Thursday, January 18, 2007

Boeing Employee Fired After Laptop With Employee Info Is Stolen

The employee violated company policy by downloading the information onto the laptop and not encrypting it, according to a Boeing spokesman.

Boeing has fired an employee whose stolen laptop contained identifying information on 382,000 current and former employees.

The employee, who hasn't been identified, was fired because he violated company policy by downloading the information onto the laptop and not encrypting it, says Tim Neale, a spokesman for Boeing. The laptop, which had been taken out of the office, was stolen the first week of December, he added.

This was the third laptop theft in two years that resulted in lost employee data at Boeing. This latest missing laptop contained the names, Social Security numbers, and in some instances the home addresses of both current and former (mostly retired) employees.

The theft is under investigation.

"This was somebody who was authorized to be working with the data," says Neale. "The company policy discourages people from saving those types of files with personnel info to their laptop. We encourage people to work off the server, which would keep the information behind the firewall. If you do download the information onto a laptop, it's supposed to be temporary and the information is supposed to be encrypted."

Neale adds that the employee "had fair warning" because after the other laptop theft incidents, Boeing managers had made sure that everyone working with employee data was educated about the rules.

"If there's any good piece of news in all of this, it's the fact that [the laptop] was not turned on," said Neale. "Whoever may have that computer would have to know or figure out the user's password to get into the files."

On Thursday, Boeing's president and CEO Jim McNerney sent an e-mail about the data loss to the company's 156,000 employees. The memo was printed in The Seattle Times. Neale confirmed the memo's legitimacy.

"I've received many e-mails over the past 24 hours from employees expressing disappointment, frustration, and downright anger about yesterday's announcement of personal information belonging to thousands of employees and retirees being on a stolen computer. I'm just as disappointed as you are about it," McNerney wrote. "I know that many of us feel that this data loss amounts to a betrayal of the trust we place in the company to safeguard our personal information. I certainly do."

McNerney also told employees he believes it was a petty theft and not an attempt at identity theft.

The company is providing credit monitoring services to affected employees for the next three years.


Brief: Cybersaboteur Sentenced To Eight Years

Former systems administrator took down ex-employer's servers.

The former systems administrator convicted in July of launching a cyberattack on UBS PaineWebber four years ago was sentenced to 97 months in jail in U.S. District Court in Newark, N.J., last week. Roger Duronio, 64, stood impassive as Judge Joseph Greenaway Jr. handed down the sentence. "This wasn't an instance when an individual argues that 'I had a bad day, and I made a mistake,'" said the judge.

Duronio was found guilty of computer sabotage and securities fraud for planting a so-called logic bomb that took down as many as 2,000 servers in UBS PaineWebber's central data center in Weehawken, N.J., and in branch offices around the country.


Outsourcing Security Doesn't Mean You're Desperate

Handing over security to a service provider just might be the best way to stay safe.

On the surface, giving the security of your networks, systems, and data over to someone else seems like a desperate move--an acknowledgement that the threats are more than you can handle. The reality is that tapping into a service provider might be the best way to protect your company and comply with the latest government regulations.

One caveat: Do your homework. You must know what's in your networks, systems, and databases and clearly define how the service provider is going to help your company meet its security and compliance needs. You also must be sure the service provider is financially stable before trusting it to manage intrusion detection and prevention, log analysis, firewall, or other security services.

Offload Agenda

Lack of resources and expertise is most often the reason for subscribing to security services. "In the security world, it's a game of catch-up. I couldn't possibly throw enough resources at it internally," says Ken Emerson, director of strategic planning and CIO at Boiling Springs Savings Bank in New Jersey. He tapped Perimeter Internetworking to manage e-mail security and an intrusion-detection system. "I didn't feel like I had the necessary knowledge on my staff, especially with the rapidly growing volume of spam," he says.

