Home Podcasts Videos Guest Posts Q&A My Take Bio Contact

USAToday stories


How social networks foster persistent intrusions of corporate networks

By Byron Acohido, USA TODAY 31Mar2011, p1B

Not long after airstrikes began in Libya earlier this month, certain attorneys at four U.S. law firms, known for having high-profile clients in the oil industry, each received a personally addressed e-mail message.

Each message carried an Adobe PDF attachment, purportedly an analyst report describing the impact of Libya’s uprising on oil futures. Each lawyer clicked on the attachment.

But the PDF was actually pre-set to deliver a quick-acting computer intrusion, says Chris Day, chief security architect at data security firm Terremark, who watched the attack unfold. Within a few seconds, the PC of each attorney who clicked on the attachment began sending a silent beacon to a command server controlled by the intruders.

Terremark alerted law enforcement, and the law firms were notified, cutting off yet another persistent intrusion — a distinctive type of hack that has quietly become a staple of the cyberunderground.

“We’re seeing criminal gangs using these tactics against commercial enterprises simply because they work so well,” says Day.

Such so-called spear-phishing attacks, which often enlist social-media tools to meticulously wedge into corporate networks, are increasingly used in computer thefts that pinpoint valuable corporate data, according to a report released today by IBM’s X-Force cybersecurity team.

“Cybercriminals have become more focused on quality of attacks, rather than quantity,” says Tom Cross, X-Force threat intelligence manager.

Elite cybercriminals are tapping into search engines and social networks to help them target specific employees for social-engineering trickery at a wide range of companies, professional firms and government agencies.

They wait patiently for an opportune moment to seed an infection, knowing they need only infect one well-placed PC to gain a foothold inside a company network. They then proceed to stealthily probe deeper over many months.

“It’s become very common for advanced groups to be in systems for a year or longer without being detected,” says Kim Peretti, forensics director at PricewaterhouseCoopers.

The … more

Carbon registries heist: part digital con-game, part digital burglary

By Byron Acohido, USA TODAY, p.6A, 22 Feb. 2011

An Eastern European cybergang has perfected an emerging form of digital theft to steal $50 million from Europe’s carbon registries.

Elite cybergangs are gaining deep access to corporate networks and carrying out Ocean’s 11-like capers that are equal parts digital con game and digital burglary.

Another such gang, for instance, gained recent media attention for its deep access to Nasdaq’s Directors Desk, a cloud-based collaboration service for senior executives. Authorities have released few details. But that gang went undetected for at least a year, giving it plenty of time to try different ways to pilfer sensitive corporate documents from 175 organizations.

“It’s become very common for advanced groups to be in systems for a year or longer without being detected,” says Kim Peretti, forensics director at PricewaterhouseCoopers. “What’s frightening is their motives aren’t so clear as to what they’re looking for and what they’re trying to do.”

Europe’s carbon registries let companies buy and sell pollution credits. The gang that gamed them put a fresh spin on phishing, the art of tricking users into clicking on a poisoned link. They also tweaked a commonplace tool, called a banking Trojan, used to highjack online accounts, says Uri Rivner, senior researcher at RSA, the security arm of EMC.

Rivner disclosed details at the RSA conference last week. He outlined how the gang impersonated employees charged with buying and selling carbon emission permits. After gathering intelligence about the carbon registries in 25 nations, the gang began to target specific employees, most likely sending them carefully crafted e-mails enticing them to open a work document infected with the Nimkey banking Trojan.

From that foothold, the crooks methodically harvested account log-ons and closely monitored trading processes. At the proper moment, someone would log on as an authorized trader, execute a transaction and divert the proceeds into accounts controlled by accomplices.

“Creativity has never been in … more

Poll shows majority of Google, Facebook users worry about online privacy and security

By Byron V. Acohido

Most Americans are worried about privacy and viruses when using Facebook or Google (GOOG), according to results of a USA TODAY/Gallup Poll released Tuesday.

Related article: Proof that Google, Facebook and Microsoft are spying on you

Nearly seven out of 10 Facebook members surveyed – and 52% of Google users – say they are either “somewhat” or “very concerned” about their privacy while using the world’s most popular social network and dominant search engine.

