After Activision’s Blizzard studios launched the highly anticipated PC game on May 15, players had problems logging on and said their accounts were being hacked.

“Despite very aggressive projections, our preparations for the launch of the game did not go far enough,” the company said in an apology issued last week. Yesterday, the company issued another statement, confirming that some accounts “may have been compromised.”

In addition to selling 3.5 million copies on day one, Activision said more than 1.2 million players received Diablo III as part of signing up for the World of Warcraft Annual Pass promotion. Based on that total, internal calculations and reports from distribution partners, Activision believes this makes Diablo III the biggest PC game launch in history.

By the end of the first week, Diablo sales reached 6.3 million. The game costs $60 for either the physical copy or the digital version.

“We’re definitely thrilled that so many people around the world were excited to pick up their copy of Diablo III and jump in the moment it went live,” said Blizzard’s CEO and co-founder Mike Morhaime. “We also regret that our preparations were not enough to ensure everyone had a seamless experience when they did so. I want to reaffirm our commitment to make sure the millions of Diablo III players out there have a great experience with the game moving forward, and I also want to thank them for their ongoing support.”

In the game, players take on one of five heroic characters — barbarian, witch doctor, wizard, monk or demon hunter. As that character, they must save the world of Sanctuary from the forces of the Burning Hells. As they engage in the virtual world, players gain new abilities and acquire artifacts.

For the first time ever, those artifacts can be traded for real-world currency through an auction house.

During the company’s first-quarter conference call two weeks ago, it confirmed that consumer feedback from the beta test had gone well, especially when it came to the new trading method.

Blizzard does not intend to sell any items in the auction house, in contrast to other game models where companies profit from selling in-game virtual goods. But interestingly, Blizzard will charge players a transaction fee on sales, or roughly 15 percent on most items.

The report says Mr. Murdoch and his son, News Corp. Deputy Chief Operating Officer James Murdoch, presided over a culture of “willful blindness” at News Corp. It also singles out James Murdoch for displaying a “lack of curiosity,” even “willful ignorance,” when handling fallout from the phone-hacking scandal as the manager overseeing News Corp.’s British newspaper unit, News International, from late 2007 to 2012.

Read the rest of this post on the original site »

There’s an interesting new fundamental thought emerging among computer security companies. The logic goes like this: First, your digital assets are going to be attacked. Second, no matter what preparations you make to defend those assets, a determined attacker is going to find a hole or a method of penetrating your defenses that you didn’t think of.

Most attacks are relatively cheap to carry out, because they’re not that sophisticated. More often than not, attackers copy the methods they use from each other. Attacks are inexpensive, and most attackers have the luxury of limitless time.

The exception is attacks using so-called “zero day” vulnerabilities, where a previously unknown vulnerability, usually in the operating system, is used to gain access to a system. Most — but not all — of the time, once a zero-day vulnerability is seen and documented, the weaknesses it reveals are patched, making it the type of weapon that can be used only once.

As such, zero-day vulnerabilities are often traded on the black market and sold at a high price. For example, when the Stuxnet worm — the malware that was used to attack and sabotage the Iranian nuclear program — was first discovered, security researchers were impressed that it used no fewer than four distinct zero-day vulnerabilities in Microsoft Windows. So many used at once indicated that the cost to carry out the attack was high, leading to the conclusion that only a state-sponsored attacker would have the funds to carry it out. This led to the logical conclusion that either the U.S. or Israel had been behind Stuxnet.

I bring it up because Stuxnet is an example of the conclusion of this new fundamental thought I mentioned at the start. Why not make attacks expensive for the attackers? The early estimates on Stuxnet put its cost at $3 million, and it is believed that it required a team of 10 skilled programmers and as long as six months to develop. It was not a cheap attack. It was expensive.

That’s the idea behind Shape Security, which today announced that it has landed a $6 million Series A round of venture capital funding led by Kleiner Perkins Caufield & Byers and TomorrowVentures, the fund led by Google Chairman Eric Schmidt.

Peter Wagner, a former partner at Accel Partners, as well as executives from LinkedIn, Twitter, and Facebook, will also join the round. Ted Schlein, managing partner at Kleiner Perkins, has joined the board of directors, along with Gaurav Garg, a limited partner at Sequoia Capital and personal investor in the round.

We don’t as yet know a great deal about Shape Security or its intentions. But we do know who’s running it: According to this filing with the U.S. Securities and Exchange Commission, its CEO is Derek W. Smith. Another key exec and director is Sumit Agarwal, the former head of Google’s mobile product management, who in 2010 took a post in the Department of Defense as senior adviser for Cyber Innovation.

Another key exec is Troy Tribe, who appears to be the same person who used to be VP for business development at Solera Networks, which specializes in network-security analytics and forensics.

This is the second time in as many weeks that I’ve noticed a security company talking about changing the economics for attackers. The first was Crowdstrike, which announced that it had hired Shawn Henry from the FBI and landed a $26 million investment from Warburg Pincus. Neither has said yet exactly what you do to make launching a computer attack more expensive. I’m certainly eager to know more.

That remains the reality, even after a bunch of media reports on how a vulnerability in Java has led to the creation of a Mac botnet about 600,000 strong.

Today I’ve been getting calls from people who say something roughly in line with the following: “I thought you said Macs didn’t get viruses? What about this?”

No, I explain, I never said Macs will never get viruses or other Malware. But historically its record versus other platforms compares favorably. As is the case with investment instruments, past results are no guarantee of future performance, and let’s face it, there’s no such thing as a perfectly secured computing platform.

But let’s look closely at the facts around the Flashback Trojan causing all this consternation, and clear up what it is versus what it is not, and put the results of the incident in perspective.

Yes it’s true that some 600,000 Macs are confirmed to have been infected. The claim, first made by Dr. Web, an outfit I had never heard of, has since been corroborated by Kaspersky Labs, whose research and analysis capabilities are well-respected. More than half of the compromised machines are in the U.S., 95,000 in Canada, 47,000 in the U.K., and 41,000 in Australia.

The trojan targets a vulnerability in software that is not even an Apple product: Java. You’ll recall that Java is add-on software created by Sun Microsystems and now the property of the software giant Oracle. Rather common, it is no longer shipped as a default add-on to Apple’s Mac OS X beginning in 2011, when Apple first shipped Lion.

Through this hole in Java, certain Web sites are serving up malicious Java applets. Once inserted on the machine, the software then prompts the user to enter the password they use to run the machine. It attempts to trick the user by appearing as an update to Adobe’s Flash video and animation software.

If the user doesn’t fall for the trick, it tries something else. Here again it checks to see if there are any Microsoft Office applications on the machine, or Skype. If there are, it deletes itself.

Then it does something interesting. It scans the contents of the Mac’s hard drive to determine if certain applications are present, and if they are, it deletes itself. Among those applications are security tools such as Little Snitch, a networking security tool, or Packet Peeper, another security tool. It also deletes itself if it sees the user has installed XCode Mac developers tools, and any kind of anti-virus software.

