InfoSec in the News

2001 and earlier

Most of the incidents in these news stories could have been prevented with an effective security awareness program; the other stories promote the use of security awareness.
Also visit our News Archives for older stories.

Subscribe to the following e-mail lists for even more stories:

SANS NewsBites

Security Wire Digest

30 December 2003 - e-Mail Rumor Causes Run on Bank
A rumor spread by e-mail caused a run on Japan's Saga Bank. A message sent from a cell phone to members of a mailing list suggested that Saga Bank would go bankrupt; customers withdrew 18 billion yen (approximately US$169.4 million) from the bank the next day, double the previous day's withdrawals. http://www.yomiuri.co.jp/newse/20031230wo27.htm

30 December 2003 - Hoax e-Mail Urges Users to Download Security Software
The Bank of England has intercepted over 100,000 phony e-mail messages which purport to come from a Bank of England administrator and which urge recipients to download an attachment that will protect customers' financial data from cyber fraud. Bank technicians are working with the UK's National Hi-Tech Crime Unit (NHTCU) to discern what the attachment actually does and where it came from.

30 December 2003 - Cyber Blackmail Artists Target Individuals in the Workplace
Cyber extortionists have been targeting office workers with e-mail threatening to download illegal content onto their PCs, release viruses or erase files if they don't pay up. The ransom they demand is usually small, so people often pay, and then they are targeted again because they have been identified as a "soft touch." http://www.computerworld.com/printthis/2003/0,4814,88623,00.html

29 December 2003 - e-Mail Exploits Terrorism Fears to Plant Trojan Horse Program
An e-mail spreading in Malaysia exploits terrorism fears by warning of planned attacks in that country and providing a link to what it says is a site with more pertinent information. In truth, the link causes a virus to be installed on users' computers; the virus, which bears similarities to the Backdoor.Tofger Trojan horse program, attempts to connect to three different Internet hosts.

26 December 2003 - Phishers Target Visa Cardholders
Visa credit card holders are the latest targets of phishers. People have been receiving e-mail messages with a link for users to reactivate their accounts as part of a purported anti-fraud service. The link, which led to a web page that does not belong to Visa, has been taken down.

24 December 2003 - On-Line Fraud Complaints Up 60%
Statistics from the Internet Fraud Complaint Center (IFCC) show that on-line fraud complaints rose from 75,000 in 2002 to more than 120,000 in 2003 - an increase of 60%. The center, which is run by the FBI and the National White Collar Crime Center (NW3C), is changing its name to the Internet Crime Complaint Center (IC3). http://www.securityfocus.com/news/7714

19 December 2003 - Semantic Attacks are "the Future of Fraud on the Internet"
Bruce Schneier observes that phishing is a form of "semantic attacks," which are harder to protect against than physical and logical or "syntactic" attacks because their targets are computer users, not the computers themselves. People have a tendency to believe things they read, even on the Internet, and they are likely to open attachments from what appear to be known senders. http://www.bayarea.com/mld/mercurynews/7529172.htm

19 December 2003 - Stolen Bank Laptop Contains Customer Data
A laptop stolen from Bank Rhode Island's (BankRI) principal data-processing provider contains the names, addresses and social security numbers of about 43,000 customers. BankRI CEO Merrill Sherman said the bank's IT department now plans to install encryption and fraud detection software on its computers. http://www.computerworld.com/printthis/2003/0,4814,88443,00.html

19 December 2003 - Australia's Spam Act
Australia's Spam Act, which goes into effect April 11, 2004, carries penalties of up to AUS$1.1 million (approximately $800,000) a day for offenders.

19 December 2003 - Cyber Thief Pleads Guilty to Stealing Data
Daniel J Baas, of Milford, Ohio, pleaded guilty in federal district court to breaking into Arkansas-based Acxiom Corp.'s computers and stealing customer data. He is being held without bond until his sentencing, when he could face a prison term as well as court-ordered restitution.

18 December 2003 - NY Attorney General and Microsoft File Suits Against Spammers
New York Attorney General Eliot Spitzer, along with Microsoft, has filed lawsuits against a group of spammers. 8,000 messages caught by Microsoft "spam traps" contained a total of 40,000 fraudulent messages; the lawsuits seek $5000 for each phony statement for a total of $20 million.

16 December 2003 - Bush Signs CAN-SPAM Act
President George W. Bush has signed the CAN-SPAM Act. The new law places penalties of up to $250 per e-mail for violations, which include falsifying header information and not providing opt-out instructions. CAN-SPAM critics observe that the law does not affect spammers outside the United States and that it overrides state laws that are, in some cases, more stringent than the new federal law.

16 December 2003 - Board Says NIST Computer Security Division Needs More Funding
The Information Security and Privacy Advisory Board says the National Institute of Standards and Technology's (NIST) Computer Security Division is underfunded in the fiscal 2004 budget. The division received nearly $15 million in fiscal 2003; it is slated to receive about $10 million in fiscal 2004.

15 December 2003 - Former Programmer Gets Prison Sentence for Deleting Applications
Jesus C. Diaz, who once worked as an AS/400 programmer for Hellmann Worldwide Logistics, has been convicted of accessing the company's computer system remotely and deleting critical OS/400 applications. A Hellmann IT staff member who had recently attended a SANS security conference followed the protocol he learned there and was able to preserve evidence. Diaz received a one-year sentence, half of which he may serve at home, and was ordered to pay more than $80,000 restitution.

12 December 2003 - Government Cyber Security Report Card Analysis
Despite the overall low grades given to the government for cyber security, the improvements can be viewed in a positive light. For instance, while the Department of Transportation's grade rose from an F last year to a D+ this year, the improvement is due to a score increase from 28 to 69. In addition, several agencies' grades did improve significantly; the Nuclear Regulatory Commission's grade rose from a C to an A, and the National Science Foundation's grade rose from a D- to an A-. Federal Information Security Management Act (FISMA) regulations are likely to bring about greater improvement in next year's report card.
A Word document with the grades themselves is available:

12 December 2003 - Classified Disks Missing at Los Alamos National Laboratory
A routine inventory of classified electronic storage media at Los Alamos National Laboratory (LANL) found nine floppy disks and one large-capacity storage disk unaccounted for. LANL officials have instituted a "limited security stand-down" for all employees who work with classified data; they will not be permitted to handle removable electronic media until they undergo retraining. Officials at LANL believe the disks were probably destroyed "as part of a regularly scheduled disposal process."

12 December 2003 - Spammers Indicted in Virginia
Jeremy James, a.k.a. Gaven Stubberfield, and Richard Rutowski have been indicted on charges they conspired to send out large quantities of spam in violation of Virginia's anti-spam law. In addition to exceeding the legal volume for spam, they are accused of falsifying information to disguise the spam's origin. If they are convicted, they could each receive a five-year prison sentence and be ordered to pay a fine of up to $2,500.

