Thursday, August 11, 2011

Along with Falling Stock Prices, Banks Fret Over Cyber Security

In a new survey conducted by Fundtech, a global supplier of banking software, 100 executives from 50 financial institutions were asked what some of the biggest challenges the industry faced. In a dramatic uptick from last year, 65% said fraud monitoring has become an increasing concern. Last year's poll put that number at 53%.

According to Credit Union Times, who carried the story, "74%[of executives surveyed] said they think thei small and medium-sized enterprise customers would be willing to change financial institutions to get better security and 79% said t think that 'only a small fraction of their business client base understands their liability for fraudulent transactions.'"

"'With little expectation that cyber attacks will be brought under control anytime soon, banks, their customers and their technology suppliers must collaborate in order to effectively quell this growing challenge,' said George Ravich, Fundtech’s chief marketing officer."

This is all the more reason to find out what Razorpoint Security can do for safeguarding your online business in retaining and building customer confidence.

Friday, August 5, 2011

Mobile Payment Device Square Shows It's Not In Shape Yet

The tech world has been buzzing for the last year about the mobile payment device Square. Its inventor, Jack Dorsey, who also founded Twitter, has been marketing it as a boon for small businesses and independent vendors.

But it could be cyber criminals who profit the most, stealing credit card data from the device's easily hacked audio recognition software. Tech blog Mashable reports:

Adam Laurie and Zac Franken, directors of Aperture Labs, discovered that due to a lack of encryption in the current Square app and free dongle for swiping cards, the mobile payment system can be used to steal credit card information, without even having the physical credit card.

Square works by converting credit card data into an audio file that is then transmitted to the credit card issuer for authorization.

In order to bypass the need to swipe a card, Laurie wrote a simple program — in fewer than 100 lines of code — that enables him and Franken to feed magnetic strip data from stolen cards into a microphone and convert that data into an audio file. Once that is played into the Square device via a $10 stereo cable, the data is sent directly to the Square app for processing.

Through a combination of proprietary knowledge and cutting edge tools and technology sets, Razorpoint helps security-minded organizations repel potentially lethal cyber threats that often elude mainstream network security providers. Contact us today to learn more about our security services.

Tuesday, July 26, 2011

US House of Representatives committee approves cybersecurity standards bill

The U.S. House of Represenatives is getting more serious with cyber security by pushing a new bill through the Senate. According to Computer Weekly:

The US House of Representatives has passed a bill designed to increase education, research and development to counteract cyberthreats.

The House Science, Space and Technology Committee last week approved the Cybersecurity Enhancement Act of 2011, which mirrors legislation passed last year by the House, but that never made it to the Senate, according to US reports.

With technology developing at faster rate than ever, Razorpoint Security, along with members of the U.S. Government, are working harder than ever in increasing cyber security.

Wednesday, June 1, 2011

Sony Continues To Be Threatened By Cyber Criminals

The Sony Corporation, after suffering a cyber attack on its Playstation Network of 70 million users in late April, is still receiving formative threats.

A group of cyber criminals who have taken responsibility for breaking into PBS' site last week, calling themselves LulzSec, are upping the ante with the technology company.

From CNET:

The group...has been promising Sony attacks since this past weekend when it posted to its Twitter account that it is engaged in an operation it calls "Sownage," shorthand for Sony Ownage. The group stated at the time that it was working on hatching a plan that would be the "beginning of the end" for Sony. It has yet to reveal what it has planned. But yesterday the group said that the attack was already under way, seemingly without Sony's knowledge.

We at Razorpoint Security continue to take a serious interest in this story. If you feel your company needs tighter network security in defending against cyber-criminality, reach out to us.

Wednesday, May 25, 2011

Security Provider Finds Vulnarabilities In Cisco System's Devices

At Razorpoint Security, we always stress that gadgets are not always the answer to finding holes in network security. But when it's the devices themselves that are allowing this breach, the network could at times be more complex to monitor. Such is the case with Cisco Systems, who recently found out their equipment has vulnerabilities they've been trying to patch up since 2010.

According to PC World's Business Center,

"The findings hint at two apparently contradictory themes, that of uniformity and complexity.