Presuming it finds none of them, it proceeds to contact a command-and-control server for the purpose of downloading and installing more malware. That malware is being used to commandeer the Macs and generate Web traffic to boost revenue for some pay-per-click ads on Web sites, making money for someone who’s behind the scheme. Nothing surprising there.

Apple has issued a fix to Mac OS X that closes the hole in Java, and you can protect yourself by running Software Update from within your machine’s System Preferences. Today would be a good day to do that if you haven’t already. Once you’ve done this you’re no longer vulnerable to the attack.

If you’re among the 600,000 already compromised you can turn to third parties to help you remove it. F-Secure has some instructions here for determining if your machine is affected. If you’re comfortable running some commands in the Mac’s terminal program, there are also some good instructions here at ArsTechnica.

So what does all this say about the state of security on the Mac? Nothing that wasn’t true already. No system is perfectly secure, and this, along with MacDefender, amounts to exactly the second security incident worth mentioning to hit the Mac in about a year. The number of machines affected is less than 1 percent of the 63 million Macs currently in use around the world.

The conventional wisdom has often held that Macs are targeted by malware less often than Windows machines because of their relatively small market share. This still has some merit, but the fact is that Windows is also where the vulnerabilities are. Historically, Mac OS X has been substantially less vulnerable to this sort of thing than Windows.

Does that let Apple off the hook entirely? No, though to its credit, Apple had a fix ready within a week of learning of this vulnerability. That’s not exactly a pokey response, especially when the problem lies not directly within Apple’s software, but in Oracle’s.

Here’s a thought: Turn off Java in your Web browsers. You probably won’t miss it. Here’s some instructions for that.

Those fears were theoretical for a while. If you could attack the industrial computers controlling nuclear centrifuges and make them explode, as happened in the case of Stuxnet, you could, in theory, use the same approach to attack industrial computers controlling critical infrastructure in the U.S. The only thing needed is knowledge about vulnerabilities lurking in those systems.

The bad news is that, as of yesterday, those vulnerabilities are no longer a theory. The good news is that the good guys found them first.

Yesterday, researchers for a volunteer program called Project Basecamp have discovered three vulnerabilities inside a common model of industrial computer known as a programmable logic controller (PLC). These PLCs basically sit between a regular computer running Windows and a big piece of industrial equipment — say, a pump or a generator or a nuclear centrifuge.

PLCs are part of a larger set of industrial computers known as Supervisory Control And Data Acquisition (SCADA) systems. Security research into SCADA systems has increased dramatically since the revelation of the Stuxnet worm in 2010.

The work was done by researchers at Digital Bond, a security research firm specializing in work on SCADA systems. What they built was a software module called “modiconstux,” which carries out a Stuxnet-like attack on a PLC device called a Modicon Quantum, made by Schneider Electric.

Borrowing techniques learned from the Stuxnet worm, modiconstux does two things: It downloads the current set of instructions the PLC is using — a set of programming commands known as “ladder logic” — giving the attacker the ability to understand what the PLC is doing day in and day out. This is key: If you’re going to hijack a PLC to make the machine it’s controlling explode, you have to first understand the process you’re going to sabotage.

The second thing that modiconstux does is upload new ladder logic. The classic example I think of in explaining this comes from the first public demonstrations of Stuxnet carried out by researchers at Symantec. In that case, a Siemens PLC had been programmed to blow up a balloon by instructing a pump to send a certain amount of air to the balloon and then stop. After being hijacked by Stuxnet, the logic was changed in such a way that the pump didn’t stop, and the balloon popped. Not very menacing, but if you use your imagination, you can see that popping balloon as a metaphor for a lot of very dangerous outcomes.

What’s even scarier than the outcome is the fact that the exploit works without any actual computer hacking having to take place beforehand. Dale Peterson, Digital Bond’s CEO, said the attack works because the PLC is insecure in the first place. There isn’t so much as a password required to download the existing ladder logic, nor to upload the altered ladder logic. And if that PLC is connected to the Internet in any way, it is wide open to attack.

The team also released two other vulnerabilities. One tells the same Scheider Electric PLC to stop, essentially freezing it in place until it can be reset. The third is a vulnerability for a type of PLC device made by General Electric.

The vulnerabilities have been released to the wider world through Metasploit, an open source vulnerability monitoring service that’s owned by Rapid7, a Cambridge, Mass-based company that specializes in helping companies stay ahead of new computer security vulnerabilities. Metasploit subscribers can download the exploit code and test it on their own systems, and demonstrate simulated attacks that in all likelihood will scare the heck out of their bosses.

It should also scare the heck out of legislators and policymakers who have talked incessantly about the need to prepare for a “cyberattack.” Chances are, the next time there’s a serious conflict, attacks carried out by way of a computer will be used to sabotage infrastructure, sow confusion, interfere with logistics and so on. Stuxnet proved what could be done, and what to that point had generally been considered only a theory.

Created by parties unknown — though the smart money says it was Israel, with some help from the U.S. — the Stuxnet worm burrowed its way into PLCs at an Iranian nuclear installation, made the centrifuges spin too fast, and caused some of them to explode. The Iranian nuclear enrichment program was thought to be set back by anywhere from one to two years.

Since then, researchers have been on the lookout for the next Stuxnet, assuming that a second worm would be easier to construct. They’ve also been studying the inherent weaknesses in SCADA systems like PLCs. What they’re finding should give us all pause.

At a meeting in Washington, the Senate Armed Services Subcommittee on Emerging Threats and Capabilities heard testimony from experts that, essentially summarized, goes like this: The attackers already have access to the systems, so rather than try to lock them out, it’s now a matter of managing them, now that they’re in. Just as in the real world, spies are going to get into the country whether you want them to or not. So, knowing that they’re there, it makes more sense to make their day-to-day spying activities as difficult and costly as you can. DOD security practices currently focus on trying to keep intruders out.

“I think we have to go to a model where we assume that the adversary is in our networks,” James Peery, director of the Information Systems Analysis Center at the Sandia National Lab, told legislators, as reported by Threatpost, a blog produced by security firm Kaspersky Labs. “They’re on our machines, and we’ve got to operate anyway. We have to protect the data anyway.”

The hearing echoed some things we’ve been hearing on the security front from the likes of Art Coviello, the EMC vice president and former CEO of RSA Security, who spoke to AllThingsD recently.

Current practice calls for perimeter-based defenses that aim to put a defensive ring around a network to keep intruders out. That thinking is out of date and in need of a significant rethink, the panelists said. It should be noted that most of the agencies represented at the hearing were doing what government executives usually do when they go before the U.S. Senate: Jockeying for more funding.

That is, except for one agency: Michael Wertheimer, director of research and development at the super-secret National Security Agency (NSA), an agency whose budget is classified to begin with, said that current levels are sufficient, but that money needs to be spent more wisely. Then again, the NSA just built a massive data center in the Utah desert, which didn’t exactly come cheap.

