Hackers Steal 13,000 Credit Card Numbers Navy Says No Fraud Has Been Noticed

[thedrifter]

Hackers Steal 13,000 Credit Card Numbers
Navy Says No Fraud Has Been Noticed

By Anitha Reddy
Washington Post Staff Writer
Saturday, August 23, 2003; Page E01


The Navy has canceled 13,000 credit cards used for government expenses after discovering that hackers had downloaded card numbers and billing records, Defense Department officials said.

Citibank, the card issuer, has found no unusual activity in the card accounts since the hacking began in July and no fraud related to the incident had been reported as of Thursday, according to a Defense Department official.

Officials and investigative teams from the Navy and Department of Defense are still trying to figure out what vulnerabilities the hackers exploited and how to prevent such attacks in the future.

"You'd think that the military would have some of the best systems in place," said Doug Howard, vice president of strategy and product development for Counterpane Internet Security Inc. "But often you'll find that the administrative networks are segmented from the core of the Department of Defense and that maybe they don't provide as much as security as some of the core networks."

Citibank finished mailing new cards Wednesday to replace the 13,000 that were compromised, said Glenn Flood, a Defense Department spokesman. More than half of the new cards have already been activated.

To reduce the chance of any unauthorized charges being made, the Navy is also beginning a gradual replacement of 9,000 other cards in the program that do not appear to have been compromised. Most of the cards have a $2,500 spending limit.

Federal Computer News reported the hacker attack and cancellation of the cards on Thursday.

The Navy discovered the breach on July 30, when a logistics center at Wright-Patterson Air Force Base in Dayton, Ohio, detected an unusual amount of traffic on one of its servers, a Defense Department official said.

The heightened activity included invoices from Citibank credit cards in the Navy's purchase card program, which managers use to order routine office supplies, such as telephones, copy paper or catered meals.

Hackers began probing the site as early as July 10, investigators determined, but they did not begin downloading the invoices, which contained card numbers, until July 24.

Two groups from the Defense Department, a criminal investigative unit and a team from the department's accounting division are studying how the attack was launched.

Howard, the security expert, noted that while banks often scramble credit card numbers for electronic transmission, the numbers often reside in a plainly readable form on a customer's network.

The Navy has been reviewing emergency purchase requests on a case-by-case basis while the cards are suspended, according to a statement from the Defense Department's purchase card management office.

The Navy, the Defense Department's inspector general, the Defense Department's Purchase Card Program Management Office, and other agencies are meeting to review the cause of the intrusion and study how to prevent such security failures in the future, a Defense official said.




TechNews.com Home


? 2003 The Washington Post Company


http://www.washingtonpost.com/wp-dyn...2003Aug22.html


Sempers,

Roger

[thedrifter]

Sobig.F Worm Believed to Start at Web Porn Site
Fri August 22, 2003 08:39 PM ET

By Elinor Mills Abreu
SAN FRANCISCO (Reuters) - Computer security experts thwarted an attack by computer worm Sobig.F on Friday just as the FBI subpoenaed an Arizona Internet service provider in order to trace the fast-spreading virus experts believe was first posted on an adult-oriented Web site.

One expert said the Sobig.F e-mail virus was disguised so that anyone who clicked on a link purporting to show a sexually graphic picture became infected with the self-replicating worm, which then spread itself to other e-mail addresses.

"Sobig.F was first posted to a porn Usenet group," said Jimmy Kuo, research fellow at anti-virus software maker Network Associates Inc. Usenet is a popular forum on the Internet where computer users with similar interests post and read messages.

So far, as many as 100,000 computers have been infected with Sobig.F, which in turn has spewed "millions upon millions of infected e-mails" to other Internet users, Kuo added.

Sobig.F spreads when unsuspecting computer users open file attachments in e-mails that contain such familiar headings as "Thank You!," "Re: Details" or "Re: That Movie."

Once the file is opened, Sobig.F resends itself to e-mail addresses from the infected computer and signs the e-mail using a random name and address from the computer's address book.

Since Monday, computer users from Korea to Norway have struggled to fend off attacks that have crippled corporate e-mail networks and have filled home users' inboxes with a glut of messages, before fanning out to find more victims.

Consulting firm Booz Allen Hamilton, Air Canada, transport company CSX Corp. are among hundreds of companies that have suffered network attacks from recent viruses.

ATTACKS, SHUTDOWNS, NEW THREATS

Employees at the New York Times headquarters in midtown Manhattan were asked to shut down their computers, but a spokesman declined to comment on the cause of the shutdown.

"We will not speculate on the cause, effect or scope of the problem ... We plan to get the paper out tomorrow."

Sobig.F was written to expire on Sept. 10, but experts said they expect another version to follow. This is the sixth version of the portentously named virus since it first appeared in January.

The worm has been clogging e-mail inboxes with a hidden command directing infected PCs to make contact with one of 20 vulnerable computers at 12:00 PT California time every Friday and Sunday until it expires, said Steve Trilling, chief researcher at anti-virus vendor Symantec Corp. .

Government and industry security experts raced against the clock on Friday to take offline 19 of the 20 home computers, thwarting an attack before the 12 noon deadline, said Mikko Hypponen, anti-virus research manager at F-Secure of Finland.

The computers were located in the United States, Canada and South Korea, he said. The remaining master computer, which was in the United States, was taken down shortly after the deadline, experts said.

Experts had worried that the timed attack would slow down Internet traffic and possibly set in motion a new set of commands to launch new attacks. However, they cautioned that it was too early to tell whether the threat of Sobig.F had ended. The next expected attack could spur new problems, they said.

Internet service provider Easynews.com of Phoenix, Arizona said it had been contacted by investigators by telephone on Thursday and the company was issued a subpoena on Friday.

"It looks like the original variant was posted through us to Usenet on the 18th (of August)," Michael Minor, the Internet service provider's chief technology officer, told Reuters.

An FBI spokesman said the organization was working with the U.S. Department of Homeland Security to investigate who was behind the e-mail attacks. He declined to comment further. (Additional reporting by Eric Auchard, Kenneth Li and Derek Caney in New York, Tim McLaughlin in Boston, Jim Christie and Andrea Orr in San Francisco and Bernhard Warner in London)

Disinfection Tool

http://www.f-secure.com/v-descs/sobig_f.shtml#disinf


http://www.reuters.com/newsArticle.j...toryID=3324804



Sempers,

Roger

[BLUEHAWK]

Roger -
The only thing that amazes me about this is that it doesn't happen more often, especially from the source of terrorist organizations, or India, or China.
I keep having this eerie feeling about it, like one of these days somebody is gonna wake up and find something really unstoppable happening on a truly vital government system... if it isn't already there.
Mike