Emerson thoroughly checked Perimeter and found it had passed the Statement on Auditing Standards No. 70, a standard set by the American Institute of Certified Public Accountants that requires an in-depth audit of a service provider's control activities. "The other outsource firms I looked at didn't have SAS 70 certification," Emerson says. "I'm not going to have depositors if I can't protect their information."

After Boiling Springs signed with Perimeter, a worm got into a PC at one of its branches. Perimeter notified the bank so it could shut down the infected computer, Emerson says.

Kettering Medical Center Network, a group of 50 health care facilities around Dayton, Ohio, turned to managed security services to augment its internal IT security resources, particularly the time-consuming task of sifting through data collected by its Check Point Software Technologies and Cisco Systems firewalls, which protect remote physicians' offices that are part of the Kettering network.

Kettering owns the network security equipment, but for the last two years it has had Symantec collect and analyze data from firewall logs. "We need to be concerned if someone is trying to do a port scan against our systems or if our network contains ad bots or spy bots trying to communicate out," says Bob Burritt, Kettering's IS network and technology manager.


Phishers' Latest Platforms: VoIP, SMS

Phishers have branched out beyond e-mail, a security researcher said, and are now exploring both VoIP and text messaging as attack avenues.

Voice over IP is attractive to identity fraudsters, said Zulfikar Ramzan of Symantec's Advanced Threat Research group, in a company blog entry Tuesday, because it's an affordable way to dial large numbers of phone numbers. Dubbed "vishing" for voice phishing, "such attacks can be conducted cheaply enough that phishers might see a sufficient return on their investment," Ramzan said. Phishers substitute phone numbers for URLs in traditional e-mailed come-ons or dial consumers directly, circumventing e-mail entirely.

Another tactic, said Ramzan, is "smishing," for SMS phishing. "A victim might receive a phone [text] message saying that he or she will be charged $x per day if a fictitious order at a particular Web site isn't cancelled," he said. "In a panic, the victim then visits the site to cancel the order [but] in the process the victim will end up with malicious software on his or her machine."

Symantec also has accumulated evidence that shows that some phishers are collecting user names and passwords fast enough to defeat two-factor authentication number generators and are using one-time, quickly disposed URLs to avoid site blacklisting, a common anti-phishing technique.

"Phishers have demonstrated that they really mean business," Ramzan said. "Their attacks have become more frequent, more varied, and quite frankly more innovative. We must continuously out-innovate them and persistently redouble our efforts."


Prosecutors: Medco 'Bomber' Would Have Wreaked Havoc

Former systems administrator, charged with planting a logic bomb on prescription manager's network, pleads not guilty in federal court

A former systems administrator at Medco Health Solutions is being charged for allegedly writing and planting malicious code that could have crippled a network that maintained health care information on customers. A co-worker found the so-called logic bomb before it went off.

Yung-Hsun Lin, 50, of Montville, N.J., pleaded not guilty on Jan. 3 to two counts of computer fraud. If convicted, he could face 20 years in prison and a fine of $500,000, $250,000 for each charge.

Had the logic bomb gone off, prosecutors say, it would have eliminated pharmacists' ability to know whether Medco customers' new prescriptions would interact dangerously with their current prescriptions. It also would have damaged the company financially, they say.

Lin, who is known as Andy Lin, had access to the company's network of about 70 HP Unix servers, according to the indictment. The network handled Medco's billing, corporate financial, and employee payroll information, as well as the Drug Utilization Review, a database of patient-specific information on conflicting drug interactions.

"The potential impact, had it gone off, would have been devastating. And more so, it would have been devastating to patients," said Assistant U.S. Attorney Erez Lieberman in an interview. "Taking a logic bomb and putting it in a system where it could not just cause financial harm but could also harm databases, which he knows and administers, that affect patient drug information adds to the enormity of the situation." Lieberman will prosecute the case, along with Assistant U.S. Attorney Marc Ferzan, in U.S. District Court in Newark, N.J.

