29 December 2005 - The Year in Security
Data security breaches lead a run-down of the 2005's significant
security events; more than 130 data security breaches were reported,
exposing more than 55 million Americans to potential data theft. Other
issues include the arrests of "bot masters", the increased focus on
creating stealthy attack tools and narrowly targeted attacks, and Sony
BMG's problems with digital rights management (DRM) software on certain
29 December 2005 - UK Man's Spam Claim Successful
A UK Court found in favor of Nigel Roberts, a Channel Island man who
filed a claim against Media Logistics UK, an Internet marketing company,
after he received unsolicited commercial email from them on his personal
email account. A three-year-old EU spam law, the Directive on Privacy
and Telecommunications, allows individuals to claim damages from
offenders. Media Logistics acknowledged the claim but did not defend
it; Mr. Roberts will receive GBP270 (US$466) in compensation and GBP30
(US$52) in court fees.
28 December 2005 - Marriott Acknowledges Missing Backup Tapes Contain Personal Data
More than 200,000 employees, owners and customers of Marriott Vacation
Club International are being notified that backup tapes containing their
personal data, including bank, credit card and Social Security numbers,
are missing from a Florida office. Club officials have reported the missing tapes to authorities and have begun their own investigation into
the tapes' disappearance.
25 December 2005 - Iowa State University Acknowledges Data Security Breaches
Two computers at Iowa State University suffered security breaches this
month, possibly exposing the personal data of ISU employees and
university athletic department donors. University technology staff
investigating the breaches says credit card numbers were encrypted and
therefore unlikely to have been read by intruders. The breaches
affected more than 3,000 ISU employees and approximately 2,500 donors.
University officials say they do not plan to contact the police to help
them find the intruder's identity. ISU suffered a similar security
breach in June of this year.
15 December 2005 - Meth Users Turn to Internet Fraud to Fund Their Habit
A USA Today investigation revealed that methamphetamine users have
turned to the Internet to steal data and commit identity fraud to raise
money to feed their addictions. The meth users and traffickers have in
the past stolen information from mailboxes and wallets; now they are
trading that information on the Internet and conducting elaborate
schemes to steal funds and launder money. The investigations involved
interviews with more police officers, district attorneys, addicts and
Internet security experts.
14 December 2005 - Owner-Operator of Pirated Software Website Pleads Guilty
Nathan Peterson has pleaded guilty to two counts of criminal copyright
infringement; Peterson owned and operated iBackups.net, a website that
offered pirated software. When he is sentenced in April 2006, Mr.
Peterson faces a prison sentence of up to 10 years and a fine of
US$500,000. He will also pay restitution of US$5.4 million. Customers
of the website were told the products they purchased on iBackups was "backup software" to protect their systems from crashes. Products were
sold via download or through the mail. The site was shut down in
12 December 2005 - State of Information Security 2005 Report Finds Security-Related
Events on the Rise
The State of Information Security 2005 report from CIO Magazine and
PricewaterhouseCoopers found that security-related events have increased
22.4 percent since last year. Just 37 percent of the companies
responding to the survey have established a security plan; twenty-four
percent plan to implement one in the next year. The number of
organizations with a CISO or CIO rose from 31 percent last year to 40
percent this year. Among organizations with a chief information
security officer (CISO) or Chief Security Officer (CSO), 62 percent have
security plans in place. The study surveyed more than 8,200 IT security
executives in 63 countries around the world. http://www.enn.ie/frontpage/news-9658009.html
30 November 2005 - Top Ten Viruses and Hoaxes for November
Sophos reports highest ever record of new malware in one month,
and new Sober worm shoots to number one in the prevalence chart.
Find out more in our analysis of the last 30 days. http://s466.link.sophos.com/topnov05?pl_id=9
November 2005 - Phishers send email posing as IRS tax refund
Sophos experts have warned internet users of a phishing email
which aims to steal from American taxpayers by posing as notification
of a refund from the Internal Revenue Service. The phishers are
taking advantage of a an apparent error on the real US Government
website which is allowing
phishers to redirect visitors to a bogus website. http://s466.link.sophos.com/irs?pl_id=9
November 2005 - Scottrade Informs Customers of Third-Party Data
Scottrade, an online trading company, has informed its customers
that the company's electronic checking provider, TROY Group, suffered
a security breach which compromised personal data including names,
driver's licenses, bank account and bank routing numbers and trading
account numbers. The TROY Group acknowledged the security breach
in an October 25 press release.
25 November 2005 - ET could hack internet (Yes, this is
a real story)
Aliens could hack the internet and spread viruses if proper precautions
are not put in place, warned a top scientist. http://www.scmagazine.com/us/news/article/529846/?n=us
November 2005 - Verizon Wireless clamps down on wireless spam
US mobile operator Verizon Wireless has filed a lawsuit in New
Jersey, seeking an injunction against Passport Holidays of Ormond
Beach, Fla., for allegedly violating federal and state laws by
sending tens of
thousands of unsolicited text messages to its customers. http://www.scmagazine.com/us/news/article/529850/?n=us
November 2005 - Backup encryption failures leave data in peril
Potentially sensitive corporate data is being placed unnecessarily
at risk because less than a quarter of companies currently encrypt
their backup tapes, newly published research has claimed. http://www.scmagazine.com/us/news/article/529514/?n=us
November 2005 - IT security fears holding back US e-commerce
One in four U.S. consumers will not shop online this holiday season
due to internet security concerns, according to a new survey from
the Business Software Alliance (BSA). http://www.scmagazine.com/us/news/article/529512/?n=us
November 2005 - PC users underestimate malware threat
Ordinary PC users do not take computer security seriously
enough and are not prepared to pay for it, a BT chief has said. http://www.scmagazine.com/us/news/article/529809/?n=us
November 2005 - One third of Brits send fake emails
Nearly a third of people in the UK have admitted to impersonating
someone else when sending an email, according to new research. http://www.scmagazine.com/us/news/article/529517/?n=us
November 2005 - SANS Top 20 Internet Security Vulnerability Shows
Attackers Are Using
New Approaches For Which Users Are Not Prepared
The SANS Institute and the United Kingdom National Infrastructure
Security Coordination Centre today announced the 2005 Top 20 Internet
Security Vulnerabilities. The new report shows attackers are increasingly
attacking security software and back up software and network security
and communication devices that users (a) thought was keeping them
safe, and (b) do not patch. The new threat sets defenders
back six years in their fight against attackers.
November 2005 - Survey: IT Execs Say Security Will Top IT Spending
List in 2006
A survey by Goldman Sachs & Co. of 100 IT executives found
that security software and enterprise IT upgrades are expected
to top their IT spending lists in 2006. Fifty two percent of those
surveyed said they expected IT spending levels to be unchanged,
while forty percent said they were considering reducing their
IT budgets for 2006. http://www.computerworld.com/printthis/2005/0,4814,106422,00.html
November 2005 - Boeing Employee Data on Stolen Laptop
Boeing has acknowledged that a recently stolen laptop computer
contained sensitive data belonging to more than 160,000 current
and former employees. The laptop was stolen from an off-site location.
Among the data on the computer are Social Security numbers, banking
information and birth dates. Boeing is notifying everyone whose
data were on the computer and will pay for enrollment in credit
monitoring and fraud protection programs. Authorities have been
notified as well.
November 2005 - Irish IT Security Awareness Campaign Survey Finds
Few Informed About Spyware and Phishing
A survey conducted on behalf of Ireland's Make IT Secure Initiative
found that 24 percent of those polled know what spyware is and
just 13 percent feel they have a good understanding of what phishing
is. However, 79 percent of home users and 75 percent of work users
use anti-virus software. The public awareness campaign focuses
on educating users about phishing, spyware, identity fraud and
online child safety. http://www.siliconrepublic.com/news/news.nv?storyid=single5699
November 2005 - Spammer Sentenced to One Year in Prison
Peter Moshou, sometimes known as the "Timeshare Spammer",
was sentenced to one year in federal prison and ordered to pay
US$120,000 in restitution for sending millions of spam messages
in 2004 and 2005. Mr. Moshou was convicted in June of violating
the CAN-SPAM Act; he had been named in a lawsuit filed by EarthLink.
EarthLink also said that it has won a US$15.4 million judgment
against Craig Brockwell and BC Alliance Inc. in a suit that claimed
Mr. Brockwell and his company sent hundreds of thousands of unsolicited
November 2005 - Trojan horse exploits Sony DRM copy-protection
Sophos experts warn of the Stinx Trojan horses that can hide under
the cloak of Sony's controversial CD copy-protection software,
and have been spammed across the internet in an email claiming
to come from a business magazine. Also, find out about the free
Sophos tool which can detect if Sony's cloaking technology has
been installed on your PC and disable it if you wish. http://s452.link.sophos.com/sonydrm?pl_id=9
November 2005 - Verizon Files to Stop FL Company From Gathering
A court has granted a temporary injunction in a suit brought by
Verizon against a Florida company called the Global Information
Group. The company allegedly impersonated Verizon employees and
attempted to gather confidential information from Verizon wireless
customers. The temporary injunction prohibits Global Information
from contacting Verizon customers and from sharing customer information
with third parties. In
addition, the court issued an order allowing Verizon to seize
the data the company had allegedly collected. Verizon has also
filed a civil suit against the Global information Group.
November 2005 - Stolen Desktop PC Contained Credit History Data
on 3,600 Individuals
A desktop computer stolen in October from a regional office of
TransUnion LLC contains Social Security numbers and other personal
information belonging to more than 3,600 consumers. TransUnion
LLC is one of three companies in the US that keeps records of
individuals' credit histories. TransUnion sent out notices on
October 21 informing those affected by the theft and offering
a year of free credit report monitoring. TransUnion vice president
for corporate affairs Colleen Tunney said the company is investigating
why the data was stored on an individual computer and not on a
secure corporate network.
November 2005 - Phishing Scam Pretends to be Cash Prize From Google
A new phishing campaign purports to be an announcement from Google
that the recipient has won US$400. The spam email with the message
also has a link to a phony Google site where users are asked to
supply their addresses and credit card information. The phishing
web site, which was hosted in the US, was shut down within 24
hours after the scam was detected.
November 2005 - 'Live phishing' experiment nets consumers hook,
line, and sinker
the spiraling threat from identity theft, most consumers who were
recently approached by complete strangers on the streets of New
York freely gave up personal and sensitive data, which could be
used by cyber criminals to crack account passwords or to steal
November 2005 - Shoppers still wary of online market
distrust of online commerce remains widespread, according to a
national study released last week. http://www.scmagazine.com/us/news/article/526709/
November 2005 - Italian organization calls for Sony spyware probe
advocacy group has asked the Italian government to investigate
whether Sony BMG Entertainment broke any of the country's laws
when it included what has been called a form of spyware on some
of its CD-Roms. http://www.scmagazine.com/us/news/article/526725/
November 2005 - Hong Kong Court Gives File Sharer a Three-Month
A Hong Kong court sentenced Chan Nai-ming to three months in jail
for digital piracy; he uploaded three Hollywood movies to the
Internet with BitTorrent, allowing them to be shared in violation
of copyright laws.
November 2005 - Australian Gov't Teams with ISPs to Track Down
The Australian government is working with five Internet Service
Providers to track down computers that have been compromised and
made part of zombie networks that are used to send spam or launch
distributed denial-of-service attacks. The Australian Internet
Security Initiative will identify IP addresses of hosts that exhibit
behavior indicating they are zombies. The ISPs then can contact
their customers, let them know their computers have been compromised
and help them disinfect their machines. Steps may be taken to
disconnect from the Internet the computers of customers who do
not disinfect their computers."
November 2005 - US Authorities Arrest Alleged Botnet Operator
FBI agents have arrested Jeanson James Ancheta and charged him
with spreading a Trojan horse program that allowed him to create
a botnet of 400,000 computers. A botnet is a network of compromised
computers that can be controlled to send spam or launch distributed
denial-of-service attacks (DDoS). Among the zombie computers in
his network were some belonging to the US Department of Defense.
