Archive for the ‘Device ID’ Category

Not Another Word: European Commission Law Requires Explicit Consent

Posted on February 2nd, 2012 by Dan Rampe

Documents obtained by The New York Times said the European Commission is proposing a regulation that compels “Web sites to tell consumers why their data is being collected and retain it for only as long as necessary. If data is stolen, sites would have to notify regulators within 24 hours. It also offer[ed] consumers the right to transport their data from one service to another — to deactivate a Facebook account, for example, and take one’s trove of pictures and posts and contacts to Google Plus.”

Legal systems in every part of the world are working to come to grips with who owns online personal data, what happens to it after it’s posted, and what’s fair game to use for marketing.

Viviane Reding, the European Commission’s vice president for justice, told The Times, “Companies must be transparent about what they are doing, clear about which data is being used for what.”

If the European Parliament passes the new law, it would still not go into effect before 2014 and would not directly affect American consumers. As to American companies…well, they would only have to deal with one privacy law for the European Continent instead of the current twenty-seven different ones; Germany, a special case, has different data protection laws for each of its sixteen federal states. On the other hand, penalties for breaking the law could be as high as two percent of a company’s annual global revenue.

Plus, it’s not always easy to adhere to the letter of newly proposed law. Microsoft’s Ronald Zink, chief operating officer for European affairs, brought up concerns in discussing Microsoft’s Xbox Kinect system, which stores body measurements so it can visually recognize repeat players. He questioned whether the law would require players to provide consent every time they played a game, even if the information never left the game console. “We have designed the product to be private. We put a lot of thought into how this controls our work in terms of privacy by design.”

One of the law’s most controversial provisions is an Internet user’s right to demand that his or her accumulated data on a particular site be deleted forever. Viviane Reding states, “When a citizen has asked to get [personal data] back, then the data has to be given back. When an individual no longer wants his data to be processed, it will be deleted.”

In her New York Times article, Somini Sengupta cites critics who say deleting an individual’s personal data is not that simple and clear cut. “Data does not always stay in one place; if it is transferred to another company it cannot easily be withdrawn. A company might license some of the data it collects to a third party to analyze market sentiments or social trends: reviews of kebab joints in Amsterdam or public opinion about burqas. Moreover, it may be less feasible to erase someone’s credit history, for instance, or employment record than to, say, do away with her shopping history on Amazon.”

German Green Party member, Malte Spitz, said the proposed law should restrict how companies hold onto personal information. “Lots of companies are collecting as much information as possible, and lots of this information isn’t really necessary.”

According to Reuters, Facebook, which has been investigated by European regulators for the way it retains data, warned against rules that might not keep up with the pace of change on the Internet, saying, “There is a risk that an excessively litigious environment would impede the development of innovative services that can bring real benefit to European citizens.”

Europe, the U.S., or anywhere in the world, you can count on ThreatMetrix™ to provide both online security and custom data privacy.

Without relying on passwords, user names and cookies to protect its clients, the ThreatMetrix™ Cybercrime Defender Platform uses anonymous data from the computer, its connection to the Internet and contextual data from a transaction to sniff out cybercriminals. The ThreatMetrix Cybercrime Defender Platform is the first industry solution that integrates sophisticated malware detection and advanced device identification technologies in a single, unified platform. This unified approach to cybersecurity is a game changer. By integrating malware detection and device identification with shared, centralized intelligence, ThreatMetrix delivers the unique ability to protect the integrity of entire online transactions.

 

The Other Side of Facebook’s IPO

Posted on February 1st, 2012 by Dan Rampe

It may be big news, but it’s not exactly news. Likely the only people who didn’t know it was coming are two Bushmen in Tanzania and some San Quentin cons stuck in solitary. Yes, it has arrived. Facebook has filed to go public.

The IPO, or Initial Public Offering, is for $5 billion. And, according to CNBC “[t]he company is currently looking at a valuation of $75 billion to $100 billion, which would be one of the largest initial public offerings in U.S. history.” Oh and one more thing. Again according to CNBC, “[t]he current winner in the race for Facebook equity, with nearly $500 million, is Russian entrepreneur Yuri Milner, head of investment group DST.”

This is the kind of nuts and bolts you can read about anywhere.

Now, here’s something that’s really news. As Facebook goes public, the public’s privacy just goes.

Of Facebook’s latest move, ThreatMetrix’s Chief Products Officer, a highly-respected industry security expert, Alisdair Faulkner, says, “You can’t put a value on your privacy, but with Facebook filing for an IPO you can now put a price on your friends. That may just become the rallying cry that privacy advocates need to force greater government intervention.”

“Unfortunately, Facebook and its advertisers aren’t the only ones making money from this social network,” continued Faulkner. “Users have come to feel Facebook is secure and they can trust it to protect both their personal data and that of their friends. Hackers are taking advantage of that misplaced trust.”

“In January alone, 45,000 usernames and passwords were stolen by Ramnit malware and the traditionally banking-focused Trojan, Carberp, started targeting Facebook users to trick them into handing over e-cash,” said Faulkner.

A BBC story on the cybertheft reported security researchers saying, “We suspect that the attackers behind Ramnit are using the stolen credentials to login into victims’ Facebook accounts and to transmit malicious links to their friends, thereby magnifying the malware’s spread.” They added that “cybercriminals are taking advantage of the fact that users tend to use the same password in various web-based services to gain remote access to corporate networks.”

Faulkner notes that “Twitter’s recent acquisition of Dasient, the anti-malware company, is an acknowledgement that social networks are not only a goldmine of personal data for hackers, but the best malware distribution platform ever invented.”

So if Facebook users can’t trust Facebook to protect their assets, who can they trust? They can trust any social network that uses the type of security ThreatMetrix™ provides.


 

Hackers Don’t Have to Worry About Police at the Door as Much as a Hellfire Missile Down the Chimney

Posted on January 31st, 2012 by Dan Rampe

Casus belli is polite diplomatic Latin for an act of war. Except for maybe the Greeks getting a bit annoyed over losing Helen and attacking Troy, acts of war have pretty much been confined to blockades (naval and otherwise) and direct military strikes.

Now the Pentagon is in the process of officially redefining acts of war to include hacking that poses a significant threat to U.S. nuclear reactors, subways, pipelines, etc. In poker terms, what it comes down to is we’ll see your virus and raise you the U.S.S. Enterprise – and we ain’t talkin’ Star Trek.

Recently, the Wall Street Journal obtained unclassified portions of the Pentagon’s formal cyber strategy. In Siobhan Gorman and Julian E. Barnes’ WSJ article, they said attacks on Pentagon systems including military contractor, Lockheed Martin, and sabotage against Iran’s nuclear program using the Stuxnet computer worm spurred the U.S. military to action.

One nagging problem is determining where an attack originated. Another is how strongly to retaliate once the source of the attack is determined. For example, if a cyberattack produces death, damage, destruction or high-level disruption, the offending party could get a visit from SEAL Team Six, Predator drones or the entire Fourth Infantry Division.

The Wall Street Journal story notes attacks that impacted nations since 2007:

  • June 2009: First version of Stuxnet virus starts spreading, eventually sabotaging Iran’s nuclear program. Some experts suspect it was an Israeli attempt, possibly with American help.
  • November 2008: A computer virus believed to have originated in Russia succeeds in penetrating at least one classified U.S. military computer network.
  • August 2008: Online attack on websites of Georgian government agencies and financial institutions at start of brief war between Russia and Georgia.
  • May 2007: Attack on Estonian banking and government websites occurs that is similar to the later one in Georgia but has greater impact because Estonia is more dependent on online banking.

The article notes that the “Pentagon itself was rattled by the 2008 attack, a breach significant enough that the Chairman of the Joint Chiefs briefed then-President George W. Bush. At the time, Pentagon officials said they believed the attack originated in Russia, although didn’t say whether they believed the attacks were connected to the government. Russia has denied involvement.”

Cyberwarfare isn’t governed by the traditional rules of armed conflict based on international treaties, i.e., the Geneva Conventions and customary international law.

“Act of war” according to retired Air Force Major General and Duke University law school professor Charles Dunlap is a political phrase rather than a legal term. He also argued that cyber attacks that have a violent effect are the legal equivalent of armed attacks, or what’s called in military parlance, “use of force” and should be governed by basically the same rules as any other kind of attack. In other words, the U.S. “would need to show that the cyber weapon used had an effect that was the equivalent of a conventional attack.”

Center for Strategic and International Studies’ computer security specialist James Lewis says many military planners believe retaliation should be judged by the amount of real or attempted damage the attack caused. Therefore, if a hack attack shut down as much commerce as a naval blockade, it would be considered an act of war the same way a naval blockade is.

The Gorman and Barnes WSJ story says the origin of the Stuxnet virus, meant to sabotage Iran’s nuclear centrifuges, could not be positively identified. “While some experts suspect it was an Israeli attack, because of coding characteristics, possibly with American assistance, that hasn’t been proven. Iran was the location of only 60% of the infections, according to a study by the computer security firm Symantec. Other locations included Indonesia, India, Pakistan and the U.S.” Cyberattacks on American online assets have often been attributed to China or Russia. The difficulty of proving exactly where attacks originate has some Pentagon planners seeking to deter attacks by holding the countries that build cyberweapons, themselves, responsible for their use.