According to the indictment, Lin created the malicious code early on Oct. 3, 2003, just days before a planned layoff. Medco, which had just been spun off from Merck & Co., was going through a restructuring. The Medco Unix group was merging with the e-commerce group to form a corporate Unix group, the government says.

Several systems administrators were laid off on Oct. 6. Lin was not one of them.

The indictment points out that during the month before the layoffs were made, Lin sent out e-mails discussing the anticipated layoffs. In one message, he indicated he was unsure whether he would survive the downsizing, according to government documents.

The logic bomb was set to deploy on April 23, 2004, Lin's birthday. But it failed to take down the servers that day, prosecutors say, because of a coding error. Lin allegedly modified the code in September 2004, resetting it to go off on April 23, 2005.

However, on Jan. 1, 2005, an unidentified co-worker investigating a system error discovered the malicious code embedded with other scripts on the Medco servers. The company's IT security team "neutralized" the code, the government says.

Lin's arrest last month came just a week after Roger Duronio, 64, of Bogota, N.J., received the maximum sentence of eight years and one month in prison for building and disseminating a logic bomb at his former employer, UBS PaineWebber. Prosecutors from the U.S. Attorney's Office in Newark also handled that case, and six years ago they prosecuted the very first computer sabotage case. Tim Lloyd was found guilty in 2000 of planting a logic bomb that took down the network he helped build at Omega Engineering.

A trial date has not been set for Lin, who is free on bail. In a previous court appearance, Lin's attorney said the government's case was based on a bias against Asians. That attorney is no longer representing Lin, and his new attorney, Kevin Marino of Marino & Associates, says he has "no reason to suspect a bias of any kind."


U.S. financial transactions database delayed

Program to monitor cross-border transfers not feasible before 2010

January 17, 2007 (IDG News Service) -- A proposed database that would keep track of hundreds of millions of money transfers in and out of the U.S. will not be ready by the original target date of late this year, according to a report issued by the U.S. Department of the Treasury Wednesday.

The program to monitor cross-border electronic funds transfers -- targeted at cutting off funding for terrorism -- isn't feasible before March 2010, according to the report, issued by the Treasury Department's Financial Crimes Enforcement Network (FinCEN). The Treasury Department's goal had been to have the program running by December after the U.S. Congress authorized it in the Intelligence Reform and Terrorism Prevention Act of 2004.

The program would collect between 350 million and 500 million funds transfer reports each year, FinCEN estimates.

The cost of the technology needed to implement the program, both to U.S. banks and to the U.S. government, is a "significant concern," the FinCEN report said. FinCEN estimated the development costs to be $32.6 million to the U.S. government, including nearly $3 million for servers and other hardware and $4.4 million for software, including a relational database management system and online analytical processing tools.

FinCEN estimated the project would require spending $1.5 million for hardware and software maintenance over three years and $800,000 for vendor support services.

Members of the American Bankers Association (ABA) "remain unconvinced that FinCEN would be able to substantially benefit" from the program, wrote Richard Riese, director of the ABA's Center for Regulatory Compliance, in a letter to FinCEN last April. A requirement to track cross-border fund transfers would "require substantial changes to U.S. payment systems," the letter said.

The FinCEN report says, however, that such a tracking system is feasible, if the Treasury secretary "determines that reporting of such transmittals is reasonably necessary to conduct the [agency's] efforts against money laundering and terrorist financing." However, it would take FinCEN about three and a half years to develop the program, the report said.

FinCEN will put together a development plan and permit pilot programs for the system, the report said.

The surveillance program would require banks and other U.S. financial institutions to report any cross-border funds transfer of more than $3,000. The 2004 intelligence reform law required the Treasury Department to study the feasibility of such a program.


DOJ: Surveillance program now court-approved

FISA judge OKs previous warrant-dodging NSA program

January 17, 2007 (IDG News Service) -- A controversial surveillance program to wiretap telephone and Internet communications in and out of the U.S. will now fall under the jurisdiction of a U.S. court, the Department of Justice (DOJ) said Wednesday.