12 December 2003 - Man Fined for Trying to Install Keystroke Logger
The Johannesburg Commercial Crime Court convicted Innocent Madlala under South Africa's Electronic Communications and Transactions (ECT) Act for attempting to install a keystroke-logging device on an Internet banking computer. Madlala was fined R20,000, approximately US$3178.

9 December 2003 - Considering Camera Phone Policies
META Group vice president for Technology Research Services Jack Gold recommends that companies develop clear policies regarding the use of camera phones on business premises; they should also consider whether the devices should be allowed on site at all. Camera phones could be used to photograph proprietary information.

2 December 2003 - American Eagle Outfitters Hacker Gets 18 Months / Fined $64,000
Kenneth Patterson had admitted to posting user names, passwords, and information on how to break into his ex-employer's system, and to conducting a series of denial of service attacks. He was sentenced to 1 and a half years in jail and ordered to pay $64,000 in restitution.

01 December 2003 - Top Ten Viruses and Hoaxes Reported Last Month
A new email-aware worm stormed to the top of the charts in November, and an existing hoax had a new burst of life. Find out more in our monthly round-up.

01 December 2003 - Report: Nearly Half of Growing U.S. Firms Hit by Breaches
Nearly half of the fastest-growing U.S. companies have suffered security breaches, but most still aren't prepared to dedicate enough resources to address the problem, according to a study by PricewaterhouseCoopers. http://www.pwc.com/extweb/ncpressrelease.nsf/DocID/031752489FF7C5C885256DE50070644C

01 December 2003 - Trojan Promises Pictures; Steals System, User Data
A new Trojan is on the loose that purports to be photos of a nude woman. But the worm in fact steals system information and other data from infected systems.

28 November 2003 - Hatch Staffer on Admin Leave After Document Theft Allegations Surface
Senate Judiciary Committee Chairman Orrin Hatch (R-Utah) has placed a member of his staff on administrative leave after an investigation indicated that the staff member in question obtained confidential documents from the servers of two Democratic senators. As of November 21, steps had been taken to preserve data related to the alleged breach. In addition, a third-party forensic examination will determine whether or not documents were accessed without authorization.

27 November 2003 - Wells Fargo Customer Data Thief Arrested
Police in California have arrested a man who confessed to having stolen computers from a Wells Fargo bank analyst's office. Edward Jonathan Krastov was arrested after he logged onto AOL using a stolen computer and the owner's account. The computers contained customer account and other personal data. Wells Fargo says they found no evidence the stolen information was abused, but plans to monitor affected accounts and has offered to buy affected customers a one-year subscription to a consumer credit watchdog service. http://www.cnn.com/2003/TECH/ptech/11/27/wellsfargo.theft.ap/index.html

24 November 2003 - Wells Fargo Offers $100,000 Reward in Computer Theft Case
Wells Fargo is offering $100,000 for information leading to the arrest and conviction of the person who stole a computer from a bank analyst's office. The stolen computer contains the names, addresses, bank account and social security numbers of customers who had taken out personal lines of credit. Lynn Greenwood, senior vice president of Wells Fargo's home and consumer finance group, says there is no evidence the data is being misused. The bank has told affected customers about the problem. http://zdnet.com.com/2102-1105_2-5110830.html?tag=printthis

21 November 2003 - Six Men Guilty of Identity Theft, Internet Bank Fraud
Six UK men have received prison sentences after pleading guilty to defrauding banks of £350,000 (approximately US$600,000) using the Internet. The six stole identities over the Internet, which they then used to establish bank accounts and apply for credit cards. http://www.zdnet.co.uk/print/?TYPE=story&AT=39118059-39020369t-10000022c

14 November 2003 - New Worm Poses as Paypal Message, Steals Credit Card Details
An email posing as a message from PayPal asking you to confirm your credit card details is, in fact, a new variant of the Mimail worm.

6 November 2003 - Legislator Suggests Antivirus Software be Required
During a House Energy and Commerce Committee's Subcommittee on Telecommunications and the Internet hearing, Representative Charles Bass (R-N.H.) asked, "Is there any reason why any computer in this country shouldn't have some kind of antivirus software on it as a requirement?" Others at the hearing pointed out that US citizens would perceive any such requirement to be trampling their rights. In addition, some computers, like those used in factory automation, are simply not set up to run anti-virus software. http://www.computerworld.com/printthis/2003/0,4814,86902,00.html

5 November 2003 - Man Allegedly Used Virus to Change Dial-Up Numbers
Italian police have charged a 39-year-old man with fraud and virus distribution for allegedly using e-mail messages that trick users into running a virus on their computers; the virus, known as Marq-A or Zelig, changes the Internet dial-up number to that of a "premium rate" line. The man stood to reap more than one million Euros a month if his scheme had been allowed to run that long.

4 November 2003 - E-Mail BackUp Tapes Unintentionally Thrown Out
Staff of IT contractor Telstra Enterprise Services apparently dug through trash in order to recover Australian government department and agency e-mail backup tapes that had been inadvertently thrown out. Telstra regulatory and corporate director Bill Scales said that his company told the security agencies about the security problem as soon as they discovered it.

4 November 2003 - Microsoft To Offer Bounty On Hackers
Microsoft will announce today (Wednesday) that it will offer two $250,000 bounties for information that leads to the arrest of the people who released the MSBlast worm and the SoBig virus. http://news.com.com/2102-7355_3-5102110.html?tag=st_util_print

3 November 2003 - Cyber Criminals Face Stiffer Sentences
As of November 1st, people convicted for cyber crimes face stiffer sentences, thanks to the 2002 Homeland Security Act. People who use computers to inflict bodily harm or death face sentences of 20 years to life. Another law, passed just this April, makes it harder for judges to be lenient and give sentences that are not as harsh as federal guidelines.

30 October 2003 - Survey Finds European Security More Reactive Than Proactive
A McAfee-sponsored survey of European companies found that nearly half of European organizations view security as fixing the vulnerabilities exploited by malware. 84% of respondents, however, said that "security is a critical concern" in their organizations. The percentage of companies that have measures in place to deal with blended threats varies from country to country; this is probably due to language differences and the fact that the majority of worms and viruses are created with English speaking targets in mind. http://news.bbc.co.uk/1/hi/technology/3223887.stm

29 October 2003 - Phishing Suspect Pleads Guilty
Helen Carr of Ohio has pleaded guilty to federal conspiracy charges for conducting a phishing operation, a scheme in which bank or ISP customers are spammed with fraudulent e-mail asking for verification of account and other personal information. Ms. Carr was apprehended after an off-duty FBI cyber crime agent received one of her phony e-mails. She could face up to five years in prison.

28/30 October 2003 - Orbitz Investigating Possible Customer e-Mail Address Theft
On-line travel company Orbitz said that someone had likely breached security at their web site and stolen customers' e-mail addresses. The theft became apparent when customers began complaining that they were receiving spam at e-mail addresses they used to conduct business with Orbitz. There is no evidence that personal account information or credit card numbers were compromised. Orbitz has notified the FBI of the incident and assembled an internal security team to investigate the matter.

