EISST - Enterprise Information Security Systems & Technologies
News & Events

October, 27. 2006

Banks scramble to boost online security

By January 2007, anyone who banks online should be better protected against fraud and identity theft. That's because, by the end of this year, all financial institutions – brokerages, banks, credit unions – must add an extra layer of security for high

This increased security is mandated by the Federal Financial Institutions Examination Council (FFIEC), an organization of five financial industry enforcement agencies: the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the National Credit Union Administration, the Office of the Comptroller of the Currency, and the Office of Thrift Supervision. Any institution that is governed by one of those agencies is also covered by the new guidelines. And it also faces a potential fine or other penalty if it fails to comply.


July, 12. 2006

Citibank Phish Spoofs 2-Factor Authentication

Security experts have long touted the need for financial Web sites to move beyond mere passwords and implement so-called "two-factor authentication" -- the second factor being something the user has in their physical possession like an access card -- as t

These methods work, however, only so long as the bad guys don't fake those as well.


June, 13. 2006

Microsoft releases 13 security patches, eight critical

Microsoft delivered 13 security bulletins Tuesday, the most it's delivered in a monthly update in more than a year. Eight updates are considered critical, addressing issues in Windows, Internet Explorer, Exchange, Media Player, PowerPoint and Word.

MS06-021 is a cumulative update for Internet Explorer resolving several issues that could enable remote code execution. Most notably, it implements a permanent change in ActiveX behavior, effectively terminating support for a temporary compatibility patch released along with Microsoft Security Bulletin MS06-013. The temporary patch fixed the widely publicized createTextRange exploit.


May, 19. 2006

Zero-day threat targets Microsoft Word

Targeted exploit code has been discovered in the wild that takes advantage of Microsoft Word to open a backdoor for attackers.

Cupertino, Calif.-based antivirus giant Symantec Corp. this morning informed customers of its DeepSight Threat Management System that it has raised its ThreatCon level from 1 to 2 (on a scale of 4) as a result of the exploit, currently known as Trojan.Mdropper.H. In its message to customers, Symantec said the zero-day exploit arrives as a Word document attached to an email. Vincent Weafer, senior director at Symantec's Security Response unit, said the document appears to be of Japanese origin and includes text summarizing a recent U.S.-Asian political summit.


March, 16. 2006

Ignoring data breaches means ignoring risk management

Corporate America's concept of "consumer loyalty" has been replaced with its struggle to keep pace with an onslaught of privacy compliance mandates. Fostering customer confidence and trust is arguably the most critical element of maintaining reputation.

Current consumer census reinforces that fact. Information transparency dictated by environment in the wake of the Sept. 11 terrorist attacks has evoked feelings of cynicism and helplessness among the American public, and for good reason. Banks, government organizations, retailers and healthcare providers now possess 24/7 access to personal data that, in the wrong hands, could pose an identity theft massacre.


February, 20. 2006

Strict liability for data breaches?

A recent case involving a stolen laptop containing 550,000 people's full credit information sheds new light on what "reasonable" protections a company must make to secure its customer data - and what customers need to prove in order to sue for damages.

Let's say you open your mailbox, and there is a letter from the financial organization that holds your student loan. "Dear valued customer..." the letter begins, and then it informs you that "due to circumstances beyond their control" your personal information has been compromised. Your name, home address, social security number, credit information, account balances - everything - is now sitting on a computer in Belarus, with the information being hawked for sale on half a dozen websites.


January, 13. 2006

Data leaks and losses abound

People's Bank loses 90,000 people's data. Connecticut state and People's Bank officials revealed Wednesday that a storage tape holding confidential data on 90,000 People's customers was lost while being transported to a credit reporting bureau.

Lost in Atlantis: Data on 55,000 Bahamas hotel guests stolen. Apparently data thieves enjoy Paradise Island, too. The Bahamas' Atlantis Resort reported this week that cybercriminals broke into its database and may have made off with sensitive information on 55,000 guests.


