NewsBits for June 30, 2003 sponsored by, Southeast Cybercrime Institute - www.cybercrime.kennesaw.edu ************************************************************ Young cyber-terrorists hold top US firms to ransom in Transylvania Several top American companies have been blackmailed to the tune of $50,000 a head by Romanian hackers practising 'cyber- terrorism' from the backwoods of Transylvania. Astonishingly, the cyber wizards who penetrated the databases of security-conscious corporate America turned out to be a group of Romanian high school drop-outs, work-shy provincials and students manqu. Romania is not exactly in the vanguard of the high-tech revolution and the medieval Transylvanian town of Sibiu, the hub of the daring hacking operation, has hitherto been better known as the birthplace of Vlad Dracula the Impaler than the new Silicon Valley of the Balkans. http://www.sundayherald.com/34961 - - - - - - - - - - PetCo Plugs Credit Card Leak Pet supply retailer PetCo.com plugged a hole in its online storefront over the weekend that left as many as 500,000 credit card numbers open to anyone able to construct a specially-crafted URL.. The pet site was vulnerable to the same kind of SQL injection vulnerability that lead to an FTC complaint against the fashion label Guess, in a case that settled earlier this month. Twenty-year old programmer Jeremiah Jacks discovered both holes. Jacks say news media interest in the Guess case prompted him to check a few other large e-commerce sites for similar bugs. He chose PetCo.com because a competing e-tailer had been vulnerable last year, "so I was wondering about other pet sites," says Jacks. http://www.securityfocus.com/news/6194 http://www.theregister.co.uk/content/55/31478.html - - - - - - - - - - Jail warden is ousted in badge incident Michael Abode was forced to retire as warden of the Middlesex County jail yesterday after officials revealed "unacceptable" actions he took involving Alan Haag, the former county road supervisor arrested on illicit sex charges in Pennsylvania. County officials said Abode gave Haag a badge that was found in the county-owned car Haag drove to Pennsylvania a month ago when he allegedly arranged to pay a woman $300 to have sex with her and her daughters, ages 7 and 10. The woman turned out to be an undercover agent with a special task force formed to crack down on Internet crime. http://www.nj.com/news/ledger/index.ssf?/base/news-9/105678074383470.xml - - - - - - - - - - Suspect charged in rape of 11-year-old girl he met on internet A 26-year-old Catskill man faces felony rape and sexual abuse charges after police said he met an 11-year-old Delmar girl on the Internet and took her to a motel. State Police arrested Cory Knoth, an unemployed musician, around 7 p.m. Friday at his parents' house at 166 Spring St., where he lives. Officers said he admitted to having sex with the girl. Troopers questioned him at the Catskill barracks for several hours before bringing him to Colonie after midnight, where he was arraigned by Town Justice Peter Crummey at 3:30 a.m. Saturday, said Lt. Joseph Fitzsimmons of the Colonie police. http://www.timesunion.com/AspStories/story.asp?storyID=147113&category=REGION&BCCode=&newsdate=6/29/2003 - - - - - - - - - - Two jailed for child porn Clinton John Gooch has been jailed for nine months after pleading guilty to 16 charges of possessing objectionable publications and of making it available for gain. The Christchurch District Court heard that Gooch had been operating within an Internet child pornography trading channel and had sent pictures to a Department of Internal Affairs officer, including one hard core image involving a very young child. Peter William Pearson was sentenced to 18 months in prison after admitting 40 charges of making, copying and possessing objectionable publications. In sentencing, Judge Graeme Noble said both cases were serious and the harm done to children by such material was incalculable. http://onenews.nzoom.com/onenews_detail/0,1227,201936-1-7,00.html - - - - - - - - - - North Fort Myers man charged with child pornography A North Fort Myers man is accused of using his mother's e-mail to pose as a teenage girl and sending pornographic images over the Internet. Alan Robert Johnson, 24, has pleaded innocent to federal charges of possession of child pornography. He was arrested after FBI agents raided the home of Paul Bardotz in West Seneca, N.Y., during a child pornography investigation and seized Bardotz's computer, authorities said. According to a search warrant affidavit, investigators found several child pornographic images of young girls and an infant on Bardotz's computer that were sent to him. Investigators traced the e-mail address to Johnson's mother and began investigating Johnson's residence. Bardotz told FBI agents he believed he met the sender in an Internet "chat room" that catered to "female to female relationships" and that the person who used the e-mail address claimed to be a 13-or 14-year-old girl, the affidavit