Memories of Another day

While my Parents Pulin babu and Basanti devi were living

Saturday, June 20, 2009

RE: [Control-Computer-Crimes] CRPCC-> CRPCC News Update 2009 May 25 - ALIVE : Conficker - Hold the funeral, it's not dead yet / DANGER : 62% of companies experienced security breaches in critical applications in last 12 months / CATCHMENT : Pentagon Se


 

Date: Tue, 26 May 2009 20:51:33 +0530
Subject: [Control-Computer-Crimes] CRPCC-> CRPCC News Update 2009 May 25 - ALIVE : Conficker - Hold the funeral, it's not dead yet / DANGER : 62% of companies experienced security breaches in critical applications in last 12 months / CATCHMENT : Pentagon Seeks High School Hackers / DEMAND : T
From: rakesh@sysman.in

 IT and Related Security News Update from
Centre for Research and Prevention of Computer Crimes, India
Courtesy - Sysman Computers Private Limited, Mumbai (www.sysman.in)

May 25, 2009

Editor - Rakesh Goyal (rakesh@sysman.in)


In today's Edition - (This is a news-letter and not a SPAM)
*Direct Circulation - 84,000+
ALIVE : Conficker - Hold the funeral, it's not dead yet
DANGER : 62% of companies experienced security breaches in critical applications in last 12 months
CATCHMENT : Pentagon Seeks High School Hackers
DEMAND : Tracking down fraud is now in demand
IT Term of the day
Quote of the day
 
Approved Organizations can get a two months free subscription of focused news at: http://2mthsfree.e-secure-it.com/


To Join this group - http://groups.google.co.in/group/control-computer-crimes/subscribe

* Direct Circulation in 4 Google groups (control-computer-crimes@googlegroups.com and IT-Sec-NSE@googlegroups.com) and 2 more

Please don't print this newsletter unless you really need to. Save Tree.
SAY NO TO PLASTIC WATER BOTTLES. 






--Forwarded Message Attachment--

IT and Related Security News Update from

Centre for Research and Prevention of Computer Crimes, India

(www.crpcc.in)

Courtesy - Sysman Computers Private Limited, Mumbai (www.sysman.in)

May 25, 2009



ALIVE : Conficker - Hold the funeral, it's not dead yet

50,000 new Windows systems hit every day

By John Leyden

21st May 2009

http://www.theregister.co.uk/2009/05/21/conficker_continued_spread/

 

Media coverage of the Conficker superworm has died down over recent weeks but variants of the worm are still infecting 50,000 new PCs a day.

 

The US, Brazil and India are the main cultivation grounds for the worm, according to reports from the Symantec threat intelligence team.

 

Symantec has knocked up a colour-coded map illustrating the spread of the worm, which can be found here (http://viewfromthebunker.com/2009/05/20/conficker-continues-to-spread).

 

Conficker (aka Downadup) infects a Windows system by either exploiting systems unprotected against the MS08-067 vulnerability patched by Microsoft back in April, or by taking advantage of weak password security to spread across network shares. Infected USB sticks and other items of removable media can also spread the infection.

 

The worm infected millions of systems in the run-up to 1 April, where it changed the way it phoned home to pre-programmed servers to poll for updates. Nothing happened, apart from excitable media coverage of the date itself, but on 9 April some infected systems began to download additional items of malicious code via P2P update functionality built into the latest variants of the worm. The updated components included copies of the Waledac Trojan, a botnet application used to send spam.

 

Despite this there have been no reports of use of Conficker-compromised machines in either sending spam or running denial of service attacks. The overall population of the Conficker worm is constantly eroded by clean-up efforts, so even though 50,000 new machines might be getting infected every day the overall population of infected machines is probably in long-term decline.

 



DANGER : 62% of companies experienced security breaches in critical applications in last 12 months

Study clearly shows organizations are At-Risk from Insecure Software

May 25, 2009

http://newsblaze.com/story/2009052519214100052.we/topstory.html

 

Veracode announced today the findings of an independent commissioned study conducted by Forrester Consulting on behalf of Veracode titled "Application Risk Management in Business Survey." The survey revealed that enterprises are struggling to protect their organisations from the costly and growing threat of application security breaches. The study interviewed development, security and risk professionals across the UK and US, and confirmed that risk associated with insecure software is a very real concern and a top priority for management and developers alike.

