Security Bytes: Is Miami the data theft capital of America?

By SearchSecurity.com Staff 26 Jul 2005 | SearchSecurity.com

Digg This!     StumbleUpon     Del.icio.us

The data theft capital of America
Is downtown Miami the data theft capital of the United States? It is, if recent investigations are any indication. The lesson for any small business is that data thievery isn't just something the big credit card companies and banks have to worry about.

The New York Times reported that criminals were able to snatch up cardholder information on tens of thousands of customers at four major stores in a shopping area along a crowded stretch of highway just south of Miami's downtown. Those stores include a DSW Shoes retail outlet that appears to have been the initial source of a chain-wide data breach.

Using laptops, thieves singled out stores with strong wireless signals and weak security. Their exact methods are not known, but The New York Times said they could have parked a car outside a store or set up in the local Starbucks, using a laptop with an off-the-shelf wireless receiver. They may have even received help from Web sites listing the geographic coordinates of easy-to-target stores, the newspaper said.

For more than a month, hackers repeatedly "robbed" the same shops of premium card account numbers stored in their databases, the paper added. Then, after security upgrades were announced or investigators showed up on site, the data thieves moved on to another shop on the same side of the street.

"It was as if they would hit one, drive down the road, and find another," Bryan Sartin, a lead investigator for Cybertrust, the security services firm that was called in after each of the incidents, told the newspaper.

Security experts say there's a lesson in all this: Banks and payment processors may be targets in the largest and highest-profile attacks, but the payment system's most vulnerable points may be the estimated 5 million merchants where cards are accepted.

Unlike banks and other financial institutions, merchants often lack the security know-how to secure customer information, the report said. And widespread use of wireless technology by businesses, as in homes, has left merchants' computer systems increasingly susceptible.

TippingPoint to pay for vulnerability intelligence
Austin-based TippingPoint, a subsidiary of 3Com, has announced that it will now pay for intelligence on software vulnerabilities through its "Zero Day Initiative." The amount of the reward will depend on the severity of the security hole discovered, the firm said, adding that it will inform the maker of a flawed product when glitches are found while also updating its own security products. The program will officially launch Wednesday.

"Through this program, we seek to ensure that newly discovered vulnerabilities are managed, disclosed and remediated responsibly, so they don't pose a threat to businesses," 3Com Chief Technology Officer Marc Willebeek-LeMair said in a statement. "The sooner we have information about a vulnerability, the sooner we can deliver protection to our customers. Ultimately, this benefits everyone: security and technology vendors, security researchers, end users, as well as 3Com and its TippingPoint division customers."

This isn't the only instance of a security firm paying researchers for vulnerability intelligence. Mountain View, Calif.-based VeriSign Inc., for example, runs the somewhat controversial Vulnerability Contributor Program (VCP), in which underground researchers are paid to supply information on new software vulnerabilities. The company acquired the program when it purchased Reston, Va.-based iDefense for $40 million earlier this month.

Critics of the program have argued that it's nearly impossible to verify the identity of hackers peddling their wares, especially if they want to remain anonymous. They've also argued that there's no way to control information once it's released to a third party. Program supporters have said that as threats grow grimmer, information on possible security holes must be brought to light so IT professionals can protect their networks -- even if it means the bad guys might make use of the intelligence as well.

As far as VeriSign is concerned, VCP isn't just worth keeping -- it's worth expanding. The company will announce plans to do just that at the Black Hat Briefings in Las Vegas later this week.

Free Web-hosting sites a haven for hackers
San Diego-based Websense, Inc. warns that hackers are increasingly exploiting free personal Web hosting sites, using them as an affordable and anonymous place to store and disseminate mobile malicious code and spyware.

Websense Security Labs said it has discovered more than 2,500 incidents of these Web sites distributing such malcode as Trojan horses and keyloggers since the start of the year. In the first two weeks of July alone, the lab discovered more than 500 incidents of free Web hosting sites being created to spread malicious programs. Recently uncovered sites include those available for hosting online journals, photo albums, greeting cards, music, sports 'fan' pages and online scrapbooks, among many other popular purposes.

"The growth of this trend is alarming. July has seen a major boom -- in the first two weeks alone we found more instances than in May and June combined," Dan Hubbard, senior director of security and technology research for Websense, said in a statement. "Some of the sites may be created with automated shared hacking software and free online tools, while others are built to appear more legitimate. For example, one of the sites found by the Labs included music that accompanied a greeting-card message which runs while your computer is being infected with spyware."

Netscape plugs security holes
Netscape users should upgrade to version 8.0.3.1 to patch security holes attackers could exploit to execute malicious commands. Version 8.0.2 is affected, as are earlier versions of the browser.

Netscape said the upgrade fixes:

• An input validation error in the processing of javascript URLs opened by media players. Attackers could exploit this to steal sensitive information such as login cookies or passwords, and launch malcode.
• Improper cloning of base objects that allows Web content scripts to walk up the prototype chain to get to a privileged object. This could be used to execute code with enhanced privileges.
• Two other flaws in which the vendor offered no additional details.

Digg This!     StumbleUpon     Del.icio.us

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary