Weekly brief February 16, 2009

Daedalus Books of Columbia, Maryland, has informed customers that credit card information, order data, names and addresses submitted with orders placed on its website between August 25 and November 23 may have been compromised. Customers of ING Funds were similarly notified, after one of its clients found that she could access client information on the ingfunds.com website. The offending file, which contained details of 106 shareholders, had been available online since August 2008. Even though ING removed the link to the file, it was still appearing in search engine results.

In the most bizarre case of self-referential spamming we've seen to date, spam used to install the Zeus crimeware trojan is now luring users by warning them not to install…the Zeus crimeware trojan. The mail quotes a blog post by security writer Brian Krebs warning users about Zeus, before offering them a download of a supposed security fix. The security fix is, of course, nothing of the sort.

Zeus is also being spread by a spam mail purporting to be from the 'tax commissar' and offering victims an income tax report. The Zeus malware writers are also putting messages in their code to taunt anti-malware companies. The message suggests that they are testing their code against anti-malware products.

Hackers have stolen $50 000 from a Bank of America account owned by Fan Bao. The money was siphoned off to Croatian accounts, and the bank has told him that he has no way of getting the money back because he agreed to the terms and conditions, which said that the bank needn't make any special efforts to detect errors in wire transfer requests.

Other hackers still seem to be busy. The attackers behind the Operation Aurora hack that targeted at least 30 companies, including Google, are still hard at work and are exploiting more firms, according to a report released by security firm HBGary.

Google may have been smarting over Operation Aurora, but it doesn't seem to have stopped it censoring its results in China. A month to the day after it told China that it didn't want to censor results in that country anymore, it showed no signs of stopping.

Google was at least true to its word when it came to paying out researchers. The search giant, which earlier in the month vowed to pay researchers who uncovered flaws in its Chrome browser, gave money to multiple researchers who revealed vulnerabilities.

CNet has an example of chatbots masquerading as real people in order to steal credit card information. Alan Turing would have been proud.

'Mudge', aka Peiter Zatko, has been appointed as a program manager at DARPA, where he will coordinate the funding of research to help give the US tools to defend itself against cyberattacks. Sadly he didn't trump Howard Schmidt for the cybersecurity czar role that he originally hoped for (see September 17th entry - Sign the Mudge for Cyber-Security Czar Petition). Mudge was a member of L0pht Heavy Industries, which produces the L0phtcrack password cracking tool.

Mudge may have an uphill struggle. Former US Army computer security specialist Christopher Tarnovsky hacked into a Trusted Platform Module (TPM) – the computer chip that was supposed to be utterly secure from practical attack, and which forms the basis for all kinds of tamper-proof equipment.