"The uniformity derives from the commoditization of IT equipment over the last decade, which has left companies of all sizes, in all countries and in all business sectors using similar families of products which are therefore open to the same vulnerabilities, including PSIRT 109444.

"As networks have become more uniform around standards and more commoditized, vendors have responded by competing in terms of features and development, which has created more complexity within the product families of dominant vendors such as Cisco. As complexity rises, so do the problems associated with management. Dimension also found that many network devices looked at in its assessments suffered from a range of configuration and policy violation issues in ways connected to this theme."

Friday, April 29, 2011

Cloud Computing Security

The next rush into creating complex networks for corporations and personal computing has been to store personal data on a cloud. The cloud uses a large network instead of localization to run applications and devices.

With so many people investing in the cloud to bring server costs down, it would seem obvious that the more people working on the same network, the more vulnerable it becomes.

Many service providers understand this, but have put the burden on their customers to keep information secured.

From The Wall Street Journal:

"The majority of cloud service providers do not consider security as one of their most important responsibilities according to a surprising survey released yesterday.

"The survey of 127 cloud service providers, 24 in six European countries, the others in the U.S., by the U.S.-based Ponemon Institute found that a majority of providers believe it is their customer’s responsibility to secure data."

Friday, February 25, 2011

Experts: Web Generation Clueless About Online Privacy

Last April Fool's Day, the online game store created a customer license agreement that asked gamers for their immortal souls. About 7,500 gamers unthinkingly clicked the "agree" button without reading the devilishly fine print.

The gamers kept their souls, but plenty of netizens have clicked "I agree" to download a new music service, software update or game demo without realizing that they had agreed to let the service provider access their personal information. Many more don't bother to figure out how to update their ever-changing privacy settings on social networks such as Facebook.

Thoughtless users don't deserve all the blame for giving up their personal privacy so easily. Online privacy safeguards have been deliberately designed to be irrelevant or annoying to the online experience, said Bruce Schneier, a security consultant who works with British Telecom.

The challenge is whether new generations that have never known a world without the Internet can adapt their online habits to better secure their privacy.

"The business of social networking sites is to invade privacy, because they want more users who lead to more revenue," Schneier explained. "The [user settings] are deliberately designed to be difficult to navigate and opaque."

Schneier spoke as a member of a panel at a symposium titled "Promoting Security and Sustaining Privacy: How Do We Find the Right Balance?" at the American Association for the Advancement of Science conference in Washington, D.C. on Feb. 19.

The Internet generation gap

Some of those who inherit the digital age often don't realize just how much information is being gathered about them all the time when they surf the Web. Others have simply become used to trading away personal information in exchange for Internet-based services that they find useful.

Either way, sometimes it seems the "kids don't give a damn," according to Stephan Lechner of the European Commission's Joint Research Centre Institute for Protection and Security of the Citizen.

But Lechner, who sat on the panel, also pointed to the clunky legal language of long customer license agreements by bringing up the April Fool's example.

Schneier put a slightly different spin on the problem.

"The Internet generation cares very much about privacy," Schneier said. "They might be terrible at it, but they care about it."

Many young netizens have "social fluency" when it comes to navigating the Internet, but they lack the technical knowledge of "where the computer ends and the Internet begins," Schneier pointed out.

They may not know that much of the information which they disclose to social networking websites and consumer websites is no longer as "private" in any strong sense of the word.

But teaching people to better safeguard their privacy can prove tricky as people spend more and more of their time doing computer-related tasks and storing data purely online – the huge trend known as cloud computing.

Other issues come up because of shifting privacy safeguards, such as Facebook's habit of regularly changing its privacy policies.

"This is a problem if you are educating the young and the unknowledgeable; how would you educate them if the info you tell them is outdated in a very short time?" Lechner said.

Forever playing catch-up

The panel experts mostly agreed that humans may never catch up if they hope to adjust social noms and behaviors to the rapid pace of new technological advances.

"I'm wondering if we can't educate users," Schneier said. "I'm not sure we can. I think things are moving too fast."

But a more hopeful view came from Katharina Zweig, a computer science researcher at the University of Heidelberg in Germany, who attended the symposium as an audience member.