Mr. Ancheta allegedly took payment from companies whose adware
he surreptitiously loaded into their computers. He also allegedly
controlled the computers via an IRC channel and advertised their
use for sending spam or launching distributed denial-of-service
attacks. Mr. Ancheta was scheduled to be arraigned on Monday,
November 7, 2005. Two aspects make this case unique: (1) it is
the first time an alleged botnet operator will be prosecuted in
the United States, and (2) Mr. Ancheta is accused of using a botnet
to make a profit. In the past, people who have created botnets
have done so primarily for bragging rights.
November 2005 - Greek Police Arrest Swedish Programmer for Spamming
Greek police have arrested a Swedish computer programmer, Rick
Downes, on charges of sending spam. Mr. Downes, who retired to
Greece, has denied the charges and maintains the police have no
evidence against him. Mr. Downes' computer has been seized and
sent to police laboratories for examination; he says he has not
been asked for his administrative password. Mr. Downes is a member
of the Coalition Against Unsolicited Commercial Email and has
campaigned against spam in the past. Mr. Downes was suspected
of sending spam after a travel agent and two other people reported
receiving nearly identical spam email messages shortly after meeting
him. Mr. Downes's wife says they suspect that a travel agent's
computer was compromised and the addresses were being used by
a spammer; the police seemed ignorant of how spammers operate,
apparently believing they collect email addresses one at a
November 2005 - Phishing Attack Targets PayPal Users
A new phishing attack is targeting people who use PayPal. The
users receive an email message telling them that someone has been
trying to access their accounts from a foreign country. The are
advised to click on a link that purports to be a PayPal Security
Tool executable, but is really a Trojan horse program that modifies
the local workstation's DNS settings and deletes itself; when
users try to visit PayPal in the future, they are directed to
a fraudulently crafted site where the thieves proceed to elicit
personal data by asking them to update their accounts. The data
requested includes names, Social Security numbers and bank account
and routing numbers.
November 2005 - Australian Reseller to Pay Microsoft AU$1.3M for
The Australian Federal Court has ordered New South Wales-based
reseller PC Club and its associates to pay Microsoft AU$1.3 million
(US$952,300) in damages and costs for selling pirated and illegal
software and counterfeit Certificate of Authenticity labels. The
charges included copyright and trademark infringement and breaches
of the Trade Practices Act.
November 2005 - eBay Fraudster Sentenced to Four Years in Jail
David Levi has been sentenced to four years in jail for masterminding
a phishing scam that stole nearly 200,000 GBP (US$355,000) from
eBay customers. Mr. Levi headed a group that included six other
people who tricked eBay shoppers into disclosing their passwords
and other account information. His conviction is believed to be
the first in the UK for phishing fraud.
November 2005 - SEC Releases Tips for Safeguarding Personal Information
and Money Online
The US Securities and Exchange Commission has released a guide
for investors recommending steps they can take to protect their
online brokerage accounts from data thieves. Among the SEC's recommendations
are checking the sites' security certificates, using security
tokens when available, not responding to email asking for personal
data, using strong password practices and logging out completely
from accounts. http://www.sec.gov/investor/pubs/onlinebrokerage.htm
October 2005 - Better Protection Possible With Lower Budgets,
Claims Gartner Organizations
that focus on security processes and not products will be able
to lower their total information security budgets while simultaneously
improving their overall level of protection, Gartner claimed today. http://www.scmagazine.com/us/news/article/523421/
October 2005 - Identity Theft Threatens 26.7 million Americans
are currently 26.7m Americans at risk from identity theft because
they are unwittingly transmitting sensitive personal data to international
hackers and criminals, a newly published report has claimed.
20 October 2005 - Study Finds Spyware Most Prevalent in PCs
in US, Thailand and UK
According to research from anti-spyware company Webroot, the countries
with the highest incidences of computers infected with spyware
in the most recent quarter are the US, Thailand and the UK. Nearly
55 percent of consumers' PCs are infected with spyware. The research
counts tracking cookies among the spyware. In the UK, the average
number of pieces of spyware on the consumers' PCs is 18; discounting
the cookies, that figure falls to just 4.5.
October 2005 - Sainsbury gift voucher chain letter makes way around
An email chain letter which deludes people into thinking they
will be given £60 worth of supermarket gift vouchers has
spread amongst internet users in the United Kingdom.
October 2005 - Fear of identity theft holds back global e-commerce
online transactions are increasing in both the U.S. and Europe,
a growing fear of identity theft and other online fraud is eroding
confidence in e-commerce, newly published research has warned.
October 2005 - Phishing and pharming set to soar, groups warn
consumer groups have warned of a growing danger from phishing
and pharming attacks.
October 2005 - Transportation IG Audit Finds Serious Security
The Department of Transportation's inspector general was able
to penetrate and gain root control of a vulnerable server during
a recent audit. Because there is interconnectivity within DOT,
other departments could be put at risk by just one department's
security weaknesses. According to the audit report, there are
also previously noted security vulnerabilities that the agency
has not addressed. The audit is an annual event conducted in accordance
with the Federal Information Security Management Act (FISMA).
October 2005 - Anti-Phishing Working Group's August Report
According to the Anti-Phishing Working Group's August 2005 Phishing
report, phishing sites are remaining on line an average of 5.5
days. A year and a half ago, phishing web sites usually remained
on line for a week or more. The number of "phishing campaigns"
detected fell for the second month in a row, although the number
of new phishing web sites reached an all-time high of 5,259, up
from a reported 4,564 in July.
October 2005 - Spammer's Sentence is Under Seal
Anthony Greco was sentenced in a closed session for sending nine
million spam email messages through instant messages to members
of MySpace.com. The sentence is under seal. Earlier this year,
Mr. Greco reached a plea agreement with prosecutors wherein he
would serve a sentence of between 18 months and two years in prison
in return for his guilty plea. Mr. Greco had also threatened to
share his spamming techniques with others. Federal prosecutors
planned to ask the judge to make the sentence
October 2005 - FBI Agents Seize Alleged Spammer's Computers and
Recently unsealed warrants reveal that FBI agents raided the Michigan
home of Alan M. Ralsky, allegedly one of the nation's most prolific
senders of bulk email, and seized his financial records, computers
and disks. The seizure has reportedly halted his operation. Mr.
Ralsky was sued by Verizon Communications in 2001 for shutting
down Verizon's network by sending millions of unsolicited email
messages; he settled the case for an undisclosed sum and promised
not to send spam on the company's networks any more.
October 2005 - MPAA Files Lawsuits Against Movie Download Web
The Motion Picture Association of America (MPAA) has filed lawsuits
in New York state courts against six web sites. The MPAA alleges
the sites are violating federal copyright laws by pretending to
be legitimate movie and music downloading web sites, but actually
charging people to redirect them to file sharing sites where they
have access to illegally copied content.
October 2005 - Three Indicted in Software and Music Piracy Scheme
Three California men have been indicted for their alleged roles
in a music and software piracy scheme; the three were allegedly
involved in illegally copying CDs. Charges in the indictments
include conspiracy to commit criminal copyright infringement and
traffic in counterfeit labels, criminal copyright infringement,
trafficking in counterfeit labels, and aiding and abetting. The
arrests and searches were part of the US Department of Justice's
"Operation Remaster" which focused on the replicators
in the chain of digital media piracy. http://www.computerworld.com/printthis/2005/0,4814,105374,00.html
October 2005 - British Malware Authors Jailed for Conspiracy to
Two members of a hacking gang who wrote malware to remotely control
innocent people's computers have been sentenced to three months
and six months jail. Have your say on their sentence - do you
think it was too harsh or too soft? http://s431.link.sophos.com/threatkrew?pl_id=9
October 2005 - Suspected zombie kings who ran botnet of 100,000
Dutch police have arrested three men alleged to have been involved
in a gang controlling a zombie network of more than 100,000 computers. http://s431.link.sophos.com/dutchbot?pl_id=9
October 2005 - Banks, Internet Companies Dealing with Phishing
Because law enforcement seems to give phishing a low priority,
banks and companies that conduct business on the Internet are
taking matters into their own hands. The organizations work with
ISPs, web hosting services and regional Internet authorities to
track down the servers the phishing email is coming from and work
with contacts to shut the sites down. They have also been setting
up phony accounts and working with banks and law enforcement organizations
to track the stolen data and ultimately arrest the thieves. http://www.newsfactor.com/story.xhtml?story_id=38544
October 2005 - Former White House Aide Allegedly Stole Intelligence
US federal investigators say an FBI analyst who had previously
worked as an aide in the office of the Vice President from 1999-2001
used his top-secret security clearance to steal classified intelligence
documents from White House computers. Leandro Aragoncillo was
allegedly spying for a group in the Philippines who was opposed
to the government there. A US District Court judge in Newark,
NJ has signed an order to continue the case in order that the
defendant's attorney may negotiate a plea agreement, indicating
that Mr. Aragoncillo is likely to be cooperating with federal
October 2005 - City University of New York Notifies Those Affected
by Data Leak
City University of New York (CUNY) has informed more than 750
students and current and former employees that their personal
information, including Social Security numbers, may have been
compromised. A law student Googling her own name found among the
results documents that contained sensitive personal student data.
School administrators apparently posted the documents on the university's
central web site. Even after the school became aware of the situation
and removed the files, Google's caching feature made the information
available for a few more days.
October 2005 - Phishers Target Swedish Bank
phishing attack has broken new ground by attacking a Scandinavian
bank operating a one-time password.
October 2005 - FTC Asks Court to Shut Down Alleged Spyware Company
The Federal Trade Commission has filed a complaint with a US court
in New Hampshire asking that a company in that state be shut down.
Odysseus Marketing maintains that its Kazanon software is anonymous
peer-to-peer file sharing software, but the FTC alleges that it
behaves as a Trojan horse, allowing other programs to infiltrate
users' computers and deliver pop-up advertisements and track their
web surfing activities. In addition, people's search results have
been meddles with to send them to look-alike search engines that
display Odysseus customers prominently in the search results.
A software tool from Odysseus that is supposed to correct the
problem actually brings in more spyware, according to allegations.
The FTC asked court to permanently halt downloads from Odysseusmarketing.com.
October 2005 - China Expels American Convicted of Piracy to US
to Face More Charges
Randolph Hobson Guthrie, who has been convicted in China of trafficking
in pirated digital media, has been expelled from that country
to face additional charges in the US. Mr. Hobson was scheduled
to appear in US federal court for a bond hearing on October 4;
he will then be sent to Mississippi to face charges of copyright
infringement, trafficking and money laundering. Mr. Hobson was
sentenced to two years in prison in China in April. He and another
American convicted along with him were ordered deported after
completion of their sentences; it has not been made clear why
Mr. Guthrie was released early.
October 2005 - Florida Man Arrested for Alleged Fraudulent Donation
A Florida man has been arrested and charged with four counts of
wire fraud for allegedly using a web site to solicit donations
for medical supplies and evacuation flights to hurricane-ravaged
Louisiana; Gary Kraser allegedly never made any of the flights,
though he wrote stories of having done so on the web site. Mr.
Kraser allegedly raised US$40,000 in just two days. According
to the indictment, he collected the money through PayPal accounts
and through direct wire transfers to his bank account.
4 October 2005 - Eight People Arrested in Scheme to Defraud
Eight people have been arrested and one more person is being sought
in connection with a scheme to defraud the American Red Cross.
Some of the people hired to work a Red Cross call center in Bakersfield,
California that was set up to provide hurricane evacuees with
PIN numbers they could use to obtain relief aid through Western
Union gave those numbers to friends and family. So far, US$25,000
has been documented as stolen, but a US attorney expects that
figure to increase. If convicted of the wire fraud charges against
them, the defendants could face up to 20 years in prison and fines
of US$250,000. Law enforcement officials say they expect to make
1 October 2005 - Governor Schwarzenegger Signs Anti-Phishing
Phishing is now a civil offense in California. Governor Arnold
Schwarzenegger signed a bill on September 30, 2005, that allows
people to sue the senders of deceptive emails that attempt to
steal personal data; they can seek to recover actual damages or
US$500,000 for each violation, whichever is greater.