15 October 2003 - CIO Magazine's State of Security Survey
Data from 7500 respondents in 54 countries seems to reinforce other surveys showing declining losses from cybersecurity. CIO magazine and PricewaterhouseCoopers report that most organizations dealt with few attacks, had little downtime, and rarely had damages from the attacks that exceeded $10,000. This will be used by CIOs who want to spend less on security to justify their cutbacks. Other interesting data compares European and US respondents and attempts to compare the security behaviors of "very confident" and "not at all confident" organizations. Definitely worth reading.

14 October 2003 - Presenting a Business Case for Security Funding
It used to be that bosses could be scared into funding security proposals with stories of other companies' cyber disasters. Now that funding is scarcer, bosses want more hard data to back up spending requests. Advice for preparing such information includes getting a security assessment done by a third party, creating a plan to address the vulnerabilities found in the assessment, and "build[ing] an ROI-based business case for security investments." http://www.computerworld.com/printthis/2003/0,4814,85892,00.html

14 October 2003 - Outlook 2003 to Have Increased Security
In the newest version of Microsoft Outlook, which will become available at the end of the month when Microsoft Office 2003 is released, security options will be set at the highest level by default. Users of Outlook 2003 will also be able to disable all macros and block HTML content in e-mail.

1 October 2003 - Phishing Scam Pretends to be Part of FBI Investigation
A recent phishing scam claimed to be part of an FBI investigation into credit card theft. Internet users received an e-mail message that appeared to be from the FBI and led them to a phony website designed to look like an official FBI site. Once there, users were asked to enter their credit card numbers, PINs and approximate account balances. The site has been taken down and the FBI is investigating.

30 September 2003 - Canadian Tax Department Computers Stolen
Four Canadian tax department computers were stolen from offices in Laval, Quebec. The computers contain personal information belonging to 120,000 Canadians. Revenue minister Elinor Caplan has ordered a security review.

28 August 2003 - RIAA Using Digital Fingerprints to Track Illegally Traded Files
Recently released court papers show that the Recording Industry Association of America (RIAA) is tracking down people who illegally trade copyrighted material on the Internet through the use of digital fingerprints. The RIAA says it can use that information to tell whether the songs were recorded from legally purchased CDs or traded illegally on the Internet. The case involves a New York woman who is fighting the RIAA's attempt to discover her identity.

25 August 2003 - Used BlackBerry Contained Proprietary Information
A man who bought a BlackBerry on eBay for $15.50 found that the wireless device contained a database of over 1,000 names, e-mail addresses and phone numbers of Morgan Stanley executives, as well as more than 200 internal Morgan Stanley e-mails. The seller is a former VP of mergers and acquisitions who had left the company. He said he had removed the battery months before selling the BlackBerry and assumed the data had been erased. Departing employees normally hand over their BlackBerries to be erased before they leave the company as a part of a company policy, even though the employees, not the company, own the devices. http://www.wired.com/news/print/0,1294,60052,00.html

25 August 2003 - FBI On the Trail of Sobig.F
The Sobig.F worm may have originated on an adult Usenet newsgroup. Phoenix Usenet access provider EasyNews was served with a subpoena from the FBI regarding an account that may have been used to post the worm. That account was established with a stolen credit card number just minutes before the worm was posted. http://www.computerworld.com/printthis/2003/0,4814,84326,00.html

22 August 2003 - Flash Memory Devices Pose Security Risk
Portable flash memory storage devices could pose security threats to organizations because administrators cannot control data transfer between networks and the devices. The devices could be used to steal corporate data or release malware into a company network inside the firewall. One way to address the problem would be to restrict users' file access.

30 July 2003 - FTC Warns of Peer-to-Peer Security Risks
The Federal Trade Commission (FTC) has issued a consumer privacy alert describing the risks that accompany the use of peer-to-peer file sharing software. The risks include accidentally downloading viruses or pornography and sharing copyrighted files, which could lead to prosecution.

30 July 2003 - Sydney University Must Surrender Backup Tapes in File-Swapping Data Case
An Australian federal judge has ruled that Sydney University must turn over back-up tapes to record companies, which allege that file-swapping data were on the University's computer system. The school must also bear the cost of recovering the data, which it says has been overwritten.

25 July 2003 - South African Police Questioning Suspect in Absa Account Thefts
Western Cape (South Africa) police are holding a suspect for questioning regarding money being illegally transferred from Absa bank customers' accounts. The suspect allegedly sent the bank customers "spy software" that harvested their bank account numbers and PINs.

23 July 2003 - Wells Fargo Customers Receive Fraudulent e-Mail
Some Wells Fargo customers have reported receiving e-mail messages that appeared to be about new accounts, and which included an attachment that, if launched, harvested passwords from the infected machines and sent them to a third party.

23 July 2003 - Man Put Keystroke Loggers on Kinko's Terminals
Juju Jiang pleaded guilty to charges stemming from his installing keystroke logging software on Internet terminals at Kinko's in New York City. He used the information he harvested to open on-line accounts. http://www.msnbc.com/news/943043.asp?0dm=C269T

23 July 2003 - 34 States are Considering or Have Passed Information Security Laws
According to a report from the National Council of State Legislatures, at least 24 states have introduced legislation regarding information security, and 10 states have passed information security laws. http://www.fcw.com/geb/articles/2003/0721/web-ncs-07-23-03.asp

21 July 2003 - Transportation Security Administration Laptop Stolen
A Transportation Security Administration laptop was stolen from a staffer's car; officials are concerned because the computer contains personal information about airport baggage and passenger screeners which could be used to steal identities if it were to fall into the wrong hands. The laptop is protected by a number of security measures. http://www.nynewsday.com/news/local/queens/nyc-screen0721,0,3811514.story

9 July 2003 - Massachusetts State Lottery Commission Web Site Spoofed
A phony web site that mimics the Massachusetts State Lottery Commission site was being used in an attempt to try to steal personal data. Some people received e-mails and text messages telling them they had won $30,000 in a lottery and directing them to the phony site. Once there, they found they were required to enter personal information and pay a $100 processing fee in order to claim their prize. The site has been taken down. The Commission is working with the FBI to find those responsible for the scam.

9 July 2003 - PayPal Customers Targeted by ID Data Theft Scam
Some PayPal customers have received messages telling them that their billing information has been lost and that in order to keep their accounts, they must re-enter the data on a specific site. Though many of the sites' links point to the PayPal web site, the form which requests personal information, such as name, address, credit card information and social security number, is on a server at a different IP address. The phony site uses a valid SSL certificate. http://www.computerworld.com/printthis/2003/0,4814,82888,00.html

26 June 2003 - Vengeful Employee Suspected of Leaking Data
Network consultancy ThruPoint is investigating how confidential documents on an internal server were illegally accessed and leaked. The company suspects the culprit is an unnamed disgruntled employee, who e-mailed staff a confidential plan to restructure the company's European offices. Details of the document also surfaced briefly on a U.K. Web site that includes a forum for ThruPoint's ex-employees. (Security Wire Digest)

26 June 2003 - FBI To Police P2P Pirates
The latest effort to clamp down on digital piracy through peer-to-peer (P2P) networks is the proposed Piracy Deterrence and Education Act. The House bill authorizes FBI agents to investigate copyright violators, including those who exchange protected works through popular online forums like KaZaA and Morpheus. The bill also calls for an FBI warning to be sent to suspected violators and for increased information sharing between law enforcement, content holders and ISPs. (Security Wire Digest)

23 June 2003 - Student Breached University Computer System and Disrupted Election
Shawn Nematbakhsh, a computer science major at the University of California at Riverside, allegedly broke into a university computer system and cast 800 votes for a fake candidate in a student election. He has been arrested. If convicted of charges, Nematbakhsh could face three years in prison and a $10,000 fine; he claims his actions were intended to prove that the university network was vulnerable.

