Record bad year for tech security
Paper says 2005 saw the most computer security breaches ever; more than 55M Americans exposed.
CNNMoney.com

2005 saw the most computer security breaches ever, subjecting millions of Americans to potential identity fraud, according to a report published Thursday.

Over 130 major intrusions exposed more than 55 million Americans to the growing variety of fraud as personal data like Social Security and credit card numbers were left unprotected, according to USA Today.

The Treasury Department says that cyber crime has now outgrown illegal drug sales in annual proceeds, netting an estimated $105 billion in 2004, the report said.

At the same time, the Department of Homeland Security's 2005 research budget for cybersecurity programs was cut 7% to $16 million.

It is difficult to gauge the true number of security failures because many companies are unaware they've been hacked, the paper said.
__________________________
Ford recently saw 70,000 employee records stolen -- read more here.

US hacker pleads guilty to eBay attack
A hacker who was charged with using approximately 20,000 virus-infected computers to attack online auction firm eBay in 2003 has pleaded guilty, the United States Attorney's office said on Wednesday.

The hacker, Anthony Scott Clark, 21, of U.S. state Oregon, helped to launch distributed Denial of Service attacks on the Internet against eBay, according to prosecutors.

Clark and his accomplices used a worm program called "bot" that exploited a vulnerability in the Windows Operating System. The "bots" were then directed to an Internet chat server, where they connected, logged in, and waited for instructions.

"Mr. Clark personally commanded the 'bots' to launch DDOS attacks on the name server for eBay.com," and, "as a result of these commands, Mr. Clark intentionally impaired the infected computers and eBay.com," the Attorney's office said in a statement.

Clark admitted to the charges at a federal court in San Jose, California, on Tuesday afternoon. Prosecutors said Clark faces a potential sentence of up to 10 years in prison, a fine of 250,000 U.S. dollars, and three years supervised release.

But the arrest is unlikely to make a dent in the number of botnets or their usage, security experts warned. Attacks using botnets are difficult to track, because they are usually cross-border attacks and anonymous.
"It is difficult to tell who's pushing the buttons," said Joseph Telafici, director of operations for the Anti Virus Emergency Response Team at anti-virus software maker McAfee.

"Botnets are the biggest source of cash flow in organized Net crime as they are used to drop adware into user computers, for spam relays, data theft, and to launch DDOS attacks," Telafici told Red Herring, a well-known technology magazine.

Marriot Chain Reports 200,000 Customer Records Missing
In addition to searching for ways to protect Internet-connected networks from hacker attacks, companies are scrambling to prevent the pilfering of sensitive records by their own employees. Insider identity theft will be a major trend in 2006, Joseph Ansanelli, CEO of data security firm Vontu, recently predicted.

In the latest of several high-profile cases of database breaches that could be connected to identity theft, the timeshare unit of hotel giant Marriott International says it can't find computer backup tapes containing personal data of more than 200,000 customers and employees.

Marriot Vacation Club International (MVCI) set out to notify those potentially affected, as required under some state laws, that their personal data may have been compromised after tapes stored at the unit's Orlando, Florida, headquarters were discovered missing.

The tapes included a host of personal data -- including Social Security numbers, as well as bank and credit card numbers.

Marriot said it was offering those affected by the data loss a chance to enroll in a credit-monitoring service without charge.

"We regret this situation has occurred and realize this may cause concern for our associates and customers," MVCI President Stephen P. Weisz said. "We have recently mailed notifications to associates, timeshare owners and timeshare customers, and [we] are available to answer any questions they may have."

Marriot joins several other high-profile corporations that have been forced to reveal breaches into systems holding personal data of their customers. Citigroup, Bank of America (NYSE: BAC) and DSW Shoe Warehouse have all revealed similar problems in recent months.

Multiple Weak Points
Often, such breaches involve computer hackers finding their way into protected databases, but information security experts have long warned that companies that focus too much on virtual security of their networks may be neglecting physical security issues, such as protection of backup storage media.

