• On last.fm: Check Out Samantha Ronson Music

Defense in Depth

December 10, 2008 1:08 PM PST
(Credit: Robert Vamosi/CBS Interactive)

Window Snyder, Mozilla's chief security something-or-other (her official title), is leaving Mozilla, effective the end of the year.

"I am sad to be leaving," she wrote in her blog on Wednesday, "but I am excited to go work on something I have always been passionate about. I wish I could tell you about it now, but that will have to wait for a while."

In an interview earlier this year, Snyder stressed to me how she wants to bring open-source practices to the security community. And her background certainly supports that passion.

Snyder is the co-author of Threat Modeling, a book about application security. Her security work started at @Stake (now a part of Symantec) before continuing at Microsoft. Later she helped found Matasano Security before landing at Mozilla in September 2006.

Johnathan Nightingale, Lucas Adamski, Brandon Sterne, and Mike Shaver will continue to blog about security at Mozilla in Snyder's absence.

November 21, 2008 3:55 PM PST

kids coping

Sometime on October 14, a wide array of furniture and electronics were stolen from a commercial storage facility outside Phoenix. The building was used by the Arizona Early Intervention Program, which helps families of disabled children.

Two weeks ago, the state informed the parents of the nearly 40,000 children in the program that their personal information was potentially at risk for ID fraud. According to the Arizona Department of Economic Security (DES), a backup computer hard drive stolen from the facility was password protected. What happened next is where the controversy arises.

The DES and others in the media suggested that parents concerned about protecting their children against ID fraud seek a credit report for each child, and then put a credit freeze on the credit bureau accounts--advice that initially sounded right to me. But sources tell CNET News that such steps are wrong. Jay and Linda Foley, of the Identity Theft Resource Center (ITRC), said ordering a credit report that technically should not exist is one of the worst things you can do.

Making the problem worse
Julie Fergerson, vice president of emerging technologies at Debix, agreed. "If you actually try to order the credit file, there is a certain number of inquires against the Social Security number that the credit bureaus will create, potentially, on accident, a credit file."

Scott Mitic, CEO of TrustedID said, "according to the Federal Trade Commission, as many as 400,000 children may already be victims of identity theft. To make matters worse, the number of complaints has increased by 78 percent over the past several years, making children the fastest growing segment of identity theft victims." He said common warning signs include the receipt of pre-approved credit offers addressed to your child, calls from a collection agency in which the caller asks for your child by name, or notices addressed to your child from government or law enforcement agencies.

Scott Mitic, CEO of TrustedID

(Credit: TrustedID)

Tom Rusin, president and chief executive officer of Affinion's North America operation, said there should be no credit information being stored for minors with the credit bureaus, but they aren't consistent with what age they start to hold a child's information. "For some they hold information for those 18 and older, with one it's 16 and older. Technically speaking, if you are nine, your information should not reside within the credit bureaus at all."

When is too early?
Children today can get a Social Security number assigned within days of birth. That number may be valuable for setting up college saving accounts and obtaining company health benefits, but, in most cases, that Social Security number sits dormant for about 16 years. No loans. No credit cards. No activity. Pat Dane, chief revenue officer at MyPublicInfo, recommends "as soon as the parents give the kid a Social, they ought to start monitoring it."

"It's a squishy area," said Affinion's Rusin. "If they don't have credit files, how can you monitor them?"

So what kind of monitoring is right for a child?

Julie Fergerson, Debix VP of emerging technologies

(Credit: Debix)

Not traditional credit report monitoring, warned ITRC's Jay Foley. He said it's not a good idea to sign up a child for a service for something that does not exist.

Debix's Fergerson told me when ID theft occurs among children, a credit file is often attached to the child's Social Security number with the suspect's name and date of birth, not the child's. "So doing the traditional things like ordering fraud alerts or credit reports, any of those things, will always come back saying there is nothing there."

Mike Prusinski, VP of public affairs at LifeLock, agreed: "A credit freeze cannot be placed if there is nothing to attach it to. After multiple attempts or inquiries (in)to a child's identity, it is possible that a credit file might be created."

