That’s what happened this weekend when someone made hundreds of illegal calls from a FEMA PBX to the Middle East and Asia.

It appears that it was the usual culprits of poor change control and misconfigurations left FEMA’s digital doors open.

All of this is according to an Associated Press story I read on MSNBC.com last night.

According to the AP’s Eileen Sullivan and Ted Bridis, the attacker placed more than 400 calls on the hacked FEMA phone system to places such as Afghanistan, Saudi Arabia, India and Yemen.

Here’s the kicker, from an IT security perspective, from the AP story quoting a FEMA spokesperson:

FEMA’s chief information officer is investigating who hacked into the system and where exactly the calls were placed to. At this point it appears a “hole” was left open by the contractor when the voicemail system was being upgraded, Olshanski said. Olshanski did not know who the contractor was or what hole specifically was left open, but he assured the hole has since been closed.

This illustrates an excellent, yet often overlooked, point. Despite all of the attention we spend focusing on zero-day vulnerabilities and exotic exploits and attacks – many times it’s simply poor change control procedures, lack of urgency to patch, or carelessness that gets an organization bitten.

Fortunately, in this case, it only appears to have been $12,000 in illegal calls to the Middle East and Asia, and some egg of the face of FEMA and the DHS.

Source: MSNBC: Hacker breaks into FEMA phone system

According to data gathered by Google’s Postini corporate e-mail security service, the volume of e-mail virus attacks peaked at almost 10 million on a single day, July 24.

That kind of volume, six to seven times what’s typical, means spam messages are getting through someone’s defenses and turning recipient’s machines into zombies, said Sundar Raghavan, a product marketing manager with the Google Apps Security & Compliance team.

“The summer of spam has caught up with us this time,” said Raghavan.

Raghavan suggests that in contrast to the message protection Google delivers from the Internet cloud, anti-spam hardware appliances that don’t update fast enough may allow malicious e-mail attacks to succeed.

Much of the spam that Google is seeing aims to exploit not browser or operating system vulnerabilities but user curiosity. Thus, explained Raghavan, spam now takes the form of spoofed CNN newsletters with link descriptions designed to bait the user, such as “Microsoft Bribes Chinese Officials.” Clicking such links in spam messages, however, generally leads to malware.

Raghavan also said that Google has seen an increase in e-mail messages with viruses concealed as encrypted .RAR attachments, despite an overall decrease in malicious attachments.

Marshal, an e-mail security company, this morning issued its security report covering the first half of 2008. In the first six months of 2008, the company says that spam volume doubled.

Marshal said that because of unpatched browsers, 45% of Internet users are at risk when they visit legitimate Web sites hosting malicious code. And there are many such sites. In May, the company identified 1.5 million Web sites infected with malware as a result of a botnet attack.

It may not come as a shock that Marshal, as a maker of e-mail security hardware, has more faith in e-mail security hardware than Google.

“We are now in the situation where spam accounts for almost 90 percent of all e-mail and increasingly contains links to infected sites,” said Bradley Anstis, VP of products, in a statement. “Companies really need to employ a combination of e-mail security gateways that have anti-spam protection using multiple techniques to block malicious content and secure Web gateway products that do not just rely on URL filtering but also scan the content that end users are downloading and uploading in real-time.”

E-mail users may also want to consider in-brain message filtering (no purchase required). Just as one might be skeptical of offers of wealth from a mysterious Nigerian benefactor, one might also refrain from clicking on links to suspect news stories along the lines of “Steve Jobs Uses Windows Vista At Home” or “Google Provides NSA With Real-Time Search Data.”

Under recently disclosed Department of Homeland Security policies, such seizures may be carried out without suspicion of wrongdoing, the newspaper said, quoting policies issued on July 16 by two DHS agencies.

Agents are empowered to share the contents of seized computers with other agencies and private entities for data decryption and other reasons.

Full story and source: Reuters

That means about 576 million Web surfers leave themselves vulnerable to attack. You might just (not) be surprised by who doesn’t patch.