The problem is that people fail to realize how the software behind social networks or consumer websites can easily dig up personal information online without direct consent of the human user, Zweig said. She suggested teaching people the difference between the capabilities of a computer and a human.

"I think we can educate people about the fundamental difference between computer thinking and human thinking," Zweig told LiveScience.

If successful, such an approach could help young generationsbetter appreciate the faceless programs behind the Internet websites and services.

After all, "the Internet never forgets," said Jeremy Pitt at the Institute for Security, Science and Technology of the Imperial College in London, and the third member of the panel.

"One question my five-year-old daughter asked, which completely floored me, was 'Does the Internet know who I am?'" Pitt said. "This question was wrong on so many levels."

Schneier jumped in before Pitt had finished.

"It's easy -- the answer is yes," Schneier said.

Wednesday, February 23, 2011

Facebook Phishing Scam Uses Fake Login Page

A new phishing scam currently spreading through Facebook is proving how important it is to read the fine print.

The scam uses chat messages and wall posts on friends’ pages to trick users into thinking they are being directed to a Facebook application, according to the security firm F-Secure.

Instead of landing on the app page, users instead find themselves on a genuine-looking Facebook login page, where they are asked to re-authenticate their account by entering their e-mail address and password.

But if users look carefully at the login page, they realize the URL in the browser’s menu bar includes “.ru” after the regular address, meaning it’s not a legitimate Facebook site, and any information entered can be easily swiped by the cybercriminals perpetrating the phishing scam.

F-Secure says that although this particular Facebook scam hasn’t spread quickly, Facebook users should always be careful when asked to enter any information, and to be especially wary of links, even if they appear to come from friends.

Defend and protect your identity with Razorpoint Security Services!

Friday, January 21, 2011

IPad Hackers Charged For Email Scheme

Back in the Summer of last year, a hacker group called Goatse iPad Hackers Charged for Email SchemeSecurity found a breach in AT&T's server security that allowed them to access the email addresses of iPad 3G users. They downloaded over one hundred thousand of those email addresses, then alerted AT&T, who promptly fixed the hole. This past week, two of the hackers belonging to that group were each charged with crimes related to that breach.

Andrew Auernheimer and Daniel Spitler have each been charged with "one count of conspiracy to access a computer without authorization and one count of fraud," according to the New York Times article on the subject. Last July, after the events transpired, the FBI received more than 150 pages of chat logs which detail how the men were able to download these email addresses. What it basically came down to was a program on the AT&T servers which when given an iPad's ID number, would return the email address associated with that iPad. Mr Auernheimer and Mr. Spitler then only had to write a small script to guess ID numbers and store the returned addresses.

Both of the men charged insist they did nothing illegal. Mr. Spitler, when asked why he felt that way, replied by saying "cause I didn't hack anything." Their defense rests in the fact that they were accessing data on a public server with no password or encryption, basically that this data was available to anyone on the Internet. There is no evidence thus far that shows anyone trying to sell the data they uncovered, and they informed AT&T of the security hole, allowing them to fix the problem. AT&T on the other hand, is labeling the data mining as "malicious" and claim that their customers could have been "exposed ... to spam or fraud."

If you feel the need to increase your company network and server security, call Razorpoint today, 212.744.6900!

Tuesday, January 18, 2011

Researcher Breaks Wi-Fi Passwords Using Cloud Computing Power

According to a press report, a German security specialist plans to give attendees at a hackers convention next week code that they can run on high-performance cloud computer systems to help them break passwords on seemingly secure, low-cost wireless networks – Wi-Fi, for instance.

As much as anything else, however, it's a demonstration of how much computing power is becoming available to larger numbers of people as a service for a fraction of what it costs to buy and maintain a supercomputer.

According to a report in Reuters, Thomas Roth, a security consultant in Cologne, used high-performance capabilities in's (NASDAQ: AMZN) Elastic Compute Cloud (EC2) service to "brute force" breaking passwords on wireless networks.

Roth will be speaking at next week's Black Hat Security Conference in Washington, D.C. His talk is titled "Breaking encryption in the cloud: GPU accelerated supercomputing for everyone."