Whatever international law comes to recognize as a cyberspace act of war, a growing number of companies have already come to recognize that ThreatMetrix™ offers the best protection available.

 

Robbing the Cradle…Literally – Child Identity Theft Rising

Posted on January 30th, 2012 by Dan Rampe

Child identity theft is exactly like stealing candy from babies. Easy. It’s easy because the crime is often not detected until the baby is an adult and has his/her credit and reputation ruined.

The Huffington Post relates the story of Jennifer Andrushko.   

When Jennifer Andrushko applied for public aid two years ago, a state employee entered her son Carter’s Social Security number into a computer and discovered something strange: The boy appeared to have been earning wages for the past eight years.

“I thought, ‘How could this be happening? He’s only three years old,’” Andrushko said.

It turned out an undocumented immigrant had been using Carter’s number to acquire jobs since before [Carter] was born. But Carter proved relatively fortunate. Unlike many child identity theft victims who do not realize their credit is ruined until they reach adulthood, his case was caught while he was young, giving him time to recover his good name.

Carter was lucky. He was living in Utah, one of the few states that cross-references its employment database with a list of children receiving public assistance. Well, he wasn’t all that lucky. His mother was applying for public assistance. Anyway, according to the Huffington Post, Utah found thousands of instances of child identity theft, including one where nine people used one nine-year-old’s Social Security number to get employment.

Parents hand over children’s Social Security numbers to schools and health care providers, and other institutions that often don’t have sufficient safeguards in place. It’s been suggested that a solution, or at least a partial one, would be if the Social Security Administration could do something with the numbers to make it possible for credit agencies to know that the holder is a minor.

Last year, more than 18,000 cases of child identity theft were reported to the Federal Trade Commission. The Huffington Post suggests even 18,000 doesn’t come close. “The real figure…is probably much higher because the crime often goes undetected… ID Analytics estimates that more than 140,000 children are victims of identity theft each year, based on a one-year study of those enrolled in the firm’s identity protection service.

“In the largest study on child identity theft to date, researchers at Carnegie Mellon University found that 10 percent of children were victims of identity theft, compared with less than 1 percent of adults. The study, which was published this spring, analyzed more than 800,000 records — including 40,000 belonging to minors — compromised by data breaches in 2009 and 2010. The data was provided by the credit monitoring service Debix.”

The Huffington Post story says, “Thieves now exploit a gap in the system used by the three major credit bureaus to check consumer credit. When the bureaus pull reports, they look for matching names, birthdates and Social Security numbers. But identity thieves escape detection by pairing a child’s number with a different name and birth date, creating the appearance of a consumer who is applying for credit for the first time. Debix says it recently ran credit reports on 381 cases of confirmed child identity theft and found that credit reports only turned up fraudulent activity in four cases, or 1 percent.”

Companies are able to cross check names, birthdates and SSNs with the Social Security Administration, but the agency charges a $5,000 fee upfront, plus $1 for each check – a tab many companies don’t care to pay.

Stuart Pratt, president of the Consumer Data Industry Association, the trade association for the three credit reporting agencies, asked, “How can somebody open up any kind of account with just a name and Social on its own? Authentication should be much more than that. It has to be robust.”

In the late 1980s, the Social Security Administration started requiring parents to list their children’s SSNs to claim them as dependents. Newborns got spanking new credit histories that remained that way till they turned eighteen. It was an open invitation to crooks.

So what happens when thieves have a multi-year head start?  The Huffington Post relates the story of Jaleesa Suell of Oakland, California.  When Jaleesa was 17, a thief stole her identity to open a credit card. She didn’t find out until she turned 21 and was denied her first credit card. The reason?  She had a $300 unpaid credit-card debt, which had been sent to a collection agency.

Now 22, Suell has spent the last six months disputing the fraud with Plains Commerce Bank, based in South Dakota, where the account was opened. Before accepting the charges were fraudulent, the bank insisted that Suell provide a full police report. But the Oakland Police Department has refused to provide such a report because $300 does not meet the department’s threshold.

Identity Theft 911, which is working pro-bono to help Suell, plans to write letters to the FDIC, FTC and the Better Business Bureau to pressure the bank to “do the right thing,” according to Kelly Colgan, a spokeswoman for Identity Theft 911.

If her case is not resolved, Suell fears she will graduate college in May and be unable to rent an apartment or acquire student loans for graduate school due to her damaged credit.

“I’m at an impasse,” she said. “It’s extremely frustrating.”