A judge with the secret U.S. Foreign Intelligence Surveillance Act (FISA) court on Jan. 10 authorized the U.S. government to wiretap phone or Internet communications involving suspected members of al Qaeda or other terrorist organizations, the DOJ said. The FISA-approved surveillance would replace the Terrorist Surveillance Program at the National Security Agency (NSA), authorized by U.S. President George Bush in 2002 to create wiretaps without court-issued warrants.

The FISA ruling will allow the surveillance program to essentially continue as it has, only with court approval, a senior DOJ official said. Under the NSA program, U.S. agents were allowed to wiretap Internet and telephone communications into and out of the U.S. in which one participant was suspected to be linked to al Qaeda.

Civil liberties groups had protested the NSA program, saying its lack of court oversight violated the U.S. Constitution. The Electronic Frontier Foundation (EFF) has filed a lawsuit against AT&T Inc. for allegedly participating in the NSA program, and in August, a U.S. district judge in Michigan ruled the NSA program was illegal.

Bush is "committed to using all lawful tools to protect our nation from the terrorist threat," U.S. Attorney General Alberto Gonzales wrote in a Wednesday letter to members of the U.S. Congress. "Although ... the Terrorist Surveillance Program fully complies with the law, the orders the government has obtained will allow the necessary speed and agility while providing substantial advantages," Gonzales wrote.

Bush will not reauthorize the old NSA program when it expires sometime in the next 45 days, the senior DOJ official, who requested anonymity, said Wednesday. But the FISA-authorized program will have the same capability as the old program, the official said.

The FISA court will approve wiretap requests for 90 days at a time, the DOJ official said. The court will have authority to review individual wiretap requests, but the DOJ official declined to provide specific information about how the FISA program will work.

Bush administration officials denied that the FISA court acted to provide political and legal cover for the NSA program, but the DOJ official said the FISA ruling will allow Congress to step back and look at the wiretap program without legal questions hanging over it. The FISA ruling "should take some of the political heat off the debate," the DOJ official said.

The EFF didn't have an immediate comment on the FISA decision.


Retail breach may have exposed card data in four countries

TJX discloses network intrusion, says full extent of info theft not yet known

Jaikumar Vijayan   

January 17, 2007 (Computerworld) -- The credit and debit card data of a large number of shoppers in the U.S., Puerto Rico and Canada, and possibly in the U.K. and Ireland, may have been compromised as the result of a hacking incident at The TJX Companies Inc. last month.

According to a statement issued today by the Framingham, Mass.-based retailer, the network intrusion took place in mid-December and involved systems used to process credit, debit, check and merchandise-return transactions at its TJ Maxx, Marshalls, HomeGoods and A.J. Wright stores in the U.S. and Puerto Rico.

Also affected was customer transaction data from TJX's Winners and HomeSense stores in Canada, the company said. Data collected at its T.K. Maxx stores in the U.K. and Ireland, and at its Bob's Stores unit in the U.S., may have been put at risk as well.

"While TJX has specifically identified some customer information that has been stolen from its systems, the full extent of the theft and affected customers is not yet known," the company said in its statement.

Credit and debit card data involving transactions processed during 2003 and between May and December of last year may have been accessed as part of the intrusion, according to TJX. The company said that thus far, it has identified "a limited number" of cardholders whose data was removed from its systems. All major card brands accepted by TJX have been affected, including Visa, MasterCard, American Express and Discover.

In addition, the retailer said it has identified "a relatively small number" of customers whose driver's license information was also stolen from the compromised systems. No information was released on the total number of people that might have been affected by the breach. Neither did TJX disclose any details on how exactly the intruder gained access to the systems and the data.