The main focus of Roth's recent demonstration, however, was to show how easy, given the availability of such high-powered computing power in the cloud, it is today to break passwords that use an encryption algorithm he says was never meant to secure systems.

Roth reportedly said he was able to breach the relatively sophisticated encryption technology -- SHA-1 (Secure Hash Algorithm) -- by tapping a cluster of Nvidia graphics processors, available through Amazon's services, to provide the horsepower needed for the task of zipping through 400,000 possible passwords per second.

"SHA-1 was never made to store passwords. [It] is a hash algorithm ... made for verifying data. It was made to be as fast and as collision free as possible, and that's the problem when using it for storing passwords: It's too fast," Roth said on his blog in November.

Prices for the equivalent of a supercomputer provided as a service via the cloud are low as well. Roth told Reuters that it took 20 minutes to break into a network in his neighborhood, at a cost of 28 cents per minute -- and that, with improvements in the code, he could do the same in as few as six minutes now.

The problem is, as computing speeds climb ever higher and the price falls, the barrier to hackers falls as well.

"The speed of computers is increasing incredibly fast, and so brute forcing will get faster and faster, and the new cloud offerings make parallelization of such use tasks easy and affordable," Roth continued.

An Amazon spokesperson was not available at publication. However, in speaking with Reuters, a spokesperson made the point that the same feat could be achieved on competing cloud computing services as well.

By Stuart J. Johnston
January 12, 2011

Friday, January 14, 2011

1 in 4 AT&T iPhone users say they'll switch to Verizon

ChangeWave survey finds many AT&T customers dissatisfied with reception/coverage

A new ChangeWave Research survey of 4,050 consumers, completed just days before Verizon announced plans to offer Apple's iPhone, reveals that the carrier will be able to draw significant numbers of new subscribers from its rivals.

Of the sample, 10% said they plan on switching wireless providers in the next 90 days: 2-points higher than a previous ChangeWave survey in September and the highest churn level of the past 18 months.

It seems most of Verizon's success will be from switchers coming from rival carriers, instead of its existing customers: only 4% of Verizon's customers plan to switch in the next 90 days, compared with 10% of Sprint customers, and 15% of both T-Mobile and AT&T subscribers.

A new ChangeWave Research survey of 4,050 consumers, completed just days before Verizon announced plans to offer Apple's iPhone, reveals that the carrier will be able to draw significant numbers of new subscribers from its rivals.

Of the sample, 10% said they plan on switching wireless providers in the next 90 days: 2-points higher than a previous ChangeWave survey in September and the highest churn level of the past 18 months.

It seems most of Verizon's success will be from switchers coming from rival carriers, instead of its existing customers: only 4% of Verizon's customers plan to switch in the next 90 days, compared with 10% of Sprint customers, and 15% of both T-Mobile and AT&T subscribers.

No matter your cell phone provider, Razorpoint Security hopes that you take all precautions necessary to protect yourself from hackers!  If you are wondering how to best protect yourself, contact our data security experts in New York City today.

VERIZON IPHONE: 7 key facts you should know

ChangeWave found that AT&T's churn rate has more than doubled since June 2009, from 6% to 15% of AT&T customers saying they are "very likely" or "somewhat likely" to switch wireless carriers in the next 90 days.

These AT&T customers apparently have had it with the network's quality: 42% of these switchers cite poor reception/coverage as their top reason for leaving, followed by dropped calls, cited by 27%.

A total of 16% of existing AT&T subscribers say they'll switch to Verizon once it begins offering the iPhone; 23% say they don't know if they'll switch; 60% will stay with AT&T. Current Apple iPhone owners are the most likely group of all to switch: 26% saying they'll leave AT&T for Verizon.

In asking respondents how often they experienced dropped calls in the past 90 days, ChangeWave found major improvements for AT&T, though it still lags far behind Verizon Wireless at least in perception of network quality. The results showed 4.7% of the AT&T users in the survey had dropped calls, compared with 6.0% in the September 2010 survey.