Story after story follows the same pattern. Even when victims are able to clear their names, they have still been forced to devote big chunks of time and energy to that end. And that’s time and energy that could be put to better use like improving their grades, finding jobs, etc.

Amending agency regulations and federal and state laws could help stop ID theft.  Another thing that could help the cause is for online businesses to use ThreatMetrix™ solutions.


 

The Google Web

Posted on January 27th, 2012 by Dan Rampe

Use Google?  Incidentally, does anybody out there know if Yahoo still does searches? Bing? Okay — some serious questions: Do you have a YouTube account? Use Gmail? Do you know what Google’s up to?

Everybody with an account on Gmail and YouTube already has an idea something’s in the works. That’s because they have to use the same name and password to log on to Gmail and YouTube. In fact, that’s the way it is across all Google platforms except for Google Wallet, Chrome and Google Books. So, what if you don’t feel like changing your user name or password? Well, Google took a page from Mike C’s book. Mike was a guy we used to play touch football with in college. If he couldn’t play quarterback, he’d take his regulation professional ball and go home.

Mike played quarterback — a lot.  And, if you want to maintain both YouTube and Gmail accounts, you’ll have to play along, too.

So what’s this all about? Google says the move will help the company to better tailor its ads to users’ tastes, benefitting consumers. Notes Cecilia Kang in the Washington Post, “When someone is searching for the word ‘jaguar,’ Google would have a better idea of whether the person was interested in the animal or the car. Or, the firm might suggest e-mailing contacts in New York when it learns you are planning a trip there.”

Common Sense Media chief executive James Steyer observes, “Google’s new privacy announcement is frustrating and a little frightening. Even if the company believes that tracking users across all platforms improves their services, consumers should still have the option to opt out — especially the kids and teens who are avid users of YouTube, Gmail and Google Search.”

Jeffrey Chester, executive director of the privacy advocacy group, the Center for Digital Democracy, says, “There is no way a user can comprehend the implication of Google collecting across platforms for information about your health, political opinions and financial concerns.”

Added Rep. Ed Markey (D-Mass): “It is imperative that users will be able to decide whether they want their information shared across the spectrum of Google’s offerings.”

In a touch of irony…okay, a red-hot branding iron of irony…Google is a partner in sponsoring Data Privacy Day, an annual international celebration designed to promote awareness about privacy and education about best privacy practices.

So, why would Google support Data Privacy Day and in the same calendar quarter change policy to gather even more consumer information?

“The change to its privacy policies,” says Kang in the Post article, “comes as Google is facing stiff competition for the fickle attention of Web surfers. It recently disappointed investors for the first time in several quarters, failing … to meet earnings predictions. Apple, in contrast, reported record earnings …that blew past even the most optimistic expectations.

“Some analysts said Google’s move is aimed squarely at Apple and Facebook — which have been successful in building a unified ecosystem of products that capture people’s attention. Google, in contrast, has adopted a more scattered approach, but an executive explained in interviews that the company wants to create a much more seamless environment across its variety of offerings.”

In addition to consumer privacy advocates, Google’s actions aren’t sitting too well with regulators in Washington. The Washington Post reports, “The company recently settled a privacy complaint by the Federal Trade Commission after it allowed users of its now defunct social network, Google Buzz, to see contacts’ lists from its e-mail program. And a previous decision to use its social network data in search results has been included in a broad Federal Trade Commission investigation, according to a person familiar with the matter who spoke on the condition of anonymity because the investigation is private.”  Well at least some things are still private…more irony…okay a hint of sarcasm.

To keep your company’s and its customers’ online private information private, select ThreatMetrix™.

January 28, 2012 Is Data Privacy Day: Keep “It” to Yourself

Posted on January 26th, 2012 by Dan Rampe

“It” refers to data. Data Privacy Day, scheduled for January 28, is about keeping data to yourself and out of the hands of cybercriminals. This annual international celebration is designed to promote awareness about privacy and education about privacy best practices. Official sponsors for Data Privacy Day are eBay and Intel, who are joined by a host of partners including Microsoft, Intuit, Comcast, MasterCard, AT&T, Facebook, Google, the International Association of Privacy Professionals, the State of West Virginia and….

Did we leave anybody out? Probably. But it’s a long list because Data Privacy Day is an excellent cause. Without it, literally the financial, social and political structure of society is at risk. HOLD ON. Just remembered somebody we left out —ThreatMetrix™.  ThreatMetrix strongly supports Data Privacy Day.