"And if there is a credit report file (associated with your child's name), it's not always necessarily identity theft said ITRC's Linda Foley. "It could be that someone mixed up the numbers and instead of a six they put down a five. And sometimes credit files are created because of clerical errors," said Foley. "The key here is to identify it early so we can fix it."

ID monitoring is not credit monitoring
Different from credit monitoring is ID monitoring. MyPublicInfo's Dane explained to me the subtle distinction between credit monitoring and ID monitoring, the difference that has ID fraud experts upset with those spreading misinformation about protecting children. Credit monitoring and ID monitoring are not the same, said Dane, who sent me some Gartner studies showing that credit report monitoring isn't as effective today as ID monitoring when it comes to detecting new account creation, for example. ID monitoring casts a much wider net, looking for activity on a person's Social Security number, not their credit report.

"If someone stole my son's Social," he said, "they could walk into Verizon, T-Mobile and open the easiest form of credit there is." Establishing a utility record is a common way that identity fraud is committed in part because it is harder to identify. Instead of appearing on a credit report, it needs a separate monitoring process, which the Gartner reports say most people do not have. When this so-called "synthetic ID theft" happens to a child, it may occur for years and years before the child needs to establish credit and finds he or she cannot.

"To me (new account creation) is probably one of the more egregious forms of identity theft," ITRC's Linda Foley said.

ITRC's Jay Foley said there's the classic story of a child in foster care. The kid turns 18 and the county ceases supervision. The kid then learns that through a bad parent or other means there's a bad credit report. "Instead of that child going on straight from high school to college, the child's going to end up working low- to pathetic-wage jobs while they clean up this mess in order to qualify for a student loan," he said.

Linda Foley, Founder, ID Theft Resource Center

(Credit: ITRC)

What should you do?
ITRC's Linda Foley said "if you think that your child may be a victim of identity theft, parents need to fire off registered letters to each of the credit bureaus. The letters should include the child's full name, Social Security number, parent (or guardian's) name and address. The letter should ask that a search for a credit file be done of the child's Social Security number since often the name will be different. Additionally you should include photocopies of your driver's license (proof of your identity), a copy of the child's birth certificate showing you as the parent, any guardianship papers if you are not the parent and a copy of the child's Social Security card. Foley said it sounds like a lot, but that's what photocopiers are for.

The credit bureaus want to make sure you are the correct person before releasing information, Foley said. If you are told, "there is no file," that is a good answer and you should stop worrying. Check again when the child is 16 and then again when they are 17 and getting ready to apply for a job or college. "If you are told there is a file, contact one of the non-profits or government agencies that provide victim assistance at no charge," she said. "They will walk you through the steps to clear the records."

LifeLock's Prusinski said for minors 15 and under, his company attempts to set a fraud alert every six months; for children over the age of 16, it is every 90 days, just like adults. "Although we cannot place an actual alert if no credit file exists, we still take the necessary measures to ensure that we are preventing a credit file from being fraudulently created." In addition LifeLock does a credit report audit for minors once a year through the FACT Act, which only requests a credit file. "This action has not created an inquiry because there is nothing with the bureaus that matches that SSN or name." Ideally, parents should then receive the letter that states "a credit file cannot be found." LifeLock also performs a separate Social Security Administration audit for children to see if work history exists.

Debix will also monitor a child's ID and if there's a problem, it'll clean it up. Recently Debix partnered with Javelin research to study the first 500 children who signed up with its service. Of that group, researchers found 5 percent had a pre-existing problem. Debix' Fergerson said that 12 percent were aged 5 and younger, and the average amount of each fraud was about $12,000. She said the company saw one case where a 17-year-old found his Social Security number had been used by a woman for the last two decades, a woman who had $325,000 in debt, a mortgage, and car loan. The 17-year-old boy was a few months away from applying for college. "This case, the woman wasn't a criminal, she legitimately believed the number was hers." Debix straightened out the accounts.

Trusted ID offers similar protection for minors.

Affinion's Rusin said his company is in the process of creating a children's identity protection program.

Tom Rusin, president and CEO of Affinion's North America operation

(Credit: Robert Vamosi / CNET)

Catch it young
Right now parents and guardians cannot put a block on a child's Social Security number saying it "belongs to a minor," but Linda Foley said she's working to make that a federal law by the end of 2009. Affinion's Rusin further suggested that the Social Security Agency also needs to improve its database so that two names don't show up under one SSN.