September 2005 - Trojan Exploits Unpatched Microsoft Office Vulnerability
A Trojan horse program called Backdoor.Hesive exploits an unpatched
hole in Microsoft Office and could allow attackers to take control
of vulnerable machines. Machines become infected when users are
tricked into opening a specially crafted .mdb file in Microsoft
Access. All recent Windows releases are vulnerable. Backdoor.Hesive
exploits a flaw in Microsoft's Jet Database Engine. Microsoft
was alerted to the problem in April, 2005, but has not yet issued
September 2005 - Gartner: Unattended PCs Pose Risk
Recent Gartner research indicates that organizations tend to overlook
the security threats posed by unattended PCs that are logged onto
corporate networks. The situation could allow people to access
and alter confidential information to commit fraud or to send
email from others' accounts. In addition, when network connected
PCs are left unattended, employees can offer the "someone
else used my machine" defense when faced with evidence that
their machine was improperly used. Some companies would benefit
from using timeouts, which make users of back on to the system
after specified periods of inactivity. another solution would
be to use proximity tokens, which disconnect users and log back
onto on the system based on their proximity to their PCs.
September 2005 - Software Pirate to Pay More Than US$1 Million
Li Chen has pleaded guilty to one count of copyright infringement
and will pay US$1.1 million in restitution to Symantec and Microsoft
for software piracy under the terms of his plea agreement. A Symantec
spokesperson said, "This guy was one of the largest distributors
of pirated software. He had direct ties to China, where the counterfeit
product was being produced."
September 2005 - IM Malware on the Rise
A recent report noted 25 IM viruses circulating in September and
47 in August, the highest monthly total recorded since they began
keeping track a year-and-a-half ago. The report also noted that
in the past, IM viruses have been variants of email viruses, but
they are increasingly seeing malware created specifically to spread
over IM systems. According to the report, attackers are using
IM malware to take control of computers and use them in zombie
September 2005 - Sys Admins Believe Users Could Put Companies
A Sophos survey has revealed that 79% of syadmins believe that
employees are putting their companies at risk by failing to act
safely online. Despite instructions from IT departments, many
employees continue to open unsolicited email attachments and download
malware from websites. Read more and find out about the 'sinful
seven' online activities that employees find hard to resist.
14 September 2005 - Malware time bomber banged to rights
Californian man has been convicted of planting a malware "time
bomb" in his former employer's computer.
September 2005 - Users likely to take more online risks at work
users are more apt to click on suspicious links or visit suspicious
web sites at work than home, according to a survey conducted by
anti-virus supplier Trend Micro.
September 2005 - New Law Likely to Spur IT Security Spending at
Small and medium sized businesses in Japan are likely to increase
their IT security spending to comply with the country's Personal
Information Protection Law, which took effect April 1, 2005. The
law requires organizations holding personal information of 5,000
or more people to take certain precautions to protect those data;
failing to protect the data could result in stiff penalties. AMI-Partners
predicts that small and medium businesses in Japan will spend
US$824 million on IT security in 2005; that figure is expected
to grow to US$1.5 billion in 2009.
September 2005 - Softly softly scammers steal money on the sly
thieves are resorting to a "softly softly" approach
in order to steal money from users' accounts without arousing
September 2005 - Indian Call Center Employee Arrested for Alleged
Police in India have arrested a man who worked at the Saffron
Global call center for allegedly stealing customer data. Company
officials say the man was discovered copying data onto a CD; they
then alerted police. The suspect was booked under the Information
Technology Act and the Indian Penal Code and has been placed in
judicial custody for 14 days.
September 2005 - Ireland's First Spam Conviction
Ireland has seen its first conviction under its new anti-spam
law; a company called 4's A Fortune Limited was found guilty of
sending unsolicited commercial messages to five mobile telephones.
The company actually made 165,000 calls, but only five complaints
were registered. The law under which 4's A was found guilty took
force in November 2003. 4's A was fined 300 Euros for each call
and ordered to pay court costs of 1,000 Euros. The law allows
fines of as much as 3,000 Euros per message sent. There is presently
no provision for jail time in spam cases in Irish law, but that
may change in the future.
7 September 2005 - Former Student Sentenced for University Computer
Intrusion & Data Theft
Christopher Andrew Phillips, formerly a student at the University
of Texas at Austin, has been sentenced to five years of probation
for breaking into the school's computer system and stealing people's
personal data, including Social Security numbers. In addition,
Mr. Phillips has been ordered to pay more than US$170,000 in restitution
to the university. Mr. Phillips is prohibited from accessing the
Internet except with the approval and supervision of his parole
officer, and even then may use it only for school and work.
September 2005 - Hackers, scammers and phishers exploit Hurricane
In the wake of the natural disaster in the United States, internet
criminals are expoiting the situation by distributing malware
and setting up bogus charity websites.
September 2005 - Top ten viruses and hoaxes in August 2005
Which virus topped the chart in August 2005? Find out which viruses
and worms were spreading the most across internet email systems
in the last last month in this hall of shame.
September 2005 - Consumer Reports: One Third Of Net Users Damaged
In the 2005 Consumer Reports State of the Net survey, the team
led by Jeff Fox found that home users of the Internet have a 1-in-3
chance of sustaining computer damage and/or financial loss due
to malware. According to the survey, Americans spent over US$2.6
billion on software to protect their computers last year, but
also spent US$9 billion on repairs, parts and replacements due
to the damage caused by malware. Consumer Reports maintains that
on line threats are worse than they were a year ago due to "government
inertia and consumers' imprudent practices." In addition
the researchers discovered that major consumer products companies
are actually providing the economic sustenance for spyware by
buying advertising distributed using the scourge. The culprits
include computer companies that then make money when users find
their systems so overrun with spyware that they give up and buy
a new computer.
September 2005 - ChoicePoint hacker indicted
man who received 16 months jail time for dealing in personal information
taken from ChoicePoint has now also been indicted for fraudulently
accessing consumer financial records.
August 2005 - Phony Yahoo Site Tries to Collect User Names and
A web site pretending to be a free Yahoo game service actually
attempts to gather information that could be used to steal identities.
The site is being hosted on a Yahoo Geocities account; site visitors
to supply their Yahoo user IDs and passwords. Users are being
lured to the site by spam sent through Yahoo's instant messaging
service; the message, which urges the recipient to visit the malicious
site, appears to come from someone on the user's friends list.
August 2005 - Man Pleads Guilty to Selling Windows Source Code
William P. Genovese, Jr. has pleaded guilty to one charge of unlawfully
distributing a trade secret; Mr. Genovese sold chunks of source
code from Microsoft's Windows NT 4.0 and Windows 2000. He apparently
obtained the code on the Internet after someone else stole it
and made it available. Mr. Genovese entered his guilty plea in
a federal court in Manhattan; he will be sentenced this fall.
Federal prosecutors have recommended a prison sentence of 10-30
months, although the maximum penalties for this crime are 10 years
in prison and a US$250,000 fine.
August 2005 - MPAA Uses Data from Shuttered File-Sharing Sites
in New Lawsuits
The Motion Picture Association of (MPAA) America's latest round
of lawsuits was based on information the organization obtained
from file trading sites - largely BitTorrent hubs -- that were
shut down earlier this year. The MPAA filed suits against 286
individuals for illegal file sharing. The MPAA and those it represents
are hopeful that the action will discourage people from illegally
trading copyrighted digital content. The lawsuits at present are
filed against John Does along with Internet addresses; the MPAA
will seek their identities at a later date.
August 2005 - Legal Action Against File Sharing Sites Does Not
A study has indicated that the legal action taken against BitTorrent
has not reduced the amount of file trading that takes place on
the Internet, but merely caused file traders to shift to a different
August 2005 - Two Arrested in Connection with Zotob Worm
Authorities in Morocco and Turkey arrested two men in connection
with the Zotob worm that caused computer outages at organizations
around the world two weeks ago. Farid Essebar of Morocco allegedly
wrote both the Zotob worm and the Mytob worm in February. Atilla
Ekici of Turkey is alleged to have paid Essebar to write them.
Authorities say the pair was interested in using the worms for
financial gain. The men will be prosecuted in their countries
of origin. The Washington Post also reported that these same criminals
were suspected of authoring and distributing Rbot, a family of
trojans that allow attackers to maintain access to many tens of
thousands of infected systems on the Internet.
August 2005 - Use USBs at your peril, survey warns
are putting their company's data at risk by not using encrypted
USB devices, a new survey has revealed.
August 2005 - Three indicted in connection with spam operation
grand jury in Phoenix, Ariz. has indicted three people on charges
of violating the federal Can-Spam Act for operating a pornographic
August 2005 - Raid In Brazil Serves Up Arrests of 85 Alleged Cyber
A four-month investigation into on-line banking theft in Brazil
culminated in a raid last week that netted Brazilian police 85
arrests. The raid, which was given the moniker "Operation
Pegasus," was carried out by 410 police in seven Brazilian
states. The suspects allegedly stole roughly 80 million BRL (approximately
US$33.5 million) by breaking into online bank accounts.
August 2005 - Anti-Phishing Working Group Reports Phishers are
Honing Their Skills
According to the Anti-Phishing Working Group's July 2005 phishing
report, spammers are fine-tuning their techniques to evade conventional
spam detection and prevention technologies. APWG noted a significant
increase in screenscrapers, which send screenshots of users actions
to phishers' servers. In this case, shots of users clicking on
graphical keyboards were surreptitiously taken; graphical keyboards
are sometimes implemented as an anti-keystroke-logging mechanism.
In addition, as larger financial institutions implement stronger
safeguards against phishing, the phishers are starting to target
smaller financial institutions. The report also notes that the
total number of reported phishing campaigns in July was down slightly
from June numbers.
August 2005 - Former University Employees Charged in Grade-Altering
Ellis Peet and Clifton Franklin, both former Florida Memorial
University employees, have been charged in connection with a grade-altering
scheme. The men allegedly accepted money and favors in return
for changing students' grades. Mr. Peet was a computer technician
in the registrar's office and Mr. Franklin a data entry clerk.
Officials believe the pair changed their own grades while they
attended the school. According to Mr. Peet's attorney, his client
has pleaded not guilty to racketeering and violating intellectual
property and computer access laws. Mr. Franklin faces the same
charges. In addition, three of five students who allegedly acted
as middlemen in the scheme have been arrested and charged with
August 2005 - Effective Spear Phishing Defense: Positive Social
Although there is no technological defense against spear phishing,
New York State has discovered an alternative means of defending
against those targeted attacks: positive social engineering. New
York sent "safe" phishing emails to 10,000 employees
and told them more would be coming. When the second one arrived
the number of people who fell for the scam fell by 50%.
August 2005 - Media organizations struck hard by new worm
Sophos has advised computer users not to panic, but to ensure
appropriate defenses are in place, following reports that a worm
has disrupted business at CNN, ABC, The Financial Times, and the
New York Times. The worm exploited the new Microsoft MS05-039
security vulnerability live on air in front of
millions of viewers.
August 2005 - Trespassing thief and fraudster convicted
has been convicted of 120 counts of unauthorized access in what
is claimed to be the biggest "computer theft" case of
August 2005 - Bulk eMailer Guilty of Data Theft
A Florida jury found Scott Levine guilty on 120 counts of unauthorized
access to data, two counts of access device fraud and one count
of obstruction of justice; Mr. Levine was found not guilty on
15 other counts, including conspiracy and unauthorized access
of a protected computer. Mr. Levine ran the now-defunct bulk email
company Snipermail.com. According to prosecutors, Mr. Levine and
Snipermail.com stole 1.6 billion customer records including names,
home addresses, email addresses and bank account and credit card
numbers from the Acxiom Corp. data management company. Mr. Levine
is to be sentenced on January 9, 2006. Six of Mr. Levine's Snipermail.com
employees pleaded guilty to conspiracy charges and testified against
him in this case.