“We have entered a world of unprecedented identity theft and surveillance for monetary gain,” said Alisdair Faulkner, chief products officer, ThreatMetrix. “Every site we visit, everything we search for, to everything we now do, buy and share online is tracked by a growing number of powerful players. Unfortunately the evidence suggests that no data is unreachable or un-exploitable by adversaries or advertisers. Whether it be due to data breaches, phishing attacks or over-sharing, the implication is that identity can no longer be relied-on to authenticate a customer online. The distribution of our identities across the net not only threatens our privacy but also makes us all preposterously easy to impersonate.”

We should all be concerned about data security being at risk in today’s cybercrime-infested environment. And the list of companies and institutions that have had data compromised continues to grow at an alarming rate. From the criminals’ perspective, it just makes good sense. Why try knocking over a bank with a gun and a good chance of getting caught or killed when you can sit back on a beach six time zones away and with your trusty laptop steal more money in one day than bank robbers Willie Sutton, John Dillinger, Baby Face Nelson and Bonnie and Clyde did in their whole lives?

Just a cursory glance at the number and types of recent breaches that compromised personal data from finance to health records and employment histories underscores the importance of calling attention to this Pandora’s Box.

  • Facebook (Social Networks): A computer worm stole 45,000 login credentials from Facebook accounts in the UK and France.
  • Yale University (Academic Institutions): 43,000 Yale University faculty, staff, students and alumni names and Social Security numbers were made public via Google because a File Transfer Protocol (FTP) where data was stored became searchable.
  • Cyworld (Online Gaming): 35-million records including phone numbers, email addresses, names and encrypted information about the sites’ members were taken from South Korea’s largest social networking site, Cyworld.
  • PBS (Communities): Thousands of user names and passwords were compromised when a PBS Website was hacked.
  • Patco Construction (Online Banking): $300,000 was stolen from Patco Construction Company’s online bank account when hackers gained access to the company’s account credentials by sending employees email with Zeus, a password stealing trojan, that infected the company’s computers.
  • Citibank (Financial Services): 360,000 Citibank customers (originally Citibank said it was 210,000 customers) had their account numbers and contact information stolen by hackers.
  • Pittsford, N.Y. (Government): $139,000 was stolen from the hamlet of Pittsford, a town of 25,000 near Rochester, N.Y. when cyberthieves logged onto the town’s online commercial bank account. Initiating a small batch of automated clearing house (ACH) transfers, the thieves covered their tracks by sending the transfers to “money mules” around the country.
  • Comerica Bank (Banking): $560,000 of Experi-Metal Inc. (EMI) hard-earned cash slipped away when Comerica Bank let fraudsters waltz away with it.
  • Sony PlayStation (Online Gaming): 70-million Sony customers were put at risk when hackers broke into Sony’s PlayStation Network (PSN) and stole credit card details. The security breach caused Sony to take down the network for “maintenance.” Subsequently, 93,000 Sony customer accounts were hacked in a separate incident. Sony believed those customers used the same Sony login credentials to log on to other sites and that the other sites were hacked, providing access to the customers’ PII (personally identifiable information).
  • Sega (Online Gaming): 1.3 million users had personal information put at risk by a Sega online network breach causing the company to temporarily shut down its online network.
  • Washington Post (Media): Either 1.27 million, 1.3 million or 1.6 million user IDs and email addresses were ripped off from the Washington Post’s job section.
  • Zappos (E-Commerce): 24 million customers’ personal information was put at risk when Zappos, the online shoe outlet owned by Amazon, was hacked.
  • Toshiba (Computer Manufacturing): 7,520 Toshiba customers’ email addresses, telephone numbers and passwords were stolen by cybercriminals.
  • NATO (Government/Military): A gigabyte of NATO data was stolen by Anonymous, which had accessed NATO servers.
  • FTC (Government): More than 18,000 cases of child identity theft were reported to the Federal Trade Commission. Children’s identities provide the kind of clean backgrounds that make it possible for thieves to create entire fictional credit histories. Often the theft is not found until the person turns 18 and starts college or looks for a job.
  • RSA (Security): After a junior employee at security firm RSA fell prey to a run-of-the-mill phishing attack, hackers were able to make their way into the company’s network and hack into its SecurID servers. The attack compromised RSA tokens requiring users to enter a unique number generated by the token each time they connected to their networks. Facebook, Amazon, Abbott Laboratories, Charles Schwab, Microsoft — in all, 20% of the Fortune 100 had been compromised.
  • Online Advertising: An East European cybergang hijacked at least four million computers in over 100 countries. Included in the half-million hijacked computers in the United States were some at NASA.  Using these computers, the gang stole $14 million in four years with a PPC and ad scheme based on redirecting traffic and replacing genuine ads with their own.
  • Steam (Online Video Game Distribution): In a major hack, 35 million user accounts at Steam, one of the world’s largest distribution networks for online video games, may have been compromised exposing credit card details and billing addresses.
  • Stratfor Global Intelligence Service (Security): Stratfor Global Intelligence Service, a company which helps clients with security and is famous for its secrecy and its top-secret client list was hacked resulting in names, emails, credit card details, passwords and home addresses for some 4,000 people being compromised. Additionally, this information was used to have clients involuntarily donate to charity to the tune of a million bucks.  The hackers also said they had details for more than 90,000 credit card accounts.
  • San Francisco City College (Education): For more than a decade San Francisco City College servers have been stealing personal banking information and other data from thousands, or even tens of thousands, of students, faculty and administrators in what the San Francisco Chronicle refers to as “an infestation” of computer viruses with origins in criminal networks in Russia, China et al.
  • South Africa’s Postbank (Government): $6.7 million was stolen from South Africa’s Postbank when cyberthieves accessed a computer from a remote location and hacked into Postbank’s server system using stolen login details for a Postbank teller and a call-center agent.
  • Epsilon (Email Marketing Services): Epsilon, a large email marketing services company, reported a data breach that could affect the email addresses of thousands of customers of major banks, retail and hotel chains. This impacted financial services institutions such as Capital One, US Bank, JPMorgan Chase, Citi and Barclays Bank of Delaware. However, the only Barclays Bank of Delaware customers affected were the ones who have an LL Bean VISA card. In addition to the banks, other impacted companies included hotel brands Ritz-Carlton Rewards and Marriott Rewards, and retail heavyweights Home Shopping Network, Walgreens, Brookstone, New York & Company and Kroger. TiVo is also included in this list.
  • WordPress.com (Blogs): WordPress.com, which hosts more than 19 million blogs, had its servers compromised and sensitive data taken.
  • The State of Texas (Government): 3.5 million Texans had their names and Social Security numbers (and in some cases their dates of birth and driver’s license numbers) publicly posted in a data breach at the Texas state comptroller’s office.
  • International Monetary Fund (Banking/Government): Damage has still not been assessed or admitted to by the International Monetary Fund, which fell victim to a large and sophisticated cyberattack that led the IMF to cut the link that allowed it and the World Bank to share confidential information.