This story appeared on Network World at

Thursday, January 13, 2011

Facebook Wants to Issue Your Internet Driver's License

Cybersecurity and privacy-enhancing "identity ecosystem" by Facebook? President Obama put the U.S. Commerce Department in charge of a cybersecurity effort to give each American a unique Internet ID. But Facebook also wants to supply your unique Internet ID and its identity infrastructure is already on millions of websites.

President Obama put the U.S. Commerce Department in charge of a cybersecurity effort to give each American a unique Internet ID. But Facebook also wants to supply your unique Internet ID and its identity infrastructure is already on millions of websites. If participation remains voluntary, could Facebook distribute your Internet driver's license?

Worldwide, e-commerce is estimated at $10 trillion annually. The National Strategy for Trusted Identities in Cyberspace (NSTIC) plan of developing a secure and privacy-enhancing "identity ecosystem" for the Internet is supposed to lower the risks of identity theft, which is rampant, and create a greater confidence in online transactions since less personal information would be collected and stored with each transaction. But there are privacy and civil liberties groups who oppose the idea of any government intelligence agency being in control of its citizens online ID. Many of those same group oppose the government requiring a backdoor into all online programs as part of the Internet's infrastructure.

According to Technology Review, Facebook is becoming a "critical part of the Internet's identity infrastructure" and wants to supply your Internet driver's license. Facebook Login allows any website to use its identity infrastructure by adding a few lines of code so users will see "Connect with Facebook" button on the site. Facebook Connect is one of the most popular codes adopted by websites, so that anyone with a Facebook account is but a click away from logging in, "liking" or sharing a site.

Besides being easy and free for websites to implement, Facebook Connect provides the site with the user's real name as required per Facebook's terms of service. Many sites don't want the hassle and headache of managing their own identity system, but do want users to login for commenting purposes and limiting spam.

On the negative side, Facebook has made horrible privacy mistakes in the past. Since it happened again and again, it seems Facebook showed little regard to its users' outrage of the privacy breaches. It's also a hot target for cyberthugs. Any site is only as strong as the weakest link -- which usually tends to be the user. On any given day on Facebook, there are always phishing scams, busy social engineers, and accounts taken over by hackers. The Firefox plug-in Firesheep makes sniffing out cookies and taking over accounts so easy that even the clueless can manage it over an unsecured Wi-Fi network.

Last fall, making itself a no less appealing target, a New Zealand bank opened the doors to Facebook's first online bank branch. When logged into Facebook, the bank's customers can access their banking information. As more businesses adopt Facebook Connect, it is becoming a universal login on the web, making Facebook a tempting target to cybercriminals.

If participation in Obama's NSTIC cybersecurity program is voluntary and not required, it offers people the ability to stay anonymous by simply not participating. However, if nearly all sites adopt it and then require it, that's not really very optional for people who want to remain anonymous online.

One thing Facebook might have over the Commerce Department issuing unique online IDs is that many people will not trust a government sponsored ID system.  As CDT's Jim Dempsey said, any Internet ID must be created by the private sector and must stay voluntary and competitive. "The government cannot create that identity infrastructure. If it tried to, it wouldn't be trusted," stated Dempsey.

However, Commerce Department Secretary Gary Locke was quick to reassure people that the cybersecurity ID wasn't a guise for more big brother government. "We are not talking about a national ID card," Locke said at the Stanford Institute for Economic Policy Research event. "We are not talking about a government-controlled system. What we are talking about is enhancing online security and privacy, and reducing and perhaps even eliminating the need to memorize a dozen passwords, through creation and use of more trusted digital identities."

White House Cybersecurity Coordinator Howard Schmidt assured people that anonymity and pseudonymity will remain possible online. "I don't have to get a credential, if I don't want to," Schmidt stated. He added there is no chance that "a centralized database will emerge."

The Commerce Department beat out other candidates such as the NSA and DHS to head up the new online identity project. Cnet pointed out, this "should please groups that have raised concerns over security agencies doing double duty in police and intelligence work."

Somehow it doesn't seem too hard to see the potential for abuse if either the government or Facebook become the Internet cops handing out IDs. Can we trust either one to guard users' privacy and security above their own interests and motives?