The company released few details on the missing tapes, keeping mum about when they were discovered missing or what may have become of them. It has commissioned its own investigation and said it would work with authorities where appropriate.
Marriot did not say whether any reported incidents of identity theft, or credit-card or bank-account fraud, have been tied to the missing tapes. The company said the tapes would only be useful if those who had them also had the right hardware and software to read the information they contain.

The fact that major companies -- including many in the financial services industry, where trust is seen as critical -- are still falling victim to database breaches underscores the difficult nature of the problem.

In June, MasterCard disclosed a security breach at a third-party that handled transactions processing duties, which exposed as many as 40 million credit-card accounts. Around the same time, Citigroup notified nearly 4 million of its customers that computer tapes containing information about their accounts had apparently been lost.

Smaller companies have found themselves in similar situations, sometimes with extortion by those who steal the data blended into the mix. Game developer White Wolf Publishing recently said hackers stole information about users of its role-playing games and threatened to post the data online if the company failed to make a cash payment.

Guidance software, which makes database-protection products, recently revealed that its databases were breached in November, potentially exposing around 4,000 credit-card numbers.

Justifying the Cost
In addition to searching for ways to protect Internet-connected networks from hacker attacks, companies are scrambling to prevent the pilfering of sensitive records by their own employees. Insider identity theft will be a major trend in 2006, Joseph Ansanelli, CEO of data security firm Vontu, recently predicted.

The Marriot breach comes just weeks after two other major occurrences: ABN AMRO Mortgage Group said a computer tape containing data on approximately 2 million customers was lost while being transported to a backup facility. Also, discounter Sam's Club said 600 customers who used credit cards to buy gas at its stores had fallen victim to credit-card fraud.

Companies that must hold sensitive personal data should "move quickly to end their reliance on data tapes" and instead transmit data in encrypted form to off-site storage centers, advised Gartner analyst Avivah Litan. Those that must continue to use tape should ensure all data is protected with strong encryption.

"Protecting customer data is much less expensive than dealing with a security breach in which records are exposed and potentially misused," Litan said. Additional legislation will help spur companies to justify investments in strong data protection as well.

In fact, the latest breach may help accelerate the passage of new laws pending in the U.S. Congress. Several lawmakers are pushing for a federal bill similar to one in the state of California that requires companies to notify anyone who might be affected by a security problem in a timely manner.

Hacker cracks police force network
RCMP, OPP and Toronto service may be among victimsThieves raid database favoured by law enforcement agencies

OTTAWA—Major police forces across Canada, including the RCMP, OPP and the Toronto force, are among thousands of law enforcement agencies and forensic investigators whose private and financial information may have been stolen this month in a hacker attack, a published report says.

Guidance Software, Inc., a private Pasadena, Calif., firm, said in a letter sent out to law enforcement agencies last week that thieves had raided its database sometime in November, stealing credit card numbers and in certain cases information such as addresses and telephone numbers for 3,800 customers.

Guidance makes EnCase, a suite of forensic investigation software that has become the standard tool used by computer crime units of police, insurance companies, banks and private computer forensics specialists.

The RCMP, the OPP and the Toronto police are among Canadian agencies that say they received letters from Guidance informing them that their units' confidential information had been exposed. Guidance became aware of the breach Dec. 7, the Ottawa Citizen reports.
Toronto Police Service spokesman Mark Pugash told the Star's Betsy Powell yesterday the matter will be investigated to see what, if anything, the breach means to Canada's largest municipal force.

EnCase products are used, among other things, to extract and analyse digital evidence from computers to identify hacker attacks.

Guidance's own software "certainly should have set off some alarms that `someone is downloading our entire database,'" said Ryan Purita, an EnCase-certified investigator with Totally Connected Security Ltd. in Vancouver. He is one of a handful of Canadian computer forensics experts authorized to testify in court.