TJX said it has hired IBM and General Dynamics Corp. to "monitor and evaluate" the intrusion, and to help the company identify the extent of the data compromise. Both vendors also are helping TJX shore up its security following the breach, the retailer said without specifying what measures have been taken in that regard.

The company added that it has notified the U.S. Department of Justice and Secret Service, and the Royal Canadian Mounted Police, of the data breach and "provided all assistance requested" by the law enforcement agencies in an attempt to help track down the perpetrators. The major credit card companies have been notified as well.

In an e-mailed statement, Rosetta Jones, a vice president at Visa U.S.A. Inc., said the credit card company is working with law enforcement officials and TJX to investigate the compromise. "Visa has provided the affected accounts to financial institutions so they can take steps to protect consumers," Jones said. "In addition, Visa is risk-scoring all transactions in real time, helping card issuers better distinguish fraudulent transactions from legitimate ones."

A call seeking comment from MasterCard International Inc. hadn't been returned as of posting time.

TJX has set up toll-free numbers for customers who may have concerns regarding the breach. U.S.-based customers can call 866-484-6978. The number for customers in Canada is 866-903-1408, while those in the U.K. and Ireland can call 0800-77-90-15.

The breach at TJX appears to be the most significant one at a retailer since a compromise at an unidentified company -- widely believed to be OfficeMax Inc. -- led to a worldwide outbreak of debit card fraud last March. As a result of that incident, banks and credit unions, including Bank of America Corp., Wells Fargo Bank and Washington Mutual Bank, were forced to cancel and reissue tens of thousands of cards.

Since then, the credit card companies have been aggressively trying to get retailers to adopt the Payment Card Industry Data Security Standard, which requires all entities handling credit and debit card data to implement different levels of prescribed security measures based on the number of transactions they process each year.

A major component of the PCI standard is a requirement that forbids retailers from storing credit and debit card data on point-of-sale systems. All retailers must ensure that their POS systems are purged of such information, which includes magnetic stripe, PIN and card verification value data, by next September.


Dutch prosecutors seek jail time for botnet duo

Phishing, extortion, and keylogging merit more than a fine

Jeremy Kirk   

January 17, 2007 (IDG News Service) -- Dutch prosecutors are pursuing jail terms for two men charged in a large-scale computer hacking scheme in which more than 1 million computers may have been infected with adware and other malicious programs.

The case is the biggest cybercrime case prosecuted so far in the Netherlands, said Desiree Leppens, spokeswoman for the organized crime branch of the National Public Prosecution Service in Rotterdam.

During a one-day trial that ended Tuesday, prosecutors showed how at least 50,000 computers were infected by the two defendants, who are 20 and 28 years old. Police have not released their names.

The pair used a malicious program called "Toxbot," a worm that can be used to gain remote control of a computer and log keystrokes, prosecutors said.

Prosecutors also charge that the defendants threatened an advertising software maker, 180Solutions Inc., now renamed Zango Inc., with a denial-of-service attack after a dispute over payment. Zango settled with the Federal Trade Commission in November for $3 million after concern that distributors of its software were installing it on people's computers without their consent, often by exploiting vulnerabilities in operating systems or Web browsers.

Prosecutors also allege the pair were involved in phishing schemes, where fraudulent Web sites are constructed to harvest personal information such as bank-account or credit-card details. The two used a Trojan horse called "Wayphisher", which on an infected machine can redirect a Web site request from a legitimate bank site to a phishing site.

Prosecutors want a three-year sentence for the 20-year-old and two years for the 28-year-old, and each to pay $38,000 to the Dutch government, Leppens said. A judge will return a verdict in the case on Jan. 30.

Four others involved in the ring who are facing lesser charges will go to trial later this year, Leppens said.

The various schemes caused at least $76,000 in losses to victims, through online purchases and other actions, Leppens said.


U.S. agencies given deadline for smart ID testing

Smart-card samples must be submitted by Friday to meet security directive

Jaikumar Vijayan