Thursday, November 27, 2008

The World Bank has effectively dumped a vice president who served as its chief information officer while it scrambles to deal with a series of embarrassing hacker attacks, which were first reported on Foxnews.com.

Robert Van Pulley, a computer security director, will take responsibility for the institution’s embattled information system “effective immediately and until more permanent arrangements are in place,” according to an e-mail sent to staffers Tuesday evening by Juan Jose Daboub, one of three managing directors at the World Bank.

Van Pulley will report to a new executive council on computer security that includes Daboub and two other top World Bank officials. He replaces World Bank Vice President Guy-Pierre De Poerck, who was not mentioned in Daboub's e-mail and whose fate remains unclear.

World Bank officials would say Wednesday only that De Poerck's employment had not changed; they declined to offer any further information.

Daboub’s internal announcement also said the World Bank was launching a "comprehensive external review" of its information systems, including its "security-related technology, protocols and guidelines for securing business and information within the Bank Group.”

FOXNews.com has reported that the World Bank Group's network — one of the largest repositories of sensitive data about the economies of every nation — had been raided repeatedly by outsiders for more than a year.

Click here to read "World Bank Under Cyber Siege."

Sources inside the bank also told FOXNews.com that servers in the institution's highly restricted Treasury unit were deeply penetrated with spy software, and that the invaders also had full access to the rest of the bank's network for nearly a month in June and July. At least six major breaches have been detected at the World Bank since the summer of 2007, with the most recent breach occurring just last month.

Daboub’s announcement repeated earlier World Bank claims that the institution has found “no evidence that these hacker attacks have compromised protected Treasury, Human Resources, Procurement and Institutional Integrity systems.”

But the note acknowledged what it called a recent “inadvertent” posting of confidential information on a publicly accessible Web site that included names and bank accounts for a number of World Bank staffers.

Other observers asked if the World Bank had done or was doing enough to address the problem.

“This is like locking the barn door after the horse -- and the key -- have been stolen,” said Bea Edwards, International Program Director for the Government Accountability Project (GAP). “It’s a cosmetic fix. The bank’s information system has been breached repeatedly for months, and may need a massive overhaul.”

The GAP posted a copy of Daboub’s announcement on its website.

posted @ 2:11 PM

Luxottica Retail, the former owner of the Things Remembered stores, seems to have forgotten to put the right amount of security on the company mainframe.

The red-faced retailer has admitted that more than 59,000 of its former workers could be affected after a huge security breach.

A routine check by the information technology department discovered that a hacker had been inside a computer mainframe and downloaded the personal information of more than 59,000 former workers.

The victims are all over the US and will have lost names, addresses and Social Security numbers to the hacker.

However the cyber-raider cannot have been all that clued up either. Investigators were allegedly able to trace the hacker’s IP address to one Molly Burns.

The 30-year-old has a five-page long arrest record that includes theft, forgery and drug charges.

Inspector Knacker of the Arizona Yard swooped on her apartment during a heroin raid earlier this year and already has a number of her computers at the station.

Investigators are now waiting on the results of a forensics examination of the computers in the hope of finding some of the Luxottica files.

Burns apparently didn’t hang around to answer the coppers' questions. She has apparently legged it.

Three different police departments in Arizona are also looking for her so her hacking exploits will be only one of many things coppers want a word with her about.

Meanwhile the company sent letters to all the former employees letting them know what happened.

Apparently Luxottica Retail has improved its computer security so that a hacker who is such a novice they don’t think to hide their own IP address can't break down the door.

That's the problem with heroin... it does cloud your judgement a bit.

posted @ 2:10 PM

Starbucks Corp. has issued a troubling e-mail to more than half of its workforce, alerting workers a stolen laptop could put the personal information of 97,000 employees in jeopardy.

"We are writing to inform you of a recent incident that may have involved a breach of your private information (including name, address and social security number)," stated the e-mail sent out on Monday.

According to Starbucks, the laptop was stolen back on October 29 at an unspecified location. It's unclear why the company waited four weeks to notify its employees.

So far, there's no indication the data has been misused. Still, the company is advising employees to monitor their financial accounts, and be on the lookout for signs of identity theft.

This is not the first time Starbucks has had employees' personal information compromised due to a laptop theft.

Two years ago, the personal information of more than 60,000 employees and contractors was compromised when four computers disappeared. At the time, the company said it was implementing a policy that forbids putting critical data such as social security numbers on mobile equipment.

On Monday, on a popular blogging site for Starbucks workers, comments echoed nervousness from those who got the emailed warning.

"This is very frustrating! I try so hard to watch who I give my personal information to and the company I work for doesn't seem to have any security guarding my information," one commenter wrote.

To help those 97,000 workers keep on the lookout for identity theft, Starbucks is providing them with a full year of credit watch service for free.

Starbucks could not be reached for comment.

posted @ 2:09 PM

The Electronic Frontier Foundation (EFF) 'Grey Hat' Guide ponders such questions as what a security researcher should do if they unintentionally "violate the law" in the course of their investigations.

"A computer-security researcher who has inadvertently violated the law during the course of her investigation faces a dilemma when thinking about whether to notify a company about a problem she discovered in one of the company's products," the guide states. "By reporting the security flaw, the researcher reveals that she may have committed unlawful activity, which might invite a lawsuit or criminal investigation. On the other hand, withholding information means a potentially serious security flaw may go unremedied."

The EFF said that researchers in this situation could reconstruct research using technology they are authorised to use, or report the flaw in general terms. However, both of these options are "undesirable", the EFF said.

US laws that researchers could inadvertently flout include the Computer Fraud and Abuse Act, the anti-circumvention provisions of the Digital Millennium Copyright Act, other copyright law, and other state and international laws, the EFF warned.

The EFF, therefore, recommended that security researchers consult with an attorney before undertaking potentially risky research. "Because the regulatory regime is complicated and non-intuitive, security researchers may have more reason to worry about legal challenges than other scientists," the guide states. "Potentially, a researcher may unintentionally violate the law through ignorance or misplaced enthusiasm, or an offended party can stretch or misuse the law to challenge research that casts its products or services in a negative light."

The guide adds that companies that regularly deal with vulnerabilities, such as software firms, are less likely to sue "innocent researchers".

UK IT professionals also need to try to avoid legal entanglement, penetration-testing company First Base Technologies told ZDNet UK on Tuesday. Potential pitfalls include transgression of the Computer Misuse Act (CMA) and breaking anti-terrorism, privacy and human-rights laws, according to Peter Wood, chief of operations for First Base Technologies.

"We engage the owner of a system to get explicit permission before doing penetration testing," said Wood. "Some internal employees get a bit over-enthusiastic and unintentionally bring down systems — more frequently than you would expect. Clients have experienced someone doing something silly a couple of times a year. Doing research on the web and then testing exploits on systems will leave you on very dodgy ground."

Using tools such as TCP port scanners inappropriately can transgress the CMA, Wood warned. "Even tools like SuperScan will connect to a service and are not non-invasive," he said.

Use of such tools can be illegal under the CMA, as the researcher would be using the system for a purpose other than that for which it was originally intended, said Wood.

"For example, to do a vulnerability analysis on an SMTP mail server, it's likely you'd connect to a scanning tool, to answer questions about how the mail server is configured," said Wood. "But that would be using the mail server for a purpose [for which] it was not intended."

Gaining explicit consent from the owner of the systems to be tested could circumvent this problem, and also overcome potential problems with privacy and human-rights issues, Wood added.

"People evaluating security on individual workstations may not have thought of privacy considerations," said Wood. To overcome potential copyright issues, non-disclosure agreements could be entered into, he added.

posted @ 2:08 PM

The same type of data security breach that has menaced retail stores, restaurants, and other businesses has made its way into the Sandwich treasurer's office, where a hacker with possible international ties stole tens of thousands of dollars from town coffers in a complex computer-fraud scheme.

Sandwich officials have warned their counterparts in surrounding towns of the computer breach.

Police believe the hacker used a virus to attack Treasurer Craig Mayen's computer and implant a logger that monitored any keystrokes he entered. With technology similar to what is known as a sniffer, a device that tracks computer information, the hacker was able to record Mayen's security code and password as he typed them, and used that information to make withdrawals from town bank accounts.

The money was then transferred to four accounts - three in Florida and one in Georgia.

Police Chief Michael J. Miller said yesterday that Mayen discovered the breach two weeks ago, and notified police detectives. Investigators were able to determine that the scheme netted close to $50,000.

Miller said yesterday that detectives will ask the state attorney general's office and the FBI for help in what he called a complex case. "That's the problem with tracking all this stuff, we don't have that ability," the chief said. "At this point, it's outside our realm of expertise."

Police have been working with the town's banks and a white collar crime-fighting collaboration of law enforcement and bank security officials. Miller said police in Florida were able to question a man who opened one of the accounts there, as he was trying to make a withdrawal.

However, police do not believe the man is criminally involved in the scheme.

The chief said the man in Florida, who was not identified, told authorities he answered an advertisement offering to pay him to open an account. The hacker would then move funds from Sandwich into the account, and the Florida man would then wire it through Western Union to St. Petersburg, Russia.

Miller would not say how much money was stolen from town coffers, but said it was less than $50,000.

He said the culprits have been systematic in the account transfers in that each has been in an amount of less than $10,000 - the threshold that banks use to notify FBI officials of significant monetary transfers.

Mayen noticed the problem when he was conducting a bank transaction for the town and noticed a series of unauthorized withdrawals, beginning on Nov. 4, under his security code.
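The pattern the chief describes (several transfers, each kept just under the bank's reporting threshold, sent under one credential to newly seen accounts within a few days) is exactly what a finance office or bank can watch for on its own transaction log. The following is an added illustration, not code from the article or from any bank; the transfer records, the "near threshold" band of 90% and the seven-day window are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of online-banking transfer records (not real town data):
# timestamp, credential that authorised it, destination account, amount.
TRANSFERS = [
    ("2008-11-04 09:12", "treasurer", "FL-ACCT-1", 9400.00),
    ("2008-11-04 15:40", "treasurer", "FL-ACCT-2", 9850.00),
    ("2008-11-06 10:05", "treasurer", "GA-ACCT-1", 9900.00),
    ("2008-11-07 11:30", "treasurer", "FL-ACCT-3", 9700.00),
    ("2008-11-07 14:02", "treasurer", "PAYROLL-VENDOR", 42000.00),  # routine, known payee
    ("2008-11-10 09:00", "clerk", "OFFICE-SUPPLY", 312.50),
]

KNOWN_PAYEES = {"PAYROLL-VENDOR", "OFFICE-SUPPLY"}  # payees seen before (constructed)
REPORT_THRESHOLD = 10000.00   # reporting threshold cited in the article
NEAR_FRACTION = 0.90          # "just under": within 10% of the threshold (assumption)
WINDOW = timedelta(days=7)    # span in which repeated near-threshold transfers cluster
MIN_HITS = 3                  # how many such transfers trigger a flag (assumption)


def flag_structuring(transfers, known_payees=KNOWN_PAYEES):
    """Return {credential: [suspicious transfers]} for every credential that made
    MIN_HITS or more near-threshold transfers to previously unseen payees inside
    some WINDOW-long span. Each suspicious transfer is (datetime, dest, amount)."""
    by_user = defaultdict(list)
    for ts, user, dest, amount in transfers:
        near = NEAR_FRACTION * REPORT_THRESHOLD <= amount < REPORT_THRESHOLD
        if near and dest not in known_payees:
            when = datetime.strptime(ts, "%Y-%m-%d %H:%M")
            by_user[user].append((when, dest, amount))
    flagged = {}
    for user, events in by_user.items():
        events.sort()
        # Slide a window over the sorted events; the first dense cluster flags the user.
        for i in range(len(events)):
            j = i
            while j < len(events) and events[j][0] - events[i][0] <= WINDOW:
                j += 1
            if j - i >= MIN_HITS:
                flagged[user] = events[i:j]
                break
    return flagged
```

On the sample above only the treasurer credential is flagged, with four transfers totalling well under $50,000, matching the scale the article describes.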

Gail Marcinkiewicz, a spokeswoman for the FBI, would not say yesterday whether her agency would assist in the investigation. The FBI has jurisdiction to participate in such investigations, but any number of factors could determine whether the agency gets involved.

A spokeswoman for Attorney General Martha Coakley's office would not comment yesterday.

The elaborate scheme is part of a larger, underground computer fraud economy that has netted hundreds of billions of dollars through identity theft, credit card fraud, and other breaches, said Dean Turner, director of global intelligence network for Symantec, a security software company.

Miller downplayed reports that police are investigating whether the hacker has ties to Russian organized crime, because of where the money was being sent. But Turner said computer fraud is a booming industry in Russia and Eastern Europe, with organized crime rings offering all types of information, and hacking equipment, on the black market.

"This is only a small slice of what's going on in the economy," he said.

The data breach that occurred is similar to the type of scheme that attacked retailers such as TJX and BJ's Wholesale Club, in one of the largest computer fraud cases in the country, Turner said.

In this case, a hacker was able to implant a malicious code in the treasurer's computer.

That could have been done in several ways: by e-mail or through a website that was carrying the virus.

From there, the hacker could have begun reading the keyboard strokes.

Turner said hackers sell tool kits that can accomplish such fraud on the underground market.

"This is, what this really is, is a data breach - an ability to compromise information," he said. "In this case, it's banking information."

posted @ 2:07 PM

Most people whose computers have been turned into bots and linked to a botnet have no idea that their machines have been commandeered by cybercriminals. Their PCs send spam, steal information, and participate in denial-of-service attacks without any obvious sign.

But new software, funded by a grant from the U.S. Army Research Office and developed by SRI International, promises to provide users with more insight into what their computers are doing.

BotHunter, announced on Monday, is a free malware-detection application for Mac OS X, Linux/Unix, and Windows that monitors network activity. Unlike intrusion detection system (IDS) tools that scan only incoming data, BotHunter looks for patterns that indicate malware activity in both incoming and outgoing data.

"We do a lot of inbound egress monitoring," said Phillip Porras, SRI program director of enterprise and infrastructure security and lead developer of the BotHunter project. "BotHunter really flips that paradigm around."

As an automated network-flow analysis tool, BotHunter uses IDS routines to scan inbound and outbound network packet headers and payloads. It does so without revealing packet payload contents, which is necessary to protect privacy and make it usable in government environments. The machine profiles it sends to the BotHunter repository are anonymized to remove local network identification data.
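The point of watching both directions is that an inbound exploit hit on its own is just an attempt, and an outbound burst on its own is just odd traffic; a host showing both within a short window is the stronger signal. The block below is an added, deliberately simplified illustration of that inbound/outbound correlation and is not BotHunter's own detection engine or code; the sensor events, the thirty-minute window and the SMTP fan-out count are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sensor events for one small network (not real BotHunter output). Each:
# timestamp, direction ("in"/"out"), local host, remote host, remote port, tag.
EVENTS = [
    ("2008-11-24 10:00:05", "in",  "10.0.0.7",  "203.0.113.9",   445,  "exploit-sig"),
    ("2008-11-24 10:00:40", "out", "10.0.0.7",  "198.51.100.2",  80,   "binary-download"),
    ("2008-11-24 10:02:10", "out", "10.0.0.7",  "198.51.100.77", 6667, "irc-connect"),
    ("2008-11-24 10:05:00", "out", "10.0.0.7",  "192.0.2.10",    25,   "smtp"),
    ("2008-11-24 10:05:01", "out", "10.0.0.7",  "192.0.2.11",    25,   "smtp"),
    ("2008-11-24 10:05:02", "out", "10.0.0.7",  "192.0.2.12",    25,   "smtp"),
    ("2008-11-24 10:20:00", "in",  "10.0.0.9",  "203.0.113.9",   445,  "exploit-sig"),  # no follow-up
    ("2008-11-24 11:00:00", "out", "10.0.0.15", "192.0.2.30",    25,   "smtp"),         # the mail server
]

WINDOW = timedelta(minutes=30)  # how soon after an inbound hit outbound signs must appear
SMTP_FANOUT = 3                 # distinct outbound SMTP peers that count as a spam burst


def score_hosts(events):
    """For each local host, pair inbound exploit evidence with outbound evidence
    (a binary download, a C&C-style connect, or SMTP fan-out) seen within WINDOW
    afterwards. Return {host: sorted list of outbound evidence tags} for hosts
    showing both sides; hosts with only one side are not reported."""
    per_host = defaultdict(list)
    for ts, direction, host, remote, port, tag in events:
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        per_host[host].append((when, direction, remote, port, tag))
    verdicts = {}
    for host, evs in per_host.items():
        evs.sort()
        inbound = [e for e in evs if e[1] == "in" and e[4] == "exploit-sig"]
        for t0, *_ in inbound:
            later = [e for e in evs if e[1] == "out" and t0 < e[0] <= t0 + WINDOW]
            evidence = {e[4] for e in later if e[4] in ("binary-download", "irc-connect")}
            smtp_peers = {e[2] for e in later if e[3] == 25}
            if len(smtp_peers) >= SMTP_FANOUT:
                evidence.add("smtp-fanout")
            if evidence:  # inbound infection sign plus at least one outbound sign
                verdicts[host] = sorted(evidence)
                break
    return verdicts
```

In the sample, 10.0.0.7 is reported with all three outbound signs, while 10.0.0.9 (inbound hit only) and the mail server 10.0.0.15 (outbound SMTP only) are not.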

The software has been downloaded some 35,000 times to date and several thousand instances are running in the U.S. military. So far, about 250 users have reported finding that their PCs have been turned into bots, said Porras.

Though the software is aimed at technically savvy users, specifically network administrators, the Windows version should install easily and should be usable by those without deep networking expertise. The Mac version requires the target machine to have Apple's developer tools installed to function.

posted @ 2:05 PM