August 2005 - High School Students Charged with Felonies for School
13 Pennsylvania high school students have been charged with felony
computer trespass for breaking school rules regarding the use
of their school-issued laptop computers. The state defines the
altering computer data, programs or software without permission."
The students discovered the administrative password that allowed
them to reconfigure their machines and bypass Internet filters.
Some students turned off a remote monitoring function and some
used that function to view administrators' computer screens; some
students also downloaded instant messaging tools. There is no
evidence that the students altered grades, disabled the school's
network or otherwise acted maliciously. School district officials
maintain the students violated the code of conduct and acceptable
use policy that warned of legal repercussions. The school had
tried detentions and suspensions before turning the matter over
to police. A hearing is scheduled for August 24, 2005.
August 2005 - Microsoft, Spammer Reach Settlement
Microsoft has settled a lawsuit against Scott Richter who was
known as a "spam king." As part of the settlement, Richer
will pay Microsoft US$7 million, $5 million of which Microsoft
will put toward expanding
technology and support available to law enforcement for investigating
August 2005 - University of Texas Server Breached; 39,000 People
School officials at the University of North Texas say a security
breach of a school server may have compromised data belonging
to about 39,000 current and former students as well as some applicants.
Although there is no evidence that any information was stolen,
the intruders may have had access to names, Social Security numbers
and some credit card numbers. The school says it has blocked access
to the server. University of Northern Texas has set up a web site
with more information.
August 2005 - Identity Thieves Using Browser Hijackers to Steal
An identity theft ring is using CoolWebSearch browser hijacking
tools to steal information from people's computers; the researchers
who stumbled upon this fact say a great deal of information has
been uploaded to a remote server. The stolen information includes
chart sessions, usernames, passwords and banking data as well
as other personal details including eBay account information,
salary data and vacation plans. The FBI is reportedly involved
in the case.
August 2005 - Sonoma State University Security Breach Affects
Students and Applicants
Sonoma State University in California said that cyber intruders
gained access to the names and Social Security numbers of people
who attended or applied to the school between 1995 and 2002.
4 August 2005 - Cal Poly Pomona Notifies 30,000 of Security
Cal Poly Pomona has sent notices to more than 31,000 people notifying
them that their personal data may have been compromised when cyber
intruders accessed two of the school's servers earlier this summer.
The information compromised includes the names and Social Security
numbers of applicants and current and former students, faculty
3 August 2005 - University of Colorado Hires Outside Auditor
After Third Breach
A third intrusion into University of Colorado computer over the
course of several weeks has prompted the school to hire an outside
auditor to examine its "security safeguards." The school
also plans to put firewalls on some of its systems. The most recent
breach involved a computer that holds information related to the
school's Buff OneCards, which allow students and staff to access
buildings after hours and to purchase food. The files contain
Social Security numbers, photographs and other personal information
belonging to 29,000 students and 7,000 staff members.
August 2005 - Report Estimates US$2.75 Billion in Losses From
Phony ATM/Debit Cards
According to a recent Gartner report, phishing attacks are responsible
for US$2.75 billion in losses from ATM and debit cards over the
past year; based on a survey of 5,000 Americans Gartner estimates
that 3 million people have each lost an average of US$900. The
thieves obtain card information through phishing attacks and with
the aid of keystroke loggers; they then use the information to
create phony cards. Card-issuing banks should validate security
codes on the cards' magnetic strips, but not all are doing it.
August 2005 - Phishers use little old lady to steal from eBay
Users of the eBay auction website have been warned about a new
phishing campaign which pretends to be a message from a wheelchair-bound
old lady. However, if recipients respond they risk passing their
confidential login details and password to a criminal gang.
August 2005 - British Phonographic Industry Takes Five to Court
Over Alleged Illegal Music Downloading
The British Phonographic Industry is taking five alleged illegal
music downloaders to court. The five defendants allegedly made
nearly 9,000 songs available on line. More than 60 other people
in the UK who shared music illegally have already settled out
of court, paying fines of up to 6,500 GBP (US$11,507).
August 2005 - Darkmail growth is hidden bandwidth menace
mailers are increasingly hitting systems with email flooding attacks
never designed to appear in inboxes.
July 2005 - Woman held over spammer death
A woman is being held in connection with the violent death
of mega-spammer Vardan Kushnir.
26 July 2005 - Identity Theft Woes Linger
A study from Nationwide Mutual Insurance Company found that 28%
of those who experienced identity theft were unable to completely
restore their good names even a year after the theft had been
discovered and efforts had been made to remediate the damage.
The average fraudulent charge made to accounts was nearly US$4,000;
16% of those answering the survey said they had to pay for some
or all of those charges. Only 17% of those surveyed said they
were notified of suspicious activity by their banks or creditors. http://www.techweb.com/wire/security/166402606
July 2005 - Microsoft Genuine Advantage Now Mandatory for Updates
Microsoft's Genuine Advantage program has now become mandatory.
As of July 26, 2005, users who want downloads from Windows Update,
Microsoft Update for Windows, or the Microsoft Download Center
must allow the program to verify that they are using a valid version
of the Windows operating system. If the OS is found to be counterfeit,
users have several options. Some will be eligible for free legitimate
copies of Windows; they need to provide Microsoft with the source
of the phony software, proof of purchase and the actual CD. Users
who do not have all the information can still file a report and
will be permitted to purchase a legitimate copy of Windows at
a discounted price. Security updates are exempt from Windows Advantage
and will be available to everyone.
July 2005 - Two Servers Breached at University of Colorado
The University of Colorado has hired a forensic investigator to
look into security breaches of two of the school's servers. A
server at the College of Architecture contains information on
approximately 900 students and faculty members, while a Health
Services server contains information on approximately 42,000 students
and university staff. No credit card information was stored on
either server and there is no
evidence that the information was stolen or has been misused.
The university is informing people whose information was stored
on the servers by letter and by email; in addition, the school
has established a web site and a hot line to answer questions
and provide information to those affected by the breaches.
July 2005 - While Computer Attack Costs are Down, Data Theft Costs
A survey from the Computer Security Institute (CSI) and the FBI
found that the average losses due to computer attacks dropped
61% in 2004. The 700 companies and government agencies who responded
to the survey reported an average cost for cyber attacks of US$204,000
in 2004 compared to an average of US$526,000 in 2003. This is
the fourth consecutive year in which the cost has dropped. However,
associated with information theft has increased more than US$51,000
from last year. Theft of proprietary information cost the respondents
an average of US$355,000 in 2004, compared to US$169,000 in 2003.
July 2005 - Number of Zombie Computers Growing Quickly, Says McAfee
A report from McAfee says that the numbers of computers infected
with zombie code are increasing at an alarming rate. Incidents
involving bot code increased to 13,000 in April through June of
this year, four times
the number for the preceding three months.
July 2005 - Alleged Defense Computer Intruder Says Security Was
Gary McKinnon, the British man who faces extradition to the US
on charges he broke into and damaged US defense-related computer
systems, says weak security on those systems enabled him to exploit
them. Mr. McKinnon maintains that in one system, the local administrator's
passwords was blank.
July 2005 - GAO Report Finds DHS Information Security Lacking
A Government Accountability Office report says the Department
of Homeland Security's computer systems do not adequately ensure
their own security and the security of the information they contain.
Among the problems are risk assessments that have not been completed
and incomplete implementation of security plans and policies.
The applications and agencies selected for review in the GAO report
US-VISIT, the Transportation Security Administration and the Emergency
Preparedness and Response Directorate.
July 2005 - Police Arrest Florida Man for Unauthorized Wireless
Police have arrested Benjamin Smith III and charged him with using
another individual's home wireless computer network without permission.
Mr. Smith was allegedly sitting in his car outside the person's
using his laptop computer. The owner of the network says he is
less concerned with the fact that Mr. Smith accessed his network
than with what Mr. Smith was doing while on the network. The law
under which Mr. Smith was charged prohibits unauthorized access
of a computer or network. His arrest is the first for unauthorized
July 2005 - University Student Arrested for Alleged Data Theft
Police in Japan have arrested a university student from China
who allegedly broke into more than a dozen companies' computer
systems and stole customer information. The student allegedly
sold the data on
line. He has admitted to the allegations, saying he was seeking
additional funds for tuition and related school expenses. The
man was arrested for a specific intrusion and is being questioned
about the others.
July 2005 - IM-Based Attacks Increasing Rapidly
A study from the IMlogic Threat Center found that IM-based attacks
rose from 20 in all of 2004 to 571 in just the second quarter
of 2005. People who use IM would be well advised to block all
attachments on IM and filter IM traffic to allow it to come from
trusted sites only.
July 2005 - IM Threats Skyrocket
number of attacks targeting instant message programs shot up 400
percent in the second quarter of this year, according to research
from IM security firm Akonix.
1 July 2005 - RIAA to File More Suits Against Downloaders
The Recording Industry Association of America (RIAA) says it plans
to take legal action against 784 people suspected of illegally
downloading music to their computers. Those being targeted include
Grokster and Limewire. http://news.bbc.co.uk/2/hi/entertainment/4640415.stm
1 July 2005 - Operation Shuts Down Internet Pirates' Servers
Around the World
Raids on suspected Internet piracy groups in 11 countries around
the world netted seven arrests and the seizure of US$50 million
worth of pirated materials, including software, games and movies.
In addition, eight servers used to distribute the pirated material
were shut down.
June 2005 - Alleged Spammer Could Face Three-Year Prison Sentence
A Florida man could face a prison sentence of up to three years
for sending unsolicited email messages. Peter Moshou said he would
plead guilty to one count of violating the CAN-SPAM Act. Moshou
sent millions of spam messages through EarthLink; the messages
used phony "from" addresses, deceptive subject lines
and did not provide a means to unsubscribe electronically, all
of which are violations of the law. Moshou could also be fined
as much as US$350,000.
June 2005 - Deloitte 2005 Global Security Survey
According to Deloitte's 2005 Global Security Survey, financial
services organizations are experiencing more internal security
breaches than external security breaches. 28% of those responding
to the survey had an IT security breach last year, a decrease
of 55% from last year's figures. However, internal breaches rose
from 14% last year to 35% this year.
June 2005 - Government Computer Intruder Sentenced
Robert Lyttle, one half of the Deceptive Duo team that broke into
government computers and defaced web sites, was sentenced to four
months in jail. Lyttle pleaded guilty to five counts of unlawfully
computer systems in April 2002. He was also ordered to pay US$72,000
in damages and will remain on probation for three years following
his release from federal prison; for the first four months of
he will be confined to his home by electronic monitoring. Mr.
Lyttle's accomplice, Benjamin Stark, pleaded guilty last year,
to similar offenses, but has not yet been sentenced.
June 2005 - Two UK Men Sentenced in Phishing Scheme
Two UK men have been sentenced to jail for their roles in a phishing
scheme that netted the pair approximately GBP 6.5 million (US$11.4
million). Douglas Havard received a six-year sentence while Lee
Ellwood received a four-year sentence. Their arrests were the
result of a British National Hi-Tech Crime Unit (NHTCU) investigation
into Eastern European phishing schemes.
June 2005 - Security is Banking Sector's Top IT Spending Priority
According to the Info-Tech Research Group 2005 IT Budget and Staffing
Report, security is the banking sector's top IT spending priority.
59% of the banks surveyed plan to increase security spending;
70% of bank IT executives plan to spend money on security software.