said. http://www.newsday.com/news/local/wire/ny-bc-ny--childpornography0629jun29,0,7646149.story - - - - - - - - - - SEX-TRAP FEAR FOR RUNAWAY Police are searching for a 15-year-old runaway whose desperate mother fears she's fallen prey to people who use the Internet to promote sex parties. Virginia Gandee disappeared from her Staten Island trailer home on Friday, leaving a note claiming she was planning to stay with a friend in Texas. But her mom, Christine, suspects her daughter left to be with a man the teen considers her boyfriend. Gandee knows him only by the name "Cano." When she searched Ginny's room after she left, she found references to a Web site that includes the name Cano. The site, which advertises sex parties, includes photos of near-naked women in lewd poses. Some are bound, and one has a snake wrapped around her. http://www.nypost.com/news/regionalnews/2091.htm - - - - - - - - - - Ex-Intel worker wins in Calif. high court An ex-Intel worker did not trespass on company computer systems when he e-mailed thousands of messages critical of his former employer to staffers at work, the California Supreme Court ruled Monday. The 4-3 decision hands Ken Hamidi a victory in his 6-year-old dispute with the chip giant, finding that California's trespass law does not offer a cause of action absent evidence of damages, which was lacking in this case. http://news.com.com/2100-1028_3-1022279.html - - - - - - - - - - The Ukrainian service of domain names was attacked by hackers Stop Cyber Crime The American server of the company iName.com.ua (Ukrainian registrar of domain names) has been attacked by hackers. According to representatives of iName.com.ua, cyberattack has caused significant damage to the company and its clients. Attack has taken place in the beginning of this week. According to the press-service iName.com.ua, malefactors have put an appreciable loss both the company, and its clients. "It is difficult to estimate real sum of loss as we have lost a lot of information which was very important for our clients", - the general director iName.com.ua Liubomir Gaydamak said. http://www.crime-research.org/eng/news/2003/06/Mess2901.html - - - - - - - - - - Virus infections way up in 2003 Virus writing and high-profile infections have been on the rise this year, with significant activity over the past couple of months in particular. Figures from Sophos reveal the first six months of 2003 have seen a 17.5 per cent increase in virus activity over the same period last year--and this shows no sign of abating. Bugbear and Klez have done much to boost the figures, but Sobig variants and viruses which have employed specific social engineering, such as the Avril worm, have also added to the tide of malicious attacks. http://zdnet.com.com/2100-1105_2-1022164.html http://www.theregister.co.uk/content/56/31489.html Mindjail worms way through IRC http://www.theregister.co.uk/content/56/31480.html - - - - - - - - - - Law aims to reduce identity theft A California law that requires e-commerce companies to warn consumers when their personal information may have been stolen could provide a boost for security firms. The Security Breach Information Act (S.B. 1386), which goes into effect Tuesday, requires companies that do business in California or that have customers in the state to notify consumers whenever their personal information may have been compromised. Companies that fail to properly lock down information or to notify consumers of intrusions could be sued in civil court. http://news.com.com/2100-1012_3-1022341.html http://www.cnn.com/2003/TECH/biztech/06/30/hacker.bill.ap/index.html - - - - - - - - - - Bracing for the New Privacy Laws One would think that, some eight years into the Internet age, enlightened self-interest would have motivated financial services and e-commerce vendors to put a higher value on maintaining the integrity of customer data. But companies' seeming inability to follow a consistent and reliable security model for the use of customer data, and the secretive approach taken to handling credit card security breaches, have helped create a consumer backlash - and a torrent of state and federal legislation. http://computerworld.com/securitytopics/security/privacy/story/0,10801,82547,00.html - - - - - - - - - - Whats thwarting the sharing of homeland security information? Scanty funding, turf rivalries, congressional inaction and policy clashes are holding homeland security information sharing hostage, current and former political leaders said today. Money is a key problem, said retired Gen. Wesley K. Clark, who was among the speakers at the Information Sharing for Homeland Security Conference. http://www.gcn.com/vol1_no1/daily-updates/22591-1.html http://computerworld.com/securitytopics/security/story/0,10801,82646,00.html Government Certification of Software Proposed to Boost Homeland Security http://computerworld.com/securitytopics/security/story/0,10801,82609,00.html Emergency workers need $100 billion over five years, report says http://www.govexec.com/dailyfed/0603/063003gsn1.htm Homeland