19 June 2003 - RIAA Warns Individual File Traders
The Recording Industry Association of America (RIAA) has sent cease-and-desist letters to five people it suspects of offering vast quantities of copyrighted music through peer-to-peer filesharing networks. The RIAA obtained the names of the four Verizon subscribers and one EarthLink subscriber after an appeals court panel ordered Verizon to provide the RIAA with the subscribers' identities. The RIAA has not said whether it will pursue further legal action. http://news.com.com/2100-1027_3-1019184.html

19 June 2003 - Brokerages Must Retain IM Logs
US securities regulators are now requiring brokerages to retain instant messaging (IM) records for at least three years, putting the use of the communication tool in line with e-mail requirements. The companies were also advised to monitor employee use of IM. http://www.infoworld.com/article/03/06/19/HNfinancialim_1.html

16 June 2003 - Software Piracy Ring Busted
A successful sting operation on a software piracy ring has netted Italian police 181 arrests and approximately 118 million euros (US$139.6 million) worth of pirated software. The Business Software Alliance (BSA) lent support to the effort. http://news.com.com/2102-1012_3-1017776.html?tag=ni_print

16 June 2003 - FTC Seeks Bigger Guns To Take On Spam
The Federal Trade Commission (FTC) last week requested additional powers from Congress to help in its fight against the ever-increasing flood of electronic junk mail. The FTC wants to monitor spammers across international lines, be allowed to examine their bank accounts without telling them for a limited period of time, require spammers to describe their products honestly and comply with requests to be taken off contact lists. Spam is an increasing resource hog and a drain on sysadmins' time. The FTC says spam costs businesses $8 billion to $10 billion a year.

13 June 2003 - Proposed Legislation Would Allow Spammers to be Sued
US Senator Charles Schumer (D-NY) has introduced legislation that would allow attorneys general, ISPs and individuals to file civil suits against spammers. Dubbed the Stop Pornography and Abusive Marketing, or SPAM Act, the bill would also require commercial e-mail to have accurate headings and subject lines, have unsubscribe directions that work and be labeled as advertising. http://www.computerworld.com/printthis/2003/0,4814,82130,00.html

11 June 2003 - Foundstone Faced With Software Piracy Charges
Acting on anonymous tips, the Software & Information Industry Association (SIIA) last March launched a probe into the vulnerability assessment and security consulting firm's software licensing practices. Based on evidence collected through confidential sources, the group charges that Foundstone engaged in "extensive piracy." Citing former and anonymous Foundstone employees, Fortune magazine estimates that up to 95 percent of the company's software was unlicensed or pirated. "Do we have some things that we need to correct? Yes. We've taken steps to identify noncompliance issues, and taken immediate steps to become compliant and raise employee awareness," says Larry McIntosh, Foundstone's chief marketing officer. (Security Wire Digest)

10 June 2003 - Canadian Survey Finds IT Security Spending on the Rise
A Canadian study, Pulse of Internet Security in Canada, found that 73% of 150 C-level Canadian executives surveyed are spending more on security now than they were a year-and-a-half ago. 61% of the executives said security is among their top five priorities. Half of those surveyed said they have had a security breach. http://www.globetechnology.com/servlet/story/RTGAM.20030610.gtsecurityjune10/BNStory/Technology

6 June 2003 - Bugbear.B Sent Out Stanford Documents
Stanford University's computer system became infected with the Bugbear.B worm, which sent random files, some of them confidential, to other system users, who have since been blocked from sending mail to people outside the system.

5 June 2003 - Bugbear Variant is Spreading
A new variant of the Bugbear virus, Bugbear.B, is circulating on the Internet. It arrives as an attachment, uses random e-mail addresses found on infected computers for the From line, and uses document names from infected computers as well. It exploits a two-year-old MIME vulnerability in Outlook to send itself out. It copies itself to shared hard drives. It also places a back door on infected computers and installs key-logging software, ostensibly to steal personal information like passwords and credit card information. It also tries to disable anti-virus products.

4 June 2003 - LA Police Officer Suspended for Allegedly Accessing Databases
A Los Angeles (CA) police sergeant has been suspended from the force for allegedly accessing confidential databases without permission. Sgt. Mark Arneson had allegedly been obtaining information for a private investigator. http://www.usatoday.com/tech/news/2003-06-04-police-tap_x.htm

4 June 2003 - New Laws in Taiwan Make Hacking a Felony
Two new articles added to Taiwan's criminal code make hacking a felony. Obtaining unauthorized access to a proprietary computer system is now punishable by a prison term of up to three years and a fine of up to NT$100,000. Causing damage by attempting to alter data on someone else's computer disks is punishable by a prison term of five years and a fine of up to NT$200,000. Punishment is even more stringent for attacks against government computer systems.

3 June 2003 - Business Software Alliance Says Piracy Rate Shows Modest Decline
The Business Software Alliance (BSA) says that the software piracy rate fell last year, from 40% to 39%; the decline follows two straight years of increases. The rate is 10 percentage points below its 1994 level. Piracy rates in the US have fallen from 32% to 24% since 1994; Eastern Europe and the Asia-Pacific region have piracy rates of at least 90%. http://news.com.com/2102-1028_3-1012480.html?tag=ni_print

30 May 2003 - Hacker Breaks Into Colorado Health Clinic System
A hacker infiltrated the computer system at Southwest Family Medicine in Littleton, Colorado, leaving staff and patients wondering what personal data have been exposed. The clinic's office manager said they had mistakenly believed that their computer consultants had addressed security appropriately.

26 May 2003 - California Senate Approves Harsher Anti-Spam Bill
A bill recently passed by the California State Senate would make sending unsolicited commercial e-mail a felony and would allow people to sue spammers for $500 for each message sent. Current California law is based on an "opt-out" model, which can in fact backfire because responding to a message alerts spammers to live e-mail addresses. The new bill presents an "opt-in" model, and is based on a federal law against unsolicited and junk faxes due to the cost incurred by the recipient. The bill next goes to a vote in the California Assembly, and if approved there, makes its way to Governor Gray Davis.