June 2005 - Some FDIC Employees' Data Compromised
The Federal Deposit Insurance Corporation has notified 6,000 current
and former employees that their personal data may have been compromised
in a security breach that occurred in 2004. In several cases,
the stolen data were used to obtain loans at a credit union. The
FDIC says the case is one of "unauthorized release"
of personal information rather than an intrusion. The FBI is investigating.
June 2005 - Equifax Canada Notifies People of Security Breach
Equifax Canada has notified 600 Canadian citizens that their credit
files were illegally accessed. Most of those affected reside in
British Columbia. The breach was reportedly due to "improper
use of the access
codes and passwords of one of Equifax's customers."
June 2005 - Japanese Police Arrest Phishing Suspect
Japanese police have arrested Kazuma Yabuno who is suspected of
creating and operating a web site that appeared to be a known
Internet auction site but which was instead used to harvest unsuspecting
users' personal information. Police confiscated 12 computers from
Mr. Yabuno's home; he will also face charges of copyright violation.
The arrest is Japan's first related to phishing.
June 2005 - CitiFinancial Blames UPS for Tape Loss
Citigroup Inc. subsidiary CitiFinancial says a box of computer
tapes being transported by United Parcel Service has been lost.
The missing tapes hold unencrypted data, including names and Social
numbers, for approximately 3.9 million customers. The company
has sent letters to all affected customers, warning them to pay
special attention to their accounts for suspicious activity. CitiFinancial
videos show the UPS driver failing to observe the agreed upon
"special security procedures." The tapes were sent in
early May; there have been no reports of unauthorized account
activity. CitiFinancial has been planning to switch to encrypted
data sent electronically in July of this year. The Secret Service
6 June 2005 - Phishers Target Smaller Financial Institutions
A report from the Anti-Phishing Working Group indicates that phishers
are broadening their base of attack targets to include small financial
institutions such as credit unions. The Anti-Phishing Working
Group also said that the number of phishing attempts reported
in April rose to 14,411, although the number of unique phishing
messages dropped from 4,100 in March to 3,930 in April.
June 2005 - Texas HS Student Arrested for Unauthorized Computer
A South Houston (Texas) High School student has been arrested
on charges of breaching computer security for allegedly using
software he obtained from the Internet to gain unauthorized access
to the school district's computer network. The student's actions
hastened the district's security implementation activities.
May 2005 - Stolen Laptop Holds Dept. of Justice Workers' Credit
A laptop computer stolen from Fairfax, Virginia-based Omega World
Travel contains names and credit card numbers of approximately
80,000 US Department of Justice employees. The data were password-
protected. The FBI and local police are investigating the theft.
May 2005 - Arrests Made in Cyber Espionage Case
An Israeli husband and wife living in London have been remanded
in custody after Israeli police requested their extradition. Michael
and Ruth Haephrati were arrested for allegedly designing Trojan
horse software that other businesses used to spy on rivals' computer
systems. 18 people in Israel have also been arrested for using
May 2005 - Private Citizen Files Suit Against Alleged Spammer
A New York attorney has filed a lawsuit against China Digital
Media for using his email address to send spam. Between April
29 and May 3, attorney Scott Ziegler saw his email box fill up
with bounced promotional emails with his business address in the
"From" field. He contacted the owner of the company
being promoted and got told they hired a promoter but didn't know
anything about spam. He sued the
unknown spanners and is seeking millions of dollars in damages.
May 2005 - Site Registration and Password Reminder Attacks Help
Spammers Tailor eMail
Phishers and spammers are reportedly using site registration and
password reminder attacks to gather information about their targets
in order to customize their scams. People are more likely to open
that appears to come from sites they are familiar with, and customized
email messages are less likely to be caught by spam filters.
May 2005 - Feds Shut Down Network Offering Pirated Movie Downloads
US law enforcement authorities executed search warrants in a raid
targeted at administrators and content providers of a network
that allowed people to download new release movies including Star
Wars -- Episode III. The main server of the Elite Torrents network
was seized in the raid. After the raid the site displayed the
following notice: "This site has been permanently shut down
by the Federal Bureau of Investigation and the US Immigration
and Customs Enforcement."
May 2005 - Bank of America to Roll Out Anti-Phishing and Anti-Spyware
Bank of America is planning to introduce a system to protect its
customers from phishing, spoofing and spyware. The program will
use visual images from a list and a customer-generated text passage
to verify that they are visiting an authentic BoA web site instead
of a phishing site. The program, called SiteKey, is scheduled
to premiere in Tennessee and will remain optional until it is
available nationwide. SiteKey also connects the users' PC to the
online banking service; if an attempt is made to access the account
from a different computer in the future, the user will be required
to answer one of three previously
selected security questions.
May 2005 - Stolen Laptop Holds MCI Employee Data
A laptop computer stolen from the car of an MCI financial analyst
in Colorado contains the names and Social Security numbers of
approximately 16,000 current and former employees. A company spokesperson
said the computer was password-protected but declined comment
on whether or not the data were encrypted and on whether or not
the employee was authorized to have the data on the laptop. Those
whose data have been put at risk were notified, and the company
is investigating the incident; the employee may face disciplinary
action if the investigation determines that company policies were
May 2005 - Cyber Intrusion at Georgia University Exposes 40,000
As many as 40,000 people may be at increased risk for identity
theft after a computer intrusion at Valdosta State University
in Georgia. The breached server held information for VSU 1cards,
combined identification and debit cards that can be used to purchase
food and books on campus and check out library materials. All
students from 1997 onward are at risk, as are current employees
and employees who left the school between 1997 and 1999.
May 2005 - DrinkorDie Piracy Ring Members Receive Jail Time
Three members of the DrinkorDie Internet piracy group have received
jail sentences of between 18 months and two years for their roles
in a massive software piracy ring that defrauded major companies,
Microsoft, of millions of dollars in revenue. The group allegedly
stole software and allowed people to download it from the Internet
at no cost. A fourth defendant received a suspended sentence.
May 2005 - Phishers Increasingly Using Keystroke Loggers
According to the Anti Phishing Working Group (APWG), the use of
keystroke loggers to steal computer users' personal and financial
information has increased tenfold in the past six months. The
logging software is surreptitiously placed on users' computers
via browsers with unpatched known vulnerabilities. http://www.vnunet.com/news/1162890
May 2005 - Chinese Student Arrested for Alleged Industrial Espionage
Police in Versailles, France have arrested a Chinese student who
is suspected of stealing proprietary information from her job
at Valeo, a car parts manufacturer. Law enforcement officials
who raided her house found computer equipment containing information
about Valeo products, including "confidential" designs.
A Valeo executive became suspicious when the woman, Li Li, was
noticed walking around the office with a portable computer. She
has denied the charges.
May 2005 - Air Canada Alleges Industrial Espionage Against WestJet
Court documents allege that WestJet Airlines Ltd. stole confidential
data from Air Canada that gave WestJet the impetus to move its
eastern hub from Hamilton to Toronto. Forensic auditors analyzed
seven WestJet computers and allegedly found flight comparison
reports as well as information about AirCanada's load factor --
the percentage of available seating capacity filled by travelers.
May 2005 - Secret Service Investigating Disappearance of Time
Warner Backup Tapes
Time Warner Inc. says that the US Secret Service is investigating
the disappearance of backup tapes containing the names and Social
Security numbers of 600,000 current and former employees. Time
Warner says that an outside company, Iron Mountain, was responsible
for the tapes at the time of their loss. Time Warner is notifying
those whose data may have been compromised.
1 May 2005 - Judge Rules Two Schools Do Not Have to Surrender
Information to RIAA
US Magistrate Judge Russell A. Eliason ruled that the University
of North Carolina at Chapel Hill and North Carolina State University
do not have to disclose the names of students who allegedly used
computer networks to share music illegally. The Recording Industry
Association of America had subpoenaed both schools to obtain the
information. An attorney representing the students said that the
case is not about whether students have the right to share music
in this way, but about Internet users' right to privacy.
April 2005 - Nine charged in Bank Account Data Theft Ring
Nine people have been charged for their alleged roles in a scheme
in which financial records belonging to half a million people
were stolen and sold to collection agencies. Orazio Lembo Jr.,
the alleged ringleader of the operation, apparently obtained lists
of people who were being sought by debt collection agencies. Lembo
allegedly shared those names with accomplices who worked in banks
where they could compare the list to the names of bank customers
and provide Lembo with the names and account details when they
found matches. Lembo in turn allegedly sold that information to
collection agencies for a tidy profit. If convicted of all charges
against him, Lembo could face 130 years in prison and a fine of
April 2005 - Florida International University Computer Systems
Some Florida International University students, faculty and staff
have been notified that their personal information may have been
compromised after it was discovered that computer systems at the
school had suffered security breaches. A file found on one of
the computers indicates that the intruders had access to user
names and passwords for 165 university computers. Users have been
advised to remove sensitive data from their computers and to place
fraud alerts on their credit files. University "technology
experts" are examining 3,000 computers at the school for
evidence of intrusions.
April 2005 - New York AG Spitzer Files Spyware Suit Against California
New York state Attorney General Eliot Spitzer has filed a lawsuit
against Intermix Media Inc. for allegedly installing spyware and
adware on people's computers without their knowledge. According
to the lawsuit, New York residents downloaded 3.7 million programs,
including games and screen savers, from Intermix web sites, but
they were not properly notified that the downloads also contained
spyware and adware.
Intermix senior VP and general counsel Christopher Lipp said such
practices are part of Intermix's past, and were established under
prior leadership and that the company has ceased distributing
the programs in
question of its own volition in April 2005. The lawsuit follows
a six-month investigation.
April 2005 - Backup Tape Disappearances Underscore the Need to
Rethink Policies and Procedures
The recent spate of revelations from companies that backup tapes
containing customer data have been lost has pointed out the fact
that organizations may need to reconsider their backup policies
and procedures. One poll of 400 companies found that more than
60% do not encrypt any of their backup data and that just 7% encrypt
all their backup data. Another problem is that the job of making
tends to fall to those ranking low on the IT department scale
of importance, which increases the possibility that they could
April 2005 - Heckencamp Sentenced for eBay and Qualcomm Intrusions
Jerome Heckencamp has been sentenced to eight months in prison
followed by eight months of electronically monitored home confinement.
In January 2004, Mr. Heckencamp pleaded guilty to breaking into
computer systems of several high profile companies, including
eBay and Qualcomm, and installing Trojan horse programs. Mr. Heckencamp
has also been ordered to pay nearly US$270,000 in restitution
and for three years; he may not use an Internet-connected computer
without permission from a probation officer. http://www.crime-research.org/news/27.04.2005/1186/
April 2005 - Lawsuit Alleges Kraft Foods Sent Spam
The founder of a small California ISP has filed a lawsuit against
Kraft Foods, Inc., alleging the company is responsible for 8,500
spam email messages in violation of both the federal CAN-SPAM
Act and California
anti-spam law; the headers of the unsolicited commercial email
messages were faked. The attorney representing the man who filed
the suit says his client is entitled to US$11.7 million in damages.
April 2005 - Carnegie Mellon Computer Breach Exposes Personal
Carnegie Mellon University is informing more than 5,000 people
that their personal information, including Social Security numbers,
may have been compromised during a computer network breach that
was discovered on April 10. The compromised computers contain
information about current graduate students and administrative
staff as well as those who received graduate degrees from and
those who applied to several different graduate programs.
April 2005 - UK Ministry of Defence Files Found on Discarded Computer
A UK man found 70 "top-secret" Ministry of Defence files
on a laptop he obtained at a garbage dump. The MoD is conducting
an investigation to find out whether or not the computer was official
MoD equipment. In 2002, the ministry admitted that nearly 600
laptops had been stolen or gone missing in the five preceding
years. An MoD spokesman said the ministry has procedures in place
to ensure that the equipment it disposes of does not contain sensitive
April 2005 - China Has Highest Number of New Zombie Computers
According to a recent report, over 20% of the 157,000 new zombie
computers identified daily are in China. The US is next on the
list with 16%, followed by South Korea with 10%. Zombies are computers
infected with malware which allow them to be used by others to
launch denial of service attacks or to send spam or phishing email. http://asia.internet.com/news/print.php/3499491
April 2005 - Ameritrade Notifying 200,000 Customers Whose Data
is on Missing Tape
Ameritrade has begun sending letters to approximately 200,000
current and former customers informing them that a tape containing
their personal data kept on file by the company has been misplaced.
