Thursday, October 20, 2005

Dutch Say Suspects Hacked 1.5M Computers

AMSTERDAM, Netherlands - Three suspects in a Dutch crime ring hacked 1.5 million computers worldwide, setting up a "zombie network" that secretly stole credit card and other personal data, prosecutors said Thursday.
The three, who were arrested Oct. 6 and originally were estimated to have hacked 100,000 computers, have yet to enter a plea.
A court in the town of Breda extended the custody of the 19-year-old main suspect and a 22-year-old accomplice for a month Thursday, and ordered the release of the third, aged 27, pending trial, prosecution spokesman Wim de Bruin said. The suspects' names have not been released.
Prosecutors said, however, more arrests were likely as the investigation continues.
The two still being held are accused of blackmailing a U.S. company by threatening it with a "denial of service" attack, in which thousands of computers that have been infected are used to bombard a target with e-mail. De Bruin said the company did not want its identity known.
The software the hackers used, a variation of the worm known as "W32.Toxbot," was first detected this year. Antivirus software can remove it, but the hackers adjusted the program constantly to defeat protections.
The existence of the "zombie network" of infected computers was first detected by Dutch Internet provider XS4ALL. The company noticed unusual activity coming from a handful of its users' infected computers, said the company's chief technical officer, Simon Hania.
The company traced the network as far as it could, and then turned the matter over to prosecutors.
De Bruin said prosecutors worked with computer crime experts to trace the network to its source and then installed taps on the suspects' computers. The taps showed the suspects manipulating the zombie network to steal passwords and credit card data, De Bruin said.
They also are accused of stealing PayPal and EBay Inc. account information to order goods without paying for them, he said. Authorities have seized computers, a bank account, an undisclosed amount of cash and a sports car in the investigation.
About 30,000 of the infected computers were in the Netherlands. When investigators dismantled the global network, they found more than 15 times the number of infected computers they originally estimated.
XS4ALL's Hania said that although the zombie network may be the largest of its kind whose controllers were busted, it was only a "drop in the ocean."
"It destroys the Internet," he lamented.

By TOBY STERLING, Associated Press Writer

Tuesday, October 18, 2005

Consumer confusion abounds over spyware

According to exclusively provided results from the 2005 National Spyware Study, prepared by The Ponemon Institute, sponsored by Unisys Corporation and assisted by Chappell Associates, most consumers believe that they have been victims of spyware, and many of them are confused when it comes to issues relating to spyware. Even so, most prefer access to free downloadable software over laws designed to grapple with spyware problems.
An astounding 84% of respondents report that they have been spyware victims. From this group, an overwhelming 97% do not remember viewing end user licensing agreements (EULAs) before downloading spyware software on their computers.
Many respondents do not know how spyware is downloaded on their computers. Indeed, more than 42% report that they have "no idea" where the spyware comes from.
The primary reported negative consequence of spyware appears to be computer malfunctioning. This results in reported productivity losses for many people.
Approximately 15% of respondents report that they have suffered monetary damages from spyware on their computers. The average loss for this group is estimated at about $50 over the past 12 months. While this amount is not large on an individual basis, it is on a macro level.
A substantial number of respondents, 76%, report that they have experienced time losses emanating from spyware on their computers. The average time loss is estimated at 1.6 hours over the past 12 months. Again, while this time loss is not huge for an individual, it represents a large time loss on a cumulative basis.
Most respondents report downloading free software on the Internet. The most common of such programs include games, screen savers, and music players. These types of software programs are known to download spyware and adware desktop applications.
The respondents generally do not have a clear understanding of differences between spyware and adware. Indeed, almost half of them failed a test question that properly seeks definitions of spyware and adware.
The majority of respondents appear not to understand Internet economic issues. For example, they do not know how "free" software programs earn profits for their suppliers.
Interestingly, when available, most respondents concede that they do not read EULAs. The main cited reason is that language contained in EULAs is too complex and confusing.
Roughly half of respondents believe that it never is acceptable or appropriate to be tracked by spyware or adware on the Internet.
Still, most respondents do not desire new anti-spyware laws to prevent them from obtaining free software.
Thus, while most respondents have been subject to spyware, do not want to be tracked by such programs, and have confusion about some spyware issues, they appear more interested in obtaining free software than thwarting spyware problems.

Written by: Eric Sinrod, a partner in the San Francisco office of Duane Morris.
His Web site is www.sinrodlaw.com, and he can be reached at ejsinrod@duanemorris.com.