 

The survey of over 200 respondents from 180 different businesses across various industry sectors found that more than 62% of organisations have experienced a security breach in the past 12 months due to exploitation of vulnerabilities in their critical software applications. The study also found that while companies feel they know the make-up and business criticality of their mixed application portfolios, there is little confidence in the security quality of their applications.

 

"Companies are not doing enough to ensure the security of open source code, outsourced code and commercial applications," according to the study by Forrester Consulting.

 

Other key findings:

 

  • Exploitation of vulnerabilities in software is a major cause of data breaches. 62% of companies responded that they have experienced security breaches which exploited vulnerabilities in software in the last 12 months.

 

  • Security as part of the software development process is not widely practised.

Only 34% of companies have a comprehensive SDLC (software development life cycle) process which integrates application security.

 

  • More than half of companies (57%) use outsourcing regularly for business critical. Yet only one third of companies require rigorous security testing before accepting and implementing code from outsourcers.

 

  • Only 13% of companies know the security quality of business critical applications. Very few respondents know the security quality of all their business applications which they deem critical to the enterprise.

 

  • Considering that 50% of companies are using COTS (custom-off-the-shelf software) or outsourced code to handle sensitive data (financial information, PII, health info etc.), this indicates why the risk and resultant fallout from breaches is so great.

 

  • Enterprises are increasing scrutiny on ISVs (independent software vendors) and outsourcers for delivering secure code.

60% of respondents stated they are actively incorporating (or have already adopted) third party security assessments as part of software procurement processes for COTS or outsourced code.

 

  • Most enterprises lack formal secure development training programmes.

57% of organisations don't have systematic training programmes addressing application security training for their developers.

 

  • Security spending is not immune to economic conditions.

64% of respondents stated that while application security is important to them, they are struggling to meet the challenge on existing budgets.

 

The results of the survey were consistent between UK and US organisations. The UK uses less open source and outsourced applications extensively for business critical functions and has a lower ratio of security personnel to developers, but the results in terms of breaches were in essence the same. More detailed specifics on this are available on request.

 

"The same economic forces driving enterprises to use third party applications are also increasing the risk of insecure software" says Matt Moynahan, CEO of Veracode. "Given the prolific use of third-parties to build business critical applications, global enterprises need a single flexible and cost-effective solution to seamlessly test the security across their entire application portfolio regardless of whether it was built internally or externally."

 



CATCHMENT : Pentagon Seeks High School Hackers

Andy Greenberg,

May 21 2009

http://www.forbes.com/2009/05/21/cybersecurity-students-hackers-technology-security-cybersecurity_print.html

 

High school hackers, crackers and digital deviants: Uncle Sam wants you.

 

As part of a government information security review released as early as Friday, White House interim cybersecurity chief Melissa Hathaway likely will mention a new military-funded program aimed at leveraging an untapped resource: the U.S.' population of geeky high school and college students.

 

The so-called Cyber Challenge, which will be officially announced later this month, will create three new national competitions for high school and college students intended to foster a young generation of cybersecurity researchers. The contests will test skills applicable to both government and private industry: attacking and defending digital targets, stealing data, and tracing how others have stolen it.

 

The competitions, as planned, go far beyond mere academics. The Air Force will run a so-called Cyber Patriot competition focused on network defense, fending off a "Red Team" of hackers attempting to steal data from the participants' systems. The Department of Defense's Cyber Crime Center will expand its Digital Forensics Challenge, a program it has run since 2006, to include high school and college participants, tasking them with problems like tracing digital intrusions and reconstructing incomplete data sources.

 

The security-focused SANS Institute, an independent organization, plans to organize what may be the most controversial of the three contests: the Network Attack Competition, which challenges students to find and exploit vulnerabilities in software, compromise enemy systems and steal data.

 

More is at stake in these games than mere geek glory. Talented entrants would be recruited for cyber training camps planned for summer 2010, nonprofit camps run by the military and funded in part by private companies, or internships at agencies including the National Security Agency, the Department of Energy or Carnegie Mellon's Computer Emergency Response Team.

 

Alan Paller, director of the SANS Institute, says companies including EMC, AT&T and Verizon have all expressed interest in sponsoring elements of the program. (EMC and AT&T spokespeople didn't respond to requests for comment, and Verizon declined to comment in advance of the program's announcement.)

