Canada, Spain & US Suffer More Cyber Attacks
 

Canada aware of second hacking attack, this time on energy firm

Reuters, 28 September 2012

Canada said on Friday it was aware of an attempt by hackers to target a domestic energy company, the second time in 24 hours Ottawa had acknowledged a cyber security attack against a Canadian firm.
In both cases the Canadian government declined to comment on reports which suggested a Chinese connection.
The news comes at an awkward time for Canada's Conservative government, which is deciding whether to approve a landmark $15.1 billion bid by China's CNOOC Ltd to take over Canadian oil producer Nexen Inc.
Ottawa revealed the second case after being asked about a security report from computer manufacturer Dell Inc, which said it had tracked hackers who targeted a number of firms, including an unnamed energy company in Canada. Dell said on its website that the hackers had used a Chinese service provider based in Beijing Province.
"The Canadian Cyber Incident Response Centre is aware of this incident," said Jean-Paul Duval, a spokesman for Canada's public safety ministry. Dell did not name the firm and Duval declined to comment further.
Less than 24 hours earlier Duval said Canada knew hackers had breached security at a domestic manufacturer of software used by big energy companies.
Calgary-based Telvent Canada Ltd, which is owned by France's Schneider Electric SA, warned customers about the attack, which hit operations in the United States, Canada and Spain, the cyber security news site KrebsOnSecurity.com reported on Wednesday. KrebsOnSecurity.com cited experts who said digital fingerprints left during the attack pointed to Chinese hackers.
Some Conservative legislators are wary of the proposed CNOOC takeover, in part because of what they say are China's unfair business practices.


Financial cybercrime a national security threat, U.S. Justice Department official warns

By Julie DiMauro and Stuart Gittleman
NEW YORK, Sept. 27 (Thomson Reuters Accelus) -

U.S.-based financial services institutions that don’t tell law enforcement agencies about having been victimized by cybercrime are compromising the nation’s security as well as that of their firms, a top Department of Justice official warned this week.
The remarks on Wednesday by Lanny Breuer, assistant attorney general for the department’s criminal division, came as a financial industry group warned banks to be on heightened alert for cyber attacks after Bank of America and JPMorgan Chase experienced unexplained outages on their public websites.

Institutions, Breuer said, have a duty to disclose security breaches. “After a possible, brief delay due to a law enforcement investigation, the institution whose data has suffered a breach should need to inform the public that it happened,” Breuer said in a talk at Fordham Law School.
He called cybercrime is one of the most serious threats to national security and said it “is so hard to get a handle on because a lot of it is perpetrated by those working abroad who are skilled at what they do, and the anti-virus software most of us use only protects us from known vulnerabilities.”

The threat includes the growing “botnet” networks of computers compromised by hacking software that turns over control of personal computers to criminal hackers, but the Justice Department is fighting back, Breuer said.

In April 2011, the department’s computer crime and intellectual property division, which is responsible for cybercrime initiatives, took steps to dismantle botnets by using its own software to call into a network, find the malicious software and force it to “go to sleep,” he said.

Cyber criminals and their malware work around the clock, Breuer said. “Our international partners and the United States have a 24/7 assistance network for global cooperation and assistance in dealing with this type of crime.”

Cyber attack threat level raised

The Financial Services Information Sharing and Analysis Center, an industry security group on Wednesday raised its threat level for cyber attacks to “high” from “elevated.”
The warning cited “recent credible intelligence regarding the potential” for attacks, following earlier intermittent outages at Chase’s consumer banking website, and issues on Tuesday with Bank of America’s website. It urged banks and other industry members to “ensure constant diligence in monitoring and quick response to any malicious events.”
The group also cited a warning from Microsoft Corp that hackers have attacked some of its customers due to an as-yet unfixed security bug in Internet Explorer browser software.

Reuters has reported that the U.S. Department of Homeland Security has advised users to follow Microsoft’s recommended steps to reduce the risk of attacks but noted that the measures may not fully secure the browser.

The attacks on U.S. banks may have been spurred by a purported film that has riled the Islamic world, the bank security group said. Breuer suggested another reason for targeting financial firms and online credit providers: that’s where the money is.
Online broker-dealers have suffered losses they claimed were not financially significant, but million-dollar losses could bankrupt a small brokerage or advisory firm.
Online firms want to make it easy for customers to do business without hard-to-remember passwords or other obstacles to fast transactions, and, as Breuer noted, don’t want to scare customers from using the Internet.

Firms can’t control their customers beyond suggesting safer practices but they must supervise their own employees, he said.
Regulatory guidance, some of it in enforcement actions, urges firms to ensure that employees use hard-to-hack passwords and install – and keep updated – anti-malware software on all devices for accessing internal networks and the Web. It’s harder to be rigorous over mobile devices for using email and social media than desktop systems, but there are risks in purported Facebook friends and “spoofed” emails that appear to be from colleagues, as well as in requests from supposedly deposed dictators for help in accessing their stolen loot.

Privacy rights

Breuer said the government is mindful of privacy rights and careful in making sure it has probable cause when seeking evidence of cybercrime, as mandated by the Electronic Communications Privacy Act, he said.
The department must show probable cause to get subpoenas and court orders for obtaining evidence, but Breuer admitted being concerned over the delays this can cause, saying, “If law enforcement cannot get this type of data easily, it cannot protect your information.”
A key obstacle in obtaining cyber-evidence is the fact that Internet service providers are not required to retain their data for any specific amount of time,

Breuer said. “We’ll go through the process of getting a search warrant for the information, but the ISP might not have the data any longer when we get there,” he said.