December, 2. 2005

A Chronology of Data Breaches

Each week it seems news of yet another customer data breach hits the headlines, whether it's Bank of America, ChoicePoint, LexisNexis, TransUnion, etc. While they may seem like no big deal, experts warn against the loss or exposure of customer data.

An increasing number of data breaches have been reported in the USA during 2005 because the personal information compromised includes data elements useful to identity thieves, such as Social Security numbers, account numbers, and driver's license numbers. The chronology below begins with ChoicePoint's 2/15/05 announcement of its data breaches because it was a watershed event in terms of disclosure to the affected individuals. Since then, the "best practice" has been to disclose breaches to individuals nationwide.


February, 25. 2005

The case for two-factor authentication: Customer vs. Bank of America.

According to a report in The Register, Joe Lopez, a small businessman from Florida, alleges that Bank of America was negligent because it failed to protect his account from compromise through known risks.

He regularly used the bank's online services to send and receive money from the U.S. and Latin America, but last April he discovered an unauthorized wire transfer for $90,348 sent to a bank in Latvia. When he became aware of the fraud, he notified the police, and when the Secret Service performed a forensic examination of his PCs, they uncovered an infection by a Trojan called Coreflood. According to the accounts, Lopez's legal case is that Bank of America did not inform its customers of the risk posed by Coreflood, even though it knew it posed a risk. He goes on to allege several other charges, including negligence and intentional misrepresentation. He is bringing the lawsuit to reclaim his stolen money, plus lost interest. In the same report, Bank of America denied a breach of its e-banking system, and denied responsibility for its customer's losses.


January, 14. 2005

Personal details of 400 T-Mobile USA customers were obtained over a 10-month period, including those of a special agent

A hacker broke into a wireless carrier's network over at least seven months and read e-mails and personal computer files of hundreds of customers, including the Secret Service agent investigating the hacker, the government said on Wednesday.

The hacker obtained an internal Secret Service memorandum and part of a mutual assistance legal treaty from Russia. The documents contained "highly sensitive information pertaining to ongoing ... criminal cases," according to court records. The break-in targeted the network for Bellevue, Washington-based T-Mobile USA, which has 16.3 million customers in the US... The hacker was able to view the names and Social Security numbers of 400 customers, all of whom were notified in writing about the break-in, T-Mobile said. It said customer credit card numbers and other financial information never were revealed.





August, 6. 2004

Security Cavities Ail Bluetooth

Serious flaws discovered in Bluetooth technology used in several portable devices and computers can let an attacker remotely download contact information from victims' devices.

Security professionals Adam Laurie and Martin Herfurt demonstrated the attacks last week at the Black Hat and DefCon security and hacker conferences in Las Vegas. Phone companies say the risk of this kind of attack is small, since the amount of time a victim would be vulnerable is minimal, and the attacker would have to be in proximity to the victim. But experiments, one using a common laptop and another using a prototype Bluetooth "rifle" that captured data from a mobile phone a mile away, have demonstrated that such attacks aren't so far-fetched.


July, 26. 2004

The U.S. Government is officially withdrawing DES as an encryption standard

Announcing Proposed Withdrawal of Federal Information Processing Standard (FIPS) for the Data Encryption Standard (DES) and Request for Comments

The Data Encryption Standard (DES), currently specified in Federal Information Processing Standard (FIPS) 46-3, was evaluated pursuant to its scheduled review. At the conclusion of this review, NIST determined that the strength of the DES algorithm is no longer sufficient to adequately protect Federal government information. As a result, NIST proposes to withdraw FIPS 46-3, and the associated FIPS 74 and FIPS 81.


June, 30. 2004

Net Threat Targets Banks

Trojan horse program spreads through pop-up ads, targets user's financial info.

