News roundup: Zeus arrests, Stuxnet worm, PCI changesU.S. and foreign authorities announced a series of arrests disrupting an international operation linked to the data-stealing trojan Zeus. Police in the Ukraine arrested five people accused of stealing $70 million from the bank accounts of victims whose computers were infected with Zeus. The same week, prosecutors in New York arrested more than 70 alleged “money mules,” recruited by Zeus ringleaders.
Experts say the Stuxnet worm should serve as a wake-up call that cyberwarfare against critical infrastructure systems is a reality. “Up until now, the discussions have been scenario-based,” said Dave Marcus, director of security research at McAfee Avert Labs. “Here is an actual, real-world example. It is not conceptual anymore.” German security researcher Ralph Langner said the complexity of the attack and the use of four zero-day flaws indicates it was the work of a well-resourced team with critical infrastructure control systems expertise.
During the first half of 2010, academia was the sector most impacted by malware, according to a report from Trend Micro. The report states that 44 percent of all malware infections hit schools and universities.
The PCI Council released two new guidance documents assessing the impact of emerging data security technologies on payment card security. One focuses on point-to-point encryption (P2PE), also known as end-to-end encryption, an emerging technology used to mask cardholder data from point-of-swipe through processing. Properly implemented, P2PE will allow merchants to reduce their scope in complying with the Payment Card Industry Data Security Standard (PCI DSS), said Troy Leach, chief standards architect for the PCI Council. A separate guidance document is focused on EMV, a global standard for authenticating credit and debit card payments. Meanwhile, the PCI Council also released version 2.0 of the Payment Card Industry Data Security Standard. It included only minor revisions.The U.S. Department of Defense (DoD) and the Department of Homeland Security (DHS) announced plans to streamline their cybersecurity capabilities to better protect the nation's networks. Secretary of Homeland Security Janet Napolitano and Secretary of Defense Robert Gates signed an agreement that formalizes processes for the agencies to work together. Under the agreement, DoD cyber analysts will work within the DHS in support of the National Cybersecurity and Communications Integration Center (NCCIC), an incident response facility that opened late last year.
The mastermind behind a scheme to hack into internet phone networks and resell services for a profit was sentenced to 10 years in prison. Edwin Pena, 26, of Venezuela, operated two companies offering wholesale internet-based phone services for discounted rates. Instead of purchasing VoIP routes to resell, he hacked into the networks of legitimate VoIP service providers and routed his customers' traffic through the hacked networks.Erratum: In the feature story “Good or evil” in the October issue, we mistakenly identified the company for which Mark Leary is CISO. It is TASC. Our apologies for the error.