[ISN] Police Grapple With Cybercrime

http://online.wsj.com/news/article_email/SB10001424052702304626304579508212978109316-lMyQjAxMTA0MDIwMTEyNDEyWj

By DANNY YADRON
The Wall Street Journal
April 20, 2014

When cybercriminals stole $2.5 million from the state of Utah in 2009, authorities got most of the money back—but never could find their man.

The money was wired to a bank account in Texas, officials said, as a step before an attempt to move it overseas. Utah authorities managed to freeze much of the funding in the U.S., but couldn’t figure out how the state agency got hacked and by whom, officials said. At one point, state investigators sought a man with a false name at a nonexistent address.

“It was just, for us, kind of a helpless feeling,” Utah Commissioner of Public Safety Keith Squires said of the incident.

As crime is increasingly moving online, state and local police—who have spent decades refining how to track down murderers, thieves and drug dealers—are having a hard time keeping up.

“It probably is one of the most perplexing questions right now in terms of state and local policing: How do they handle this stuff?” said Richard McFeely, who recently stepped down as the top cybersecurity official at the Federal Bureau of Investigation. “We’re not generally working these cases. We need to get out ahead of this.”

[…]





[ISN] Hackers attack Spokeo, UN Civil Aviation Org in nine-site crime spree

http://www.zdnet.com/hackers-attack-spokeo-un-civil-aviation-org-in-nine-site-crime-spree-7000028594/

By Violet Blue
Zero Day
ZDNet News
April 21, 2014

Adding to a list of high profile targets that includes Comcast, NullCrew released on Sunday evidence it added a major “people finder” data broker, the UN’s aviation regulation and security arm, the University of Virginia, Telco Systems and others to its growing catalog of those it has hacked and humiliated.

The hackers of NullCrew claim in its Pastebin (e-zine) called “FTS Zine 5” that it also broke into Ukraine’s science center, where they claim to have discovered a database relating to individuals somehow working in “weapon code” production.

NullCrew announced on Twitter that it published the evidence of hacking into nine sites Easter Sunday.

As with its previous conquests NullCrew mocked its targets while explaining the attacks



[ISN] AOL email hacked: Several users complain about compromised accounts

http://www.chicagotribune.com/business/technology/la-fi-tn-aol-hacked-email-phishing-twitter-20140421,0,6586634.story

By Salvador Rodriguez
Chicago Tribune
April 21, 2014

You’ve got (spam) mail.

Several AOL users are complaining on Twitter that their email accounts have been hacked and are being used to send out spam to others.

Multiple users have said that their accounts have been affected despite not being used in a long time. Among them is Los Angeles Times Food Editor Russ Parsons.

“I’ve gotten a couple of emails from friends telling me that my AOL account had been hacked and that they were getting spammed by it. The thing is, that account has been closed for at least two years,” Parsons said in an email.

It’s unclear how widespread the problem is or what is causing it. Users are complaining that changing their accounts’ passwords is not resolving the problem, as is usually the case when an email account has been hacked.

AOL has not addressed the situation and could not be reached for comment.

[Updated 3:50 p.m. PDT April 21: AOL said it is working on resolving the issue. The company said users can go to AOL’s help website to check on the latest updates and said that users should contact AOL if they believe their account was hacked. […]



[ISN] SEC seeks data on cyber security policies at Wall Street firms

http://www.computerworld.com/s/article/9247802/SEC_seeks_data_on_cyber_security_policies_at_Wall_Street_firms

By Jaikumar Vijayan
Computerworld
April 21, 2014

The Securities and Exchange Commission (SEC) plans to review the cyber defenses of 50 Wall Street broker-dealers and investment advisers to determine whether they are prepared for potential cyber threats.

The SEC Office of Compliance Inspections and Examinations (OCIE) will review each company’s tools and policies regarding governance, risk identification and assessment, network and data security controls, remote access and third party cyber risks.

In a security alert released last week, the SEC said the effort was launched after participants at an SEC-sponsored roundtable discussion in March stressed the importance of strong cybersecurity controls at Wall Street firms.

During the roundtable, SEC Commissioner Luis Aguilar recommended that the Commission collect information from broker-dealers and other financial firms about their cyber readiness. The SEC will follow up with information on how it can help the financial industry bolster security.

[…]



[ISN] How Heartbleed transformed HTTPS security into the stuff of absurdist theater

http://arstechnica.com/security/2014/04/how-heartbleed-transformed-https-security-into-the-stuff-of-absurdist-theater/

By Dan Goodin
Ars Technica
April 21, 2014

If you want to protect yourself against the 500,000 or so HTTPS certificates that may have been compromised by the catastrophic Heartbleed bug, don’t count on the revocation mechanism built-in to your browser. It doesn’t do what its creators designed it to do, and switching it on makes you no more secure than leaving it off, one of the Internet’s most respected cryptography engineers said over the weekend.

For years, people have characterized the ineffectiveness of the online certificate status protocol (OCSP) as Exhibit A in the case that the Internet’s secure sockets layer and transport layer security (TLS) protocols are hopelessly broken. Until now, no one paid much attention.

The disclosure two weeks ago of the so-called Heartbleed bug in the widely-used OpenSSL cryptography library has since transformed the critical shortcoming into a major problem, the stuff of absurdist theater. Security experts admonish administrators of all previously vulnerable websites to revoke and reissue TLS certificates, even as they warn that revocation checks in browsers do little to make end users safer and could indeed weaken the security and reliability of the Internet if they were made more effective.

Certificate revocation is the process of a browser or other application performing an online lookup to confirm that a TLS certificate hasn’t been revoked. The futility of certificate revocation was most recently discussed in a blog post published Saturday by Adam Langley, an engineer who was writing on his own behalf but who also handles important cryptography and security issues at Google. In the post, Langley recites a litany of technical considerations that have long prevented real-time online certificate revocations from thwarting attackers armed with compromised certificates, even when the digital credentials have been recalled. Some of the considerations include:

[…]