You can watch a video of the 81-minute hearing here.

I’m working on getting copies of the criminal complaints, and will add them here when I do, but here’s the rundown: It looks like one of the group’s insiders got caught and probably made some kind of misstep in covering his tracks, and then worked secretly with the government to inform on other members. This is exactly what I said was likely to happen in this case, way back in June.

According to Fox, the one who turned is a New Yorker named Hector Xavier Monsegur, who worked under the handle Sabu. He’s 28 years old and the father of two, and lives on the Lower East Side of Manhattan. This is his Twitter feed. He’s been a cooperating witness since June, which coincides nicely with the moment when the first rumors started to emerge that the FBI had penetrated the group.

Fox says that according to documents that will be unsealed in a New York federal court today, Monsegur pleaded guilty in August to several hacking-related crimes. His cooperation led to charges against five more people in Chicago, the U.K. and Ireland. Among them is Jake Davis, the 18-year-old resident of the Shetland Islands, who went by the handle Topiary, and whom police in the U.K. collared on Aug. 1.

The other four are Ryan Ackroyd, who went under the handle “Kayla.” He’s a Londoner. Two people from Ireland were also charged: Darren Martyn, whose handle was “pwnsauce,” and Donncha O’Cearrbhail, who called himself “palladium.” Jeremy Hammond of Chicago went by the handle “Anarchaos.”

The news makes the following tweet by Monsegur, a.k.a. Sabu, seem sort of ironic. Among his final tweets, before word emerged that he had helped turn in his comrades, were several railing against informants and other “cowards.” Clearly, he was keeping up a brave public face:

Without informants or companies bending over+giving up their customer data the feds would be further behind than they are now. Ride up.

March 5, 2012 7:59 am via Twitter for BlackBerry®ReplyRetweetFavorite

@anonymouSabu

The Real Sabu

Anonymous, the wider hacker group with which LulzSec teamed up last year, was quick to urge its followers to block Sabu’s Twitter account.

@anonymouSabu is now controlled by feds. We have blocked the account and we suggest you do as well. #BlockAnonymouSabu

March 6, 2012 10:38 am via TweetDeckReplyRetweetFavorite

@anonops

AnonOps

Hammond, the one in Chicago, was said to be the one who led the hack against the private intelligence company Stratfor. He was profiled by Chicago Magazine in 2007 and portrayed as something of a digital Robin Hood.

Ackroyd is said to be the one who found the weaknesses in the servers of the U.S. Senate that led to its being attacked in June. Hacking federal computer systems is considered a serious crime in the U.S., but is something that LulzSec said, in the posting to Pastebin at the time, that they carried out “just for kicks.”

Update: So the US Attorney’s Office in New York has issued its press release confirming most of what Fox reported. Here it is.

Six Hackers in the United States and Abroad Charged for Crimes Affecting Over One Million Victims

Four Principal Members of “Anonymous” and “LulzSec” Charged with Computer Hacking and Fifth Member Pleads Guilty; “AntiSec” Member also Charged with Stealing Confidential Information from Approximately 860,000 Clients and Subscribers of Stratfor

U.S. Attorney’s Office March 06, 2012

Five computer hackers in the United States and abroad were charged today, and a sixth pled guilty, for computer hacking and other crimes. The six hackers identified themselves as aligned with the group Anonymous, which is a loose confederation of computer hackers and others, and/or offshoot groups related to Anonymous, including “Internet Feds,” “LulzSec,” and “AntiSec.”

RYAN ACKROYD, a/k/a “kayla,” a/k/a “lol,” a/k/a “lolspoon”; JAKE DAVIS, a/k/a “topiary,” a/k/a “atopiary”; DARREN MARTYN, a/k/a “pwnsauce,” a/k/a “raepsauce,” a/k/a “networkkitten”; and DONNCHA O’CEARRBHAIL, a/k/a “palladium,” who identified themselves as members of Anonymous, Internet Feds, and/or LulzSec, were charged in an indictment unsealed today in Manhattan federal court with computer hacking conspiracy involving the hacks of Fox Broadcasting Company, Sony Pictures Entertainment, and the Public Broadcasting Service (“PBS”). O’CEARRBHAIL is also charged in a separate criminal complaint with intentionally disclosing an unlawfully intercepted wire communication.

HECTOR XAVIER MONSEGUR, a/k/a “Sabu,” a/k/a “Xavier DeLeon,” a/k/a “Leon,” who also identified himself as a member of Anonymous, Internet Feds, and LulzSec, pled guilty on August 15, 2011 in U.S. District Court to a 12-count information charging him with computer hacking conspiracies and other crimes. MONSEGUR’S information and guilty plea were unsealed today. The crimes to which MONSEGUR pled guilty include computer hacking conspiracy charges initially filed in the Southern District of New York. He also pled guilty to the following charges: a substantive hacking charge initially filed by the U.S. Attorney’s Office in the Eastern District of California related to the hacks of HBGary, Inc. and HBGary Federal LLC; a substantive hacking charge initially filed by the U.S. Attorney’s Office in the Central District of California related to the hack of Sony Pictures Entertainment and Fox Broadcasting Company; a substantive hacking charge initially filed by the U.S. Attorney’s Office in the Northern District of Georgia related to the hack of Infragard Members Alliance; and a substantive hacking charge initially filed by the U.S. Attorney’s Office in the Eastern District of Virginia related to the hack of PBS, all of which were transferred to the Southern District of New York, pursuant to Rule 20 of the Federal Rules of Criminal Procedure, in coordination with the Computer Crime and Intellectual Property Section (“CCIPS”) in the Justice Department’s Criminal Division.

Late yesterday, JEREMY HAMMOND, a/k/a “Anarchaos,” a/k/a “sup_g,” a/k/a “burn,” a/k/a “yohoho,” a/k/a “POW,” a/k/a “tylerknowsthis,” a/k/a “crediblethreat,” who identified himself as a member of AntiSec, was arrested in Chicago, Illinois and charged in a criminal complaint with crimes relating to the December 2011 hack of Strategic Forecasting, Inc. (“Stratfor”), a global intelligence firm in Austin, Texas, which may have affected approximately 860,000 victims. In publicizing the Stratfor hack, members of AntiSec reaffirmed their connection to Anonymous and other related groups, including LulzSec. For example, AntiSec members published a document with links to the stolen Stratfor data titled, “Anonymous Lulzxmas rooting you proud” on a file sharing website.

The following allegations are based on the indictment, the information, the complaints, and statements made at MONSEGUR’s guilty plea:

Hacks by Anonymous, Internet Feds, and LulzSec

Since at least 2008, Anonymous has been a loose confederation of computer hackers and others. MONSEGUR and other members of Anonymous took responsibility for a number of cyber attacks between December 2010 and June 2011, including denial of service (“DoS”) attacks against the websites of Visa, MasterCard, and PayPal, as retaliation for the refusal of these companies to process donations to Wikileaks, as well as hacks or DoS attacks on foreign government computer systems.

Between December 2010 and May 2011, members of Internet Feds similarly waged a deliberate campaign of online destruction, intimidation, and criminality. Members of Internet Feds engaged in a series of cyber attacks that included breaking into computer systems, stealing confidential information, publicly disclosing stolen confidential information, hijacking victims’ e-mail and Twitter accounts, and defacing victims’ Internet websites. Specifically, ACKROYD, DAVIS, MARTYN, O’CEARRBHAIL, and MONSEGUR, as members of InternetFeds, conspired to commit computer hacks including: the hack of the website of Fine Gael, a political party in Ireland; the hack of computer systems used by security firms HBGary, Inc. and its affiliate HBGary Federal, LLC, from which Internet Feds stole confidential data pertaining to 80,000 user accounts; and the hack of computer systems used by Fox Broadcasting Company, from which Internet Feds stole confidential data relating to more than 70,000 potential contestants on “X-Factor,” a Fox television show.

In May 2011, following the publicity that they had generated as a result of their hacks, including those of Fine Gael and HBGary, ACKROYD, DAVIS, MARTYN, and MONSEGUR formed and became the principal members of a new hacking group called “Lulz Security” or “LulzSec.” Like Internet Feds, LulzSec undertook a campaign of malicious cyber assaults on the websites and computer systems of various business and governmental entities in the United States and throughout the world. Specifically, ACKROYD, DAVIS, MARTYN, and MONSEGUR, as members of LulzSec, conspired to commit computer hacks including the hacks of computer systems used by the PBS, in retaliation for what LulzSec perceived to be unfavorable news coverage in an episode of the news program “Frontline”; Sony Pictures Entertainment, in which LulzSec stole confidential data concerning approximately 100,000 users of Sony’s website; and Bethesda Softworks, a video game company based in Maryland, in which LulzSec stole confidential information for approximately 200,000 users of Bethesda’s website.

The Stratfor Hack

In December 2011, HAMMOND conspired to hack into computer systems used by Stratfor, a private firm that provides governments and others with independent geopolitical analysis. HAMMOND and his co-conspirators, as members of AntiSec, stole confidential information from those computer systems, including Stratfor employees’ e-mails as well as account information for approximately 860,000 Stratfor subscribers or clients. HAMMOND and his co-conspirators stole credit card information for approximately 60,000 credit card users and used some of the stolen data to make unauthorized charges exceeding $700,000. HAMMOND and his co-conspirators also publicly disclosed some of the confidential information they had stolen.

The Hack of International Law Enforcement

In January 2012, O’CEARRBHAIL hacked into the personal e-mail account of an officer with Ireland’s national police service, the An Garda Siochana (the “Garda”). Because the Garda officer had forwarded work e-mails to a personal account, O’CEARRBHAIL learned information about how to access a conference call that the Garda, the FBI, and other law enforcement agencies were planning to hold on January 17, 2012 regarding international investigations of Anonymous and other hacking groups. O’CEARRBHAIL then accessed and secretly recorded the January 17 international law enforcement conference call, and then disseminated the illegally-obtained recording to others.

***

MONSEGUR, 28, of New York, New York, pled guilty to three counts of computer hacking conspiracy, five counts of computer hacking, one count of computer hacking in furtherance of fraud, one count of conspiracy to commit access device fraud, one count of conspiracy to commit bank fraud, and one count of aggravated identity theft. He faces a maximum sentence of 124 years and six months in prison.

ACKROYD, 23, of Doncaster, United Kingdom; DAVIS, 29, of Lerwick, Shetland Islands, United Kingdom; and MARTYN, 25, of Galway, Ireland, each are charged with two counts of computer hacking conspiracy. Each conspiracy count carries a maximum sentence of 10 years in prison.

O’CEARRBHAIL, 19, of Birr, Ireland, is charged in the indictment with one count of computer hacking conspiracy, for which he faces 10 years in prison. He is also charged in the complaint with one count of intentionally disclosing an unlawfully intercepted wire communication, for which he faces a maximum sentence of five years in prison.

HAMMOND, 27, of Chicago, Illinois, is charged with one count of computer hacking conspiracy, one count of computer hacking, and one count of conspiracy to commit access device fraud. Each count carries a maximum sentence of 10 years in prison.

DAVIS is separately facing criminal charges in the United Kingdom, which remain pending, and ACKROYD is being interviewed today by the Police Central e-crime Unit in the United Kingdom. O’CEARRBHAIL was arrested today by the Garda.

The case is being prosecuted by the U.S. Attorney’s Office for the Southern District of New York. The investigation was initiated and led by the FBI, and its New York Cyber Crime Task Force, which is a federal, state, and local law enforcement task force combating cybercrime, with assistance from the PCeU; a unit of New Scotland Yard’s Specialist Crime Directorate, SCD6; the Garda; the Criminal Division’s CCIPS; and the U.S. Attorneys’ Offices for the Eastern District of California, the Central District of California, the Northern District of Georgia, and the Eastern District of Virginia; as well as the Criminal Division’s Office of International Affairs.

The charges contained in the indictment and complaints are merely accusations, and the defendants are presumed innocent unless and until proven guilty.

And here’s the initial indictment on Hector Monsegur, initially filed in the US District Court for the Southern District of New York in August of last year. I’m gathering up documents on the other people charged in this and will share it as I get it.

Monsegur

Anonymous is a handful of geniuses surrounded by a legion of idiots.

– Cole Stryker, an author who has researched the hacker group

It went on to explain some of the circumstances of the attack, a little bit about what data was taken, and then later conceded that at least some of that information was used to launch an ultimately unsuccessful attack against the defense contractor Lockheed Martin.

Last year was a tough one for RSA. Its security tokens, which generate six-digit numbers that act as a second constantly-changing password to help keep intruders out of sensitive computer systems, are the backbone of the security systems of many companies and government agencies.

Art Coviello, the onetime CEO of RSA and now executive vice president of its parent EMC, will be giving a keynote address tomorrow at the annual RSA Security Conference in San Francisco. I thought it might be a good chance to talk with him about the legacy of the attack on RSA, see if there was anything new he could share about what was learned about the attack, and how what happened is shaping RSA’s thinking about the computer security landscape.

AllThingsD: Art, You’ll be speaking at RSA about a year after the infamous attack on your company. How are you approaching the speech, and what are you going to say?

Coviello: Part of what I’ll be talking about is the renewed sense of dedication we have to our mission, our responsibility to customers to regaining and maintaining their confidence. And also applying the lessons learned and sharing them vigorously, not only with our attack, but some of the other attacks that we have privileged insight into. And the bottom line is that we do hope, in the final analysis, that people have more of a sense of urgency in protecting themselves, because the truth of the matter is that we weren’t alone. The theme will be how security has to change from the kind of perimeter defenses that seemed to be dissolving even before our attack, to the requirement for more resilient security based on intelligence that you can get on a more real-time basis. So I’ll be outlining RSA’s vision for intelligence-driven security.