24 May 2003 - Proposed Anti-Spam Bill is in Congress
The Reduction in Distribution of Spam Act is likely to pass through Congress quickly. The Bill imposes stiff penalties for people who use false identities to send unsolicited commercial e-mail or fail to honor people's requests to be removed from their mailing lists. Critics of the proposed legislation say it does not go far enough; marketers could still send out unlimited numbers of messages. http://www.reuters.com/newsArticle.jhtml?type=internetNews&storyID=2811844

22 May 2003 - Disgruntled Former Employee Computer Intrusion Cases on the Rise
Approximately 75% of federal computer intrusion cases in Massachusetts involve former employees, according to Assistant US Attorney Allison D. Burroughs. The US attorney's office in Boston is presently working on eleven such cases. They include the case of a fired travel agency employee who later broke into the company's computers and canceled customers' airline reservations.

22 May 2003 - Data Thieves Target PayPal Users
PayPal customers are being targeted by data thieves intent on obtaining personal information that can be used to steal identities. Some PayPal users have received e-mail messages with "PayPal Verification" in the subject line; the message offers a link to a site that appears to be official but is not. It asks for users' names, credit card numbers, mothers' maiden names, bank account numbers and other sensitive information. The site was registered in the name of someone whose identity had been stolen. http://www.securityfocus.com/news/5039

(SAI note - One of our employees received one of these messages. Some of the actual page contents were being pulled from the genuine PayPal site. They attempted to contact PayPal and eBay only to receive nothing more than automated responses.)

22 May 2003 - Data Thieves Target Citibank c2it Customers
Personal data thieves are also targeting some Citibank customers. Customers who use the c2it money transfer service have been receiving e-mails that are HTML messages that contain forms that ask for such personal data as social security numbers, dates of birth and mothers' maiden names. The message is well-crafted; only the return address in the message header gives pause, as it is a Hotmail account rather than a Citibank address.

22 May 2003 - Teen Repeats Internet Scam After First Arrest
19-year-old Shiva Sharma of Queens (NY) allegedly tricked AOL users into divulging personal and financial information that he used to purchase and sell $30,000 worth of electronic equipment on the Internet. Sharma was arrested on similar charges four months ago; he could face up to seven years in prison.

19 May 2003 - W32/Palyh Worm Pretends to be From Microsoft
A worm called Palyh travels as a .pif attachment to e-mail designed to look like it comes from support@microsoft.com. The worm copies itself to the Windows folder and sends itself to e-mail addresses found in the infected computer.

15 May 2003 - Survey Says External Threats More Prevalent than Internal Threats
A Deloitte Touche Tohmatsu (DTT) survey found that 39% of banks and financial services companies reported computer security breaches last year. 16% of those came from external sources, 10% from internal sources and 13% from both. 175 senior IT executives were surveyed. DTT's Simon Owen said the figures show that the biggest threat to companies is not from employees; cyber attacks are becoming increasingly sophisticated.

14 May 2003 - Bank of America Customers Targeted by Fraud Artist
Bank of America customers have been targeted by a con artist who tries to get them to visit a phony website and provide their personal account data. They received spoofed e-mails directing them to the phony site. Bank of America has warned its customers about the scam and encourages them to be proactive about their on-line habits.

13 May 2003 - SEC Files Charges Against Alleged Spammer
The US Securities and Exchange Commission (SEC) has filed fraud charges against K.C. Smith who allegedly stole more than $100,000 from unwitting on-line investors by setting up two phony web sites, including one for the nonexistent US Deposit Insurance Corp. (USDIC) that had the SEC's official seal on it. Smith allegedly sent 9 million spam messages promoting his scheme and used other fraudulent means to hide his identity while conducting business. Smith agreed to repay the allegedly stolen funds plus interest, but has neither admitted nor denied the allegations against him.

13 May 2003 - Targeted Attacks on the Rise
Hackers are increasingly launching "targeted attacks" in which specific tools are used against specific cyber targets, instead of releasing worms and viruses that spread indiscriminately across the Internet. Statistics from security services provider Riptech show that 40% of attacks suffered by their client base were targeted, significantly above the expected 15%. http://news.com.com/2010-1071-1001016.html

12 May 2003 - Hacked Hosting Firms Caught Without Recent Backup
Three Netherlands-based Web hosting service providers are learning a difficult lesson about the need to regularly back up data after a hack attack put them out of commission.
Alphamega, the Hosting Company and Original Europe were brought down by a cyberattack on May 3 that resulted in corruption of the firms’ internal software and the theft of some data. But the initial damage assessment got much worse when the companies admitted not having recent backups for all customers’ Web sites. In some cases, the most recent backups may be more than four months old. (Security Wire Digest)

12 May 2003 - Fizzer Worm
A mass-mailing worm called Fizzer is spreading around the world. Fizzer spreads through both e-mail and file-sharing programs, and affects computers running Windows operating systems. It disables anti-virus software, steals passwords, and places a backdoor in infected computers.

8 May 2003 - Phony e-Mails to Bank Customers Try to Steal Passwords, Download Trojan
Customers of First Union Bank have been receiving fraudulent e-mail messages claiming to be from First Union, telling them their user names and passwords have been lost, and directing them to a web site so they can supply the bank with their information. Even if the users do not enter their information, merely visiting the site causes the Backdoor AMQ Trojan horse program to be downloaded to their computers. http://www.eweek.com/article2/0,3959,1068224,00.asp

8 May 2003 - German Student Arrested on Suspicion of Running MP3 File Sharing Service
German police have arrested a 25-year-old computer-programming student for allegedly conducting an MP3 file sharing service. The investigation into the man's activities was initiated by the International Federation of the Phonographic Industry (IFPI).

7 May 2003 - OSU Police Seize Computers That May Have Been Used for Illegal File Sharing
Ohio State University police have seized five computers that were allegedly being used to distribute illegally downloaded music and movies to students. No students have been charged in the case; that could change if copyrighted material is discovered. The investigation began three months ago when file-sharing was consuming 10% of the bandwidth of the university's computer system. http://www.usatoday.com/tech/news/2003-05-07-osu-seizures_x.htm

7 May 2003 - Earthlink Wins Damages in Buffalo Spammer Case
Earthlink has been awarded 416 million in damages against Howard Carmack, a New York state man who allegedly used stolen credit cards and identities to establish Internet accounts, then used those accounts to send out more than 825 unsolicited e-mails, also known as SPAM. The district court in Atlanta also banned Mr. Carmack, known as the Buffalo Spammer, from sending out more SPAM. Earthlink has also begun testing SpamBlocker, a permission-based blocking technology. http://www.infoworld.com/article/03/05/07/HNspamcase_1.html

5 May 2003 - Organizations Pay the Price for Music Swapping on Their Networks
As music sales tumble, the Recording Industry Association of America (RIAA) and other entertainment groups are clamping down on music and video piracy. Recently, the RIAA served notice to more than 300 enterprises to eliminate illegal file-swapping on their networks. This is no idle threat. Last year, an Arizona company paid the RIAA $1 million for unwittingly hosting a server that its employees used to swap MP3 files.