Even so, technologists and privacy experts say most people lack a clear grasp of the complex risks they accept whenever they’re on the Internet. “Consumers generally do not understand who’s getting access to their data and for what purpose,” says Ryan Calo, director of the Consumer Privacy Project at the Stanford University Center for Internet and Society.

Many of us “have a general sense of unease” when we’re online, Calo says.

Many consumers perceive they are being tracked online by advertisers, government and cybercriminals and that their data could be use to embarrass them or steal their identities. But most surf the Web intensively anyway.

Privacy entwined with security

The poll found that a similar percentage of Facebook and Google users, respectively, say they are worried about Internet viruses.

“In my mind, that shows a lower level of concern (about viruses) than folks really ought to have,” says Lisa Sotto, head of privacy and information management at law firm Hunton & Williams. “There is probably a lack of understanding about how very dangerous viruses can be.”

The erosion of security and privacy often go hand in hand. Social networks, banks, tech companies and retailers continue to make it easier than ever to create accounts, share personal details and do most activities on the Web.

This is being driven largely by advertisers’ desire to make online pitches to the person most likely to buy. “The only way that happens is through the collection of huge amounts of … more

Privacy implications of ubiquitous digital sensors

By Byron Acohido, USA TODAY, 26Jan2011, P1B

Odds are you will be monitored today — many times over.

Surveillance cameras at airports, subways, banks and other public venues are not the only devices tracking you. Inexpensive, ever-watchful digital sensors are now ubiquitous.

They are in laptop webcams, video-game motion sensors, smartphone cameras, utility meters, passports and employee ID cards. Step out your front door and you could be captured in a high-resolution photograph taken from the air or street by Google or Microsoft, as they update their respective mapping services. Drive down a city thoroughfare, cross a toll bridge, or park at certain shopping malls and your license plate will be recorded and time-stamped.

Several developments have converged to push the monitoring of human activity far beyond what George Orwell imagined. Low-cost digital cameras, motion sensors and biometric readers are proliferating just as the cost of storing digital data is decreasing. The result: the explosion of sensor data collection and storage.

Over the next couple of years, the volume of data generated by digital sensors will surpass the flow of e-mails and social-network entries combined, predicts Stephen Brobst, chief technical officer at data analytics firm Teradata. “Sensors will touch nearly every aspect of our lives,” he says.

Meanwhile, technology is rapidly being developed to efficiently mine this mushrooming trove of sensor data in novel ways. Affectiva, a Waltham, Mass., start-up, for instance, recently introduced biometric wristbands capable of monitoring tiny changes in sweat-gland activity to gauge emotional reactions. Therapists are using the wristbands with autistic children to better understand emotional outbreaks. Marketing consultants use the bands to pinpoint what pleases or frustrates shoppers.

At the recent International Consumer Electronics Show in Las Vegas, Intel and Microsoft introduced a prototype of an in-store digital billboard that can memorize your face. The technology soon could be used in billboards capable of keeping track of the products you’re interested in, much as depicted … more

Protesters, botnet gangs accelerate DDoS attacks against corporations

By Byron Acohido, USA TODAY, 05Jan2010, P1B

It will be much harder this year for companies to deflect the rising onslaught of cyberattacks orchestrated to knock them off the Internet.

Hundreds of times each day, attackers use a technique called distributed denial of service, or DDoS, that involves coordinating home PCs to flood targeted websites with nuisance requests — to the point where no one else can access the site.

Most DDoS attacks get blocked or filtered. But the volume and sophistication of such attacks accelerated in 2010, a trend that looks to intensify in 2011. “The good guys are slightly ahead,” says Craig Labovitz, chief scientist at network security firm Arbor Networks. “But it’s not clear this equilibrium will continue.”

One major driver: More home PCs than ever have broadband connections capable of sending large streams of data to commercial websites. That’s made it easier for protest groups to rally like-minded cohorts to join in attacks.

“It doesn’t take many computers any more to take down a website,” says Joel Parrish, Redspin application security engineer.

Brand damage

In September, protesters used their home PCs to bombard the Motion Picture Association of America’s website, knocking it offline for 20 hours. The motive: payback for MPAA’s alleged efforts to shut down PirateBay.org, a popular site for downloading pirated music and movies.