It will be a fairly strong call to action for the industry. We’ve had a great run in creating a trusted digital world, for all its weaknesses and idiosyncrasies. But as you see with trends like the consumerization of IT, we’ve never had a generation of employees and consumers that has been as technology-savvy as we have today, and in many instances they’re getting ahead of the enterprise IT organization’s ability to absorb the technologies they use day in and day out. And that puts an even bigger burden, from a security perspective, on IT organizations. And so they need to manage what they can’t directly control, and secure what they can’t directly control, and that means perimeters are nonexistent. So how do you get the intelligent controls you do have deployed more intelligently, so that even if things are out of reach, they’re not out of your ability to secure them? Our attack did not only raise awareness, but also the action level of people.

The attack that RSA suffered last year caught a lot of people by surprise. For those who haven’t kept track, have there been any new disclosures or information disclosed since, or is there anything new that you’ve learned?

No. And the funny part about it, as with all things in the press, if nothing bad happens, nothing gets written about. To date, there has been only one instance where it has been suggested that the information stolen from us has been used in another attack. And that was Lockheed Martin. And that attack was unsuccessful. There have been no other attacks, and believe me, we have stayed close with law enforcement and other sources, and have run down every one of these that has been reported, and there’s no substantiation of even another attempted attack, let alone a successful one. So we stand by the original decision we made in March, which was to announce that information had been stolen, to announce that you couldn’t launch a direct attack with the information stolen, and that if you took the remediation steps that we advised our clients to take, you’d be fine.

I think — and this is my theory — the attacker thought that they would be able to get in, steal the information they got from us without being caught, and then steal information from others, and combine them. And, quite frankly, because of our quick action in detecting that we were breached and some information stolen, we blew their cover. I can’t think of a reason to explain why they would go to all that trouble and you would only see one instance of a follow-up attack, and that one instance was stopped. And that got lost in all the coverage.

The impression I got was that the attacker seemed to get that this was an attack that was only partially successful, and that whoever it was — the speculation was that it was China — they only got a little of what they had hoped to get, and once detected, the jig was up. Is that more or less how you see it?

I couldn’t put it better than that. And we said that everything we saw pointed to a nation-state, but we never had the smoking gun to point to a particular country as the source of the attack.

So then what happened after the attack was that, since a lot of people and companies and government agencies had put a lot of faith in the RSA dongles and your system to keep people out, there was a bit of a crisis with that faith.

Totally true, let me step in here. That was one of the issues we had to wrestle with when the Lockheed incident happened. Because of the Lockheed thing, people thought we had to issue new tokens to everyone. That was not the case. We continued to stand by the remediation. But we had to recognize the angst and the perception among customers. And that is why we had to offer to replace the tokens. And sure, there were a number of customers who did, but the vast majority did not. No one likes the fact that it happened, but our concern right from day one was for the customers. The proof of the pudding is that our customers are still taking tokens. We’ve lost a negligible number of customers. And, in fact, we’ll be talking this week about some surveys showing that people are still buying tokens.

So you say in your remarks you plan to talk about real-time security intelligence, which is something I’ve talked about with IBM recently. Is real-time intelligence the direction where the entire security industry has to go?

First of all, the NetWitness — and this is another irony in all this — I signed the purchase and sale agreement to purchase NetWitness just a few days before the attack on RSA. And one of the reasons we bought it is that we had it deployed all across EMC. And we viewed it as being very effective in spotting anomalies in network traffic. So the issue today, especially with the porous perimeters that we have, is not whether or not you can or will be breached, because you can be breached. The issue is how fast can you spot it.

The Verizon data-breach report (PDF here) says that more than 90 percent of exfiltrations occur within hours or days of the initial breach. But about 79 percent of breaches aren’t spotted until weeks after they occur. We were able to see the attack in progress, which is why we were able to minimize the information that did get out, and we were within a blink of an eye of stopping the attack altogether. And it was based on this NetWitness technology. But since we acquired it, we have been leveraging it to see not just movements of packets, but to combine with our (Security Event Management) product to not just log information, but ingest all kinds of contextual information. This is unprecedented in security technology and, frankly, IBM doesn’t have it.

And one of the things that I’ll be saying in the keynote is that the age of Big Data has arrived for security, and it has. It is a Big Data problem. If you’re going to be able to spot these attacks in real time and have a resilient security system, as opposed to one that breaks and doesn’t bend, which is what the perimeter defenses do today, then you have to have real-time analytical capability. Only today do we have the storage and analytical capability, and the ability to deploy it at scale. One disadvantage of the attackers is that they are not legitimate. There will always be something in how they get access, or what they do, that will allows us to find them out.

The observation I made in talking with IBM last week is that there are so many new problems and threats emerging that it’s not only difficult to keep track of them, but it’s also hard to filter security vendors who offer conflicting visions and products they all say are a panacea. CIOs are getting confused, and are having a hard time calibrating their priorities. How do they find any clarity these days?

Let me read a line from my keynote: We have to stop being linear thinkers, blindly adding controls on top of failed models. It’s the model itself that is broken. If a vendor is coming to you, saying, “I’ve got this new control, just add it to this uncoordinated silo of controls that already exist,” then they are not doing you much of a service. What we’re advocating is that people double down on some of the qualitative things that have nothing do with technology. So the first element of having what we call an intelligence-driven security system is doing a better job of assessing and managing risk. And I’m going to put a challenge out to the audience, and I’m going to say that no one does this meaningfully, and no one does it well.

So what needs to change?

When I talk about understanding the threats outside-in, as well as inside-out, what I mean is not only understanding what your material assets are, but marrying that knowledge to an understanding of who might attack you, how they might come at you. The next step is getting leverage from the controls that you have. You have to disinvest in some. Let’s face it, 10 or 12 years ago, antivirus signatures numbered in the tens of thousands. Now they number in the tens of millions. How can that make any sense? As soon as you have a signature, someone has a new virus to overcome it. It’s these static models that don’t bend, but break, that have to change. The controls that we have have to be more intelligent.

AllThingsD.com

Yet now that the attacks have subsided, it’s time to see them for what they are: Nothing more than a blunt instrument that accomplishes nothing constructive.

As of today, only one of the Web sites attacked by the hacker troupe Anonymous is still apparently affected, and that belongs to the Universal Music Group recording label. It currently displays only a message saying “The Site is under maintenance. Please expect it to be back shortly.” Others that had been attacked yesterday, including the sites of the U.S. Department of Justice, the Recording Industry Association of America and the Motion Picture Association of America all seemed to be operating normally.

Thursday’s attacks, which have been described as the biggest action yet organized by Anonymous, were launched in apparent revenge for the FBI’s arrest of several people associated with the file-sharing site Megaupload.com over suspicions of online piracy. Taking place against the backdrop of a wider, more civil protest against anti-piracy legislation currently before the U.S. Congress, the atmosphere around the attacks has been politically charged.

