Surprise! Crime is going up in a bad economy!

Report says online crime surging in recession

By Jason Szep

Reuters
Monday, March 30, 2009; 3:53 PM

BOSTON (Reuters) – Fraud on the Internet reported to U.S. authorities increased by 33 percent last year, rising for the first time in three years, and is surging this year as the recession deepens, federal authorities said on Monday.

Internet fraud losses reported in the United States reached a record high $264.6 million in 2008, according to a report released on Monday from the Internet Fraud Complaint Center, run by the FBI and the National White Collar Crime Center.

Online scams originating from across the globe — mostly from the United States, Canada, Britain, Nigeria and China — are gathering steam this year with a nearly 50 percent increase in complaints reported to U.S. authorities in March alone.

“2009 is shaping up to be a very busy year in terms of cyber-crime,” the report’s author, John Kane, told reporters in a telephone briefing.

Last year’s losses compared with $239.1 million in 2007 and dwarfed the $18 million in losses of 2001.

The most common complaint of 2008 was non-delivery of promised merchandise, followed by auction fraud, credit card fraud and investment scams, according to the report.

Of 275,284 complaints received by the center in 2008, some 72,940 were referred to U.S. law enforcement agencies for prosecution. Those referrals spiked this year with 40,000 in the first quarter alone, said Kane.

“It is our belief that these numbers, both the complaints filed and the dollars, represent just a small tip of the iceberg,” said Kane, managing director of the National White Collar Crime Center in Richmond, Virginia.

UNDERREPORTED CRIME

“Our own research suggests that as few as 15 percent of cases of cyber-fraud are being reported to crime control agencies,” he said.

Scammers in the United States comprised 66 percent of complaints referred to authorities, followed by Britain at 11 percent, Nigeria 7.5 percent, Canada 3 percent and China 1.6 percent. Within the United States, the bulk originated in California (16 percent), followed by New York and Florida.

Fraudulent sales on online auction sites like eBay Inc and classified sites like craigslist.com contributed to a 32 percent rise in the hottest area of online fraud — non-delivery of promised merchandise, the report said.

That area alone made up about 33 percent of all complaints serious enough to be referred to law enforcement.

Other important areas included investment scams such as mini-versions of the $65 billion Ponzi scheme committed by New York financier Bernard Madoff in which money from new investors is used to pay existing investors.

About 74 percent of the scams were through e-mail messages last year, especially spam, while about 29 percent used websites. But criminals were increasingly tapping new technologies such as social networking sites and instant messenger services, said Kane.

The report highlights one new “significant” identity-theft scam involving e-mail messages that give the appearance of originating from the FBI but seek bank account information to help in investigations of money being transferred to Nigeria. Recipients of the e-mails are told they could be richly rewarded by cooperating.

The report said almost 80 percent of known perpetrators of online scams are male. Of those bringing complaints, nearly half are between the ages of 30 and 50. The median dollar loss was $931 per complaint, although the median losses for check fraud reached $3,000 and that for investment scams was $2,000.

(Editing by Bill Trott)

Brother can you spare $100,000,000?

File this under “It really is less expensive to prevent an attack than to pay for cleaning up after an attack.”

Pentagon spends $100 million to fix cyber attacks

WASHINGTON – The Pentagon spent more than $100 million in the last six months responding to and repairing damage from cyber attacks and other computer network problems, military leaders said Tuesday.

Air Force Gen. Kevin Chilton, who heads U.S. Strategic Command, said the military is only beginning to track the costs, which are triggered by constant daily attacks against military networks ranging from the Pentagon to bases around the country.

“The important thing is that we recognize that we are under assault from the least sophisticated — what I would say the bored teenager — all the way up to the sophisticated nation-state, with some pretty criminal elements sandwiched in-between,” said Chilton, adding that the motivations include everything from vandalism to espionage. “This is indeed our big challenge, as we think about how to defend it.”