Regulators: Banks Must Beef Up Web Security

BOSTON (AP)--Federal regulators will require banks to strengthen security for Internet customers through authentication that goes beyond mere user names and passwords, which have become too easy for criminals to exploit.
Bank Web sites are expected to adopt some form of "two-factor" authentication by the end of 2006, regulators with the Federal Financial Institutions Examination Council said in a letter to banks last week.
In two-factor authentication, customers must confirm their identities not only through something they know, like a PIN or password, but also with something they physically have, like a hardware token with numeric access codes that change every minute.
Other types of two-factor authentication include costlier hardware involving biometrics or "smart" cards that would be inserted into designated readers on a user's computer.
Banks might also issue one-time passwords on scratch-off cards or require "secret questions" about a customer's account, such as the amount of the last deposit or mortgage payment.
The council also suggested that banks explore technology that can estimate a Web user's physical location and compare it to the address on file.
The most common way of stealing consumers' personal identity data and financial account credentials online, known as phishing, typically involves sending e-mails that direct unwitting users to phony Web sites. Data harvested at such sites is then used fraudulently.
The Anti-Phishing Working Group, an industry association, reported 13,776 unique types of phishing attacks in August.
While some financial institutions have given their customers electronic password tokens, those have tended to be optional. Other banks have instituted password entry through mouse clicks instead of typing, a protection against keystroke-snooping programs.
But in general, the industry can do more to stop account fraud and identity theft, according to the financial institutions council--which includes the Federal Reserve; the Federal Deposit Insurance Corp.; the U.S. Comptroller; the Office of Thrift Supervision, and the National Credit Union Administration.
"The agencies consider single-factor authentication, as the only control mechanism, to be inadequate for high-risk transactions involving access to customer information or the movement of information to other parties," the council wrote. "Account fraud and identity theft are frequently the result of single-factor ... authentication exploitation."
FDIC spokesman David Barr said the rules will serve as standards that will be checked when banks' practices are audited.
Although the requirements apply just to financial services companies, the policy could stimulate wider use of two-factor authentication by other merchants that are willing to "federate" their Web sites with banks, said Michael Aisenberg, director of government relations for Internet services provider VeriSign Inc.
VeriSign is a member of the Liberty Alliance, a group that is working to develop standards for federated authentication.
In a federated system, a two-factor login at one site would be recognized by another, so a travel agency associated with your bank would automatically grant you access if you came straight from the financial institution's Web site.
At the very least, Aisenberg said, "The securities industry is going to have to go along and other regulated sectors will no doubt follow along as well."

Written by: Brian Bergstein @ TechWeb.com

Nigeria and Microsoft sign deal to fight e-mail fraud

ABUJA (AFP) - Nigeria and the US software giant Microsoft have formed an alliance to combat the Internet fraudsters who have damaged the country's international image, Nigeria's anti-graft agency said.
"Millions of people all over the world can only link the country and her nationals to the infamous scam letter," said Nuhu Ribadu, chairman of the Economic and Financial Crimes Commission (EFCC), in a statement released here.
"EFCC and Microsoft have teamed up to fish out Internet fraudsters in Nigeria and the west African sub region," he said.
Computer users across the world have become accustomed to being bombarded by e-mails from Nigerians seeking to trick them into handing over bank details or making advance payments on non-existent money-making schemes.
Experts say that the so-called 419 fraudsters -- named after the relevant section in Nigeria's criminal code -- steal hundreds of millions of dollars every year from unsuspecting marks.
In the biggest such case to date, a Brazilian bank collapsed after Nigerian confidence tricksters persuaded a corrupt employee to divert 242 million dollars (192 million euros) of his employer's capital into an imaginary deal to develop Abuja airport.
Microsoft markets the most popular computer programmes controlling access to the Internet, and Nigeria hopes that after signing a deal with the company in London at the weekend, the firm will help it track scammers, who now face stiffer laws at home.
The Nigerian parliament recently passed the stringent "Advance Fee Fraud Act 2005", which holds liable not only the fraudster but also cybercafe owners and office managers who allow their premises and facilities to be used for the crime.
President Olusegun Obasanjo has proposed an amendment to the act to make it a crime for scammers -- who are known in Nigeria as "Yahoo-Yahoo boys" after the popular free e-mail service -- to send unsolicited messages.