As Molly Wood of CNET put it, the #OpMegaUpload attacks — coming as they did on the heels of Wednesday’s peaceful anti-SOPA protest — seem like an “unsettling wave of car-burning hooligans that sweep in and incite the riot portion of the play,” spurring equally unsettling reactions from the powers that be.

Many outlets have portrayed the attacks as “hacks,” implying that someone had picked a lock in order to commit some kind of sabotage. But the tactic used — a distributed denial-of-service (DDoS) attack — is more aptly compared to a blunt instrument, requiring neither skill nor knowledge, only large numbers of willing participants who team up to swarm a site with more requests than it can accommodate and thus overwhelm its ability to function normally.

The adjective “willing” is debatable, and perhaps inaccurate. Anonymous was able to generate such impressive numbers with the operation — it claimed more than 5,000 participants — by spamming a link in chat rooms and via Twitter that, when clicked, triggered a tool used to launch the attack. People tricked into following the link are given no context or information, and so may or may not have any idea that they’re participating in the execution of a crime.

For the record, it is illegal in the U.S., the U.K., Sweden and other countries to launch and participate in a DDoS attack like the one Anonymous organized. As anyone who has observed the evolution of Anonymous (and its various affiliates using the names LulzSec and AntiSec) should know, the FBI arrested 16 people last July, many of them charged with participating in a DDoS attack against PayPal in protest of its shutting down an account used by WikiLeaks.

In 2009, a New Jersey man was sentenced to a year and a day in prison for launching a DDoS attack against the Church of Scientology. And in 2010, a 23-year-old Ohio man was sentenced to 30 months in prison for launching DDoS attacks against several prominent U.S. conservatives, including the author Ann Coulter, former New York City mayor Rudolph Giuliani and Fox News commentator Bill O’Reilly.

Records like that suggest to me that DDoS attacks never accomplish anything that the people who organize and carry them out attempt to do. At most, they inconvenience the people who visit and operate the targeted sites for a few hours, until the attention spans of the attackers shift elsewhere. They also generate headlines that are forgotten by nearly everyone except the targets, and sometimes law enforcement.

And so it will be this time. Mark your calendars, because the Megaupload revenge attacks will spur a series of arrests later this year. Some of those arrested will be people who didn’t know they were committing a crime. And that certainly won’t help Anonymous’ image. Nor will it further a single bit of what passes for the Anonymous agenda.

I wrote then:

“The unvarnished fact is that the networked society to which we’ve become accustomed in the last several years has a soft, vulnerable underbelly.

And the more we rely upon it, the more people with a combination of advanced technical skills and repugnant motivations are going to look for ways to turn it against us.

Some will do so as a means of making a personal profit. Others may see it as a way of advancing a political or ideological agenda.

But others will want to use theirs skills to do serious harm to innocent people on a large scale.”

Part of these predictions or ruminations or whatever you care to call them makes me think of the hijinks of the group that started out in the spring variously known as LulzSec, Anonymous and later adopted the moniker AntiSec. This loosely affiliated group emerged from the wake of the various attacks against Sony, and seemed to have nothing to prove but that it could make mincemeat out of whatever security measures had been put in place by Sony or whatever video game outfit it had targeted on a given day.

Sony’s Playstation Network was a favorite target, and its service was at least partially offline during two months ended in July.

Then, as summer dawned, the group’s members became aware of global politics and teamed up with Anonymous, the Wikileaks-allied band of hackers known for their campaigns of digital civil disobedience. Together they declared “immediate and unremitting war” on governments and corporations, and said their top priority would be to steal and leak any classified government information, including but not limited to email and documentation. They attacked an Arizona police agency as a way of making a statement against anti-immigrant laws in that state, and published the names and home addresses of several officers.

Later they sought to earn some street cred by stealing “secret” documents from NATO, only to learn after the fact that the documents they released had not only been released before, but weren’t even really all that secret to begin with. It wasn’t long before alleged members of the group started showing up in handcuffs, which seemed not to faze them. The prospect of body bags and real-world violence during a confrontation with Mexican drug cartels, however, did.

Yet for all the headlines they garnered and the headaches they caused, the LulzSec/Anonymous/AntiSec gang wasn’t anywhere near the scariest thing to appear on the computer security landscape in 2011. To my mind, one of the top three scariest things was the disclosure of Operation Shady RAT, which Intel-unit McAfee said appeared to be the biggest large-scale compromise ever, affecting 72 organizations and governments around the world, including the U.S., Taiwan, Vietnam, South Korea, Canada and India — some of them dating back as far as 2006. McAfee said the attacker was a “state actor,” though it declined to name it. The candidate highest on the short list was, naturally, China.

The second truly scary incident was the attack carried out against RSA Security, a unit of the IT company EMC, the maker of the popular SecurID tokens that so many people have on their keychains and use to create an added layer of security that goes beyond the password. Months later, the U.S. defense contractor Lockheed Martin was attacked with duplicate SecurID tokens.

Finally, the Stuxnet Trojan (used by parties officially unknown, but probably Israel with a little help from the U.S.) continued to fascinate and confound security researchers in 2011. Having caused nuclear centrifuges in Iran to explode in an attempt to set back that country’s nuclear weapons research program, Stuxnet was found to have a sibling called Duqu. Unlike Stuxnet, which messed with industrial control computers and made them do things they wouldn’t normally do, Duqu’s mission was much simpler: Steal everything in sight.

And after that, it was discovered by researchers at Kaspersky labs that Stuxnet and Duqu are part of an even bigger family, with at least three more siblings still undetected by researchers, and that all five were created by the same people and with the same tools. Chances are we’ll see at least a few of those final three in 2012, particularly as tension with Iran heats up.

So while there was much to consider scary happening on the Internet in 2011, I’m grateful for being wrong on one key prediction: That we didn’t see a significant computer attack used to physically harm innocent people on a large scale. That’s one prediction I hope to miss for years to come.

Identity Finder, a New York-based identity theft protection firm, has analyzed the information breached and summarized what the attackers appear to have made off with.

• 50,277 unique credit card numbers, of which 9,651 are not expired
  
• 86,594 email addresses, of which 47,680 are unique
  
• 27,537 phone numbers, of which 25,680 are unique

• 44,188 encrypted passwords, of which roughly 50 percent could be easily cracked
• 73.7 percent of decrypted passwords were weak
• 21.7 percent of decrypted passwords were medium strength
• 4.6 percent of decrypted passwords were strong
• Average decrypted password length: 7.1 characters
• 10 percent of decrypted passwords were less than 5 characters long
• Only 4.8 percent of decrypted passwords were 10+ characters long
• Presumably the remaining non-decrypted passwords were stronger than the decrypted subset
• 13,973 of the addresses belonged to United States victims; the remainder belonged to individuals from around the world

There are also an additional 2.7 million email messages that the attackers claim to have taken, but that have not yet been released.