Keep it to yourself. Protect your data with ThreatMetrix solutions. Without relying on passwords, user names and cookies to protect its clients, the ThreatMetrix™ Cybercrime Defender Platform uses anonymous data from the computer, its connection to the Internet and contextual data from a transaction to sniff out cybercriminals. The ThreatMetrix Cybercrime Defender Platform is the first industry solution that integrates sophisticated malware detection and advanced device identification technologies in a single, unified platform. This unified approach to cybersecurity is a game changer. By integrating malware detection and device identification with shared, centralized intelligence, ThreatMetrix delivers the unique ability to protect the integrity of entire online transactions.

U.S. Chamber of Commerce Hacked. Chinese say, “Je Suis Innocent.”

Posted on January 25th, 2012 by Dan Rampe

Okay, the Chinese probably didn’t say “Je suis innocent” (I am innocent). French Army Captain Alfred Dreyfus famously did upon being convicted of spying for the Germans in 1894 and sent to Devil’s Island. Ultimately, Dreyfus was proven innocent. However, the same may not be said of the Chinese about the attacks on the Chamber of Commerce — though they claimed they didn’t do it.

Reports the Wall Street Journal, “A spokesman for the Chinese Embassy in Washington, Geng Shuang, said [presumably not in French] cyberattacks are prohibited by Chinese law and China itself is a victim of attacks. He said the allegation that the attack against the Chamber originated in China ‘lacks proof and evidence and is irresponsible,’ adding that the hacking issue shouldn’t be ‘politicized.’”

However, somebody did hack the Chamber, and people who should know, from Richard Clarke, former White House counter-terrorism adviser, to congressional leaders to the FBI, either hint or come right out and state that the attacks came from China.

Clarke told ABC News, “The Chinese have attacked every major U.S. company, every government agency, and NGOs [non-governmental organizations]. Their attacking the Chamber of Commerce is part of a pattern of their attacking everything in the US. If you’re working on U.S.-China relations with an NGO [or] government agency, you can be sure the Chinese are reading your emails on your computer.” He went on to say, “I don’t think the Chamber of Commerce has anything worth stealing, but it’s part of a pattern of the Chinese stealing everything they can, and that’s worrying.”

The Wall Street Journal characterized the attack as “one of the boldest known infiltrations in what has become a regular confrontation between U.S. companies and Chinese hackers. The complex operation, which involved at least 300 Internet addresses, was discovered and quietly shut down in May 2010.”