Monday, October 17, 2005

Feds Want Banks to Strengthen Web Log-Ons

BOSTON - Federal regulators will require banks to strengthen security for Internet customers through authentication that goes beyond mere user names and passwords, which have become too easy for criminals to exploit.
Bank Web sites are expected to adopt some form of "two-factor" authentication by the end of 2006, regulators with the Federal Financial Institutions Examination Council said in a letter to banks last week.
In two-factor authentication, customers must confirm their identities not only through something they know, like a PIN or password, but also with something they physically have, like a hardware token with numeric access codes that change every minute.
Other types of two-factor authentication include costlier hardware involving biometrics or "smart" cards that would be inserted into designated readers on a user's computer.
Banks might also issue one-time passwords on scratch-off cards or require "secret questions" about a customer's account, such as the amount of the last deposit or mortgage payment.
The council also suggested that banks explore technology that can estimate a Web user's physical location and compare it to the address on file.
The most common way of stealing consumers' personal identity data and financial account credentials online, known as phishing, typically involves sending e-mails that direct unwitting users to phony Web sites. Data harvested at such sites is then used fraudulently.
The Anti-Phishing Working Group, an industry association, reported 13,776 unique types of phishing attacks in August.
While some financial institutions have given their customers electronic password tokens, those have tended to be optional. Other banks have instituted password entry through mouse clicks instead of typing, a protection against keystroke-snooping programs.
But in general, the industry can do more to stop account fraud and identity theft, according to the financial institutions council — which includes the Federal Reserve; the Federal Deposit Insurance Corp.; the U.S. Comptroller; the Office of Thrift Supervision and the National Credit Union Administration.
"The agencies consider single-factor authentication, as the only control mechanism, to be inadequate for high-risk transactions involving access to customer information or the movement of information to other parties," the council wrote. "Account fraud and identity theft are frequently the result of single-factor ... authentication exploitation."
FDIC spokesman David Barr said the rules will serve as standards that will be checked when banks' practices are audited.
Although the requirements apply just to financial services companies, the policy could stimulate wider use of two-factor authentication by other merchants that are willing to "federate" their Web sites with banks, said Michael Aisenberg, director of government relations for Internet services provider VeriSign Inc.
VeriSign is a member of the Liberty Alliance, a group that is working to develop standards for federated authentication.
In a federated system, a two-factor login at one site would be recognized by another, so a travel agency associated with your bank would automatically grant you access if you came straight from the financial institution's Web site.
At the very least, Aisenberg said, "The securities industry is going to have to go along and other regulated sectors will no doubt follow along as well."

By BRIAN BERGSTEIN, AP Technology Writer

Cisco adds security to switches, wireless devices

NEW YORK (Reuters) - Cisco Systems Inc. (Nasdaq: CSCO) is adding security features to its network switches and wireless products, in the networking gear maker's latest push to sell software to help corporations combat spyware, worms and viruses.
Cisco already sells security software for its routers, which allows businesses to add a layer of security to their Web-based networks, which are often used by far-flung workforces. On Monday, Cisco said it is now selling the software for its switches, which companies often use in simpler local area networks within their own buildings.
The expansion of the security features to businesses' internal networks also includes wireless access points, which corporations are increasingly installing on their campuses.
The software is designed to protect corporations from computers and mobile devices which may have been infected through use outside of the office, as well as from outside attacks against the network itself.
The software, which Cisco sells under the brand name Network Admission Control, has proven to be a popular add-on for Cisco's corporate clients, who are wrestling with a wide range of security threats. The technology has also allowed Cisco to expand into the lucrative area of security software.
The market for network security software and appliances will reach $4.3 billion by the end of 2005 and could grow to $6.3 billion by 2009, according to the Synergy Research Group in Scottsdale, Ariz. Overall security spending will compose 7.9 percent of the U.S. IT budget in 2005, or $59.6 billion, according to Forrester Research Inc. (Nasdaq: FORR) in Cambridge, Mass.
This growth is being spurred by the constant assault on corporate and home networks by worms, viruses and other harmful programs.
"I've seen a big increase over the year in terms of attention paid to it by security managers and CIOs to this problem," said Gregg Moskowitz, an analyst at Susquehanna Financial Group.
Cisco's software is designed to be compatible with devices that do not contain Cisco's own verification system, known as the Cisco Trust Agent. This is important for companies that open up their networks to deal with outside business partners, such as suppliers or contractors, who might be running security software from other vendors, said Bob Gleichauf, chief technology officer in Cisco's Security and Technologies Group.
Cisco's focus on network security pits it against traditional rival Juniper Networks Inc, as well as Check Point Software Technologies Ltd, Microsoft Corp (Nasdaq: MSFT), Internet Security Systems Inc (Nasdaq: ISSX) and McAfee Inc (NYSE: MFE).
Cisco officials declined to say how much revenue and profit it expects from its network security business.
Cisco shares were down 7 cents, or 0.41 percent, in after-hours INET trading.