Security flooded with antiterror tech plans http://www.govexec.com/dailyfed/0603/063003td1.htm FBI manager keeps agency tech upgrade on track http://www.govexec.com/dailyfed/0603/063003nj1.htm - - - - - - - - - - Average damage from one cyber-fraud - $ 23 000 Stop Cyber Crime The level of cyber crime in the developed countries is measured in thousand offences, and the economic harm makes billions US dollars... The fighting cyber crime is one of priorities of modern society. Conducted researches allow to approve that, the world community has serious problems in this sphere. The American experts have promulgated interesting statistics. The average damage In the USA makes: from one robbery of bank - $ 3,2 thousand; from one swindle - $ 23 thousand; from one cyber theft - $ 500 thousand. http://www.crime-research.org/eng/news/2003/06/Mess2804.html - - - - - - - - - - EBay gets tough on online fraudsters Auctioneer eBay will offer revamped protection for buyers and punish scammers more quickly under new antifraud measures. eBay plans to expand its new buyer-protection programme and take a number of other measures to combat fraud on its site, which has become a popular target for online scam artists. http://news.zdnet.co.uk/story/0,,t269-s2136750,00.html - - - - - - - - - - File-swap firms form lobbying group Internet file-sharing companies are forming a lobbying group in Europe to defend their interests against media companies trying to force them out of business, a member of the coalition told Reuters on Monday. The move is the latest sign that file- sharing outfits, which until recently operated far away from the public eye to avoid litigation, intend to fight for their right to distribute software that enables computer users to share files online. http://zdnet.com.com/2100-1104_2-1022237.html File Swappers Beware http://www.washingtonpost.com/wp-dyn/articles/A51083-2003Jun30.html - - - - - - - - - - Can Microsoft End Spam? Unwanted e-mail saps security budgets and wastes everyone's time. It's nice to see Bill Gates take some responsibility for stopping it. In a company-wide e-mail to Microsoft employees last week, Bill Gates outlined a new corporate directive to augment the company's Trustworthy Computing initiative: Bringing an end to spam. I like it. It's about time we got some real muscle behind the fight against spam. http://www.securityfocus.com/columnists/170 Virginia county fights spam http://www.gcn.com/vol1_no1/daily-updates/22586-1.html Spam growth shows no sign of stopping http://news.zdnet.co.uk/story/0,,t269-s2136809,00.html ISPs deny MP's spam sham charge http://www.vnunet.com/News/1141955 - - - - - - - - - - E-Mail Habits Are Risky Business If your business lacks a strict policy governing e-mail behavior, you could be putting yourself at risk of legal action. That's because e-mail in the workplace now qualifies as a business record, a new survey points out. The 2003 E-Mail Survey, released this week, was gleaned from contact with more than 1100 U.S. companies. Among the findings: Employees spend about one quarter of their workday on e-mail, and 76 percent report a loss of time due to system problems. http://www.pcworld.com/news/article/0,aid,111302,00.asp Corporation Caught In the Cross Hairs http://computerworld.com/securitytopics/security/story/0,10801,82511,00.html Staff ignore email usage warnings http://www.vnunet.com/News/1141947 - - - - - - - - - - New AOL IM program offers encryption America Online released on Monday an updated version of its AOL Instant Messenger service that offers client- to-client encryption. AOL is partnering with VeriSign to provide the feature in AIM 5.2, as the new consumer client is called. Encryption costs $9.95 a year for individuals, but AOL also sells certificates in bulk to companies. As part of the encryption feature, AOL also introduced version 2.0 of its AIM Enterprise Gateway. http://zdnet.com.com/2100-1104_2-1022269.html http://computerworld.com/securitytopics/security/story/0,10801,82633,00.html - - - - - - - - - - White, grey and black hackers hats People attacking computer systems are named as hackers in mass media (and accordingly in a society). However many representatives of a computer underground think that according to the history, the word "hacker" concerns the person who increases functionalities of computers. Hence, hackers are the "good" people acting with noble aims: they train a computer in performance of new functions. The use of a word "hacker" in describing the computer vandals or thieves deforms not only sense of the term, but also the historical concept of "hacking". http://www.crime-research.org/eng/news/2003/06/Mess2803.html - - - - - - - - - - Script kiddies. Warning: the hacking! Persons, who plan and are at cyber-attacks, apply various knowledge and experience. But more often, they are so called "script kiddies" (the low-skilled hackers using "holes" in ready scripts). They have the minimal knowledge and a lot of free time. Actually, the hacking of many systems doesn't require special