"The reality is if we catch it when they are young, before they are 16 or 17 years old," Linda Foley said, "it is far easier to take care of than if you were to become a victim of identity theft because we can show that anyone under the age of 18 who is still a minor, not emancipated, cannot be held legally responsible for any contract." Knowing early on makes it easier for parents to repair the situation, she said.

November 20, 2008 1:42 PM PST

White lists will be on every desktop within the next five years, according to Patrick Morley, CEO of Massachusetts-based Bit9. Morley was in town to address the Dow Jones VentureWire Technology Showcase in Redwood City, Calif., on Tuesday. He stopped by CNET News afterward to discuss why he believes white listing will be important in the next few years.

The basic idea behind "white listing" is to define a set of software, a set of vendors, and allow only those trusted applications or files from those vendors to run on your machine. If a file or application is not approved, it will not run. This is the opposite of how we've blocked malware from our machines in the past.

Patrick Morley

Patrick Morley, CEO of Bit9, believes white listing will be important in the next few years.

(Credit: Bit9)

Of the more than 1 million viruses detected by antivirus vendors last year, more than two-thirds were new. Loading 1 million antivirus signatures (or even a percentage of that if generic signatures are used) is a pretty serious undertaking. The idea with white listing is to identify the applications and files we know to be good, which, in theory, should be considerably less than a million.

Over the years Bit9 has created one of the largest catalogs of "known good" and "known bad" applications. Its Global Software Registry (GSR) serves as the policy enforcement center for Bit9's enterprise offerings, ranging from Fortune 100 companies to retail companies like Marks & Spencer, 7-Eleven, and Ritz Camera.

Morley told me his company will continue to concentrate on enterprise solutions, but it is open to licensing agreements with consumer security companies. Already one agreement is public: Kaspersky is using a limited subset of the Bit9 GSR in its Kaspersky Anti-Virus 2009 and Kaspersky Internet Security 2009 product.

The challenge with commercial applications, Morley said, is not to turn the end user into a system administrator. In this case, Kaspersky made policy decisions for the end user and further allows the more advanced end user to customize the settings based on overall comfort level, not individual files.

During our talk, Morley took issue with antivirus vendors who are saying they too have white listing within their products. He said most have lists of good and bad software, but that they stop monitoring the applications after checking it once.

And many of the antivirus products are using community feedback to determine reputation. So if 1,500 users are showing this file on their PC, then Symantec, for example, is going to be more inclined to say that file probably should be on a person's desktop. Symantec says community feedback is just one of the criteria; there are researchers who will be confirming the reputation of a file as well.

"We look at the executable," Morley said. This gives Bit9 the ability to block an application even after it has launched, and then pass that knowledge to all its customers so everyone is protected.

November 19, 2008 8:14 AM PST

Since its introduction in 2006, Microsoft's Windows Live OneCare has altered the antivirus landscape. With Tuesday's announcement that Microsoft will no longer be selling the product in retail outlets but offering a new free version, code-named Morro, starting in the second half of 2009, it's sure to change the field once again.

Since Microsoft bought Romania-based antivirus firm GeCad five years ago, there has been fear among the commercial antivirus vendors that the software giant would simply bundle its malware protection within the next version of Windows. While that didn't happen--and it's unlikely to happen--Microsoft's addition to the market has forced its competitors to make some changes even though Microsoft hasn't become the huge player once feared.

Even before the first beta in 2005, McAfee and Symantec were talking about plans to go head to head with the software giant. McAfee announced plans around Project Falcon, and Symantec launched Project Genesis.

Microsoft OneCare entered the market in May 2006 as a "desktop IT department" and inspired a new breed of "omni security suites" that went beyond the traditional Internet security suite. I wasn't impressed. Although OneCare offers the revamped GeCad antivirus engine, Microsoft Windows Defender antispyware protection, and the Windows Firewall, along with system diagnostic tools, backup capabilities, and a way to monitor home networking, I think that the interface is clunky and that the tools aren't necessarily top of the line. And, I'm on record as calling OneCare SopranoCare since it seems wrong to me to have to pay the company that broke your operating system to fix it.