A spokeswoman for the company says there is every reason to believe
the tape is still somewhere in the facility of the shipping company
that initially misplaced it or that it has been destroyed. She
also said the
data were compressed but not encrypted.
April 2005 - DSW Ups Number Affected by Data Breach to 1.4 Million
DSW Shoe Warehouse now says that the number of people affected
by a massive theft of customer data is as high as 1.4 million,
a number ten times greater than had previously been acknowledged.
DSW says it has begun contacting those people for whom they have
contact information. The thieves managed to steal credit card
numbers, driver's license numbers and checking account numbers,
but no customer names or addresses were affected. The Secret Service
April 2005 - Shanghai Court Sentences Two Americans to Prison
Shanghai's No. 2 District Court sentenced two American men to
prison for selling pirated DVDs over the Internet. Randolph Hobson
Guthrie received a prison sentence of two-and-a-half years and
was fined 500,000 yuan (US$60,400). Abram Cody Thrush received
a one-year prison term and was fined 10,000 yuan (US$1,200). Both
will be deported at the completion of their sentences. Guthrie
reportedly earned about US$160,000 selling the pirated material.
April 2005 - Nine years in jail for $24 million spammer
A US court has sentenced a 30-year-old man to prison for sending
spam messages said to have earnt him a fortune of $24 million.
Read more about the case now.
8 April 3005 - Fake Microsoft security update delivers Trojan
Users are warned to be on their guard against an attempt by hackers
to break into their computers under
the disguise of being a Microsoft security update. Find out more
now and ensure you are properly protected. http://s388.link.sophos.com/fakeupdate?pl_id=9
7 April 2005 - Sophos Reveals the Dirty Dozen Spamming Countries
Sophos researchers have identified which countries are pumping
out the most spam. Find out which country is the worst offender,
and how innocent unprotected computers are adding to the spam
April 2005 - Car Sales Firm Fined for Sending Spam to Mobile Phones
A car sales website based in Melbourne has become the first Australian
company fined for spamming mobile phones, after authorities found
it had sent unwanted SMS text messages to phone numbers taken
from newspaper classified ads.
April 2005 - Microsoft Files More Phishing Lawsuits
Microsoft has filed civil lawsuits against 117 alleged phishers.
The "John Doe" suits were filed in the US District Court
for the Western District of Washington in Seattle and are targeted
at phishing sites that pretend to be Microsoft MSN and Hotmail
1 April 2005 - Google Tests Anti-Phishing Technology
Google is testing methods of protecting its Gmail users from on
line fraud. When users open a suspect message, a dialog box appears
warning that the message may not be from whom it appears to be
from and advising against clicking on any hyperlinks or providing
the sender with any personal information. Gmail also now removes
hyperlinks from HTML email. In fall of last year, Google implemented
DomainKeys technology as a precautionary measure against email
March 2005 - Blaster Author To Do Community Service Instead of
Paying US$500,000 Fine
Microsoft has asked that Jeffrey Lee Parson, the man who created
a Blaster variant, be required to serve 225 hours of community
service in lieu of a $500,000 fine that would have been paid to
Microsoft. In January, Parson was sentenced to 18 months in prison
and ordered to pay half million dollars in restitution. Parson's
community service cannot involve the Internet or computers.
March 2005 - Sophos Reports on the Top Ten Viruses and Hoaxes
Which virus topped the chart in March 2005? Find out which viruses
and worms were spreading the most across internet email systems
in the last last month in this hall of shame.
March 2005 - Kelvir-F worm spreads malicious message via chat
Experts at Sophos have warned users to be on their guard against
a worm which spreads via instant messaging, posing as a funny
screensaver. Find out more now.
March 2005 - Microsoft Moves Toward Restricting Downloads to Authenticated
Windows users who want to download one of Microsoft's 22 Language
Interface packs will soon have to verify that they are running
a legitimate copy of the software. The Windows Genuine Advantage
authentication program began last year as an optional program.
Over time, Microsoft has begun offering benefits to those people
who verify they are running legitimate copies of the operating
system, and are
moving toward withholding updates from users whose copies are
determined to have been pirated.
March 2005 - South Korea Fines SMS Spammers
Korea's Ministry of Information and Communication has fined premium
phone service operators between w15 million (US$14,744) and w30
million (US$29,483) for sending "unsolicited promotional
text messages to cell phones." The fines were larger for
companies that operated more than one call service; fines totaled
w720 million (approximately US$707,700). The ministry is also
investigating nearly 200 more cases of spam. http://english.chosun.com/w21data/html/news/200503/200503300027.html
March 2005 - Israeli Military Commander Jailed After his Laptop
An Israeli Defense Forces commander was sentenced to two weeks
in military prison following the theft of his laptop computer.
The commander says he left his computer, which contains classified
military information, on his desk while he was on a field trip
with his soldiers; military protocol requires that laptops containing
classified material be kept in a vault while not in use. Military
police are investigating the theft.
March 2005 - Nearly Half of Retailers Surveyed Said they Share
A study from The Customer Respect Group found that data brokers
aren't the only ones playing fast and loose with customer data.
43% of financial services firms surveyed said they share customer
data with business partners or third parties. 47% of retailers
surveyed said they "shopped customer data around." Of
insurance companies surveyed, 35% said they shared customer information
with third parties. Airline and
travel companies fared the best in the survey, with only 28% sharing
data with other sources.
March 2005 - Laptop Stolen from UC Berkeley Has Data on 100,000
Alumni and Applicants
A laptop computer stolen from a restricted area of a University
ofCalifornia, Berkeley office contained personal information belonging
to nearly 100,000 former graduate students and graduate school
Notifying all those affected could prove difficult as some received
their degrees nearly 30 years ago. The data included Social Security
numbers and some birthdates. A university spokesperson said there
is no evidence the thief has used the information; it is more
likely that the thief was after the machine and not the data it
contained. University officials announced the March 11 theft on
Monday, March 28 in accordance with California law requiring notification
of consumers when their personal data is stolen.
March 2005 - Japanese Data Protection Law Imposes Penalties for
Managers/ Data Handlers
Japan's Personal Information Protection Law, which took effect
on April 1 of this year, requires companies to comply with a set
of rules for handling consumers' personal data. The law applies
to companies holding
the personal data of 5,000 or more individuals, including employees
and affects foreign companies as well. Companies are required
to designate a corporate privacy officer and staff who will be
responsible for compliance with the law. Penalties include fines
of up to 300,000 yen approximately US$2,760 and jail sentences
of up to 6 months for the managers and data handlers who fail
to comply. Under the provisions of the law, the companies must
specify why they are collecting the information, obtain consent
from the individuals before using it for any other purpose and
take measures to prevent theft and leaks.
March 2005 - Yahoo Messenger Targeted by Phishers
Phishers are taking aim at Yahoo Messenger users. The attackers
are sending messages that appear to come from friends and that
contain a link to a phony web site. The web site looks authentic
and asks for
Yahoo usernames and passwords. Once in possession of this information,
attackers would have access to the user's Messenger profile and
contact list. A recent report from SurfControl found that while
90% of the more than 7,5000 US businesses surveyed have established
policies for email use, just over half have policies that address
IM and peer-to-peer technology use.
March 2005 - GAO: SEC Information Security Controls are Lacking
A General Accounting Office report says that the Securities and
Exchange Commission needs to improve controls over user accounts
and passwords, access rights and permissions, network security
and audit, and monitoring of events to detect and prevent intrusions.
The weaknesses put sensitive data at risk of being stolen or modified.
SEC passwords were easily guessed, and former employees were not
blocked from using SEC computers. In one case, someone who had
not worked for the SEC for eight months still had access to the
system. The SEC will incorporate the recommendations made by the
GAO by June 2006. http://www.govexec.com/story_page.cfm?articleid=30858&printerfriendlyVers=1&
March 2005 - Ten Worst Security Practices
A list of the ten worst security practices includes buying products
to fix security holes as they arise, neglecting to create a security
policy, treating all data as equal and backing up all data every
The list includes tips on what to do instead.
March 2005 - Apple Settles Suit Against Developer Who Shared Mac
Apple Computer Inc. has settled a lawsuit it brought against Doug
Steigerwald, one of three men sued for distributing test copies
of Mac OS X 10.4, code-named "Tiger," on a file sharing
site. Steigerwald was a member of the Apple Developer Connection,
which entitled him to early test copies of the new version of
the operating system. Steigerwald will pay "an undisclosed
sum" to Apple, and acknowledged that his
actions were wrong. Steigerwald is also being investigated by
the US Attorney's office.
March 2005 - Acxiom Data Thief Sentenced to Nearly Four Years
Daniel J. Baas has been sentenced to 45 months in prison for breaking
into Acxiom Corp.'s computer systems and downloading encrypted
password files. He was able to access the files of other Acxiom
clients. Although Baas stored the files on computer disks at his
home, he apparently never used or shared the information he took.
At the time, Baas was working as a systems administrator for a
company that was doing data analysis for Acxiom. http://www.siliconvalley.com/mld/siliconvalley/news/editorial/
March 2004 - Financial Institutions Must Notify Consumers of Data
Four government banking agencies, including the Federal Deposit
Insurance Corporation (FDIC) and the Federal Reserve, have issued
rules that require banks and other financial institutions to inform
customers as soon as possible when their information has been
stolen or its security has been breached and there is reason to
believe it will be misused. Notice could be delayed if a law enforcement
agency determines that it would interfere with a criminal investigation.
Financial institutions are also required to inform their primary
federal regulators whether or not customers are being informed.
March 2005 - Korean Bank Under Investigation for Allegedly Using
Police in Seoul, Korea are investigating a complaint lodged by
Microsoft Korea against a local bank for using pirated software;
61% of the bank's 11,400 computers are allegedly running pirated
software. Microsoft is also charging that the bank has not renewed
its contract for the 4,500 computers for which the software was
initially purchased. The bank maintains that under the terms of
its contract with Microsoft, it can make as many copies of the
software as it pleases.
March 2005 - FBI Arrests Two in Denial-of-Service for Hire Case
The FBI has arrested two people in connection with a denial-of-service-for-hire
case. Jason Arabo allegedly hired a 17-year-old to launch an attack
on the web site of Jersey-joe.com, a business competitor. The
17-year-old allegedly used a botnet to conduct the attack. Arabo
could face up to five years in prison and a fine of as much as
twice the amount of loss incurred by the victims.
March 2005 - Security Managers Take Proactive Measures
Security managers are increasingly taking a proactive stance toward
network security. This shift is driven by several factors, including
Sarbanes-Oxley compliance requirements, increasing use of wireless
technology, remote workers and web services and the ever-shrinking
lag time between the disclosure of a vulnerability and the appearance
of malware to exploit it. General Motors Corp. denies network
anyone the company has not vetted. Texas Tech University deployed
network behavior modeling tools to establish baseline network
behavior and quickly detect and identify anomalies. Companies
are also looking
to build security into application software and to encourage the
software industry to incorporate security into the development
March 2005 - Legislators Introduce Spy Block Act
The Spy Block Act, introduced last week by US Senators Conrad
Burns (R-Mont.) and Ron Wyden (D-Ore.), is based on the premise
that people have the right to know and control what software is
installed on their machines. "The bill bans the surreptitious
installation of software" in cases when the user did not
request installation and it also takes aim at software that prevents
efforts to uninstall or disable it. Also banned under the bill
are the collection and transmission of information about computer
users without their consent. http://www.internetnews.com/security/print.php/3491731
March 2005 - University of Nevada-Las Vegas Server Breached
The records of as many as 5,000 current and former international
students at the University of Nevada-Las Vegas may have been exposed
when an attacker gained access to the school's Student and Exchange
Visitor Information System server. The breach was discovered during
a routine network activity security check; analysts caught the
attack as it was happening and took the server off line. UNLV
has emailed all
affected students and alerted them to the situation. The FBI is
March 2005 - Computer Stolen from Nevada DMV Contains Motorist
Thieves broke into a Nevada Department of Motor Vehicles office
and stole a computer that contains personal data belonging to
more than 8,900 licensed Nevada drivers. The information includes
names, birth dates, Social Security numbers, photographs and signatures.