It isn’t clear how much of the compromised data was viewed by the hackers. Chamber officials say internal investigators found evidence that hackers had focused on four Chamber employees who worked on Asia policy, and that six weeks of their email had been stolen.

Another report had it that the penetration into the Chamber of Commerce was so complete that a Chamber thermostat was communicating with a computer in China. Another time, Chamber employees were surprised to see one of their printers printing in Chinese.  Of course it might not have been Chinese. Ever see an inkjet suddenly go haywire?  Sure looks like Chinese.

Anyway…

The Chamber’s Chief Operating Officer David Chavern observed, “What was unusual about it was that this was clearly somebody very sophisticated, who knew exactly who we are and who targeted specific people and used sophisticated tools to try to gather intelligence.”

A Bloomberg report stated that “two people familiar with the Chamber investigation said certain technical aspects of the attack suggested it was carried out by a known group operating out of China. It isn’t clear exactly how the hackers broke in to the Chamber’s systems. Evidence suggests they were in the network at least from November 2009 to May 2010.”

Learning of the break-in, Chamber security experts didn’t tip their hands. According to Bloomberg, “They first watched the hackers in action to assess the operation. The intruders, in what appeared to be an effort to ensure continued access to the Chamber’s systems, had built at least a half-dozen so-called back doors that allowed them to come and go as they pleased…. They also built in mechanisms that would quietly communicate with computers in China every week or two.

“The hackers used tools that allowed them to search for key words across a range of documents on the Chamber’s network, including searches for financial and budget information.”

Cyberspies, who have access to a network for many months, often take measures to cover their tracks and to conceal what they’ve stolen.

According to Bloomberg, “To beef up security, the Chamber installed more sophisticated detection equipment and barred employees from taking the portable devices they use every day to certain countries, including China, where the risk of infiltration is considered high. Instead, Chamber employees are issued different equipment before their trips — equipment that is checked thoroughly upon their return.

“Chamber officials say they haven’t been able to keep intruders completely out of their system, but now can detect and isolate attacks quickly.”

The Chamber eventually shut down the hackers by unplugging and destroying some computers and overhauling the security system, an operation timed for a 36-hour period over one weekend when the hackers, who kept regular working hours, were expected to be off duty. (Not a good idea to mess with hackers about overtime — tough union.)

The Bloomberg story went on to say, “U.S. intelligence officials and lawmakers have become alarmed by the growing number of cyber break-ins with roots in China. Last month, the U.S. counterintelligence chief issued a blunt critique of China’s theft of American corporate intellectual property and economic data, calling China ‘the world’s most active and persistent perpetrators of economic espionage’ and warning that large-scale industrial espionage threatens U.S. competitiveness and national security.”

About ongoing hacking of American corporations, Senator Sheldon Whitehouse of Rhode Island observed, “I think there’s a case to be made that this may be the greatest transfer of wealth through theft and piracy in the history of the world and we are on the losing end of it.”

Before your intellectual property or business plans become a casualty of cyberspies, get the best protection available.  Get ThreatMetrix™.

ThreatMetrix doesn’t rely on passwords, user names and cookies to protect its clients.  Instead the ThreatMetrix™ Cybercrime Defender Platform uses anonymous data from the computer, its connection to the Internet and contextual data from a transaction to sniff out cybercriminals. The ThreatMetrix Cybercrime Defender Platform is the first industry solution that integrates sophisticated malware detection and advanced device identification technologies in a single, unified platform. This unified approach to cybersecurity is a game changer. By integrating malware detection and device identification with shared, centralized intelligence, ThreatMetrix delivers the unique ability to protect the integrity of entire online transactions.

Following ThreatMetrix’s Lead, Twitter Acquires Malware Company

Posted on January 24th, 2012 by Dan Rampe

Perhaps a little birdie told Twitter to buy a malware company or maybe they took a page from the ThreatMetrix™ playbook. On January 10, ThreatMetrix acquired Australia-based TrustDefender, which provides secure browsing technology to protect against malware and man-in-the-browser (MitB) attacks. Or maybe it was done in advance of Twitter’s new advertising launch? Say, didn’t one of the company’s founders say Twitter would never use advertising as a way to monetize the company? Nah, must’ve been another company with the same name. 

In any case, in preparation for its new ad service, Twitter announced the acquisition of spam and malware protection service Dasient. Rachael Horwitz, a Twitter spokesperson, told Mashable.com that Dasient would be integrated into Twitter’s “revenue engineering team because they have a deep understanding of advertising-platform security issues.” Considering the cybercrime-ridden environment into which Twitter is launching its new ad service, it would seem prudent for the company to address security first and foremost.