Home PCs were behind the December attacks that disrupted the websites of PayPal, Visa, MasterCard and PostFinance, a Swiss bank. Protesters sought to punish them for cutting off services to the WikiLeaks whistle-blower site.

While such outages are temporary, “brand damage” can be lasting, says Danny McPherson, head of research at Internet infrastructure firm VeriSign.

“When a site is knocked out, consumers simply go elsewhere to purchase goods and services, and they’ll stay with the vendor until that site becomes unavailable,” says McPhereson. “Losing customer trust can translate into lost revenue.”

No industry estimates of such losses are available.

Another … more

Do Not Track law would empower consumers, disrupt advertising status quo

By Byron Acohido and Jon Swartz, USA TODAY, P1A

If you’re like most Web users, you probably don’t realize how intensively your visits to many of the most popular pages on the Internet are scrutinized.

In fact, the art of anonymous, Internetwide monitoring of who visits what webpage has been advancing dramatically, driven by advertisers’ desire to tailor their messages to specific groups of customers.

This month, however, the Federal Trade Commission — responding to complaints that “tracking” software can violate the privacy of those using the Web — moved to put the brakes on such monitoring. The FTC called for a “Do Not Track” mechanism that would enable consumers to opt out of being tailed around the Web.

Privacy advocates praised the move, saying that tracking has gotten out of hand.

“Consumers have a right to know what information is gathered about them, how it is used and whether it is gathered at all,” says John M. Simpson, spokesman for the advocacy group Consumer Watchdog.

Opponents counter that the Do Not Track plan would disrupt the burgeoning online advertising industry, putting at risk the estimated $300 billion of U.S. economic activity it helps to foster, as calculated by the Interactive Advertising Bureau (IAB).

Display ads, video ads and animation ads that rely heavily on Internet tracking could be thrown out of whack in unpredictable ways, critics of the FTC plan say. And that could negatively affect a $25.8 billion-a-year advertising and marketing industry that’s expected to swell to $40.5 billion by 2014, according to research firm eMarketer.

The debate over the FTC’s plan reflects long-simmering tensions over how privacy and commerce intersect on the Internet. And it’s raising questions about the necessity for a federal law that would require ad networks to heed consumers’ Do Not Track requests.

The technology that would enable people to opt out of being spied on while surfing the Internet is easy to build … more

Tech industry moves to better protect children online

By Byron Acohido, USA TODAY, 30 Nov. 2010 p. 1B

The technology industry is making an intensified national push to try to keep children safer online.

Children are facing heightened exposure to cyberbullying, sexual predation and identity theft, thanks to the proliferation of cool devices that connect to the Internet, including smartphones, tablet PCs, Internet TVs and even video gaming consoles.

Multiplying ways to connect to the Internet means youngsters have more access to Web sites like Facebook, YouTube and Twitter where bullies, predators and criminals prey on minors ranging from infants to teenagers.

“You really can’t hide from them,” says Richard Harrison, spokesman for the International Information Systems Security Certification Consortium, a trade group, better known as (ISC)2,  that sends volunteers into schools to discuss cybersecurity. “Kids really need to know the risks that are out there and what sensible behavior is.”

Numerous studies show teens routinely  engage in risky online behavior, such as befriending and sharing personal data and photos with strangers, and dodging parental restrictions by using Internet browsers at school or a friend’s house.

And one recent study by antivirus firm AVG found mothers of young children may be unwittingly abetting online miscreants by posting prenatal sonograms and baby photos online. Of the 2,200 mothers of children age 2 and younger who participated in the 10 nation study, 82% had posted images of their offspring on the Internet.

Many parents fail to grasp the notion that photos intended to be shared with close acquaintances can be widely viewed and copied, if they aren’t meticulous about privacy settings that are often cumbersome to deal with, says J.R. Smith, AVG’s chief executive officer.

Another rule of thumb: once online, always online. “What parents need to understand is that information persists online for a long time and can affect your child’s reputation as they grow,” says Caroline Knorr, parenting editor at Common Sense Media, a non-profit advocacy group. “Every … more