Wednesday, August 18, 2010

Adapting Digital Rights Management to Secure Sensitive Data

By Eric Chabrow

Could (or should) the bane of music aficionados who like to, but can't, share recordings - digital rights management - be adapted to produce another layer of protection of sensitive or classified government information?

In a phone conversation Tuesday, Jeff Nigriny, president of security provider CertiPath, raised the idea of employing the technology behind digital rights management to help secure sensitive documents. Digital rights management would be ideal in situations where a limited number of individuals need access to information.

Nigriny said the Joint Strike Fighter Program could benefit from digital rights management. JSF, as the program is known, is a joint effort by the U.S. military and nearly two dozen of our allies to define affordable, next-generation jet fighters. He says a problem our government faces is sharing sensitive and classified documents associated with JSF, even with such close friends as Britain:

"The U.S. government has not been able to get our heads around sharing the technical data with the U.K. It's not that we don't want to do it; the U.S. government has concerns that the people who would receive it in the U.K. might not have the same technical wherewithal to protect it the same way as Lockheed Martin would."
 
To read the entire article, click here - http://blogs.govinfosecurity.com/posts.php?postID=672&rf=2010-08-18-eg

Saturday, August 14, 2010

ATM Access: Getting In Is Too Easy

By Tracy Kitten

Security is an interesting topic. We're all concerned about it, but we often overlook the most fundamental things.

Yesterday, I tapped a few bankers for comments about ATM security. In particular, I was fishing for some reaction to last week's ATM hack at the Black Hat Technical Security Conference. Two Windows CE-based ATMs were breached during a staged attack by security expert Barnaby Jack.

The ATMs - a Triton RL2000 and a Tranax 1700 - are most often deployed by retailers, community banks and credit unions. As Lilia Rojo, the director of operations for the $476 million El Monte, Calif.-based SCE Federal Credit Union, points out, credit unions are often looking for less-expensive ATM alternatives, relative to those produced by NCR and Diebold. "But we still want to know that the machines are secure," she says.

The Triton and Tranax ATMs are lower-volume machines, so they make sense for locations that aren't getting hit with, say, 2,000 cash withdrawals a month. But are they less secure? "It's certainly unsettling," Rojo tells me. "Not having the technical expertise, you rely on the manufacturer to help you with something like this - to stay one step ahead of these problems."

The problems Rojo refers to include the ease with which Jack showed how any hacker could access an ATM's operating system and ultimately take it over. In one case, Jack bypassed the ATM's remote management system. In another, he walked up and physically accessed the ATM's PC and infected it with malware saved to a thumb drive.

The former mode of attack is definitely disturbing - Jack bypassed the Tranax RMS. Triton, whose ATM was attacked by a thumb-drive-carried culprit, responded to the hacking of its authentication methodology with a patch.

How many institutions have downloaded and installed the patch? How many even know about the patch? That's definitely a concern. But more concerning is that the latter breach again exposes a security gap that has come up several times in recent weeks. With ease, Jack opened the ATM's enclosure with a universal key he ordered over the Internet.

To read the entire article, click here - http://blogs.bankinfosecurity.com/posts.php?postID=651&rf=2010-08-13-eb

Tuesday, August 10, 2010

ACH Fraud: 1 Year Later

What Results Have Come from Conflicts Between Banks, Businesses?

By Linda McGlasson, Managing Editor

In Rockwall, Texas, a suburb of Dallas, Hi-Line Supply, a business telephone equipment company, is trying to force Community Bank, Inc. into court to settle a liability claim for $50,000 over an alleged incident of corporate account takeover.

By itself, this incident is a footnote among legal disputes. But seen in the context of similar incidents that have swept the country for the past year, the Hi-Line/Community Bank case is the latest in a series of troubling conflicts between banking institutions and business customers.

It's been almost exactly one year since the growing scourge of ACH/wire fraud was exposed by the Federal Deposit Insurance Corporation in a warning about fraudsters using the online channel to prey upon small and medium-sized businesses.

Since then, the industry has seen many incidents and several high-profile cases, including:

Hillary Machinery vs. PlainsCapital Bank - the notorious case of a bank suing its own customer;

Experi-Metal Inc. vs. Comerica Bank - the concurrent case of a customer suing its bank over fraud losses;

PATCO vs. Ocean Bank - one of the more recent conflicts to emerge nationwide, impacting banks and businesses of all sizes.

To read the entire article, click here - http://www.bankinfosecurity.com/articles.php?art_id=2829&rf=2010-08-10-eb

Wednesday, August 4, 2010

New Fraud Spree Investigated

Retailers, Restaurants Struck by String of Crimes Targeting Cards

By Linda McGlasson, Managing Editor

The arrests of two men in Florida on multiple identity theft charges represent "just the tip of the iceberg" in payment card crimes against merchants and consumers across the U.S., according to law enforcement officials.

While these two suspects aren't believed to be the masterminds behind the string of fraud incidents that have hit retail chains such as Hancock Fabrics, the spike in the number of these crimes is undeniable, investigators and fraud analysts say.

A recent example: On June 3, Buffalo Wild Wings Restaurant near Oklahoma City was one of several regional restaurant chains to report being hit with credit and debit card fraud. Law enforcement has not yet said what the source of the credit card fraud was, but Elaine Dodd, head of the Oklahoma Bankers Association's fraud division, says it may have been a skimmer or point-of-sale compromise. "[Fraudsters] are using multiple routes to get card data because they know it can be done," Dodd says.

To read the entire article, click here - http://www.govinfosecurity.com/articles.php?art_id=2804&rf=2010-08-04-eg

Monday, August 2, 2010

A Tale of Three Breach Reports

July 30, 2010 - Linda McGlasson

This week a trio of reports came out on data breaches. Talk about information overload! I decided to take a look at these reports to compare commonalities and distinctions.

One of the best and most comprehensive of reports, the annual Verizon Business Data Breach Investigations Report, slams home some really scary statistics for financial services, hospitality and other industries prone to data breaches. Its two top headlines: Organized crime was responsible for 85 percent of all stolen data in 2009. And stolen credentials were the most common way to gain unauthorized access into organizations.

When boiled down to the basics, each of these reports says the same thing: Expect a data breach.

Next, the first annual Cost of Cyber Crime Study by the Ponemon Institute shows the enormous cost that data breaches have on victim organizations. This study doesn't look at types of data breaches per se, but rather the costs. Web-borne attacks, malicious code and insiders are the most costly, making up more than 90 percent of all cybercrime costs per organization per year. An average web-based attack costs $143,209; malicious code, $124,083; and malicious insiders, $100,300. The report doesn't paint a rosy picture about the average length of time to resolve a data breach. An incident incurred by a malicious insider, for instance, takes an average of 42 days or more to resolve.

To read the entire article, click here - http://blogs.govinfosecurity.com/posts.php?postID=644&rf=2010-08-02-eg