Wednesday, January 12, 2011

The 10 biggest hoaxes in Wikipedia's first 10 years

From Stephen Colbert and Rush Limbaugh to Adolf Hitler: a history of Wikipedia hoaxes

Wikipedia will celebrate its 10th birthday on Saturday, with founder Jimmy Wales having built the site from nothing to one of the most influential destinations on the Internet. Wikipedia's goal may be to compile the sum total of all human knowledge, but it's also, perhaps, the best tool in existence for perpetuating Internet hoaxes. Let's take a look at the 10 biggest hoaxes in Wikipedia's history. (Did we miss any? Let us know in the comments).

Wikipedia will celebrate its 10th birthday on Saturday, with founder Jimmy Wales having built the site from nothing to one of the most influential destinations on the Internet. Wikipedia's goal may be to compile the sum total of all human knowledge, but it's also, perhaps, the best tool in existence for perpetuating Internet hoaxes. Let's take a look at the 10 biggest hoaxes in Wikipedia's history. (Did we miss any? Let us know in the comments).

The Essjay controversy

This one's so big it has its own Wikipedia page. In February 2007 a Wikipedia administrator who went by the name Essjay "was found to have made false claims about his academic qualifications and professional experiences on his Wikipedia user page and to journalist Stacy Schiff during an interview for The New Yorker, and to have exploited his supposed qualifications as leverage in internal disputes over Wikipedia content." Essjay had been contributing to Wikipedia since 2005, claiming that he "teaches graduate theology, with doctorates in Theology and Canon Law." He also gained a job with Wikipedia sister company Wikia. "Jimmy Wales proposed a credential verification system on Wikipedia following the Essjay controversy, but the proposal was rejected," according to the Wikipedia article.

Edward Owens

Another hoax worthy of its own Wikipedia page, "Edward Owens" was a "fictional character, part of a historical hoax created by students at George Mason University on Dec. 3, 2008 as a project in a class dealing with historical hoaxes called "Lying About the Past." One tactic was creating a Wikipedia article about Owens, "who supposedly lived from 1852 to 1938 in Virginia ... fell on hard times during the Long Depression that began in 1873 and took up pirating in Chesapeake Bay to survive the economic downturn." After media outlets including USA Today were fooled, the class professor decided in December 2008 to reveal the hoax.

Stephen Colbert inflates the population of African elephants

Oh, Stephen Colbert. What would we do without you? Colbert's brilliant media satire show, the Colbert Report, took on Wikipedia in July 2006, urging viewers to edit the encyclopedia to indicate that the population of African elephants had tripled in the previous six months. Known for inventing the word "truthiness," Colbert also gave us "wikiality," the concept that "together we can create a reality that we all agree on — the reality we just agreed on."

Sinbad dead? No, that was just his career ... hey-ohh!

This bit of wiki-vandalism brought Wikipedia down (or up?) to the level of newspapers, which have been known for publishing quite a few premature obituaries. In this case, Wikipedia falsely reported the death of the 50-year-old Sinbad, who even received a telephone call from his daughter and calls, texts and e-mails from hundreds of others after the hoax spread. The Sinbad Wikipedia page was temporarily protected from editing to prevent further vandalism. But numerous others have been falsely listed as dead on Wikipedia, including Sen. Edward Kennedy (months before his actual death), Miley Cyrus, Sergey Brin and Paul Reiser.

Wikipedia biography controversy, or "the Seigenthaler incident"

In May 2005 a Wikipedia editor created a hoax article declaring that 78-year-old American journalist John Seigenthaler "had been a suspect in the assassinations of U.S. President John F. Kennedy and Attorney General Robert F. Kennedy," and it went uncorrected for more than four months. Seigenthaler ultimately wrote about the incident in a USA Today column. Afterward, Wales "stated that the encyclopedia had barred unregistered users from creating new content," the Wikipedia page on the controversy states. But unregistered users can still edit existing articles.