But at its introduction, Microsoft did shake up the antivirus landscape. OneCare was priced at an absurdly low $49.95, and it protected up to three PCs. At the time, Symantec's Norton Internet Security and McAfee's Internet Security were both priced at over $100 for their three-user packages. Today, three-user packages well under $100 are common.

Symantec responded in 2007 with its Project Genesis-produced Norton 360, a unified product that took Norton Internet Security and added online backup. But Symantec didn't just add to its existing product, it reinvented the product, producing a new one with a fully integrated interface marketed for the average home user. And at around $70, it could be used on up to three PCs.

McAfee also responded with its Project Falcon-produced McAfee Total Protection, also priced around $70 for up to three PCs. It too offers home network monitoring and premium or enhanced versions of the McAfee Internet Suite.

But McAfee and Symantec both had something Microsoft did not: effectiveness.

Almost two years ago, independent antivirus-testing organizations faulted OneCare for missing known malware. Andreas Clementi of AV-Comparatives.org wrote in his February 2007 report (PDF) that OneCare did not meet the minimum requirements for participation. "Due (to) that, its inclusion in future tests of this year (will) have to be re-evaluated."

Microsoft began hiring longtime antivirus experts from competitors, and it appears to have paid off. A few years ago, Vincent Gullotto came over from McAfee to head Microsoft's Security Research and Response team. Microsoft has since added experts from F-Secure, Sophos, and elsewhere to the team. And it shows. In the latest On Demand scanning test from AV-Comparatives.org, Microsoft OneCare 2.5 scored as well as McAfee VirusScan Plus 2008.

All is not perfect, however. In May, Microsoft mistook Skype for a piece of malware. And the Windows Firewall, while Microsoft insists otherwise, is not a truly two-way firewall; there are a great many outbound exceptions within the Microsoft version. A Microsoft representative said "If we turned on outbound filtering by default for consumers, it forces the user to make a trust decision for every application they run which touches the network." Given that other firewalls have outbound filtering, I still don't see why Microsoft can't.

The free version of Morro won't have all the current bells and whistles of OneCare; Microsoft says the diagnostic tools won't be included. Although the final feature set won't be known for a while, just having a free antivirus/antispyware/personal firewall product from Microsoft is bound to shake things up.

With traditional antivirus protection perhaps becoming obsolete, maybe it's time that Symantec and McAfee start offering free versions of their own antivirus products--something that I've said for years.

November 12, 2008 1:53 PM PST

One week after a breached corporate health care company refused to pay extortionists, the criminals now are seeking money from the corporate clients whose employee data might have been exposed.

St. Louis-based Express Scripts said on Tuesday that a limited number of its clients--which include government agencies, unions, and employers--have received letters threatening to expose the personal information of its members. The company said the letters sent to its clients were similar to the original extortion threat it received in October.

The company also said it was establishing a reward totaling $1 million to anyone providing information that results in the arrest and conviction of the criminals responsible.

"We are cooperating fully with the FBI to assist them in their investigation and doing what we can to protect our members," said George Paz, CEO and chairman of Express Scripts, in a statement on the company's site.

In a separate announcement, Express Scripts announced that Knoll, a New York-based risk-consulting firm, has been contracted to offer expert assistance to members who become victims of identity fraud as a result of this incident.

Originally posted at Security
November 11, 2008 10:20 AM PST

Arbor Networks found that DDoS attack size (in gigabits) nearly doubled in 2008 from the previous year.

(Credit: Arbor Networks)

Internet service providers now spend most of their IT security resources detecting and mitigating distributed denial-of-service attacks, concludes a report from Arbor Networks.

The fourth edition of the Worldwide Infrastructure Security Report, released Tuesday, was based on how 70 lead security engineers responded to 90 questions. As in the previous three reports, ISPs reported attacks where their networks were overloaded with packets, what's called a distributed denial-of-service (DDoS) attack. However, this year, the ISPs indicated the attacks were not only larger in size but that most of them were stretching the upper limits of their security resources in order to deal with such attacks.