According to Army Brig. Gen. John Davis, deputy commander for network operations, the money was spent on manpower, computer technology and contractors hired to clean up after both external probes and internal mistakes. Strategic Command is responsible for protecting and monitoring the military’s information grid, as well as coordinating any offensive cyber warfare on behalf of the U.S.

Officials would not say how much of the $100 million cost was due to outside attacks against the system, versus viruses and other problems triggered accidentally by Defense Department employees. And they declined to reveal any details about suspected cyber attacks against the Pentagon by other countries, such as China.

Speaking to reporters from a cyberspace conference in Omaha, Neb., the military leaders said the U.S. needs to invest more money in the military’s computer capabilities, rather than pouring millions into repairs.

“You can either pay me now or you can pay me later,” said Davis. “It would be nice to spend that money proactively … rather than fixing things after the fact.”

Officials said that while there has been a lot of anecdotal evidence on the spending estimate, they only began tracking it last year and are still not sure they are identifying all the costs related to taking computer networks down after a problem is noticed.

The Pentagon has acknowledged that its vast computer network is scanned or probed by outsiders millions of times each day. Last year a cyber attack forced the Defense Department to take up to 1,500 computers off line. And last fall the Defense Department banned the use of external computer flash drives because of a virus threat officials detected on the Pentagon networks.

The cost updates come as the Obama administration is completing a broad government-wide review of the nation’s cybersecurity.

The twits tweeting on Twitter...

So I know this post will be very unpopular among many of my social marketing friends who feel that Twitter is the best thing since sliced bread. I will admit that while I find most technologies coming out today fairly useful, I could not find any useful purpose for Twitter in my daily life. Until today....

Electronic Surveillance

When you are trying to pull off an attack, any attack, the first thing you have to do is gain as much intelligence about your target as you can. When performing a social engineering attack, we have to find as much information about our victim employees as possible. If I am going to successfully trick you into clicking an unsolicited email, I must send you an email that will pique your interest. Before, this involved scouring websites, forums, and social networking sites. While these were very useful, they could be static: you were into cars six months ago, but now not so much. The key to a successful social engineering based attack is simple: if you know enough information, the victim will never suspect you are an attacker.

So what is Twitter? It is a micro-blog that only allows 140 characters at a time, so people are forced to blog on very small, timely subjects. From what they ate for breakfast to current events, “Tweets” are frequent and the subjects are far reaching. This can be likened to a cyber glimpse into someone’s life, and that is a dream for a malicious attacker. If I as an attacker am trying to find information about you that I can use, then Twitter becomes a must read for me. Granted, what song you’re listening to may not seem like a security issue. Remember, a successful social engineering attack convinces you I am someone harmless. Sending an email from the Hannah Montana fan club saying to join may not be a draw for a lot of people, but if I find that employee who is tweeting about Hannah Montana, then I have found my ticket in.

The key to gathering successful intelligence is first linking the employee’s business information to a personal identity. Twitter can again help. If I am trying to find information on a Dr. Jane Doe who is a chemical engineer, I do a search for a Jane Doe on Twitter, and if I find a tweeter who is tweeting about working on a chemical molecule, chances are I have found a match. From there I would look at her handle and see if that handle is used anywhere else on the internet.

Tweeter to a Jailbird

Your employees are twittering; do you know what they are saying? Have they said anything negative about your company? Have they let out any company/trade secrets? I did a Twitter search for “layoffs” and check out some of these hits I found. (These are hits from within the last hour.)

“I can’t “publicly” confirm or deny any layoffs. You will see a press release soon on Q1 results with details contained therein. “
My co. offered 65 + 5 yrs. employees or 20 yr. employees a BUYOUT that sucks. Insulting offer. I sense layoffs are coming next.
“Just entered the ranks of the unemployed!!! Layoffs at *****! Couldn’t have come on a brighter, sunshiney-er day!!! “
“They have bhind scenes. So far I’m ok but they can’t cut too much from me. We knew layoffs in works. Fred always said he wouldn’t “

Most companies have a procedure in place to determine what company information is released, when it is released, and who releases it. I find it highly unlikely that these tweets were approved by the company’s management as official statements from the company. Let’s think about other instances: is your company about ready to release a new offering that is secret right now? Do you have an expected new offering that has some issue? Were your financials not quite where they were expected?