Stratfor has promised to inform the customers whose information was taken no later than Dec. 28, which is tomorrow. Anonymous, ever seeking to justify its actions in the name of some higher moral purpose, said in a tweet that Stratfor, which sells subscriptions to its intelligence analysis reports to government, law enforcement agencies and businesses, isn’t “the harmless company it tries to paint itself as,” and that the emails will show that.

@techwriterjim It was conducted by #Antisec. Stratfor is not the “harmless company” it tries to paint itself as. You’ll see in those emails.

December 27, 2011 11:27 am via QwitReplyRetweetFavorite

@AnonymousIRC

AnonymousIRC

Whatever. Wired reported that someone who participated in the attack said that a total of four servers were breached, and the data on them wiped. The question that then logically arises is this: What was a firm that’s ostensibly in the business of advising business and government clients on security doing about its own?

The reason? A scary vulnerability in Java that was detected over the summer, and which Oracle has subsequently fixed, is being exploited by people who create the malware and crimeware that causes so many headaches for home users and corporate IT departments.

The risk is especially acute at large companies with big fleets of desktops and notebooks to manage. If you’re a home user, the patch is easy to install. But most employees don’t have administrative privileges on their work desktops or notebooks, so someone from the IT department has to come and install the patch for them.

That’s a big, time-consuming process, says HD Moore, chief security officer at Rapid7, a Cambridge, Mass-based company that specializes in helping companies stay ahead of new computer security vulnerabilities. He’s also the chief architect of Metasploit, which Rapid7 owns.

One of the reasons this particular vulnerability is so bad is that even after it was detected and fixed, it wasn’t fully understood how dangerous it is, Moore says. Crimeware creators somehow figured it out ahead of most security researchers, and started adding code to Web sites designed to take advantage of it. And that’s especially dangerous at this time of the year, when people are shopping online both at home and the office. “It’s kind of like a perfect storm,” Moore told me yesterday. Add to that the fact that many companies have IT staff taking vacation during the holiday season, and the timing couldn’t be worse.

Enterprise is historically bad at patching Java vulnerabilities anyway, because it doesn’t have the same automatic update tools that Windows or Adobe Flash does. “The tools for patching Java aren’t that great,” Moore told me. “A Java update just isn’t treated with the same fervor as a Windows update.”

So how bad is this one? The National Vulnerability Database rates it a 10 out of 10 on the severity scale, and also rates it as “low” on the access complexity scale — meaning it’s really easy for the bad guys to carry out an attack using it.

Security blogger Brian Krebs discovered the vulnerability being “weaponized,” that is, built into the software that computer criminals buy on the black market. For instance, those who have bought something called the Blackhole Exploit Kit, a $4,000 software toolkit used to target Windows machines, are getting automatic updates that include tools to take advantage of the Java vulnerability.

What to do until you can get all your machines updated with the latest version of Java? Simple, really: Disable it and block it at the firewall, until all the machines on the network that need the update have it, Moore says.

Rapid7, incidentally, is a security company on the rise. Just last month it raised a $50 million series C round of funding, led by Technology Crossover Ventures and joined by previous investors Bain Capital Ventures; Tim McAdam, a TCV partner, joined Rapid7′s board.

Printers are Internet-connected devices just like computers. They have their own operating systems and software, and so, in theory, are vulnerable to attacks by hackers just as computers are. There was an old urban myth that in the run-up to the first Iraq War in 1991, hacked HP printers shipped to Iraq were instrumental in shutting down Iraqi radar systems. It wasn’t true — it was published on April 1 of that year by the trade magazine InfoWorld — but the idea stuck, and at least one group of security researchers has been studying the use of Trojans installed into printers.

The Columbia researchers had claimed that a part inside a printer called a fuser, used to dry the ink, could be remotely instructed to overheat, eventually causing paper inside the printer to turn brown and start to smoke.

Conceptually it’s not that different from the Stuxnet attack against the Iranian nuclear research program. The attackers in that case, thought to be Israel with a little help from the U.S., attacked industrial control computers known as SCADA systems that serve as the bridge between typical Windows-based machines and industrial equipment that the SCADA systems control. In the case of Stuxnet, the SCADA systems were controlled — often they have only default passwords or no passwords at all — and the machines they were connected to could be instructed to literally destroy themselves.

Some researchers at the U.S. Department of Energy’s Idaho National Lab did just that in the video below, showing in a controlled environment that a generator could be hijacked over the Internet and made to destroy itself.

But could you do the same thing with a printer? Theoretically, I’d say it’s possible. But in this case, HP says not where its printers are concerned.

Below is an internal HP memo from Vyomesh “VJ” Joshi, the head of HP’s Imaging and Printing Group, that was circulated to employees today.

First off, he says, the fire issue is not true. As noted in the public statement, HP’s printers have a component called a thermal breaker that prevents the fuser from overheating, and it can’t be overcome by a firmware upgrade.

But Joshi also spanks the Columbia researchers for turning to the media and not calling HP first, which is the way security researchers usually operate when they identify a serious vulnerability. There is, he concedes, a vulnerability to malicious firmware modifications, especially on printers that are left unprotected on a network without a firewall running. HP aims to fix that. But usually in these situations, the media doesn’t get called until a fix is ready. “Unfortunately in this situation, a Columbia representative took it upon himself to contact the media and reports were published prior to a solution being available,” he writes.

Joshi’s full memo is below.

From: IPG, Vyomesh Joshi
Sent: Tuesday, November 29, 2011 4:40 PM
Subject: Inaccurate Printer Security Press Coverage

Dear IPG Employees,

As many of you have read today there has been sensational and inaccurate press coverage regarding potential security risks with some HP LaserJet printers. I wanted to make sure you had the most current information and context for this situation. No customer has reported unauthorized access. We have also seen speculation in the media regarding the potential for devices to catch fire due to a firmware change. This claim is inaccurate. We have issued a public statement communicating to customers and partners and refuting inaccurate information.

This information first came to us late last week from a research lab based at Columbia University. As a result, we have identified a specific vulnerability exists for some HP LaserJet devices if placed on a public internet without a firewall or if a malicious effort is made to modify the firmware of the device by a trusted party on the network. Our security team is taking immediate measures to build a firmware upgrade to resolve any potential risk and will be communicating this proactively to customers and partners who may be impacted.

Typically when a security issue is identified, responsible disclosure is followed so that vulnerabilities are not made public until a solution is available. Unfortunately in this situation, a Columbia representative took it upon himself to contact the media and reports were published prior to a solution being available.

We have always taken security very seriously. In fact, HP’s reputation for security continues to be among the highest in the industry. I want to assure you that our security experts are working around the clock to mitigate any potential risk.

We will make every effort to communicate new information as it becomes available.

Regards,

VJ

The techniques described in the trove of 200-plus marketing documents include hacking tools that enable governments to break into people’s computers and cellphones, and “massive intercept” gear that can gather all Internet communications in a country.

