Cyberthieves Steal $600,000 From Catholic Diocese of Des Moines, Iowa

KrebsOnSecurity.com reports that “cyber thieves stole more than $600,000 from the Catholic Diocese of Des Moines, Iowa earlier this month. The funds were spirited away with the help of dozens of unwitting co-conspirators hired through work-at-home job scams, at least one of whom was told the money was being distributed to victims of the Catholic Church sex abuse scandals.”

According to Krebs, “In a statement released last week, the diocese said the fraud occurred between Aug. 13 and Aug. 16, apparently after criminals had stolen the diocese’s online banking credentials. The Diocese said it was alerted to the fraud on Aug. 17 by its financial institution, Bankers Trust of Des Moines. … The diocese also said the FBI and U.S. Treasury Department were notified, and that the FBI had taken possession of several diocesan computers. To date, roughly $180,000 has been recovered. … The diocese added that law enforcement had advised them that the theft seems to have been the work of a highly sophisticated operation based overseas, which moved the stolen money out of the United States by recruiting people who unknowingly act as intermediaries.”

Might the Best CyberSecurity Defense Be a Good Offense?

According to a story in the Washington Post, the Pentagon is developing a suite of advanced generation cyber-defense weapons that can best be described as “taking the battle to the enemy.” The tools can “attack and exploit adversary information systems” and can “deceive, deny, disrupt, degrade and destroy” information and information systems, according to Defense Department budget documents.

Gen. Keith Alexander, the head of the Pentagon’s new Cyber Command, told an audience in Tampa this month, “We have to have offensive capabilities, to, in real time, shut down somebody trying to attack us.”

Deputy Secretary of Defense William J. Lynn III has said the approach includes “reaching out” to block malicious software “before they arrive at the door” of military networks. “We need to be able to protect our networks,” Lynn said in a May interview. “And we need to be able to retain our freedom of movement on the worldwide networks.”

Military officials have declared that cyberspace is the fifth domain – along with land, air, sea and space – and is crucial to battlefield success.

Stan Stahl Ph.D. August 28, 2010. Filed in Cyber Security Management, national security.

Cyber-Bank Theft Pits Victim vs Bank. Got Insurance?

KrebsOnSecurity.com reported recently that “a business telephone equipment company in Texas is trying to force its bank to settle a liability claim over an attack by organized cyber thieves last year that cost the company $50,000.”

This is a common story which we continue to write about. [See many of our postings under the tag: Financial Systems Security.]

The unfortunate truth [as we wrote in an earlier blog] is that banking laws put the responsibility for cybercrime losses onto the customer. If the customer wants the bank to reimburse it for the fraud losses, it’s up to the customer to prove that the bank’s security procedures are not commercially reasonable [as that phrase is defined in the Uniform Commercial Code, Article 4A-202]. The result, all too often, is that the customer has little choice but to sue the bank. [See our blog post, for example.]

The good news: There’s a very good chance the bank’s procedures fail the test of commercial reasonableness. In an analysis of a bank whose customer lost $600,000 when cyberthieves uploaded fraudulent payroll databases, our firm found significant technical, procedural and managerial weaknesses in the bank’s security procedures. These weaknesses were so egregious that they left us no alternative to the conclusion that the bank’s security procedures were not commercially reasonable.

The bad news: The cost of proving the bank’s procedures are not commercially reasonable [so that the bank will share in the responsibility for the loss] is huge. I have no idea of the legal fees involved, but I do know that fees for expert analysis do not come cheap. Consequently, most organizations will not have the deep pockets to sustain a lawsuit, particularly under the cash flow pressures that will inevitably follow a large loss.

That’s why Citadel continues to recommend that every organization discuss cybercrime insurance with their insurance broker. As Brian Krebs wrote in his blog KrebsOnSecurity.com, “cyber theft insurance can be a reasonable and effective investment in an era when ultra-sophisticated cyber thieves increasingly are defeating the security that surrounds many commercial online banking accounts.”

Military Computer Attack Confirmed. Classified Systems Breached.

William J. Lynn III, U.S. Deputy Secretary of Defense, has confirmed a previously classified computer attack in which a foreign intelligence agent used a flash drive to infect computers, including those used by the Central Command in overseeing combat zones in Iraq and Afghanistan. Writing in the latest issue of the journal Foreign Affairs, Lynn describes the 2008 incident as “the most significant breach of U.S. military computers ever.”

According to Lynn, “The flash drive’s malicious computer code, placed there by a foreign intelligence agency, uploaded itself onto a network run by the U.S. Central Command. That code spread undetected on both classified and unclassified systems, establishing what amounted to a digital beachhead, from which data could be transferred to servers under foreign control. It was a network administrator’s worst fear: a rogue program operating silently, poised to deliver operational plans into the hands of an unknown adversary.”

According to the New York Times, Lynn’s “article appeared intended partly to raise awareness of the threat to United States cybersecurity — ‘the frequency and sophistication of intrusions into U.S. military networks have increased exponentially,’ he wrote — and partly to make the case for a larger Pentagon role in cyberdefense…. Various efforts at cyberdefense by the military have been drawn under a single organization, the U.S. Cyber Command, which began operations in late May at Fort Meade, Maryland, under a four-star general, Keith B. Alexander…. But under proposed legislation, the Department of Homeland Security would take the leading role in the defense of civilian systems.”

Stan Stahl Ph.D. August 25, 2010. Filed in Cyber Security Management, national security.

Adobe, Apple Issue Security Updates

KrebsOnSecurity reports that both Adobe and Apple have released security updates or alerts in the past 24 hours. Adobe pushed out a critical patch that fixes at least 20 vulnerabilities in its Shockwave Player, while Apple issued updates to correct 13 flaws in Mac OS X systems.

Apple’s update affects Mac OS X Server 10.5, Mac OS X 10.5.8, Mac OS X Server 10.6 and Mac OS X 10.6.4, and is available via Software Update or from Apple Downloads.

Krebs writes, “The Adobe patch applies to Shockwave Player 11.5.7.609 and earlier on Windows and Mac operating systems. Adobe recommends that users upgrade to Shockwave Player 11.5.8.612, available at this link. But before you do that, you might want to visit this link, which will tell you whether or not you need to update, and indeed whether you currently have Shockwave installed at all. If you visit it and don’t see an animation, then you don’t have Shockwave (and probably aren’t missing it either).”