If your company is a publicly traded company, tweets of secret information could be seen as insider information. At that point you better have a PDA that will survive 5-7 years (with good behavior :) ).

Plugging the holes

Again, as with many security fixes, it comes down to your end-user employees: security awareness training and proper policies put in place. Have policies that state what business information should not be released by unauthorized employees in any form. Make sure your employees know the risks of tweeting business information and ensure these policies are enforced.

Senate Legislation Would Federalize Cybersecurity

Rules for Private Networks Also Proposed

By Joby Warrick and Walter Pincus
Washington Post Staff Writers
Wednesday, April 1, 2009; A04

Key lawmakers are pushing to dramatically escalate U.S. defenses against cyberattacks, crafting proposals that would empower the government to set and enforce security standards for private industry for the first time.

The proposals, in Senate legislation that could be introduced as early as today, would broaden the focus of the government’s cybersecurity efforts to include not only military networks but also private systems that control essentials such as electricity and water distribution. At the same time, the bill would add regulatory teeth to ensure industry compliance with the rules, congressional officials familiar with the plan said yesterday.

Addressing what intelligence officials describe as a gaping vulnerability, the legislation also calls for the appointment of a White House cybersecurity “czar” with unprecedented authority to shut down computer networks, including private ones, if a cyberattack is underway, the officials said.

How industry groups will respond is unclear. Jim Dempsey, vice president for public policy at the Center for Democracy and Technology, which represents private companies and civil liberties advocates, said that mandatory standards have long been the “third rail of cybersecurity policy.” Dempsey said regulation could also stifle creativity by forcing companies to adopt a uniform approach.

The legislation, co-sponsored by Senate Commerce Committee Chairman John D. Rockefeller IV (D-W.Va.) and Sen. Olympia J. Snowe (R-Maine), was drafted with White House input. Although the White House indicated it supported some key concepts of the bill, there has been no official endorsement.

Many of the proposals were based on recommendations of a landmark study last year by the Center for Strategic and International Studies.

Currently, government responsibility for cybersecurity is split: The Pentagon and the National Security Agency safeguard military networks, while the Department of Homeland Security provides assistance to private networks. Previous cybersecurity initiatives have largely concentrated on reducing the vulnerability of government and military computers to hackers.

A 60-day federal review of the nation’s defenses against computer-based attacks is underway, and the administration has signaled its intention to incorporate private industry into those defenses in an unprecedented way.

“People say this is a military or intelligence concern, but it’s a lot more than that,” Rockefeller, a former intelligence committee chairman, said in an interview. “It suddenly gets into the realm of traffic lights and rail networks and water and electricity.”

U.S. intelligence officials have warned that a sustained attack on private computer networks could cause widespread social and economic havoc, possibly shutting down or compromising systems used by banks, utilities, transportation companies and others.

The Rockefeller-Snowe measure would create the Office of the National Cybersecurity Adviser, whose leader would report directly to the president and would coordinate defense efforts across government agencies. It would require the National Institute of Standards and Technology to establish “measurable and auditable cybersecurity standards” that would apply to private companies as well as the government. It also would require licensing and certification of cybersecurity professionals.

The proposal would also mandate an ongoing, quadrennial review of the nation’s cyberdefenses. “It’s not a problem that will ever be completely solved,” Rockefeller said. “You have to keep making higher walls.”

Last week, Director of National Intelligence Dennis C. Blair told reporters that one agency should oversee cybersecurity for government and for the private sector. He added that the NSA should be central to the effort.

“The taxpayers of this country have spent enormous sums developing a world-class capability at the National Security Agency on cyber,” he said.

Blair acknowledged there will be privacy concerns about centralizing cybersecurity, and he said the program should be designed in a way that gives Americans confidence that it is “not being used to gather private information.”

http://www.washingtonpost.com/wp-dyn/content/article/2009/03/31/AR2009033103684_pf.html