1 May 2003 - Four Students Reach Settlement Agreements with RIAA
The Recording Industry Association of America (RIAA) has reached settlements with four college students it says were running illegal music file sharing services. The students will each pay the RIAA between $12,000 and $17,500. Attorneys for a Princeton University student involved in the case said their client had reached a settlement with the RIAA but had not admitted guilt. http://www.washingtonpost.com/wp-dyn/articles/A2755-2003May1.html

1 May 2003 - Couple Arrested for Allegedly Stealing Credit Reports, Using Info to Make Purchases
A woman who worked at Weichert Financial Services in New Jersey and a man she lives with have been charged with using fraudulently obtained credit reports to make Internet purchases. Mary Louissaint and Ronald Hyppolyte are being held without bail. More than 3,700 credit reports were allegedly illegally accessed through Weichert Financial's computer system, some of them from a computer at an address where Louissaint and Hyppolyte recently lived.

30 April 2003 - Majority of Cyber Crime Losses are Due to Data Theft
An IBM research report, Information at Risk, suggests that most monetary losses businesses suffer from cyber crime are due not to virus attacks but to data and intellectual property theft. The report, which used data from the UK's National Hi-Tech Crime Unit (NHTCU) and the US Computer Security Unit, found that UK companies lost 145 million pounds (approximately $233 million) to cyber crime last year. http://www.vnunet.com/News/1140571

30 April 2003 - Wisconsin High School Students Investigated for Altering Grades
A group of students at Stoughton High School in Stoughton, Wisconsin allegedly bought keystroke logging software for less than $100 on the Internet and used it to break into their school's computer system and alter their grades. Approximately 20 students are being investigated; some have begun suspensions and are awaiting decisions on expulsion. http://www.madison.com/captimes/news/stories/47911.php

29 April 2003 - Virginia's Anti-Spam Law Toughest In Nation
Under a new law that goes into effect on July 1, anyone who uses forged addresses for high volume spam and others who send pornographic spam to computers in Virginia are subject to penalties of up to five years in jail and forfeiture of assets. The spammers do not need to be in Virginia to be subject to the law. http://seattlepi.nwsource.com/business/aptech_story.asp?category=1700&slug=Fighting%20Spam

26 April 2003 - Spammers Using Trojan Horse Programs
As authorities begin cracking down on unsolicited e-mail, spammers are turning to methods used by hackers to launch distributed denial of service attacks. They are using Trojan horses that include their own SMTP engines to route their unsolicited messages through unwitting users' computers.

25 April 2003 - Addressing Insider Security Threats
Two companies share steps they have taken to guard against insider security threats. British Telecom employees have access to company web applications on a need-to-know basis; the company has also deployed intrusion detection systems and firewalls. In addition, software that controls employee access and activity is linked to the human resources department; when employees leave the company, their access is revoked. Palm uses intrusion detection systems and penetration scanner utilities among other security tools. Palm's Director of Global IT Services Matt Archibald recommends conducting unannounced penetration studies and checking for configuration changes. http://www.infoworld.com/article/03/04/25/17FEinjob.sb1_1.html?security

24 April 2003 - Web Hosting Company Hacked
A hacker broke into a server belonging to Bargainhost, a web hosting company, stole passwords and defaced websites. Customers are being advised to change their passwords, though at least one customer has already reported losing valuable data. Website backups have also been corrupted.

21 April 2003 - AT&T Voice Mail Security Measures
AT&T has implemented security measures to protect customers from phone phreaking; recently, hackers have been manipulating people's voice mail systems to accept unauthorized long-distance calls. AT&T customers will be required to use random codes rather than saying "yes" to accept collect calls. Customers are also encouraged to use complex voice-mail passwords, to change them frequently and to check their announcements to see if they have been changed.

21 April 2003 - Student Faces Charges for Alleged Server Intrusion
A business-college student in Erie, Pennsylvania, faces charges for allegedly breaking into a server belonging to Ohananet, a Hawaiian company. Jason Starr allegedly had control of the server, which was located in Missouri, for about a year. Starr also allegedly changed the server's password and attempted to access PayPal accounts belonging to Ohananet's president. If convicted, Starr could face up to a year in prison and a fine of as much as $100,000.

18 April 2003 - Former Employee Pleads Guilty to Breaking Into Company Computers
Alan Giang Tran, a former Airline Coach Service and Sky Limousine Company employee, has pleaded guilty to breaking into the company's computers, deleting critical data and changing passwords, locking employees out of their accounts. Tran could face up to ten years in federal prison; sentencing is scheduled for July 28. http://www.fbi.gov/fieldnews/april/la041703.htm

18 April 2003 - Trojan Downloaded Pornographic Images
A UK man was acquitted of charges of having pornographic images on his computer after it became apparent that his computer had been infected with a Trojan horse program that was responsible for downloading the images. http://www.theinquirer.net/?article=9023

16 April 2003 - Survey Shows Security Needs Improvement
Respondents to a Human Firewall Council survey completed an on-line self-assessment tool called the "Security Management Index" to grade their company's security efforts in ten areas; 80% of respondents earned a D or an F as an overall grade. The Human Firewall Council believes the "dismal" ratings stem from the fact that businesses seem to approach security by responding to each problem as it arises rather than addressing security as an overall business concern.

16 April 2003 - Fuming NASCAR Fan Floods Fox With E-mails
A racecar fan faces up to a year in prison for flooding Fox Entertainment with more than a half-million e-mails to protest a Boston affiliate's broadcasting a Red Sox game instead of an auto race.
Michael Melo of Billerica, Mass., recently pleaded guilty to a federal misdemeanor charge of damage to a protected computer system. The e-mail attack forced the network to shut down part of its Web site and cost the company $36,000, according to the Associated Press. Melo designed a program that repeatedly sent the same six e-mails to Fox Entertainment Group Inc. in Los Angeles over several days in spring 2001. "He was just very upset that the Red Sox would pre-empt NASCAR, so he decided to send these messages to express his views," said Melo's lawyer, Andrew Good.

15 April 2003 - Naval Academy Students Disciplined for Downloading Music Files
Eighty-five students at the US Naval Academy have been disciplined for illegally downloading music; computers belonging to 92 cadets were seized in November 2002. The students could face demerits, loss of leave time, extra duties and campus activity restrictions.

11 April 2003 - Disaster Recovery and Continuity Guidelines for Financial Institutions
The Federal Reserve, the Office of the Comptroller of the Currency and the Securities and Exchange Commission have published a white paper outlining disaster recovery and business continuity guidelines for financial institutions. The guidelines include establishing a system that will allow for same day business recovery after a disaster; that time frame would ideally be reduced to two hours after a disaster. Many companies balked at an earlier proposal that suggested a minimum distance of 200-300 miles between primary and secondary data centers; the paper does not establish a minimum distance for back-up facilities. http://www.computerworld.com/securitytopics/security/recovery/story/0,10801,80262,00.html

8 April 2003 - Pyramid Scheme Spam Temporarily Brings Down Montana ISP
A Montana Internet service provider (ISP) was deluged with up to 20,000 e-mail messages an hour, causing the service to shut down briefly. The messages were part of an electronic pyramid scheme. The ISP's owner believes the attacks originated locally; the incident is under investigation.