Rob Malan, founder and chief technology officer of Arbor Networks, said the DDoS attacks seen this year broke the 40-gigabit barrier, nearly double the volume of last year's attacks. He warned that if next year's attacks again double in size, "most carriers will be unable to deal with those attacks."

In assessing the attacks, Arbor Networks found "brute force," a catch-all term, was the dominant method used. The security firm looked at traditional means of DDoS--syn flood, udp flood--as well as anything else that artificially created network congestion. Malan told CNET News that despite the massive size, the attacks themselves demonstrated "little sophistication" and were simply "trying to overwhelm network bandwidth."

One consequence of this method was that upstream providers of the targets were increasingly being affected. "If an attacker takes out capacity of (the upstream) routers you're (also) starving the target," he said. Malan said attackers were also using reflective attacks, which use different pieces of DNS structure to redirect traffic away from a target.

While flood-based attacks represented 42 percent of the attacks reported, followed by protocol exhaustion-based at 24 percent, Arbor Networks also saw a sharp increase this year in application-based attacks, which accounted for 17 percent of the attacks.

Malan explained that with application-based attacks, bot-infected computers worldwide make connections to a targeted site, then "use an application protocol to deliver a perfectly valid request, not a vulnerability, not something that an IDS or other type of firewall would necessarily flag." For example, a botnet might instruct its zombie computers worldwide to do a back-end query off a database. "By itself it's not bad, but if you have multiple such requests, then you tie up the application--in this case database--resources on the back end," he said.

The report does contain some good news. Arbor Networks found detection and mitigation of these attacks to be increasing as well. Fifteen percent of the respondents said, on average, they can mitigate an attack within 10 minutes of detection. However, 30 percent said mitigation still takes them over an hour.

But finding the criminals responsible for these attacks is not a high priority. Arbor Networks found that ISPs have little time to involve law enforcement. "It's hard on carriers," said Malan. "They get paid on traffic, not to do forensic analysis. So it's hard from their perspective to make the economics work."

(Credit: Arbor Networks)

Originally posted at Security
November 7, 2008 2:14 PM PST

In February of 2005, a Miami man sued Bank of America for not adequately protecting him against a $90,000 fraudulent wire transfer to the Parex Bank in Latvia. Joe Lopez was the first online user to sue his financial institution for not protecting his assets from a computer hacker.

Lopez, owner of a computer and copier supply business, accused Bank of America of negligence and breach of contract for not alerting him in advance to the existence of a piece of malware known as "Coreflood" prior to April 6, 2004, when the alleged theft took place.

Shortly after the wire transfer occurred, a sum of $20,000 was withdrawn from Parex by unknown individuals, according to the complaint filed in court. The remaining $70,000 was, however, frozen by Latvian banking authorities. Bank of America has since settled this case; neither side has revealed the terms.

"I had probably heard the news about Joe Lopez, but (until recently), I hadn't thought twice about the whole Coreflood episode of a few years ago," admitted Joe Stewart, director of Malware Research at SecureWorks, when I spoke to him at last summer's Black Hat conference in Las Vegas.

In particular, Stewart recalled hearing that the U.S. Secret Service had found evidence of Aflood or Coreflood on the Lopez computer.

"The Secret Service actually named Coreflood. That was very surprising. Normally, we don't get the final tally. We don't know who's account got stolen. It's very unusual to actually have a victim that is public, and everybody knows exactly what (was) taken."

Unlike a lot of bots and botnets, most of which exist primarily to relay spam, Stewart said Coreflood has a different agenda: "Its goal is to steal the data directly from users." The much more popular Storm botnet, he said, is more of a nuisance. "Coreflood has a real financial impact for people like Joe Lopez."

Who's behind Coreflood? Stewart declines to say, but in an interview in The New York Times, he suggested that the gang responsible was based somewhere in Russia. He would not tell me the name of the group because of ongoing criminal investigations.

In this video, Stewart talks about what first drew him to study the Coreflood botnet.

When Stewart heard about Lopez, he renewed his research on the Coreflood. With the help of Spamhaus, an antispam organization, Stewart and SecureWorks were able to gain cooperation from a Wisconsin-based provider of one of the command and control centers for the botnet. What he found was not only the bot's source code but also 50 gigabytes of compressed data, searchable in a MySQL database.