 

The ultimate goal, according to the initiative's mission statement, is a new sort of grassroots cybersecurity education designed to keep America ahead of a growing threat of cyber attacks from both criminal and state-sponsored enemies. "In the 1950s and 1960s, Sputnik and the space race inspired young people to pursue careers in science and engineering," reads a draft of the statement. "We have a similar opportunity to inspire today's young people to tackle the important challenges we face, including cybersecurity."

 

Fears of cyber-sabotage or espionage were brought home last month by revelations, reported in The Wall Street Journal, that Russian and Chinese intruders had gained access to and mapped out the networks of U.S. power systems, leaving behind software designed to sabotage them. Cyberspies have also repeatedly hacked government and military networks going back as early as the beginning of the decade. Forbes reported in 2007 that military contractors including Lockheed Martin, Raytheon, Boeing and Northrop Grumman had suffered security breaches that had the potential to reveal classified information.

 

One element of ending those cyber debacles, says the SANS Institute's Paller, will mean a renewed focus on cyber education. "We have probably only 1,000 very skilled hackers working for government and industry," he says. "We need 20,000 or 30,000. Those hackers are out there. We just need to get them into a much more important and useful role."

 

China, for its part, may be well ahead of the U.S. in cybersecurity education and recruiting, Paller argues. In a hearing before the Senate's Homeland Security last month, Paller told the story of Tan Dailin, a graduate student in China's Sichuan province who in 2005 won several government-sponsored hacking competitions and the next year was caught intruding on U.S. Department of Defense networks, siphoning thousands of unclassified documents to servers in China. "China's People's Liberation Army is running these competitions all the time, aiming their recruits at the U.S.," Paller says. "Shouldn't we be looking for our best talent the way other countries are?"

 

But a parallel track of domestic cyber training raises the specter of U.S. government-trained hackers not only stealing data from foreign enemies--a diplomatically thorny prospect in itself--but also hacking other targets for fun or profit, and potentially becoming a rogue collection of skilled cybercriminals. "There probably could be a couple people we train that go to the dark side," admits Jim Christy, director of the Department of Defense's Cyber Crime Center. "But we'll catch them and send a message. The good guys will outweigh the bad."

 

Teaching offensive hacking is a necessary element of protecting networks, argues the SANS Institute's Paller. "Offense must inform defense," he says. "We'd like it to be just training defenders, but if they don't know how attacks are performed, they'll be incompetent."

 

He adds that even without formal training, teens are already becoming active hackers. According to a survey released by Panda Security earlier this month, one in five U.K. teens says he or she knows how to find online software tools for gaining unauthorized access to data. A third of those respondents claimed to have used them. "This isn't about educating hackers," says Paller. "It's about finding them."

 

Training games used in digital espionage and data theft, including offensive tactics, are nothing new: The military has long put cadets through defensive and offensive simulations. Programs like the SANS Institute educate so-called white-hat hackers, penetration testers paid to test the security of private companies and government institutions. And cybersecurity conferences like Las Vegas' DefCon host games of "Capture the Flag," in which teams win points by compromising the opposition's PCs.

 

But the Cyber Challenge would be the military's first attempt to reach civilian students. And despite the controversy it likely will raise, it may be the kind of early education push American cybersecurity needs, argues the Department of Defense's Christy. "As cybersecurity comes to the forefront, we're going to start seeing fratricide between agencies and the private sectors as everyone tries to recruit a small number of experts," he says. "We have to grow this workforce."

 



DEMAND : Tracking down fraud is now in demand

By Tammy Joyner

The Atlanta Journal-Constitution

May 24, 2009

http://www.ajc.com/services/content/printedition/2009/05/24/bizoffbeat0524.html

 

Patrick Taylor is a conniving worker's worst nightmare. The Atlanta fraud expert is called upon a lot these days to help companies sniff out fake sales transactions, bogus expense reports, illegal kickbacks and those trying to cook the company books.

"There's a lot of pressure on companies and individuals," said Taylor, chief executive of Oversight Systems. Home and stock values have fallen and consumer debts have risen. Companies are held to much higher accounting standards and under laws such as Sarbanes Oxley.

 

Consequently, "When people are under financial pressure there's more of a temptation to cross the line," said Taylor. That line usually traverses the company's bottom line.

"You find the way to justify taking money from the company."