The Nevada DMV initially said the data was encrypted, but DMV
chief Ginny Lewis said the company that makes the state's digital
driver's licenses told her the data was not encrypted. All Nevada
DMV licensing stations have been ordered to remove personal information
from computers; the department plans to send letters to the people
whose data is on the stolen computer. In addition to the computer,
the thieves also stole 1,700 blank licenses and the equipment
to make licenses. The US Secret Service is investigating.
18 March 2005 - Cyber Thieves Thwarted
Police thwarted an attempt by cyber thieves to steal GBP220 million
(US$41.7 million) from the London offices of Japanese bank Sumitomo
Mitsui. The bank's computer systems were compromised with keystroke
loggers in October 2004 and then used in unsuccessful attempts
to transfer money to 10 overseas bank accounts. The thieves were
stopped before any money was actually transferred. Emerging reports
suggest that the attack was carried out with the help of an insider.
March 2005 - Brazilian Police Arrest Alleged Phishing Ringleader
Brazilian federal police have arrested Valdir Paulo de Almeida,
the alleged leader of a phishing gang. The group allegedly stole
US$37 million from victims' bank accounts with the aid of a Trojan
horse program; as many as 3 million Trojan-laden emails a day
March 2005 - More University Computer Breaches
California State University, Chico has informed more than 59,000
people that the security of their personal information may have
been compromised due to an attack on the school's servers. The
information included the names and Social Security numbers of
current, former and prospective students and well as current and
former faculty and staff. Those affected were notified through
email and the postal service. The
university says it will stop using Social Security numbers as
identifiers. A Boston College computer used for fund-raising purposes
was broken into, but school officials say no personal data were
stolen; they still plan to notify the 120,000 alumni whose information
may have been compromised. Boston College spokesman Jack Dunn
says the school will no longer use Social Security numbers as
March 2005 - Federal Agencies to Face Tougher Security Requirements
US federal agencies will face additional requirements when they
are graded on next year's security report card. The Federal Information
Security Management Act of 2002 requires that agencies categorize
their applications and systems according to the impact a major
security breach would have on their ability to operate. In addition,
agencies will be required to comply with minimum security control
standards for federal systems by December 2006; the standards
are described in the National Institute of Standards and Technology
Special Report 800-53.
March 2005 - IRS Employees Vulnerable to Social Engineering
Treasury Department inspectors posing as information technology
help desk employees addressing a network problem were able to
convince 35 IRS employees to reveal their network logon names
and change their passwords to one suggested by the callers. The
results show a significant improvement from a similar test conducted
in 2001, when 71 of 100 IRS employees changed their passwords.
March 2005 - Former IT Manager Gets Prison for Breaking Into Company's
Mark Erfurt, who in August 2004 pleaded guilty to breaking into
his former employer's computer system and to obstruction of justice
for overwriting backup tapes, was sentenced to five months in
prison. Erfurt will also serve five months under home detention
and three years of supervised release, in addition to being ordered
to pay US$45,000 in restitution. Erfurt had been employed by Manufacturing
Electronic Sales Corp. as an IT manager, but after his termination,
he broke into the company's computer system, read email, deleted
data and downloaded a proprietary database.
March 2005 - State Legislators Introduce Data Theft Customer Notification
Legislators in more than 20 states have already proposed bills
aimed at dealing with data theft like that recently experienced
by ChoicePoint and LexisNexis. Hastily proposed measures run the
risk of being overly broad or narrow, or vaguely worded, impeding
March 2005 - ISP Employee Arrested for Stealing Credit Card info
On March 8, UK police arrested an employee of Zen Internet for
allegedly stealing customer credit card details. The suspect then
allegedly used the information to establish gaming accounts that
he sold over the Internet.
March 2005 - Customer Data Stolen from DSW Shoe Warehouse Stores
Credit card and other customer data from at least 103 DSW Shoe
Warehouse stores has been stolen. The thefts took place over the
last three months. Julie Davis, general counsel for parent company
Retail Ventures, says credit card companies have reported fraudulent
activity. Data provided at the DSW web site was not affected.
Ms. Davis also said that an independent computer security company
will conclude an
investigation within the next week two weeks, and that the Secret
Service is investigating as well.
9 March 2005 - Consumer Data Stolen from Seisint Databases
Data broker LexisNexis said that social security numbers and other
personal data belonging to as many as 32,000 US consumers were
stolen from databases at Seisint, a company recently purchased
LexisNexis parent company Reed Elsevier. The FBI is investigating
the case. The company says it will notify all those whose data
was compromised and will help them monitor their credit reports
and other accounts for problems.
9 March 2005 - MIT, Harvard and CMU Business Schools Will Not
MIT's Sloan School of Management will join Carnegie Mellon
University's Tepper School of Business and Harvard Business School
in rejecting applicants who took advantage of directions posted
on the Internet to
access a web site that manages online school admissions. Sloan
dean Richard L. Schmalensee said rejected applicants may reapply
in later years; in addition, Sloan may consider appeals from individuals
with extenuating circumstances. Mr. Schmalensee said that the
posted instructions involved effort on the part of the information
seekers; they had to know they were doing something unethical.
March 2005 - Worms Spreading Through MSN Messenger
Researchers have detected a variety of worms that are spreading
through MSN Messenger. Some are Bropia variants; two others, Kelvir
and Sumom, are capable of installing the Backdoor.Rbot Trojan.
The number of worms using IM to spread is increasing. In the first
six weeks of 2005 alone there have been 10 IM worms, three times
the number for the same period last year.
March 2005 - Three Plead Guilty in Net Piracy case
Three men have pleaded guilty to being members of organized groups
that distribute pirated video and computer games. The men were
caught as a result of "Operation Higher Education,"
a Net piracy sweep carried out in 12 countries.
March 2005 - University of Arizona Student Pleads Guilty to Piracy
Parvin Dhaliwal, a student at the University of Arizona, has pleaded
guilty to possession of unauthorized copies of intellectual property,
a Class 6 Felony under the state's new piracy law. Mr. Dhaliwal
had uploaded digital copies of recently released films and music
believed to be valued at $50 million dollars; some movies such
as Matrix Revolutions were still playing in theaters. Mr. Dhaliwal
received a sentence of 3 months in jail, 3 years probation, 200
hours of community service and a US$5,400 fine. He is also required
to take a university class on copyright issues.
8 March 2005 - Man Charged with Breaking into Sony Ericsson
Site Csaba Richter of Hungary has been charged with industrial
espionage for allegedly breaking into the Sony Ericsson AB and
Ericsson AB Intranets. He told officials that he hoped the companies
would be impressed with his skills and hire him. Mr. Richter has
admitted to stealing documents concerning telecommunications.
March 2005 - Proposed Anti-Phishing Legislation
The Anti-Phishing Act of 2005, introduced by Senator Patrick Leahy
(D-Vermont), would make it a crime to create phony web sites with
the intent to defraud or commit identity theft. Parody sites would
be exempt from the law. Those convicted could face prison sentences
of up to 5 years and fines of up to US$250,000. The same penalties
would apply to those convicted of pharming.
7 March 2005 - Keystroke Logger Surreptitiously Installed at New
Zealand Internet Cafe
A cyber thief in Wellington, New Zealand apparently installed
keystroke-logging software at an Internet cafe that allowed him
to harvest user names and passwords belonging to people who conducted
online banking there. Consumers are being warned to use caution
while banking on line.
March 2005 - Shareholders Sue ChoicePoint
After the share price dropped more than 20%, stockholders
filed a class action lawsuit in California on behalf of the people
who bought shares over the past 10 months. The suit alleges that
ChoicePoint knew it had inadequate protection measures and that
it was selling data to illegal enterprises, and that security
breaches had occurred twice before.
March 2005 - Identity Theft Investigation Nets Scottish Police
After a months-long investigation, Scottish police have arrested
28 people on charges of identity theft. Among the schemes used
by the alleged identity thieves are collecting trash, shoulder
surfing and phishing to obtain PIN numbers. Nearly 2 million GBP
(US$3.83 million) was stolen as a result.
March 2005 - Government Executives Focus on Security
Two thirds of federal IT managers rate security as one of their
top three concerns. However the federal executives expressed concern
that the government will not make significant cyber security progress
coming year, at least in improved grades given by the House Committee
on Government Reform.
February 2005 - NIST Releases Final Recommended Security Controls
for Federal Systems
On Monday, February 28, the National Institute of Standards and
Technology released the final version of SP 800-53: Recommended
Security Controls for Federal Information Systems. The publication
to serve a a guideline for federal agencies to meet Federal Information
Security Management Act (FISMA) mandates.
February 2005 - Lost Bank of America Backups Contain Federal Employees'
Bank of America has revealed that it has lost backup tapes that
contain personal data, including Social Security numbers and account
information, of 1.2 million federal employees. Band of America
Spokeswoman Eloise Hale said there is no evidence the tapes or
the data they contain have been used, and that the tapes are presumed
lost. Senator Charles Schumer (D-NY) says he was told it is likely
the tapes were stolen from a commercial airliner by baggage handlers
in December. Senator Susan Collins (R-Maine) is drafting a letter
to the General Services Administration and Bank of America asking
how federal employee personal data is going to be protected.
February 2005 - Phony eMail Appears to Come from FBI, Has Virus
The FBI has posted a warning on its web site about email messages
that appear to come from the agency, but which actually contain
a virus as an attachment. The FBI says in its statement that it
never sends unsolicited email and that people should not open
unexpected attachments or those from unrecognized senders. The
FBI also recommends that people who receive one of the fraudulent
emails report it to the Internet Crime Complaint Center at http://www.ic3.gov.
February 2005 - Viral Valentines May Cause Heartbreak for PC Owners
Security experts at Sophos are urging computer users to be on
their guard against the threat of viruses disguised as Valentine's
Day greetings. Find out about the latest threats now and ensure
you are protected.
7 February 2005 - Former AOL Employee Pleads Guilty in Customer
Data Theft Case
Former AOL employee Jason Smathers has pleaded guilty to conspiracy
and interstate transport of stolen property for stealing 92 million
customer names and email addresses and selling them to another
individual. Sean Dunaway paid US$28,000 for the data which he
used to promote his gambling sites before selling them to other
spammers; charges against him are pending. Smathers will face
up to two years in prison when he is sentenced on May 20; he will
also be required to reimburse AOL for the cost of fixing the problem,
which is estimated to be between US$200,000 and $400,000.
February 2005 - Proposed 2006 US Budget Calls for Increased IT
President Bush's proposed fiscal 2006 budget designates US$1.685
billion for IT security spending, a 7.2% increase over the previous
year. In addition, cyber security and information sharing are
now cross-agency lines of business.
February 2005 - Bropia-F Worm Spreading
The Bropia-F worm spreads through MSN Messenger and installs a
variant of Agobot on systems it infects, which can be used to
log keystrokes, collect system information and act as a spam relay.
It spreads by offering pictures to IM contacts of infected machines.
Bropia-F affects MSN messenger running on Windows 95, 98, ME,
NT, 2000 and XP.
February 2005 - SAIC Investor Data on Stolen Machines
Several computers containing names, social security numbers and
other personal data belonging to 45,000 current and former Science
Applications International Corp. shareholders have been stolen
SAIC administrative building in San Diego, CA. SAIC has begun
informing those affected by the security breach. There is no evidence
that the thieves were after the data.