The founder of Orange Julius did not invent a shower stall for pigeons

Jeopardy champion and all-around smart guy Ken Jennings apparently discovered this one, blogging in May 2010 about how the Wikipedia article on Orange Julius namesake Julius Freed was "full of all kinds of crazy trivia, like the fact that he invented a shower stall for pigeons." What Jennings calls "the funniest development on this story" is that "Dairy Queen, which now owns Orange Julius, inadvertently used the hoax material as the basis for a 2007 ad campaign!" This was one of the more successful Wikipedia hoaxes, judging by the amount of time it remained on the site, having stayed up there for five years. "How many hundreds (thousands?) of other articles like this are sitting out in the Wiki-ether right now, wreaking havoc and just waiting to be debunked?" Jennings wonders.

College student fools the whole world's media

If you're a journalist, Wikipedia is a great initial source of information. But you should always use primary sources to verify that what Wikipedia says is true before actually running with it (unless you're writing a cheesy top 10 list story like this one). But one student's experiment in 2009 showed that media members are apparently allergic to fact-checking when it comes to lifting material from Wikipedia. A Dublin University student named Shane Fitzgerald inserted a fabricated quote into the Wikipedia article about recently deceased composer Maurice Jarre. The quote wasn't damaging to Jarre himself - it read "One could say my life itself has been one long soundtrack. Music was my life, music brought me to life, and music is how I will be remembered long after I leave this life. When I die there will be a final waltz playing in my head that only I can hear." But it was damaging to the credibility of newspapers such as The Guardian, which were fooled into using the quote in obituaries. No one even noticed the hoax until Fitzgerald himself reported it a month later, and said he was "shocked at the results" of his own experiment.

Rush Limbaugh turns out to be just as incompetent as the rest of the media

Last year, Limbaugh spent a while talking about Roger Vinson, a federal judge involved in a legal challenge to the new healthcare law. According to The New York Times, "The conservative radio host informed his listeners that the judge was an avid hunter and amateur taxidermist who once killed three brown bears and mounted their heads over his courtroom door to 'instill the fear of God into the accused.' ... But, in fact, Judge Vinson has never shot anything other than a water moccasin (last Saturday, at his weekend cabin), is not a taxidermist and, as president of the American Camellia Society, is far more familiar with Camellia reticulata than with Ursus arctos." It was all because Rush (or his staffers) read hoax material on a Wikipedia page and repeated it as fact. Limbaugh's staff claimed they found the information in a Pensacola News Journal article, but no such article existed.

Actually, maybe this is how we know Rush Limbaugh is a real journalist. He trusts Wikipedia.

Henryk Batuta hoax

Another hoax worthy of its own Wikipedia page, this one was "perpetrated on the Polish Wikipedia from November 2004 to February 2006," and concerned "an article about Henryk Batuta (born Izaak Apfelbaum), a fictional socialist revolutionary and Polish Communist. The fake biography said Batuta was born in Odessa in 1898, participated in the Russian Civil War", and that "a street in Warsaw was named 'Henryk Batuta Street.'" Several Polish newspapers and magazines wrote about the Wikipedia article, which was deleted. The article was apparently a protest designed to "draw attention to the fact that there are still places in Poland named after former communist officials who do not deserve the honour."

Tony Blair – Hitler worshipper?

We couldn't get through a whole Wikipedia hoax article without mentioning Hitler, now could we? It's Godwin's law. Anyway, the Wikipedia page on former British Prime Minister Tony Blair once said that he kept posters of Adolf Hitler on his bedroom wall during his teenage years. Actually, I couldn't find any proof that those words ever appeared on his Wikipedia page, but it seems to have been reported on enough sites that it must have happened. Plus, it was in a book or something.

Thursday, January 6, 2011

Fake White House holiday e-mail is cyber attack

It looked like an innocent e-mail Christmas card from the White House.

But the holiday greeting that surfaced just before Christmas was a ruse by cybercriminals to steal documents and other data from law enforcement, military and government workers — particularly those involved in computer crime investigations.

Analysts who have studied the malicious software said Tuesday that hackers were able to use the e-mail to collect sensitive law enforcement data. But so far there has been no evidence that any classified information was compromised.

The targeted e-mail attack comes as the federal government is desperately trying to beef up its cybersecurity after the release of thousands of State Department cables and military documents by the WikiLeaks website. Federal authorities want to improve technology systems and crack down on employees to prevent the theft or loss of classified and sensitive information.