Within that database were 378,758 unique bot IDs over a 16-month period. There, for everyone to see, was the time-stamped life cycle--from infection to removal--of each compromised computer. Stewart found the average to be about 66 days.

The graph shows how one state policy agency was infected with Coreflood from April 2007 through January 2008.

(Credit: SecureWorks)

Apparently, Coreflood would enter a network via a drive-by browser exploit, download a copy of the installer, then run PcExec, a legitimate Windows administration tool available from Microsoft.

"It could happen to anybody," Stewart said, "any user who happened to go to the wrong site." If the user also happened to be on the corporate network when that happens, the bot is then able to take advantage of that structure and is able to be a threat to everyone on that network.

"So it's not so much a targeted attack," Stewart said. "But I think they have intentionally set a trap for the domain administrator and are leveraging that in order to have access to the entire company."

Later, the criminal gang responsible for the attack can find out which company it has infected by looking into the registry of the infected computer. "They pull out of the registry a separate request to say who is the registered owner the Windows license. They ship that information back up to the botnet controller."

Just looking at that one C&C; server in Wisconsin, Stewart estimates that the gang responsible has infected more than 35,000 domains. It may sell those Web mail accounts to a spammer, because spammers love Web mail accounts. But over the years, Coreflood seems to have targeted only banks. Stewart knows this from the forensic evidence he's collected.

In this video, Stewart talks about digital forensics and what it can tell us about botnets such as Coreflood.

Within the 50GB file, Stewart was able to discern how the thieves culled the data. He said they run a test script against that data that will log via a proxy into the bank using the credentials captured, say, by a keylogging application. The Coreflood script will then capture the HTML data on the post-log-in page.

In most cases, that page also contains the account's bank balance. This is so that after running the test, the hackers have a picture of what the highest dollar amounts are, he said.

"I don't know whether they steal from all of them. We don't have access to the accounts; the bank is not going to tell us how much was stolen out of any given account," he said. "We're not going to get that information, but we know they're actively logging and checking accounts to collect the balance data. The only reason (the script) can see that data is to target the biggest accounts first."

Coreflood does not take a screenshot, Stewart said, but rather scrapes the text out of the HTML. "When they run these tools, it leaves a log file behind, and all the post log-in (data)...are saved in that directory. So we have all of the account balances. So we can parse out what everyone's balance is and see actually how much (the thieves) had access to at any one institution."

In this video, Stewart talks about why Coreflood has been around since 2001, yet hardly anyone has been talking about it.

The problem is that Coreflood has been around since 2001.

"It's unique in that's been around for so long," Stewart said. Moreover, it's unusual that it seems to have been maintained by the same group, "not something that's been sold to another group," as is the case with some botnets.

The way it's managed to evade detection, Stewart said, is that it hasn't really crept high on anyone's list of botnets. "It's not on anyone's radar." Yet it's managed to seriously impact some enterprises that use Windows domains. In companies that have been hit, every employee is potentially sending everything they do back to these guys in Russia.

"To me, (Coreflood) is far more insidious because it doesn't get the attention," said Stewart. Unlike Storm, Coreflood is not constantly in your face. "You're not seeing new social-engineering campaigns every week, not seeing a new news article about it every week talking about all the great innovations the peer-to-peer thing has now. It's been quiet, and just does a few things, and tries not to garner any attention."

So the story of Lopez is significant. It's a tangible event about how online criminals are actually affecting people. It illustrates how much money got taken from an actual bank account, and the real impact on the victim's life. Unfortunately, there are many more botnets--and many more victims to talk about.

November 6, 2008 4:32 PM PST

The customer database of Express Scripts, a company used by employer health care services to provide prescription medicine by mail, has been breached. In a twist, the company said it learned of the breach in "a letter from an unknown person or persons trying to extort money from the company."

The company posted details on its Web site Thursday. The letter, received in October, threatened to reveal millions of customer records--including Social Security numbers, addresses, dates of birth, and in some cases, prescription information--on the Internet if the extortion demands were not paid. The company did not disclose what those demands were.