8 April 2003 - Letter Author Claims to have Breached Prison Computer Security
The Arkansas Democrat-Gazette received a letter containing the social security numbers of several Arkansas prison employees from someone claiming to be an inmate. The author of the letter alleges that prison authorities were lax in allowing inmates to have access to computers. A prison spokeswoman says the information would not have been available through the Internet, but could have been found on the prison's computer system. The incident is being investigated.

7 April 2003 - Nevada Hospital System Hack Traced to Russia
The security of a small Nevada hospital's computer system was breached by a hacker who has been traced back to Russia. The hacker routed the attack through the al-Jazeera web site to make it look as if the attack came from the Middle East. The hacker may have accessed employees' social security numbers and bank account information. A Trojan horse program embedded in a game some employees had downloaded allowed the attackers access. The hospital's payroll system has been removed from the network and employees have been instructed never to install software or sign on to streaming Internet services. http://www.usatoday.com/tech/webguide/internetlife/2003-04-07-hospital-hack_x.htm

5 April 2003 - RIAA Files Piracy Suits Against Four Students
The Recording Industry Association of America (RIAA) has filed suits against four students at three universities across the country. The suits allege that the students set up file sharing networks on their university computer systems, and ask for permanent injunctions to shut down those sites as well as a fine of $150,000 per copyright infringement. The RIAA said the suits would not be dropped if the students shut down the sites themselves. The music industry blames Internet music piracy for declining revenues. http://www.washingtonpost.com/wp-dyn/articles/A23933-2003Apr3.html

2 April 2003 - Navigating IT Security Decision Making
Advice for companies maneuvering through the process of implementing IT security includes ignoring vendors' hype, becoming educated about actual risks and building up security by layers, starting with the fundamentals.

27 March 2003 - Hotmail Caps Outgoing Email Messages To Curb Spam
Microsoft has reduced the number of messages people using its free Hotmail service can send each day to 100 from 500, in an attempt to cut down on spam.

15 March 2003 - Former Employees Allegedly Hacked Company System Through Old Accounts
The computer system at LapLink, a software company, was allegedly hacked by two former employees who used accounts that hadn't been deleted. The attack caused the e-mail system to go down and apparently deleted crucial files. LapLink CEO Mark Eppley reportedly plans to file charges.

14 March 2003 - New Twist on Password Stealing Scam
Discover cardholders are the latest target in password stealing scams. Customers have been receiving e-mail messages telling them their accounts have been put on hold due to inactivity, and that in order to reactivate their accounts, they must log in to the account; responses to the message are sent to a Russian Internet address. Information collected includes plenty of identifiers that would enable identity theft: social security number, mother's maiden name, account number and passwords. PayPal and eBay customers have been targeted by similar scams. The method employed by this scheme is different; the e-mail linked to a real Discover site, but the submission form was wrapped in a hidden submission so the information was sent to the attacker.

14 March 2003 - UT Student Charged in University Security Breach Case
Christopher Andrew Phillips, a computer science student at the University of Texas (UT) at Austin, has been charged in connection to the security breach of the university's computer system that exposed the personal data of over 55,000 people. A grand jury is investigating the case. If convicted of the charges of unlawful access to a protected computer and unlawful use of identification, Phillips could face five years in prison and be ordered to pay $500,000 in restitution.

14 March 2003 - Man Pleads Guilty to Sandia National Labs Breach
An 18-year-old Pakistani man has pleaded guilty to computer and credit card fraud charges. Adil Yahya Zakaria Shakour breached security at the Sandia National Laboratories' computer network and he defaced an Eglin Air Force Base web site. He also broke into a computer system at a North Carolina-based tax forms company and stole credit card information that he used to buy $7,000 worth of goods. Shakour faces deportation after a possible 15-year prison sentence; he will also have to pay restitution in the amount of $100,000. Sentencing is set for June 12.

13 March 2003 - Memory Stick Contained Patient Data
A woman who bought a portable memory stick that was supposed to be new found that it actually contained personal information about 13 cancer patients from the Royal Bolton Hospital in Lancashire (UK). Hospital officials say they will contact people affected by the information leak and will take steps to ensure that it doesn't happen again. http://www.theregister.co.uk/content/55/29752.html

12 March 2003 - Man Under House Arrest Stole Personal Data
A Florida man who was already under house arrest related to fraudulent identification use and drug possession charges was arrested and placed in custody on charges of having stolen personal information belonging to more than 2,000 people. Sirvon Thomas used the information to open lines of credit and purchase goods that he sold on eBay, but never delivered. Thomas is being held without bail. http://www.usatoday.com/tech/news/2003-03-12-net-theft_x.htm

11 March 2003 - Stolen Computer Equipment Contained Personal Data
Following the theft of computer equipment from the British Columbia (Canada) Ministry of Human Resources, 568 people have received letters cautioning them to keep tabs on their banking and credit card accounts. While the thieves were likely after the equipment rather than the information they hold, the potential exposure of social insurance numbers, birth dates and addresses is cause for concern. Police are investigating. Several weeks ago, a computer hard drive at a company in Regina that contained personal details of more than one million people was stolen. That hardware has been recovered. http://www.globetechnology.com/servlet/story/RTGAM.20030311.wdata311/GTStory

26 February 2003 - Singapore Raid Nets $1 Million in Pirated Software
In a 10-hour raid, police in Singapore arrested 17 people and seized an estimated $1 million in pirated software, the largest yield ever in a single raid. If found guilty, the people arrested could face jail terms of up to five years and fines of as much as $58,000.

20 February 2003 - Former Administrator Arrested for Hacking Company Network
A man who used to work as a network administrator for a Los Angeles Airport limousine company has been arrested on charges of hacking into the company's computer system and causing damage that cost the company thousands of dollars in lost revenue. The man allegedly changed passwords, deleted the customer database and erased applications. http://www.securityfocus.com/news/2567

20 February 2003 - Hacker Tricked into Revealing Identity
A hacker tricked a Nottingham, UK teen-aged girl into downloading keystroke-logging software, which he then used to steal her father's credit card information. The girl helped police find the hacker when she contacted him through a chat room a year later and asked him to take a quiz to see if they were compatible. The suspect provided ample information for police to track him down in Scotland. Police seized his computer equipment and found evidence that he had stolen credit card information from other people. He was recently sentenced to 100 hours of community service.

14 February 2003 - PayPal Users Receiving Trojan-Laden e-Mail
PayPal customers have been targeted by at least four fraudulent e-mail messages that purport to be security upgrade announcements, but which actually contain Trojan horse programs. The e-mails ask the recipients to run .exe or .vbs programs to receive the updates, or they would be locked out of their PayPal accounts. http://www.wired.com/news/ebiz/0,1272,57673,00.html

12 February 2003 - Sixth Grader Suspended for Altering His Grades
A Florida sixth grader has been arrested on charges of altering his grades in his reading teacher's electronic grade book. While the grade books are accessible with passwords, the reading teacher had left hers open. The student was not able to access the school's mainframe computer nor was he able to access other teachers' grade books; he has been suspended and may be expelled.

10 February 2003 - Insurers Move Toward Stand Alone Policies for Hacking Protection
Insurance companies are now making businesses purchase stand-alone policies for hacking instead of covering those losses under their general liability policies. The market for hacking insurance is expected to leap from $100 million this year to $900 million in 2005. http://www.usatoday.com/money/industries/technology/2003-02-09-hacker_x.htm

10 February 2003 - Thousands of AIDS Patients Named on Surplus Hard Drive
Confidential files naming thousands of people with AIDS and other sexually transmitted diseases were found on a hard drive awaiting sale at a Kentucky surplus-property office. According to AP, State auditor Ed Hatchett called it "a terrible security breach" and said it was one of eight computers randomly selected from a consignment that was being offered to state agencies and nonprofit groups. An internal investigation is underway. A recent MIT paper also reinforces the need to physically destroy hard drives or wipe them clean before ditching them.

6 February 2003 - Former ViewSonic Employee Arrested on Cyber Sabotage Charges
Andy Garcia Montebello has been arrested on charges of sabotaging computers of his former employer, ViewSonic Corp. Montebello's actions allegedly caused $100,000 in damages and cost the company $1 million in lost business. If he is convicted, Montebello could receive a 15-year prison sentence. http://www.msnbc.com/news/869572.asp?0dm=T238T

3 February 2003 - Air Force Staff Sergeant Sentenced for Theft of Notebook Computers and PDAs
Air Force Staff Sergeant Sheridan Ferrell II was sentenced to six years in military prison for stealing four notebook computers and two Palm Pilots from US Central Command in Tampa, Florida. The items, some of which contained sensitive data, were stolen last summer and were recovered at Ferrell's home. He apparently stole the items because he was angry that he had been passed over for promotion. Ferrell was also demoted and will be dishonorably discharged after he completes his prison term. http://www.gcn.com/vol1_no1/daily-updates/21034-1.html

2 February 2003 - Missing Hard Drive Leaves Thousands Open To ID Theft
Some 180,000 insurance clients received a warning that they could have their identities stolen after IBM admitted a hard drive containing detailed data was either lost or purloined from one of its Canadian subsidiaries. The hard drive contained the records of General Insurance Co., including names, addresses, social security numbers, mothers' maiden names and bank account details. The Toronto Star also reports other records, including health data, may also be stored on the missing drive. The Royal Canadian Mounties are investigating. http://www.theregister.co.uk/content/55/29117.html

29 January 2003 - Fourth Man Arrested in Credit Report Theft Ring
A fourth man has been arrested in connection with a massive identity theft ring in which thousands of credit reports were stolen and sold. The newly arrested man could face up to 35 years in prison and more than $1 million in fines if convicted. Another man, who exploited his position at a technology company to obtain the records, will be arraigned this week. http://www.cnn.com/2002/TECH/11/26/hln.wired.id.theft/index.html

23 January 2003 - Sprint DSL Customers Vulnerable to Login Data Theft
Weak security controls on ZyXel Communications DSL modems issued to Sprint FastConnect DSL customers could allow attackers to steal passwords and e-mail addresses; the vulnerabilities can exist even when computers are powered down, because the modems, which store login data, are often still on. Remote access to the modems' administrative software is protected by a weak password. Sprint does not provide instructions for resetting the password in its customer documentation, but plans to post information on its website about disabling the remote administration feature; modems without the feature will be shipped starting in February. http://www.wired.com/news/infostructure/0,1377,57342,00.html

22 January 2003 - FTC Report Says Identity Theft is On the Rise
A Federal Trade Commission (FTC) report says that complaints about identity theft have increased 73% since last year and account for 43% of all the complaints they received in 2002. Problems with Internet auctions generated 13% of complaints. http://zdnet.com.com/2100-1105-981489.html

22 January 2003 - Judge: Verizon Must Disclose Customer's Identity to RIAA
A federal judge has ruled that under the Digital Millennium Copyright Act (DMCA), Verizon Communications must disclose the identity of KaZaA users to the Recording Industry Association of America (RIAA). Verizon maintains that the DMCA does not apply in cases where customers' identities are sought by copyright holders, and plans to appeal the decision.
http://www.pcworld.com/news/article/0,aid,108889,00.asp - http://zdnet.com.com/2100-1106-981449.html

21 January 2003 - 4.7 Billion Budgeted for Federal IT Security
President Bush will ask Congress for $59 billion in new information technology spending in his FY 2004 budget. $4.9 billion of that is targeted for computer security. http://www.govexec.com/dailyfed/0103/012103h1.htm

16 January 2003 - Old Hard Drives Still Treasure Trove
Despite all the warnings, consumers continue to trade in or trash hard drives containing sensitive personal data. That's according to two Massachusetts Institute of Technology graduate students who found "significant personal information" on 49 of 129 still-functioning drives bought from used computer stores during a two-year period. The findings reinforce security experts' advice to physically destroy hard drives or wipe them clean before ditching them.

16 January 2003 - Study Shows Old Drives Not Adequately Cleaned
According to a study conducted by two MIT graduate students, people who sell their old disk drives are not doing an adequate job of ensuring the information they hold is removed. Of 158 drives purchased on eBay or computer salvage stores, only 12 had been appropriately sanitized; the rest were either broken or contained personal data that was easy to recover and read. The report says people need to be better educated about methods for cleaning their data off drives they are selling. http://www.computerworld.com/securitytopics/security/privacy/story/0,10801,77623,00.html

16 January 2003 - Allstate Banned from On-Line CA DMV Access
Allstate Insurance has been banned from checking online driving records at the California Department of Motor Vehicles after officials discovered that employees at the company were violating confidentiality rules. Among the infractions: a confidential home address of one driver was given to another driver, computer passwords were shared, and false claim numbers were submitted to gain access to friends' and family members' records.

13 January 2003 - Instant Messaging Security Risks
This article describes the various security threats associated with Instant Messaging clients: worms, backdoors, hijacking, and denial of service. Because the use of Instant Messaging is increasing, the possibility of becoming infected with malware is increasing as well. http://online.securityfocus.com/infocus/1657

10 January 2003 - DoD Task Force to Evaluate Healthcare Contractor Security
In the wake of the theft of computers containing personal data from a Defense Department (DoD) medical records contractor's office, the DoD has formed a task force that will evaluate security at all its medical contractors' offices, and has ordered those contractors to audit their information security procedures.

7 January 2003 - CSO Security Spending Survey
A CSO Survey indicates that companies will spend 10% of their IT budget on security in 2003; this figure marks an 8% increase over 2002 spending. Investment in computer security is increasingly seen as a strategic move, and some security departments are likely to get their own budgets instead of being a part of the IT budget. http://www.csoonline.com/csoresearch/report50.html