Worker theft, fraud and pilfering has increased during this recession, according to a recent survey of 507 certified fraud examiners. More than half said the number of frauds they've investigated during the past year has grown, and 49 percent said they've seen more money lost to fraud.

 

Taylor and his team spend a lot of time, with the help of software, combing through a company's daily transactions looking for fraud, abuse or human error, all of which are costly.

Taylor has built a career on fraud-busting, having worked at Internet Security Systems before running Oversight. Oversight's board and workforce include a number of former ISS people.

The software Taylor's company uses acts as a "virtual auditor," often finding human errors and missteps.

 

Carpet and flooring giant Shaw Industries Group Inc. uses the process to help keep mistakes such as duplicate invoices or overpayments to a minimum. No small feat for a $5 billion company with some 25,000 vendors.

"We're finding personnel keying errors on a more timely basis," said Jim Kirkpatrick, Shaw's director of internal audit. A task that would have "involved going through tons and tons of data" in the past.

 

Even though fraud is rampant, Taylor says companies are reluctant to talk about the problem for fear of embarrassment. Most let the offending worker go without trying to recover the losses.

 

Taylor has uncovered lots of fraud but one case he found particularly "repugnant" involved a woman who told her company she had cancer. Instead of getting treatments, she spent her sick days at a spa where she charged the expenses to her company credit card and got reimbursed for medical expenses. "That turned my stomach. That's just wrong in so many ways."

 

Red flags of fraud

 

Gift cards. Excessive gift card purchases, especially from Home Depot and Wal-Mart, are often a red flag, Taylor says. Apparently, the two retailers consider sales receipts detailing a shopper's purchases proprietary information and won't share it with employers.

 

Company cars, gas cards. As gas prices creep back up, there may be more worker scams at the gas pumps like this one: You take the company car to the gas station, have your spouse bring the family car and fill up both cars at the same time using the company credit card. Solution: Check for exorbitant gas and mileage use.

 

Airline tickets. Taylor recalled a case where a worker who traveled overseas frequently for his company bought an airline ticket. The worker turned the ticket in for a voucher, then sold the credit voucher on eBay and stayed home instead of going abroad on business, thereby pocketing the money and getting a mini vacation at the same time. Solution: look for details that accompany travel such as expenses for meals, hotel stay and other costs.

 

Look for patterns of abuse. Wrong-doers always go back to the source of their fraud. If they get away with it once, they'll try it again, Taylor said.

 

First annual Fraudies Awards

 

The folks at Oversight recently created these awards to highlight outrageous offenses culled from fraud cases nationwide:

 

Best Musical Score: Workers at one company billed more than $100,000 in iTunes purchases to their corporate credit cards.

 

Best Romantic Comedy of Errors: One employee spent $4,000 on Victoria Secret purchases for his mistress, which led to a lot of explaining to his boss -- and his wife.

 

Best Medium for Fraud: One worker racked up $3,400 in charges to a psychic hotline. (Too bad the psychic didn't tell him about the job loss in his future.)

 



New IT Term of the day


lamer


A slang term used to describe a user who is uneducated in a given topic area or one who behaves stupidly when involved in online communities. The word is most often associated with and used in place of newbie. Similar slang terms include llama, which is specifically used in online gaming chat rooms and on multiplayer game servers.

 



Quote of the day


Happiness, like unhappiness, is a proactive choice.

 

Stephen R. Covey

 


 

Note -

  1. As a member of this group, you get useful information to protect yourself and your IT assets and processes from various Computer and Related Crimes.
  2. If you think that your other friends/colleagues/acquaintances/relatives/foes/enemies also need this information, forward the mail to them and request them to send their e-mail addresses and names to us with subject as "Subscribe".
  3. If you or someone has become victim of Computer Crimes or has any query on prevention, you are welcome to write to us.
  4. If you are not interested in it and would like to unsubscribe - send a reply mail with subject as "Unsubscribe".
  5. Disclaimer - We have taken due care to research and present these news-items to you. Though we've spent a great deal of time researching these matters, some details may be wrong. If you use any of these items, you are using at your risk and cost. You are required to verify and validate before any usage. Most of these need expert help / assistance to use / implement. For any error or loss or liability due to what-so-ever reason, CRPCC and/or Sysman Computers (P) Ltd. and/or any associated person / entity will not be responsible.

 