According to an Aite Group report (“Know Your Enemy: Successful Online Fraud Mitigation Strategies”), 25 million new, unique strains of malware were released in 2011. That number is projected to grow to 87 million strains by the end of 2015.

A Gartner Group report (“The Five Layers of Fraud Prevention and Using Them to Beat Malware”) containing a survey of 76 U.S. banks found malware was the number one cyberthreat.

Of the advertising platform, Mashable.com reports, “The self-serve platform lets advertisers purchase ads without going through a sales representative. Anyone with a credit card and the desire to utilize ‘Promoted Products’ to boost their brand recognition can get on-board with this service. However, the service is not yet available to the public.”

eMarketer, which does market research and statistics, projected Twitter’s ad-generated revenue could earn the company $399.5 million by 2013. With that kind of money on the table, Twitter would appear to be a magnet for cyberthieves.

Mashable.com observes that Twitter is already the object of malware threats going back to 2010, when “the FTC ruled that Twitter would be subject to a bi-annual security audit after 55 celebrity accounts were hacked, including the accounts of Barack Obama, Britney Spears and Facebook. Spammers have also taken advantage of Twitter’s trending topics in order to target a large amount of people.”

Till now, Twitter’s reputation was on the line with the possibility of a search engine blacklisting any site “overrun” by malware.  However, adding big advertising dollars to the mix raises the stakes considerably and makes the Dasient acquisition a very smart move.

Is buying and integrating a malware company into your company a bit “over the top”? No worries. You can still get the best protection on the planet from malware and the full range of cyberthreats from ThreatMetrix.

Lady Gaga, Who Once Dressed in Meat, Got Hacked…on Facebook

Posted on January 24th, 2012 by Dan Rampe

From her meat ensemble to arriving at the Grammys in an egg, Lady Gaga manages to get noticed.  This time she had help in the PR department – and not the kind of help a lady wants or needs.  

According to Dark Reading.com, hackers broke into Lady Gaga’s Facebook page, telling 45 million of her closest Facebook friends that she was giving away iPads à la Oprah. Not just iPads — her own customized iPads.

Fans trying to take advantage of the free offer were directed to a Blogspot page, where they were asked to fill out an online form with their personal information. So far there have been no reports of what was done with the information.

In addition to Lady Gaga, the phishing attack, which lasted about an hour on Lady Gaga’s Facebook page, also targeted Maroon 5 and Blink 182.

So how can Facebook and other social networking sites prevent “phishermen” from trolling in their sea of customers?  ThreatMetrix™.


Censorship or Sense? SOPA Proponents Claim Sense. Electronic Frontier Foundation Claims Censorship.

Posted on January 23rd, 2012 by Dan Rampe

Is this the latest round in a fight against McCarthyism and fifties-style blacklisting, or an overreaction to a law that protects intellectual property, privacy and copyright?

Basically, according to Wikipedia, the Stop Online Piracy Act (SOPA) allows the U.S. Department of Justice, as well as copyright holders, to seek court orders against websites accused of enabling or facilitating copyright infringement. Depending on who requests the court orders, the actions could include barring online advertising networks and payment facilitators such as PayPal from doing business with an infringing website. The bill also includes barring search engines from linking to such sites, and requires Internet service providers to block access.  Additionally, SOPA makes unauthorized streaming of copyrighted content a felony while offering immunity to Internet services that voluntarily take action against websites dedicated to infringement.

SOPA proponents say it protects the intellectual property market and corresponding industry, jobs and revenue, and is necessary to bolster enforcement of copyright laws especially against foreign websites.

Opponents, like the Electronic Frontier Foundation (EFF), hold that SOPA would create blacklists for online censorship, harm cybersecurity efforts, set bad international precedent, and lead to a fractured Internet.

Whatever side you take in regard to SOPA or if you believe both sides have valid points, the one area everyone agrees on is protection of online assets from fraud, theft and other cybercrimes.  And, nobody protects those assets better than ThreatMetrix™.

ThreatMetrix doesn’t rely on passwords, user names and cookies to protect its clients.  Instead the ThreatMetrix™ Cybercrime Defender Platform uses anonymous data from the computer, its connection to the Internet and contextual data from a transaction to sniff out cybercriminals whether they’re in San Jose, Shanghai or St. Petersburg. The ThreatMetrix Cybercrime Defender Platform is the first industry solution that integrates sophisticated malware detection and advanced device identification technologies in a single, unified platform. This unified approach to cybersecurity is a game changer. By integrating malware detection and device identification with shared, centralized intelligence, ThreatMetrix delivers the unique ability to protect the integrity of entire online transactions.