Graham Cluley, of security software maker Sophos, told CNET News that Express Scripts did things right. "It appears they have not paid up." He noted that's important with data theft because the criminals have the data in their possession and can keep going back to the company to get more and more money. Second, Express Scripts went to the FBI and decided to go public about the breach.

"We have identified where the data involved in this situation was stored in our systems and have instituted enhanced controls," Express Scripts said on its site.

Cluley said: "I think it's going to be old-fashioned police work that gets to the bottom of this." For example, it's possible the sender of the extortion request and the attacker used the same servers.

Usually extortion is used in connection with denial-of-service of attacks, when the criminals have nothing of value except the sheer volume of data to spew at a targeted site. A letter is sent asking for money in exchange for ending that attack.

This however is an old-school data theft. The criminals presumably have millions of customer details that can be sold on the Internet. But Cluley notes that "people's identities sell for a relatively small amount, and if you go to an auction site on the Web and try to barter on that, you might not get that much as you might potentially get by embarrassing a company."

A few weeks ago, Sophos noted a similar data breach/extortion attempt at a North American Maserati dealership. Still, Cluley said he does not think this was the beginning of a trend.

Cluley said the thieves in this case might not be connected with the established "carder" world, where personal identities are bought and sold online. "Maybe this is an accidental data leakage, something they stumbled across, maybe they're not part of the criminal community, and they're just taking their chances."

Express Scripts said it will notify affected customers in compliance with state regulations.

November 6, 2008 12:37 PM PST

Researchers have found a method of cracking a key encryption feature used in securing wireless systems that doesn't require trying a large number of possibilities. Details will be discussed at the sixth annual PacSec conference in Tokyo next week.

According to PCWorld, researchers Erik Tews and Martin Beck have found a way to crack the Temporal Key Integrity Protocol (TKIP) key, used by Wi-Fi Protected Access (WPA). Moreover, they can do so in about 15 minutes. The crack apparently only works for data aimed at a Wi-Fi adapter; they have not cracked the encryption keys used to secure data that goes from the PC to the router

TKIP has been known to be vulnerable when using a high volume of educated guesses, or what's called a dictionary attack. The methods to be described by Tews and Beck do not use a dictionary attack. Apparently their attack uses a flood of data from the WPA router combined with a mathematical trick that cracks the encryption.

Some elements of the crack have already been added to Beck's Aircrack-ng Wi-Fi encryption hacking tool used by penetration testers and others.

Tews is no stranger to cracking Wi-Fi encryption. In 2007, he broke 104-bit WEP (Wired Equivalent Privacy) (PDF) in 2007. WEP was used by TJX Corp. to secure wireless cash register transmissions from its stores but criminals were able to exploit weaknesses in its encryption to commit the largest data breach in U.S. history.

Given that WEP and WPA are not secure, experts recommend using WPA2 when securing wireless networks.

November 5, 2008 11:46 AM PST

Last summer, Sen. Barack Obama's presidential-campaign computers came under cyberattack from an "unknown entity." His machines weren't alone; John McCain's computers were also attacked, according to a report appearing Wednesday on the site of Newsweek magazine.

The Obama attack was initially thought to be a piece of malware downloaded from a phishing site. Newsweek reports that "the next day, both the FBI and the Secret Service came to the campaign with an ominous warning: 'You have a problem way bigger than what you understand,' an agent told them. 'You have been compromised, and a serious amount of files have been loaded off your system.'"

The McCain campaign's computer system was also compromised over the summer. Newsweek confirmed with a top McCain official that the FBI had become involved. A federal investigation into both attacks is under way.

According to Newsweek Editor at Large Evan Thomas, the FBI and White House officials told the Obama campaign that a foreign entity or organization was likely responsible, not political opponents. Independently, Obama technical experts have speculated that the hackers were Russian or Chinese. The files accessed appear to be policy-related and thus potentially useful in future negotiations with a new presidential administration.

Earlier this year, during the primaries, an online prank had the Obama campaign site redirected to Sen. Hillary Clinton's campaign site.

The Newsweek report is part of a special edition that will be on newsstands November 6 through 16, and online November 5 through 7.