet terminals at Kinko's in
New York City. He used the information he harvested to open on-line
accounts. http://www.msnbc.com/news/943043.asp?0dm=C269T
http://www.securityfocus.com/news/6447
23 July 2003 - 34 States are Considering or Have Passed Information Security Laws
According to a report from the National Council of State Legislatures,
at least 24 states have introduced legislation regarding information
security, and 10 states have passed information security laws.
http://www.fcw.com/geb/articles/2003/0721/web-ncs-07-23-03.asp
21 July 2003 - Transportation Security Administration Laptop Stolen
A Transportation Security Administration laptop was stolen from
a staffer's car; officials are concerned because the computer
contains personal information about airport baggage and passenger
screeners which could be used to steal identities if it were to
fall into the wrong hands. The laptop is protected by a number
of security measures. http://www.nynewsday.com/news/local/queens/nyc-screen0721,0,3811514.story
9 July 2003 - Massachusetts State Lottery Commission Web Site Spoofed
A phony web site that mimics the Massachusetts State Lottery Commission
site was being used in an attempt to steal personal data.
Some people received e-mails and text messages telling them they
had won $30,000 in a lottery and directing them to the phony site.
Once there, they found they were required to enter personal information
and pay a $100 processing fee in order to claim their prize. The
site has been taken down. The Commission is working with the FBI to find those
responsible for the scam.
http://www.computerworld.com/printthis/2003/0,4814,82892,00.html
9 July 2003 - PayPal Customers Targeted by ID Data Theft Scam
Some PayPal customers have received messages telling them that
their billing information has been lost and that in order to keep
their accounts, they must re-enter the data on a specific site.
Though many of the site's links point to the PayPal web site,
the form which requests personal information, such as name, address,
credit card information and social security number, is on a server
at a different IP address. The phony site uses a valid SSL certificate.
http://www.computerworld.com/printthis/2003/0,4814,82888,00.html
26 June 2003 - Vengeful Employee Suspected of Leaking Data
Network consultancy ThruPoint is investigating how confidential
documents on an internal server were illegally accessed and leaked.
The company suspects the culprit is an unnamed disgruntled employee,
who e-mailed staff a confidential plan to restructure the company's
European offices. Details of the document also surfaced briefly
on a U.K. Web site that includes a forum for ThruPoint's ex-employees.
(Security Wire Digest)
26 June 2003 - FBI To Police P2P Pirates
The latest effort to clamp down on digital piracy through peer-to-peer
(P2P) networks is the proposed Piracy Deterrence and Education
Act. The House bill authorizes FBI agents to investigate copyright
violators, including those who exchange protected works through
popular online forums like KaZaA and Morpheus. The bill also calls
for an FBI warning to be sent to suspected violators and for increased
information sharing between law enforcement, content holders and
ISPs.
(Security Wire Digest)
23 June 2003 - Student Breached University Computer System and Disrupted Election
Shawn Nematbakhsh, a computer science major at the University
of California at Riverside, allegedly broke into a university computer
system and cast 800 votes for a fake candidate in a student election.
He has been arrested. If convicted of charges, Nematbakhsh could
face three years in prison and a $10,000 fine; he claims his actions
were intended to prove that the university network was vulnerable.
http://www.cnn.com/2003/TECH/internet/06/23/us.hacker.ap/index.html
19 June 2003 - RIAA Warns Individual File Traders
The Recording Industry Association of America (RIAA) has sent
cease-and-desist letters to five people it suspects of offering
vast quantities of copyrighted music through peer-to-peer filesharing
networks. The RIAA obtained the names of the four Verizon subscribers
and one EarthLink subscriber after an appeals court panel ordered
Verizon to provide the RIAA with the subscribers' identities.
The RIAA has not said whether it will pursue further legal action.
http://news.com.com/2100-1027_3-1019184.html
19 June 2003 - Brokerages Must Retain IM Logs
US securities regulators are now requiring brokerages to retain
instant messaging (IM) records for at least three years, putting
the use of the communication tool in line with e-mail requirements.
The companies were also advised to monitor employee use of IM.
http://www.infoworld.com/article/03/06/19/HNfinancialim_1.html
16 June 2003 - Software Piracy Ring Busted
A successful sting operation on a software piracy ring has netted
Italian police 181 arrests and approximately 118 million euros
(US$139.6 million) worth of pirated software. The Business Software
Alliance (BSA) lent support to the effort. http://news.com.com/2102-1012_3-1017776.html?tag=ni_print
16 June 2003 - FTC Seeks Bigger Guns To Take On Spam
The Federal Trade Commission (FTC) last week requested additional
powers from Congress to help in its fight against the ever-increasing
flood of electronic junk mail. The FTC wants to monitor spammers
across international lines, be allowed to examine their bank accounts
without telling them for a limited period of time, require spammers
to describe their products honestly and comply with requests to
be taken off contact lists. Spam is an increasing resource hog
and a drain on sysadmins' time. The FTC says spam costs businesses
$8 billion to $10 billion a year.
http://www.ftc.gov/os/2003/06/030611reauthsenate.htm
13 June 2003 - Proposed Legislation Would Allow Spammers to be Sued
US Senator Charles Schumer (D-NY) has introduced legislation that
would allow attorneys general, ISPs and individuals to file civil
suits against spammers. Dubbed the Stop Pornography and Abusive
Marketing, or SPAM Act, the bill would also require commercial
e-mail to have accurate headings and subject lines, have unsubscribe
directions that work and be labeled as advertising. http://www.computerworld.com/printthis/2003/0,4814,82130,00.html
11 June 2003 - Foundstone Faced With Software Piracy Charges
Acting on anonymous tips, the Software & Information Industry
Association (SIIA) last March launched a probe into the vulnerability
assessment and security consulting firm's software licensing practices.
Based on evidence collected through confidential sources, the
group charges that Foundstone engaged in "extensive piracy."
Citing former and anonymous Foundstone employees, Fortune magazine
estimates that up to 95 percent of the company's software was
unlicensed or pirated. "Do we have some things that we need
to correct? Yes. We've taken steps to identify noncompliance issues,
and taken immediate steps to become compliant and raise employee
awareness," says Larry McIntosh, Foundstone's chief marketing
officer. (Security Wire Digest)
10 June 2003 - Canadian Survey Finds IT Security Spending on the Rise
A Canadian study, Pulse of Internet Security in Canada, found
that 73% of 150 C-level Canadian executives surveyed are spending
more on security now than they were a year-and-a-half ago. 61%
of the executives said security is among their top five priorities.
Half of those surveyed said they have had a security breach.
http://www.globetechnology.com/servlet/story/RTGAM.20030610.gtsecurityjune10/BNStory/Technology
6 June 2003 - Bugbear.B Sent Out Stanford Documents
Stanford University's computer system became infected with the
Bugbear.B worm, which sent random files, some of them confidential,
to other system users, who have since been blocked from sending
mail to people outside the system.
http://www.siliconvalley.com/mld/siliconvalley/6027714.htm?template=contentModules/printstory.jsp
5
June 2003 - Bugbear Variant is Spreading
A new variant of the Bugbear virus, Bugbear.B, is circulating
on the Internet. It arrives as an attachment, uses random e-mail
addresses found on infected computers for the From line, and uses
document names from infected computers as well. It exploits a
two-year-old MIME vulnerability in Outlook to send itself out.
It copies itself to shared hard drives. It also places a back
door on infected computers and installs key-logging software,
ostensibly to steal personal information like passwords and credit
card information. It also tries to disable anti-virus products.
http://www.computerworld.com/printthis/2003/0,4814,81834,00.html
4
June 2003 - LA Police Officer Suspended for Allegedly Accessing
Databases
A Los Angeles (CA) police sergeant has been suspended from the
force for allegedly accessing confidential databases without permission.
Sgt. Mark Arneson had allegedly been obtaining information for
a private investigator. http://www.usatoday.com/tech/news/2003-06-04-police-tap_x.htm
4
June 2003 - New Laws in Taiwan Make Hacking a Felony
Two new articles added to Taiwan's criminal code make hacking
a felony. Obtaining unauthorized access to a proprietary computer
system is now punishable by a prison term of up to three years
and a fine of up to NT$100,000. Causing damage by attempting to
alter data on someone else's computer disks is punishable by a
prison term of five years and a fine of up to NT$200,000. Punishment
is even more stringent for attacks against government computer
systems.
http://www.chinapost.com.tw/detail.asp?ID=38185&GRP=A
3
June 2003 - Business Software Alliance Says Piracy Rate Shows
Modest Decline
The Business Software Alliance (BSA) says that the software piracy
rate fell last year, from 40% to 39%; the decline follows two
straight years of increases. The rate is 10 percentage points
below its 1994 level. Piracy rates in the US have fallen from
32% to 24% since 1994; Eastern Europe and the Asia-Pacific region
have piracy rates of at least 90%. http://news.com.com/2102-1028_3-1012480.html?tag=ni_print
30
May 2003 - Hacker Breaks Into Colorado Health Clinic System
A hacker infiltrated the computer system at Southwest Family Medicine
in Littleton, Colorado, leaving staff and patients wondering what
personal data have been exposed. The clinic's office manager said
they had mistakenly believed that their computer consultants had
addressed security appropriately.
http://www.thedenverchannel.com/health/2239887/detail.html
26
May 2003 - California Senate Approves Harsher Anti-Spam Bill
A bill recently passed by the California State Senate would make
sending unsolicited commercial e-mail a felony and would allow
people to sue spammers $500 for each message sent. Current California
law is based on an "opt-out" model, which can in fact
backfire because responding to a message alerts spammers to live
e-mail addresses. The new bill presents an "opt-in"
model, and is based on a federal law against unsolicited and junk
faxes due to the cost incurred by the recipient. The bill next
goes to a vote in the California Assembly, and if approved there,
makes its way to Governor Gray Davis.
http://zdnet.com.com/2100-1105_2-1009411.html
24
May 2003 - Proposed Anti-Spam Bill is in Congress
The Reduction in Distribution of Spam Act is likely to pass through
Congress quickly. The Bill imposes stiff penalties for people
who use false identities to send unsolicited commercial e-mail
or fail to honor people's requests to be removed from their mailing
lists. Critics of the proposed legislation say it does not go
far enough; marketers could still send out unlimited numbers of
messages. http://www.reuters.com/newsArticle.jhtml?type=internetNews&storyID=2811844
22
May 2003 - Disgruntled Former Employee Computer Intrusion Cases
on the Rise
Approximately 75% of federal computer intrusion cases in Massachusetts
involve former employees, according to Assistant US Attorney Allison
D. Burroughs. The US attorney's office in Boston is presently
working on eleven such cases. They include the case of a fired
travel agency employee who later broke into the company's computers
and canceled customers' airline reservations.
http://www.boston.com/dailyglobe2/142/metro/Workers_vengeance_makes_its_way_on_Web+.shtml
22
May 2003 - Data Thieves Target PayPal Users
PayPal customers are being targeted by data thieves intent on
obtaining personal information that can be used to steal identities.
Some PayPal users have received e-mail messages with "PayPal
Verification" in the subject line; the message offers a link
to a site that appears to be official but is not. It asks for
users' names, credit card numbers, mothers' maiden names, bank
account numbers and other sensitive information. The site was
registered in the name of someone whose identity had been stolen.
http://www.securityfocus.com/news/5039
(SAI note
- One of our employees received one of these messages. Some of
the actual page contents were being pulled from the genuine Paypal
site. They attempted to contact Paypal and EBay only to receive
nothing more than automated responses.)
22
May 2003 - Data Thieves Target Citibank c2it Customers
Personal data thieves are also targeting some Citibank customers.
Customers who use the c2it money transfer service have been receiving
e-mails that are HTML messages that contain forms that ask for
such personal data as social security numbers, dates of birth
and mothers' maiden names. The message is well-crafted; only the
return address in the message header gives pause, as it is a Hotmail
account rather than a Citibank address.
http://www.eweek.com/article2/0,3959,1102980,00.asp
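The PayPal and c2it items above describe the same pattern: a message that borrows a brand's name and page content, asks for personal data in a form or on a look-alike site, and is betrayed only by details such as a sender address at a free webmail provider or a link that does not point at the brand's own domain. The following is an added example, not code from the original page or from any vendor, of a mail-gateway style heuristic that checks those details. The brand-to-domain table, the two sample messages and the IP address in the link are constructed for illustration.

```python
"""Heuristic phishing indicators for brand-impersonating e-mail.

Added example; sample messages and the BRAND_DOMAINS table are constructed.
"""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Hypothetical table: brand keyword -> domains the brand genuinely mails and links from.
BRAND_DOMAINS = {
    "paypal": {"paypal.com"},
    "citibank": {"citibank.com", "citi.com", "c2it.com"},
}

LINK_RE = re.compile(r'(?:href|action)\s*=\s*["\']?(https?://[^"\'\s>]+)', re.I)
FORM_RE = re.compile(r"<form\b", re.I)
SENSITIVE_RE = re.compile(
    r"social security|mother'?s maiden|credit card number|bank account", re.I)


def _host_of_url(url: str) -> str:
    """Strip scheme, path, userinfo and port from a URL, leaving the host."""
    host = re.sub(r"^https?://", "", url, flags=re.I).split("/")[0]
    return host.split("@")[-1].split(":")[0].lower()


def _registrable(host: str) -> str:
    """Reduce a host name to its last two labels; bare IPs are kept as-is."""
    if re.fullmatch(r"[\d.]+", host):
        return host
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def _body_text(msg: Message) -> str:
    """Concatenate all text parts of a message, decoding each part."""
    if msg.is_multipart():
        return "".join(_body_text(p) for p in msg.get_payload())
    payload = msg.get_payload(decode=True)
    if not payload:
        return ""
    return payload.decode(msg.get_content_charset() or "utf-8", "replace")


def phishing_indicators(raw: str) -> list:
    """Return a list of human-readable findings for one raw RFC 822 message."""
    msg = message_from_string(raw)
    findings = []
    subject = msg.get("Subject", "")
    body = _body_text(msg)
    text = (subject + body).lower()
    brand = next((b for b in BRAND_DOMAINS if b in text), None)
    if brand is None:
        return findings  # no impersonated brand to compare against
    allowed = BRAND_DOMAINS[brand]
    sender = parseaddr(msg.get("From", ""))[1]
    sender_domain = _registrable(sender.split("@")[-1].lower())
    if sender_domain not in allowed:
        findings.append(f"sender domain {sender_domain} is not a {brand} domain")
    for url in LINK_RE.findall(body):
        dest = _registrable(_host_of_url(url))
        if dest not in allowed:
            findings.append(f"link or form posts to non-{brand} host {dest}")
    if FORM_RE.search(body) and SENSITIVE_RE.search(body):
        findings.append("embedded HTML form requests sensitive personal data")
    return findings


# Constructed sample resembling the c2it message: Hotmail sender, form posting
# to an arbitrary host, asks for SSN and mother's maiden name.
SAMPLE_C2IT = """\
From: Citibank c2it <c2itverify@hotmail.com>
To: customer@example.net
Subject: Citibank c2it account verification
Content-Type: text/html

<html><body><p>Please confirm your Citibank c2it details.</p>
<form action="http://203.0.113.5/verify.cgi" method="post">
Social Security Number: <input name="ssn">
Mother's maiden name: <input name="mmn">
</form></body></html>
"""

# Constructed legitimate-looking message: brand domain as sender and link target.
SAMPLE_LEGIT = """\
From: PayPal <service@paypal.com>
To: customer@example.net
Subject: Your PayPal receipt
Content-Type: text/html

<html><body>Thanks for your payment.
<a href="https://www.paypal.com/activity">View details</a></body></html>
"""

if __name__ == "__main__":
    for name, sample in (("c2it", SAMPLE_C2IT), ("legit", SAMPLE_LEGIT)):
        print(name, phishing_indicators(sample))
```

The check deliberately keys on what the articles say gave the messages away: the sender domain and where the form or link actually goes. It is a triage aid, not proof; a message copied from the genuine site can still link to the genuine site in places, so the findings are meant to route a message for review rather than to block on their own.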
22
May 2003 - Teen Repeats Internet Scam After First Arrest
19-year-old Shiva Sharma of Queens (NY) allegedly tricked AOL
users into divulging personal and financial information that he
used to purchase and sell $30,000 worth of electronic equipment
on the Internet. Sharma was arrested on similar charges four months
ago; he could face up to seven years in prison.
http://www.nydailynews.com/front/story/85857p-78336c.html
19
May 2003 - W32/Palyh Worm Pretends to be From Microsoft
A worm called Palyh travels as a .pif attachment to e-mail designed
to look like it comes from support@microsoft.com. The worm copies
itself to the Windows folder and sends itself to e-mail addresses
found in the infected computer.
http://www.computerworld.com/securitytopics/security/virus/story/0,10801,81344,00.html
15
May 2003 - Survey Says External Threats More Prevalent than Internal
Threats
A Deloitte Touche Tohmatsu (DTT) survey found that 39% of banks
and financial services companies reported computer security breaches
last year. 16% of those came from external sources, 10% from internal
sources and 13% from both. 175 senior IT executives were surveyed.
DTT's Simon Owen said the figures show that the biggest threat
to companies is not from employees; cyber attacks are becoming
increasingly sophisticated.
http://news.zdnet.co.uk/story/0,,t269-s2134573,00.html
14
May 2003 - Bank of America Customers Targeted by Fraud Artist
Bank of America customers have been targeted by a con artist who
tries to get them to visit a phony website and provide their personal
account data. They received spoofed e-mails directing them to
the phony site. Bank of America has warned its customers about
the scam and encourages them to be proactive about their on-line
habits.
http://www.computerworld.com/securitytopics/security/cybercrime/story/0,10801,81211,00.html
13
May 2003 - SEC Files Charges Against Alleged Spammer
The US Securities and Exchange Commission (SEC) has filed fraud
charges against K.C. Smith who allegedly stole more than $100,000
from unwitting on-line investors by setting up two phony web sites,
including one for the nonexistent US Deposit Insurance Corp. (USDIC)
that had the SEC's official seal on it. Smith allegedly sent 9
million spam messages promoting his scheme and used other fraudulent
means to hide his identity while conducting business. Smith agreed
to repay the allegedly stolen funds plus interest, but has neither
admitted nor denied the allegations against him.
http://www.computerworld.com/securitytopics/security/cybercrime/story/0,10801,81188,00.html
13
May 2003 - Targeted Attacks on the Rise
Hackers are increasingly launching "targeted attacks"
in which specific tools are used against specific cyber targets,
instead of releasing worms and viruses that spread indiscriminately
across the Internet. Statistics from security services provider
Riptech show that 40% of attacks suffered by their client base
were targeted, significantly above the expected 15%. http://news.com.com/2010-1071-1001016.html
12
May 2003 - Hacked Hosting Firms Caught Without Recent Backup
Three Netherlands-based Web hosting service providers are learning
a difficult lesson about the need to regularly back up data after
a hack attack put them out of commission. Alphamega,
the Hosting Company and Original Europe were brought down by a
cyberattack on May 3 that resulted in corruption of the firms'
internal software and the theft of some data. But the initial
damage assessment got much worse when the companies admitted not
having recent backups for all customers' Web sites. In some
cases, the most recent backups may be more than four months old.
(Security Wire Digest)
12
May 2003 - Fizzer Worm
A mass-mailing worm called Fizzer is spreading around the world.
Fizzer spreads through both e-mail and file-sharing programs,
and affects computers running Windows operating systems. It disables
anti-virus software, steals passwords, and places a backdoor in
infected computers.
http://news.bbc.co.uk/1/hi/technology/3021927.stm
8
May 2003 - Phony e-Mails to Bank Customers Try to Steal Passwords,
Download Trojan
Customers of First Union Bank have been receiving fraudulent e-mail
messages claiming to be from First Union, telling them their user
names and passwords have been lost, and directing them to a web
site so they can supply the bank with their information. Even
if the users do not enter their information, merely visiting the
site causes the Backdoor AMQ Trojan horse program to be downloaded
to their computers. http://www.eweek.com/article2/0,3959,1068224,00.asp
8
May 2003 - German Student Arrested on Suspicion of Running MP3
File Sharing Service
German police have arrested a 25-year-old computer-programming
student for allegedly conducting an MP3 file sharing service.
The investigation into the man's activities was initiated by the
International Federation of the Phonographic Industry (IFPI).
http://news.zdnet.co.uk/story/0,,t269-s2134454,00.html
7
May 2003 - OSU Police Seize Computers That May Have Been Used
for Illegal File Sharing
Ohio State University police have seized five computers that were
allegedly being used to distribute illegally downloaded music
and movies to students. No students have been charged in the case;
that could change if copyrighted material is discovered. The investigation
began three months ago when file-sharing was consuming 10% of
the bandwidth of the university's computer system. http://www.usatoday.com/tech/news/2003-05-07-osu-seizures_x.htm
7
May 2003 - Earthlink Wins Damages in Buffalo Spammer Case
Earthlink has been awarded 416 million in damages against Howard
Carmack, a New York state man who allegedly used stolen credit
cards and identities to establish Internet accounts, then used
those accounts to send out more than 825 unsolicited e-mails,
also known as SPAM. The district court in Atlanta also banned
Mr. Carmack, known as the Buffalo Spammer, from sending out more
SPAM. Earthlink has also begun testing SpamBlocker, a permission-based
blocking technology. http://www.infoworld.com/article/03/05/07/HNspamcase_1.html
http://news.com.com/2100-1032-1000272.html
5
May 2003 - Organizations Pay the Price for Music Swapping on Their
Networks
As music sales tumble, the Recording Industry Association of America
(RIAA) and other entertainment groups are clamping down on music
and video piracy. Recently, the RIAA served notice to more than
300 enterprises to eliminate illegal file-swapping on their networks.
This is no idle threat. Last year, an Arizona company paid the
RIAA $1 million for unwittingly hosting a server that its employees
used to swap MP3 files.
http://www.infosecuritymag.com/2003/apr/news.shtml#4
1
May 2003 - Four Students Reach Settlement Agreements with RIAA
The Recording Industry Association of America (RIAA) has reached
settlements with four college students it says were running illegal
music file sharing services. The students will each pay the RIAA
between $12,000 and $17,500. Attorneys for a Princeton University
student involved in the case said their client had reached a settlement
with the RIAA but had not admitted guilt. http://www.washingtonpost.com/wp-dyn/articles/A2755-2003May1.html
1
May 2003 - Couple Arrested for Allegedly Stealing Credit Reports,
Using Info to Make Purchases
A woman who worked at Weichert Financial Services in New Jersey
and a man she lives with have been charged with using fraudulently
obtained credit reports to make Internet purchases. Mary Louissaint
and Ronald Hyppolyte are being held without bail. More than 3,700
credit reports were allegedly illegally accessed through Weichert
Financial's computer system, some of them from a computer at an
address where Louissaint and Hyppolyte recently lived.
http://www.philly.com/mld/philly/news/local/5762824.htm
30
April 2003 - Majority of Cyber Crime Losses are Due to Data Theft
An IBM research report, Information at Risk, suggests that most
monetary losses businesses suffer from cyber crime are due not
to virus attacks but to data and intellectual property theft.
The report, which used data from the UK's National Hi-Tech Crime
Unit (NHTCU) and the US Computer Security Unit, found that UK
companies lost 145 million pounds (approximately $233 million)
to cyber crime last year. http://www.vnunet.com/News/1140571
30
April 2003 - Wisconsin High School Students Investigated for Altering
Grades
A group of students at Stoughton High School in Stoughton, Wisconsin
allegedly bought keystroke logging software for less than $100
on the Internet and used it to break into their school's computer
system and alter their grades. Approximately 20 students are being
investigated; some have begun suspensions and are awaiting decisions
on expulsion. http://www.madison.com/captimes/news/stories/47911.php
29
April 2003 - Virginia's Anti-Spam Law Toughest In Nation
Under a new law that goes into effect on July 1, anyone who uses
forged addresses for high volume spam and others who send pornographic
spam to computers in Virginia are subject to penalties of up to
five years in jail and forfeiture of assets. The spammers do not
need to be in Virginia to be subject to the law. http://seattlepi.nwsource.com/business/aptech_story.asp?category=1700&slug=Fighting%20Spam
26
April 2003 - Spammers Using Trojan Horse Programs
As authorities begin cracking down on unsolicited e-mail, spammers
are turning to methods used by hackers to launch distributed denial
of service attacks. They are using Trojan horses that include
their own SMTP engines to route their unsolicited messages through
unwitting users' computers.
http://www.securityfocus.com/news/4217
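A Trojan that carries its own SMTP engine shows up on the network as an ordinary workstation talking directly to many outside mail servers on TCP port 25, something only the site's real mail relay should do. The following is an added example, not code from the original page or from any product, of that detection run over flow records. The log format, the addresses, the relay address and the threshold are all constructed assumptions.

```python
"""Flag internal hosts that send mail directly to the Internet instead of
through the authorized relay.  Added example; flow lines are constructed."""
import ipaddress
from collections import defaultdict

# Hypothetical site facts: the one real outbound mail server and the internal range.
AUTHORIZED_RELAYS = {"10.0.0.5"}
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")

# Constructed flow export: timestamp, source, destination, dest port, protocol.
FLOWS = """\
2003-04-26T09:58:11 10.0.0.5 198.51.100.10 25 TCP
2003-04-26T09:58:12 10.0.0.5 198.51.100.11 25 TCP
2003-04-26T10:00:01 10.0.0.17 203.0.113.25 25 TCP
2003-04-26T10:00:02 10.0.0.17 203.0.113.26 25 TCP
2003-04-26T10:00:02 10.0.0.17 203.0.113.27 25 TCP
2003-04-26T10:00:03 10.0.0.17 203.0.113.28 25 TCP
2003-04-26T10:00:05 10.0.0.17 203.0.113.29 25 TCP
2003-04-26T10:00:06 10.0.0.17 203.0.113.30 25 TCP
2003-04-26T10:00:09 10.0.0.42 203.0.113.80 80 TCP
2003-04-26T10:00:10 10.0.0.42 10.0.0.5 25 TCP
2003-04-26T10:00:11 10.0.0.99 203.0.113.40 25 TCP
"""


def parse_flows(text: str) -> list:
    """Parse whitespace-separated flow lines into (ts, src, dst, dport, proto)."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto = line.split()
        flows.append((ts, src, dst, int(dport), proto))
    return flows


def direct_smtp_senders(flows: list, min_destinations: int = 5) -> dict:
    """Map internal source -> set of external SMTP destinations it contacted.

    Only sources that are not an authorized relay and that reached at least
    min_destinations distinct external hosts on TCP/25 are returned.  A
    threshold of 1 lists every host bypassing the relay; a higher threshold
    isolates the fan-out typical of a bulk mailer.
    """
    dests = defaultdict(set)
    for _ts, src, dst, dport, proto in flows:
        if proto != "TCP" or dport != 25:
            continue
        if src in AUTHORIZED_RELAYS:
            continue
        if ipaddress.ip_address(src) not in INTERNAL_NET:
            continue  # inbound traffic is out of scope here
        if ipaddress.ip_address(dst) in INTERNAL_NET:
            continue  # submitting to the internal relay is the expected path
        dests[src].add(dst)
    return {src: d for src, d in dests.items() if len(d) >= min_destinations}


if __name__ == "__main__":
    parsed = parse_flows(FLOWS)
    for host, targets in sorted(direct_smtp_senders(parsed, 1).items()):
        print(f"{host} sent directly to {len(targets)} external mail servers")
```

On the constructed data 10.0.0.17 stands out with six distinct external mail servers in a few seconds, while 10.0.0.42 is clean because it submits to the internal relay. The same logic is usually enforced, not just detected, by blocking outbound port 25 from everything except the relay at the border.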
25
April 2003 - Addressing Insider Security Threats
Two companies share steps they have taken to guard against insider
security threats. British Telecom employees have access to company
web applications on a need-to-know basis; the company has also
deployed intrusion detection systems and firewalls. In addition,
software that controls employee access and activity is linked
to the human resources department; when employees leave the company,
their access is revoked. Palm uses intrusion detection systems
and penetration scanner utilities among other security tools.
Palm's Director of Global IT Services Matt Archibald recommends
conducting unannounced
penetration studies and checking for configuration changes. http://www.infoworld.com/article/03/04/25/17FEinjob.sb1_1.html?security
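The BT practice above, access tied to the HR record so that it is revoked when someone leaves, is the control most directly aimed at the former-employee intrusions reported elsewhere on this page. The following is an added example, not code from the original page or from either company, of the reconciliation job behind such a link: it compares the account directory with the HR roster and reports enabled accounts of leavers, accounts HR does not know about, and dormant accounts. The records, dates and the 90-day dormancy window are constructed assumptions.

```python
"""Reconcile enabled accounts against the HR roster.  Added example; the
HR records, accounts and dates are constructed."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class HrRecord:
    username: str
    end_date: Optional[date]  # None while still employed


@dataclass(frozen=True)
class Account:
    username: str
    enabled: bool
    last_login: Optional[date]


def reconcile(hr_records, accounts, today: date, dormant_days: int = 90) -> dict:
    """Compare the account directory with HR and return three lists of usernames.

    leaver_enabled - enabled account whose HR record shows the person has left
    no_hr_record   - enabled account that HR does not know about (review it)
    dormant        - enabled account of a current employee unused for dormant_days
    """
    by_user = {r.username: r for r in hr_records}
    report = {"leaver_enabled": [], "no_hr_record": [], "dormant": []}
    cutoff = today - timedelta(days=dormant_days)
    for acct in accounts:
        if not acct.enabled:
            continue  # already disabled: nothing to revoke
        rec = by_user.get(acct.username)
        if rec is None:
            report["no_hr_record"].append(acct.username)
        elif rec.end_date is not None and rec.end_date <= today:
            report["leaver_enabled"].append(acct.username)
        elif acct.last_login is None or acct.last_login < cutoff:
            report["dormant"].append(acct.username)
    return report


def disable_list(report: dict) -> list:
    """Accounts safe to disable automatically: confirmed leavers only.
    Unknown and dormant accounts need a human decision (service accounts,
    long leave) and are left for review."""
    return sorted(report["leaver_enabled"])


# Constructed sample data.
TODAY = date(2003, 4, 25)
HR = [
    HrRecord("asmith", None),
    HrRecord("bjones", date(2003, 3, 31)),  # left last month
    HrRecord("clee", None),
    HrRecord("dkim", date(2003, 6, 30)),    # notice given, still employed today
]
ACCOUNTS = [
    Account("asmith", True, date(2003, 4, 24)),
    Account("bjones", True, date(2003, 4, 20)),       # leaver still logging in
    Account("clee", True, date(2002, 12, 1)),         # current employee, dormant
    Account("dkim", True, date(2003, 4, 25)),
    Account("svc_backup", True, date(2003, 4, 25)),   # no HR record: review
    Account("eold", False, None),                     # already disabled
]

if __name__ == "__main__":
    report = reconcile(HR, ACCOUNTS, TODAY)
    for category, users in report.items():
        print(f"{category}: {users}")
    print("disable:", disable_list(report))
```

Running it on the sample data reports bjones as a leaver with an enabled account, clee as dormant, and svc_backup as unknown to HR; only bjones goes on the automatic disable list. The job is only as good as the HR end-date feed, which is why the articles treat the HR link itself as the control.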
24
April 2003 - Web Hosting Company Hacked
A hacker broke into a server belonging to Bargainhost, a web hosting
company, stole passwords and defaced websites. Customers are being
advised to change their passwords, though at least one customer
has already reported losing valuable data. Website backups have
also been corrupted.
http://news.bbc.co.uk/2/hi/technology/2967749.stm
21
April 2003 - AT&T Voice Mail Security Measures
AT&T has implemented security measures to protect customers
from phone phreaking; recently, hackers have been manipulating
people's voice mail systems to accept unauthorized long-distance
calls. AT&T customers will be required to use random codes
rather than saying "yes" to accept collect calls. Customers
are also encouraged to use complex voice-mail passwords, to change
them frequently and to check their announcements to see if they
have been changed.
http://www.computerworld.com/securitytopics/security/story/0,10801,80554,00.html
21
April 2003 - Student Faces Charges for Alleged Server Intrusion
A business-college student in Erie, Pennsylvania, faces charges
for allegedly breaking into a server belonging to Ohananet, a
Hawaiian company. Jason Starr allegedly had control of the server,
which was located in Missouri, for about a year. Starr also allegedly
changed the server's password and attempted to access PayPal accounts
belonging to Ohananet's president. If convicted, Starr could face
up to a year in prison and a fine of as much as $100,000.
http://www.crime-research.org/eng/news/2003/04/Mess2002.html
18
April 2003 - Former Employee Pleads Guilty to Breaking Into Company
Computers
Alan Giang Tran, a former Airline Coach Service and Sky Limousine
Company employee, has pleaded guilty to breaking into the company's
computers, deleting critical data and changing passwords, locking
employees out of their accounts. Tran could face up to ten years
in federal prison; sentencing is scheduled for July 28. http://www.fbi.gov/fieldnews/april/la041703.htm
18
April 2003 - Trojan Downloaded Pornographic Images
A UK man was acquitted of charges of having pornographic images
on his computer after it became apparent that his computer had
been infected with a Trojan horse program that was responsible
for downloading the images. http://www.theinquirer.net/?article=9023
16
April 2003 - Survey Shows Security Needs Improvement
Respondents to a Human Firewall Council survey completed an on-line
self-assessment tool called the "Security Management Index"
to grade their company's security efforts in ten areas; 80% of
respondents earned a D or an F as an overall grade. The Human
Firewall Council believes the "dismal" ratings stem
from the fact that businesses seem to approach security by responding
to each problem as it arises rather than addressing security as
an overall business concern.
http://www.csoonline.com/read/040103/survey.html
16
April 2003 - Fuming NASCAR Fan Floods Fox With E-mails
A racecar fan faces up to a year in prison for flooding Fox Entertainment
with more than a half-million e-mails to protest a Boston affiliate's
broadcasting a Red Sox game instead of an auto race. Michael
Melo of Billerica, Mass., recently pleaded guilty to a federal
misdemeanor charge of damage to a protected computer system. The
e-mail attack forced the network to shut down part of its Web
site and cost the company $36,000, according to the Associated
Press. Melo designed a program that repeatedly sent the same six
e-mails to Fox Entertainment Group Inc. in Los Angeles over several
days in spring 2001. "He was just very upset that the Red
Sox would pre-empt NASCAR, so he decided to send these messages
to express his views," said Melo's lawyer, Andrew Good.
15
April 2003 - Naval Academy Students Disciplined for Downloading
Music Files
Eighty-five students at the US Naval Academy have been disciplined
for illegally downloading music; computers belonging to 92 cadets
were seized in November 2002. The students could face demerits,
loss of leave time, extra duties and campus activity restrictions.
http://news.com.com/2100-1025-996990.html
11
April 2003 - Disaster Recovery and Continuity Guidelines for Financial
Institutions
The Federal Reserve, the Office of the Comptroller of the Currency
and the Securities and Exchange Commission have published a white
paper outlining disaster recovery and business continuity guidelines
for financial institutions. The guidelines include establishing
a system that will allow for same day business recovery after
a disaster; that time frame would ideally be reduced to two hours
after a disaster. Many companies balked at an earlier proposal
that suggested a minimum distance of 200-300 miles between primary
and secondary data centers; the paper does not establish a minimum
distance for back-up facilities. http://www.computerworld.com/securitytopics/security/recovery/story/0,10801,80262,00.html
8
April 2003 - Pyramid Scheme Spam Temporarily Brings Down Montana
ISP
A Montana
Internet service provider (ISP) was deluged with up to 20,000
e-mail messages an hour, causing the service to shut down briefly.
The messages were part of an electronic pyramid scheme. The ISP's
owner believes the attacks originated locally; the incident is
under investigation.
http://www.usatoday.com/tech/news/computersecurity/2003-04-08-isp-attack_x.htm
8
April 2003 - Letter Author Claims to have Breached Prison Computer
Security
The Arkansas Democrat-Gazette received a letter containing the
social security numbers of several Arkansas prison employees from
someone claiming to be an inmate. The author of the letter alleges
that prison authorities were lax in allowing inmates to have access
to computers. A prison spokeswoman says the information would
not have been available through the Internet, but could have been
found on the prison's computer system. The incident is being investigated.
http://www.usatoday.com/tech/news/computersecurity/2003-04-08-inmate-hack_x.htm
7
April 2003 - Nevada Hospital System Hack Traced to Russia
The security of a small Nevada hospital's computer system was
breached by a hacker who has been traced back to Russia. The hacker
routed the attack through the al-Jazeera web site to make it look
as if the attack came from the Middle East. The hacker may have
accessed employees' social security numbers and bank account information.
A Trojan horse program embedded in a game some employees had downloaded
allowed the attackers access. The hospital's payroll system has
been removed from the network and employees have been instructed
never to install software or sign on to streaming Internet services.
http://www.usatoday.com/tech/webguide/internetlife/2003-04-07-hospital-hack_x.htm
5
April 2003 - RIAA Files Piracy Suits Against Four Students
The Recording Industry Association of America (RIAA) has filed
suits against four students at three universities across the country.
The suits allege that the students set up file sharing networks
on their university computer systems, and ask for permanent injunctions
to shut down those sites as well as a fine of $150,000 per copyright
infringement. The RIAA said the suits would not be dropped if
the students shut down the sites themselves. The music industry
blames
Internet music piracy for declining revenues. http://www.washingtonpost.com/wp-dyn/articles/A23933-2003Apr3.html
2
April 2003 - Navigating IT Security Decision Making
Advice for companies maneuvering through the process of implementing
IT security includes ignoring vendors' hype, becoming educated
about actual risks and building up security by layers, starting
with the fundamentals.
http://www.computerworld.com/securitytopics/security/story/0,10801,79965,00.html?nas=SEC-79965
27
March 2003 - Hotmail Caps Outgoing Email Messages To Curb Spam
Microsoft has reduced the number of messages people using its
free Hotmail service can send each day to 100 from 500, in an
attempt to cut down on spam.
http://news.bbc.co.uk/1/hi/technology/2890661.stm
15
March 2003 - Former Employees Allegedly Hacked Company System
Through Old Accounts
The computer system at LapLink, a software company, was allegedly
hacked by two former employees who used accounts that hadn't been
deleted. The attack caused the e-mail system to go down and apparently
deleted crucial files. LapLink CEO Mark Eppley reportedly plans
to file charges.
ht