February 2005 - Computer Stolen From Car Firm Contained Customer
In a separate story, three computers stolen from an automobile
sales company in Japan's Shiga Prefecture contained data, including
some credit card numbers, belonging to nearly 1,700 customers.
Officials say the data cannot be accessed without passwords.
February 2005 - Harry Potter Fans Targeted in Phishing Scam
Harry Potter author J.K. Rowling has issued a warning to her fans
not to trust any one purporting to be selling electronic copies
of the upcoming sixth installment in the popular series. Ms. Rowling's
lawyers managed to get one phony web site closed down, but it
is likely there will be others. The people behind the scam are
believed to be collecting personal financial data.
February 2005 - Top Ten Viruses for January 2005
Find out which viruses and worms were spreading the most across
internet email systems last month in this hall of shame.
February 2005 - Student Arrested for Allegedly Stealing Test Info
with Keystroke Logger
A Texas high school student has been arrested for allegedly attaching
a keystroke logger to a teacher's computer, stealing test information
and selling that information to other students. The teen was charged
with breach of computer information, a Class B misdemeanor which
carries a sentence of 180 days in jail or a US$2,000 fine. Police
in area school districts sent out alerts about the keystroke logging
device so that teachers could be made aware of the potential problem.
January 2005 NIST Releases Public Draft of Recommendations For
The National Institute of Standards and Technology has published
the final public draft of Special Publication 800-53, Recommended
Security Controls for Federal Information Systems, which will
become a mandatory Federal Information Processing Standard by
the end of 2005. The publication is one of seven that NIST will
produce as required by the Federal Information Security Management
Act. NIST is accepting comments on the draft through Friday, February
January 2005 - Man Arrested for Attempting Tsunami Donations Site
London (UK) police have arrested a man for allegedly trying to
break into the Disasters Emergency Committee tsunami donations
web site. Police are examining the suspect's computer equipment
for evidence of the attempted intrusion. The suspect has been
released on bail.
January 2005 - Trojan Masquerades as Windows Security Fix
An email purporting to be from Microsoft, claims an attachment
will address security vulnerabilities in Windows. The attachment
actually contains a Trojan horse program. The body of the email
contains errors in grammar and spelling, which should clue people
in to the fact that it is phony. Microsoft has encountered this
type of scam often enough that they have devoted a web page to
it, making clear that the company never sends security updates
as email attachments.
January 2005 - Committee Gives Anti-Spyware Bill Top Priority
The House Commerce Committee has given HR29, the Spy Act, high
priority; members hope to get it out of committee in under three
weeks. The bill would require that spyware be easy to identify
and to remove from computers. It would also prohibit the programs
from collecting personal data without the user's express permission
and authorize the Federal Trade Commission to fine violators as
much as US$3 million for each infraction.
24 January 2005 - Financial Services Hardest Hit by Phishers
According to figures from the Anti-Phishing Working Group, there
were 9,019 distinct new phishing attacks in December 2004, a 6%
increase over the number recorded in November. The number of active
phishing sites reported in December was 1,707. Eighty-five percent
of the attacks in December targeted financial services institutions.
January 2005 - Spanish Police Arrest Alleged Webcam Malware Author
Spanish police have arrested a computer programmer who allegedly
wrote malware that allowed him to spy on people with webcams.
The man, identified only by the initials J.A.S., allegedly distributed
his creation over a peer-to-peer file-sharing network in the guise
of a music or picture file. He also allegedly stole online banking
January 2005 - DOJ Nets First two P2P Copyright Theft Convictions
Two men arrested as a result of last summer's Operation Digital
Gridlock have been convicted of copyright theft. William R. Towbridge
and Michael Chicoine each pleaded guilty to one count of conspiracy
to commit felony criminal copyright infringement which carries
a maximum penalty of five years in prison, a US$250,000 fine and
restitution to victims; sentencing is scheduled for April 29.
The men are also required to destroy all copies of copyrighted
software, games, music and movies and the equipment used to create
January 2005 - Two US Citizens on Trial for Piracy in China
Chinese authorities report that two US citizens are on trial for
allegedly selling more than 180,000 counterfeit DVDs, valued at
nearly US$1 million, on the Internet. Two Chinese accomplices
are reportedly on trial as well. Randolph Hobson Guthrie and Abram
Cody Thrush could face 15 years in prison if they are convicted.
A verdict has not been reached in the case.
January 2005 - University of California at San Diego Computers
For the third time in one year, computers containing information
belonging to at University of California San Diego students and
alumni have been breached. The university has been phasing out
the use of Social Security numbers as identifiers, but these computers
were among the last that still contained this data. While there
is no evidence that the data has been used to steal identities,
those whose personal information was compromised have been informed
in compliance with California law. The intruder used the servers
to store music and video files.
January 2005 - Judge Grants Injunction Against Spammers
US District Court Chief Judge Philip M. Pro has granted the Federal
Trade Commission's (FTC's) request for preliminary injunctions
against six companies accused of sending adult-themed spam. The
companies are enjoined from sending out spam for the duration
of the civil suit against them. The FTC alleges that the email
sent by these companies did not have either the required "Sexually
Explicit" labels in their subject lines or a way of opting
out of receiving future email.
16 January 2005 - FBI Arrests Tsunami eMail Scammer
The FBI arrested Matthew Schmieder, who has admitted to sending
out 800,000 unsolicited emails designed to look as if they were
from a charitable organization collecting funds for the tsunami
Schmieder had established a Paypal account to collect the money,
but at the time of his arrest had reportedly received just US$150.
He will face a preliminary hearing this week.
January 2005 - Texas AG Files Suit Against Prolific Spammers
The Texas attorney general has filed a lawsuit against two men
who allegedly run one of the most prolific spam operations in
the world. The federal complaint was filed under the CAN-SPAM
Act, which carries
fines of up to US$250 per violation; the men named in the suit
are also accused of violating two Texas laws that provide for
penalties of up to US$20,000 per violation and US$10 per email
up to US$25,000 a day. The suit names as defendants University
of Texas at Austin student Ryan Samuel Pitylak and Mark Stephen
Trotter of California. The pair allegedly sold the personal information
garnered from phony mortgage refinance offers and other financial
schemes to people for up to US$28 a name. They could face up to
US$2 million in fines if they are convicted.
January 2005 - Gartner Study: Security Spending Tops List of Priorities
A Gartner survey of more than 1,300 CIOs worldwide found that
IT budgets are expected to increase 2.5% this year; security enhancement
tools topped the list of technology priorities.
January 2005 - DHS and Justice Dept. Plan Annual Computer Security
Homeland Security and Justice Department officials plan to conduct
an annual Computer Security Survey to assess the type and frequency
of cyber security incidents. The departments plan to survey 36,000
companies across the country this spring. The data collected could
help in the development of policy and resource allocation both
for the government and for the private sector. The survey is being
reviewed by a number of groups, including the FBI and the President's
Information Technology Advisory Committee, before it is used.
January 2005 - Former Teledata Employee Gets 14 Years for Identity
A New York judge has sentenced former Teledata employee Philip
Cummings to 14 years in prison for identity theft. Mr. Cummings
used his position as a Teledata helpdesk employee to steal customer's
reports which he sold to other criminals. Mr. Cummings will also
have to pay compensation which has not yet been determined, though
losses associated with the theft are estimated to be as much as
US$100 million. Several accomplices in the crime are still on
January 2005 - Hacker Gets Data on Students and Staff at George
A hacker compromised a Windows server and gained access to social
security numbers and other private information of thousands of
students and staff at George Mason University. The university
is one of the
Centers of Excellence in Information Security designated by the
10 January 2005 - Software Pirate Sentenced to 18 Months in
A US federal judge has sentenced Kishan Singh to 18 months in
prison on a charge of copyright infringement. Singh operated a
"pay-for-access" website on which he sold pirated copies
of business software. Under the plea agreement, Singh and the
US prosecutor agreed that the value of the software was between
US$70,000 and US$120,000. Singh has also been ordered to forfeit
the computer equipment he used in the commission of his crime.
January 2005 - BSA Wants Copyright Law Revamped for Prosecuting
The Business Software Alliance has released a white paper outlining
legislative suggestions that would make it easier to prosecute
Internet pirates. In the paper, the BSA maintains that the recent
court decisions have created an "impediment to effective
enforcement" of the Digital Millennium Copyright Act.
January 2005 - Cyber Scams Prey on Tsunami Donors
The FBI says that cyber scam artists are preying on people's efforts
to help the Tsunami victims. There have been reports of sites
being set up allegedly to collect donations, but which actually
place a Trojan
horse program on the computers of users who visit the site. The
FBI advises going directly to sites of known charities to make
donations and verifying the legitimacy of nonprofit organizations.
January 2005 - AntiSpyware Legislation Reintroduced in House
US Representative Mary Bono (R-Calif.) has reintroduced legislation
that could levy fines of up to US$3 million for companies that
make software that steals personal information from computers
or hijacks people's browsers. The Securely Protect Yourself Against
Cyber Trespass Act, or SPY ACT, would require users to give permission
before software is downloaded onto their computers. It also prohibits
software from changing default browser pages, altering security
settings, logging keystrokes and delivering advertisements that
cannot be closed without ending browser sessions or turning off
January 2005 - Google Search Leads to Security Webcams
A simple, well-crafted Google search can provide access to numerous
security webcams, many of which are presumed private. Webmasters
should keep the webcam pages password protected and use the robots.txt
file to instruct Google and other search engines indicating that
the directory should not be spidered. http://www.vnunet.com/news/1160289
January 2005 - "Spam King" to Refrain From Sending Ads
Stanford Wallace, the alleged "Spam King," has reached
an agreement with the Federal Trade Commission to refrain from
sending unsolicited advertisements until a federal case against
him has been resolved. Under the terms of the agreement, Wallace's
companies may send the ads
only to people who actually visit the companies' websites. The
government alleges that Wallace planted spyware on people's computers
that caused them to be deluged with spam; he then offered to sell
he claimed would fix the problem, but they proved ineffective.
January 2005 - eBay Discontinues Use of Microsoft's Passport
eBay has informed its customers that it will no longer allow them
to sign on using Microsoft's Passport web identity service, which
allows users to store information like passwords and credit card
data to be used on the Internet. An eBay spokesman said very few
customers used Passport to sign on regularly. Passport has met
with resistance, as evidenced by the formation of the Liberty
Alliance, which hoped to
develop standards for identity authentication on the Internet
and promote alternatives to Passport. Microsoft has announced
that it will no longer market Passport to third parties, but will
continue to stand
behind Passport, using it for MSN and their partners and providing
support to third party sites that continue to use the service. http://www.computerworld.com/printthis/2005/0,4814,98677,00.html
2 January 2005 - 2004 Cyber Threat Wrap-Up and Trends
Security threats of all kinds have increased significantly over
the past year. Phishing attacks grew 30% a month according to
the Anti-Phishing Working Group, and the number of botnets, that
has fed the spam problem, increased. What has dwindled, however,
is the number of worms written simply for the glory of seeing
how quickly and widely it can spread. Instead, malware writers
are turning an eye to financial gain. Also new in 2004 was Cabir,
the first mobile phone worm that uses wireless protocol to spread
itself. On the bright side, 2004 was a good year for apprehending
and prosecuting cyber criminals: eight virus writers were arrested
and two sites used to trade stolen credit card numbers were shut
January 2005 - Microsoft Wins US$7.4 Million Civil Suit Against
Microsoft has filed notice in Pima County (AZ) Superior Court
that is has won a US$7.4 million civil judgment in King County,
Washington, against Glenn Hannifin. Microsoft says that Hannifin
has sent millions of spam emails. The lawsuit claims that Hannifin
violated both federal and Washington state anti-spam laws. http://www.dailystar.com/dailystar/dailystar/55002.php