approaches. Moreover, the most of "script kiddies" do not understand what exactly they do. They just load any program and get access to system or to administrator account. In this way the ordinary user can execute all actions required for hacking without any efforts. http://www.crime-research.org/eng/news/2003/06/Mess3004.html - - - - - - - - - - Trashing is the first stage of hacking Today, the Internet allows learning the bank account condition, looking through a clinical history, finding out a route, buying something and even communicating with foreign partners by IP-telephony. Many companies would crash without organizing their business through the World Wide Web. Unfortunately, this network of networks is also accessible to deliberate criminals who can get privileged information from any other computer in an illegal way. Most of cyberattacks come through social engineering (SE), the manipulation of people to give out critical data about a computer/ network system. http://www.crime-research.org/eng/news/2003/06/Mess3003.html - - - - - - - - - - A Safer System for Home PC's Feels Like Jail to Some Critics Your next personal computer may well come with its own digital chaperon. As PC makers prepare a new generation of desktop computers with built-in hardware controls to protect data and digital entertainment from illegal copying, the industry is also promising to keep information safe from tampering and help users avoid troublemakers in cyberspace. http://www.nytimes.com/2003/06/30/technology/30SECU.html Library filtering software rejects Toppenish as porn http://www.usatoday.com/tech/news/2003-06-30-toppenish-porn_x.htm - - - - - - - - - - IDS Correlation of VA Data and IDS Alerts The sky is falling! The sky is falling! Okay, well the sky isn't really falling, but isn't that they way that we all felt the first time we installed a NIDS and turned it on? We watched the alerts fly by the screen quicker than we could determine what they were. If we were lucky we could just make out what colors the alerts were. Unfortunately that stigma has stuck with the intrusion detection industry. Some people who have NIDS installed have just ignored their screens and been happy with telling the auditors: "Why of course we have intrusion detection. http://www.securityfocus.com/infocus/1708 - - - - - - - - - - Are public court records too public in cyberspace? Courthouses have long been considered stodgy institutions, foreign to the public they serve. The Internet has made them a little less detached, offering the ability to pay tickets, attend traffic school, even monitor dockets online. But most of the documents that are freely available at the courthouse are not online, either for lack of funding and technology or due to concerns that not all public records should be so easily available. http://www.siliconvalley.com/mld/siliconvalley/news/editorial/6201466.htm http://www.usatoday.com/tech/news/techpolicy/2003-06-30-online-courthouse_x.htm - - - - - - - - - - Teamwork from IT and engineering to secure process networks IT and engineering must work together to secure dangerously vulnerable process networks. When an employee from an Australian company that makes manufacturing software got fired in early 2000, he applied for a job with the local government, but was turned down. In retaliation, he got a radio transmitter, went to a nearby hotel where there was a sewage valve, and used the radio to hack into the local government's computerized waste management system. http://computerworld.com/securitytopics/security/story/0,10801,82505,00.html Sidebar: How to get started securing process networks http://computerworld.com/securitytopics/security/story/0,10801,82506,00.html - - - - - - - - - - Computer Bugs Even Infiltrate the Kitchen When his dishwasher acts up and won't stop beeping, Jeff Seigle turns it off and then on, just as he does when his computer crashes. Same with the exercise machines at his gym and his CD player. "Now I think of resetting appliances, not just computers," said Seigle, a software developer in Vienna, Va. (LA Times article, free registration required) http://www.latimes.com/technology/la-adna-bugs29jun29,1,81614.story *********************************************************** Computer Forensics Training - Online. An intense, 150 hour, instructor lead program that teaches you computer forensics and helps prepare you for the Certified Computer Examiner exam. For more information see; www.cybercrime.kennesaw.edu *********************************************************** Search the NewsBits.net Archive at: http://www.newsbits.net/search.html *********************************************************** The source material may be copyrighted and all rights are retained by the original author/publisher. The information is provided to you for non-profit research and educational purposes. Reproduction of this text is encouraged; however copies may not be sold, and NewsBits (www.newsbits.net) should be cited as the source of the information. Copyright 2000-2003, NewsBits.net, Campbell, CA.