Read the rest of this post on the original site »

The lawyer’s opinion, and other documents released Tuesday by Parliament’s Culture, Sport and Media Committee, add to already mounting pressure on top News Corp. executives, including Deputy Chief Operating Officer James Murdoch, who has insisted he was in the dark about the extent of illegal reporting tactics at the time.

Read the rest of this post on the original site »

It’s been more than 30 years since my favorite American bard, John Prine, sang that lyric, and it came to mind as I sat down today to meet with Brian David Johnson, who is, to my recollection, the first person I’ve ever known to carry the job title “futurist.” And yes, it sounds a little specious, until you find out he works as a futurist for the chipmaker Intel, which certainly has a long-term strategic interest in anticipating the demands of the future well before they happen.

Johnson was a guest today on The Wall Street Journal’s “Digits” program, which I co-hosted with the Journal’s affable Simon Constable. Johnson is in New York to speak at Comic Con about Intel’s Tomorrow Project, which aims to ask honestly what computing may be like 15 or 20 years from now — and the implications for our daily lives.

Think back to 1996 and you probably had some idea of what 2011 would be like. But did you really? You may have had a cellphone, but would you have imagined how much of your daily life would be punctuated by its use, beyond making phone calls? If you were to zap back in time and have a conversation with the 1996 you about life in 2011, you’d probably have to rely on science fiction to get the point across. “You know the communicator and tricorder from ‘Star Trek’? Yeah, we basically have those. We call them smartphones, and they’re kind of a big deal,” the 2011 you might say. “And they’re also the talking computers from ‘Star Trek.’ And you won’t believe who makes them.”

Science fiction makes it possible, Johnson says, to have a conversation about the future, by giving us the metaphors we need to figure out what we want and don’t want to happen. Hence “The Tomorrow Project Anthology,” a collection of short stories set in the future, imagining plausible situations emerging from science fact of today. One volume of the anthology was published earlier this year, and a new one is out now.

What happens, on some hypothetical day in the future, when passwords are easily and readily hackable and all our personal information is more or less available for all the world to see and take and use? That’s what the writer Cory Doctorow asks in his story, “The Knights of the Rainbow Table,” which appears in the new volume.

So these are some of the things that Simon and I talked about with Johnson in today’s closing segment on “Digits,” which you can see below. Enjoy.

*Lyrics from “Living in the Future,” by John Prine, from the 1980 album “Storm Windows.”

It started as curiosity and it turned into just being addicted to what was going on behind the scenes … I was almost relieved when they came and took the computer.

Christopher Chaney, the alleged “celeb hacker” who was arrested on charges of hacking the email accounts of Scarlett Johansson and other celebrities, said he was glad he got caught because he didn’t know how to stop.

The media giant’s News International unit has agreed to pay roughly £2 million to the Dowler family and about £1 million to a charity, the person added. Unlike dozens of other alleged phone-hacking victims, the Dowler family hasn’t filed a lawsuit against the company.

Read the rest of this post on the original site »

Today, HP presented a new strategy intended to boost its role in the business of supplying IT security to large businesses. With two big shifts hitting the corporate computing environment — cloud computing and scores of worker-selected mobile devices entering the workplace — there are a lot of new security challenges giving CIOs headaches.

“If you look at those trends, they challenge the traditional notions of enterprise security,” says Tom Reilly, HP’s VP and general manager for Enterprise Security Products. “So we want to address those challenges.”

The traditional approach in IT security was to establish strong perimeters around the network and around a company’s computers that could keep bad guys out and let good guys in, and then setting strict rules about what people allowed access can do.

Cloud computing obviates the need for a perimeter, because all the computing resources are, well, in the cloud. They live on some virtualized server in someone else’s data center. And someone who brings their iPhone to the office expects to have the same level of access to the resources they need to do the job. The old models don’t really apply anymore.

Meanwhile, attacks are surging. A study by the Ponemon Institute — which, in fairness, was sponsored by HP’s subsidiary ArcSight — found that cyberattacks against a group of 50 large companies grew by 44 percent last year versus the prior year. The companies in the sample group — all of which had 700 or more users — were hit with a combined 72 successful attacks per week, averaging more than one per company per week. The study also found that the costs to mitigate these attacks went up by 56 percent year over year.

“The bad guys are getting better, but as we change our IT environment we’re giving them more surface area from which to launch these attacks,” Reilly says.

So HP is coming into the picture with what it says is a new approach. It turns out HP has been quietly building up its security bona fides through acquisitions. Last year it paid $1.5 billion to acquire security intelligence firm ArcSight, of which Reilly was CEO. In 2009, it acquired TippingPoint, a network security outfit that came with the $2.7 billion acquisition of 3Com. Another pair of acquisitions, Fortify and SPI Dynamics, both specialize in application security.

HP’s plan is to mix these security capabilities into its Enterprise services offerings, Reilly says. Rather than try to sell each company new firewalls or other stuff, HP can come in and augment whatever security the company is already using with better information about threats and a new set of tools that can see how the company’s infrastructure is being used, not just on-premise, but within cloud-based environments, as well.

The point, Reilly says, is not so much to sell specific new security products to companies, but to take a service-based approach that helps a company get a better handle on the new security troubles it may be facing.

The trouble is that HP hasn’t generally been viewed as a player in the IT security market, and risk-averse CIOs are usually slow to embrace new vendors, because they tend to have long-term relationships with suppliers. But with the nature of the threats changing, HP is apparently hoping to use its status as an established supplier of servers, PCs and other IT products and services, to start a conversation around security with its customers.

There has been a lot of activity around security in the last few years. Intel spent more than $7 billion to acquire the security software firm McAfee earlier this year, and IBM already offers a muscular set of security products and services. It will quickly run into competitors, for sure.

If nothing else, following as it does in the wake of HP’s plans to divest itself of PCs and its mobile device business, a robust security offering is something that enterprise customers are going to expect. If there’s really going to be a new enterprise-centric HP, expect to see more moves like this. Whether or not they’ll work is another matter.

“The number of these networked devices has skyrocketed in the past two years,” said Don Bailey, of cyber-security firm iSec Partners, who has been studying the vulnerability problem along with colleague Mathew Solnik. “They aren’t just in automotive systems but in security systems, industrial control systems, medical devices.”

At a conference in August the two iSec researchers demonstrated how they could unlock and start a car by sending certain text messages to the car’s alarm system. The researchers said the real problem isn’t the possibility that hackers will start stealing cars. The ramifications are much broader. The same basic approach could be used by hackers to disrupt businesses or vital services.

Read the rest of this post on the original site »

The U.K. Parliament’s Culture, Media and Sport Select Committee released written statements from Mr. Murdoch, several former top executives and a law firm that was retained by the media company as it dealt with fallout from the scandal over allegations that the now-closed News of the World illegally intercepted voice-mail messages and bribed police to obtain information.

Read the rest of this post on the original site »