The Trojan horse file poses as an image file named "img1big.gif" but is actually an executable that installs a malicious add-on to Microsoft's Internet Explorer browser. The add-on, known as a BHO, or browser helper object, then monitors for and records outbound data to the Web sites of several dozen financial institutions, according to an analysis posted on the SANS Institute's Internet Storm Center Web site.


June, 16. 2004

Internet Scams Cost Consumers $2.4 Billion

Internet-based scammers illegally accessing checking accounts ripped off consumers to the tune of $2.4 billion in the last 12 months, research firm Gartner said.

Using data from an April 2004 survey of 5,000 U.S. adults who use the Internet and e-mail, Gartner estimated that nearly 2 million Americans fell victim to checking account fraud in the last 12 months. The cost to banks and consumers: a staggering $2.4 billion in direct losses, or an average of $1,200 per victim.


April, 16. 2004

Samsung plans 30% NAND flash price drop in 2H

Samsung Electronics, the world's largest NAND flash maker, plans to drop its prices for NAND flash by up to 30% in the second half of this year, raising the barrier for new entrants in the market, according to a company source.

NAND flash spot prices have been dropping since January of this year due to seasonal factors, according to DRAMeXchange. Although the move will hurt Samsung's profitability, the source indicated that Samsung could still enjoy over 50% gross margins on the product, claiming that the company's costs-per-chip for the 1Gbit part are at US$10.


April, 8. 2004

Doom or Boom?

Fearing the worst, companies are diversifying their security spending.

Information Security's "2004 Priorities Survey" shows that leading organizations are tackling security problems at multiple strategic, technical and operational levels. Conducted in February and March by Information Security research partner TheInfoPro (TIP), the survey is based on 175 one-hour interviews with U.S.-based Fortune 1000 companies, providing a rare behind-the-ly erasing history files, temporary files, caches, cookies, e-mail file attachments and other downloaded data at the close of an SSL VPN user session


September, 15. 2003

EISST to participate at the CSI 30th Annual Computer Security Conference and Exhibition, November 3-5, 2003 in Washington, D.C.

Over 2500 security pros will attend the 30th CSI Annual in Washington, D.C. this November. The CSI 30th Annual Computer Security Conference and Exhibition is The Security Event of the Year. This Event boasts the largest and most comprehensive conference p

The Exhibition November 2-4 features 175 of the leading security vendors on hand to personally answer your questions. Come preview the latest product solutions and visit exhibitors....


September, 4. 2003

GSM phone encryption

The encryption system that protects the almost 900 million users of GSM cell phones from instant eavesdropping or fraud is no longer impregnable, cryptologists claim.

With GSM, the voice is encoded digitally. But, before this data is encrypted, it is corrected to help compensate for any interference or noise, says Eli Biham, who led the Technion team. This gives an opportunity for a "man in the middle" attack, in which the call is intercepted between the handset and the network base station...


August, 23. 2003

Hackers Steal 13,000 Credit Card Numbers

The Navy has canceled 13,000 credit cards used for government expenses after discovering that hackers had downloaded card numbers and billing records, Defense Department officials said.

Citibank, the card issuer, has found no unusual activity in the card accounts since the hacking began in July and no fraud related to the incident had been reported as of Thursday, according to a Defense Department official...





August, 15. 2003

Network Security: Submarine Warfare

In the new infosec paradigm, the attacker can be anywhere. To defeat him, you'll have to change your thinking and your tactics.

Perimeter defense is a lost battle. Like old generals, we're still fighting the last war, in which our network was a castle with impregnable walls, a well-defined entry point across the drawbridge (head-end router), portcullis (firewall) and guards (IDS). Today's infosec paradigm is submarine warfare. Attacks can come from anywhere, at any time. There's no well-defined perimeter, and it's often difficult to tell friend from foe. Defenses should focus on hardened, well-protected assets--not bigger, stronger fences...

© 2002-2008, EISST - Enterprise Information Security Systems & Technologies.