The red holiday e-mail card, with its brightly decorated Christmas tree, prompted recipients to click on a link, which would then download the ZueS malware — a well-known malicious code that is often used to steal passwords and other online credentials, primarily to poach Internet banking information. The malware was created several years ago and is widely available for criminals to acquire and adapt. It has been used to steal millions of dollars.

In this case, however, the code downloaded a second payload that is designed to steal documents from the recipient's computer, accessing Microsoft Word and Excel files.

Don Jackson, director of threat intelligence for Atlanta-based SecureWorks, a computer security consulting company, said the attack was somewhat small and targeted to a limited number of groups with law enforcement, military and government affiliations.

It was small enough, he said, to suggest that is was sent out manually and not by a large network of infected computers. He said it was not large enough to be picked up by cybersecurity spam traps or sensors.

Alex Cox, principle research analyst for NetWitness, a cybersecurity firm in northern Virginia, said the e-mail was sent out just a day or so before Christmas, delivered by a control server in Belarus. He and Jackson said they believe this ZueS version was created by the same people who launched a similar but much larger attack last February.

Cox, who discovered the ZueS-infected malware last year when it infected at least 74,000 computers, said it's hard to determine how many people were affected or how many documents were stolen in this latest attack.

Jackson said at the hackers stole at least several gigabytes of data.

Analysts learned of the e-mail attack last week and have spoken with federal authorities about it.

Homeland Security Department spokeswoman Amy Kudwa said officials are aware of the ZueS e-mail and are monitoring it along with other similar malware attacks that have been tracked for some time.

Cox and Jackson would not disclose details on who was attacked or what documents may have been compromised but agreed that the hackers probably were after the documents, rather than any banking or financial passwords.

One theory, said Jackson, is that the hackers were looking for information about law enforcement cases and investigative techniques related to cybercrime so that they could sell it to other criminals.

The e-mail attack, however, underscores the continuing vulnerability of government workers and their computer systems to versions of the ZueS malware. Hackers can easily tweak the code each time so that it does not trigger antivirus software.

"Criminals have found that if they change the files in small ways it can slip past antivirus software," said Jackson.

While ZueS-related attacks are fairly common, this latest one stood out because of the use of the White House connection to lure recipients in and the targeted way it went after law enforcement, analysts said.

One U.S. official said that the code was rather poorly written. The hackers could only get easily accessible documents and not those filed deep within layers of folders on the hard drive, said the official, who spoke on condition of anonymity to discuss ongoing investigations.

Do not get caught in an e-mail cyber attack!  Contact Razorpoint Security today to ensure your systems are well protected!

Wednesday, January 5, 2011

Army kicks off construction of $1.2 billion NSA cybersecurity center

The US Army Corps of Engineers (USACE) is scheduled to begin work this week on a $1.2 billion data center at Camp Williams in Salt Lake City, Utah, that will house a National Security Agency cybersecurity intelligence center.

The 1.5-million-square-foot facility, known as the Utah Data Center, will house an NSA facility that will gather intelligence about cybersecurity threats to federal government networks. Construction on the center is scheduled to begin on Thursday.

The center will consist of 100,000 square feet of raised floor data center space and more than 900,000 square feet of technical support and administrative space, according to a USACE release. Support facilities include an electrical substation, a vehicle inspection facility and visitor control center, fuel storage, water storage and a chiller plant.

The NSA center is being built as part of the White House’s Comprehensive National Security Initiative (CNSI), which is designed to improve cybersecurity efforts to protect federal computer networks.

The CNSI has the following goals:

  • To establish a front line of defense against immediate cybersecurity threats by creating or enhancing shared situational awareness of network vulnerabilities, threats, and events within the federal government and acting to reduce current vulnerabilities and prevent intrusions.

  • To defend against the full spectrum of cybersecurity threats by enhancing counterintelligence capabilities and increasing the security of the supply chain for key information technologies.

  • To strengthen the future cybersecurity environment by expanding cyber education; coordinating and redirecting research and development efforts across the federal government; and working to define and develop strategies to deter hostile or malicious activity in cyberspace.