The study, published today, was conducted by the Swiss Federal Institute of Technology, Google, and IBM Internet Security Systems.

The researchers found that no matter how quickly browser and plug-in vendors create patches to fill security holes, it could be months before a large segment of the Internet population will apply those patches.

While I wasn’t surprised to see 83.3% of Firefox users having applied the most recent patches, the same can’t be said for Opera users, because only 56.1% of those users keep their browser up to date.

One would think that both Firefox and Opera users would be more technically savvy than the average user, thereby more prone to patch. Unlike Internet Explorer users, where less than half, at 47.6%, bother to apply the most recent software updates.

The study examined search and Web application log data from Google to ascertain what version of browsers, including patch levels, are used.

For Internet Explorer, the researchers culled data from Danish security firm Secunia’s Personal Software Inspector.

From the chorus:

There’s been a change, Yeah there’s been a change of heart, Said there’s been a change, You push just a little too far, You make it just a little too hard, There’s been a change of heart

That’s a change from last week, when it was reported that RIM would hand over the crypto keys for its “non-business enterprise customers.”

According to a RIM statement, its encryption architecture doesn’t allow for anyone, not even RIM itself, to break open ciphered messages.

“The Blackberry security architecture for enterprise customers is purposefully designed to exclude the capability for Research in Motion or any third party to read encrypted information under any circumstances,”

Source: Indian Express Newspaper

If this is true, and I really hope it is, there is no way RIM can fulfill the Indian government’s request for the keys so they’d be able to read messages for certain investigations. Though, I’m quite confident, the government will find a way.

If they don’t, let’s see if the government ups the ante to a “don’t come around here no more” threat to RIM.

According to this story, which ran in The Economic Times, there’s been somewhat of a riff between the Indian Department of Telecom and RIM over BlackBerry’s inherently robust (until now) encryption.

Apparently, the Indian government can only break crypto if it’s 40 bits, or less. So they asked RIM to fork over the keys that make it possible to decrypt the messages or reduce BlackBerry crypto to 49 bits.

From the story:

According to officials close to the development, Canadian High Commissioner David Malone and RIM officials met telecom secretary Siddhartha Behura on May 7. “It was explained by RIM that it should be possible for the government to monitor e-mails to nonbusiness enterprise customers,” sources told ET. “RIM is considering giving access to individual users’ e-mail to the government. Details on this will be provided in two or three weeks,” sources said.

So it appears, for now, that corporate users don’t have as much to be concerned with.

RIM doesn’t have much more to say on the issue:

A RIM spokesperson said: “RIM operates in more than 135 countries around the world and respects the regulatory requirements of governments. RIM does not comment on confidential regulatory matters or speculation on such matters in any given country.”

I hope RIM grows more of a backbone and “respects” the privacy and security needs of its customers.

Once the keys are public, how long before the cryptography scheme is broken? How long before they’re sold to criminals? And where does this stop? Are keys going to be made available to any government that asks?

Small disclaimer: your mileage may very, this video is meant for educational purposes only and finally, don’t try this at home:

I especially like how at the end he says “try them.” Good to know. Welcome to April

Here’s what I’ve learned from retailers and PCI auditors about step one of PCI compliance.

It’s simple to track credit card data from the point of sale to your databases and the bank that processes the transaction.

More challenging is uncovering the nooks and crannies it falls into throughout the organization.

Depending on your business processes, credit card data could be stored on customer service PCs, inside spreadsheets in the marketing department, or on backup tapes being shipped off-premises.

As I research an upcoming feature on PCI, I’ve been speaking with a number of retailers and PCI auditors. Here are a few tips you might find useful.

1. Self assessments. CIOs are conducting internal audits of their IT teams and business units to find out who touches credit card data and where they keep it.

It’s important to get this information from all the stakeholders, particularly business units that take customer orders or use card data to analyze buying trends.

2. 3rd-party audits. It’s often instructive to bring in outside experts to help you ferret out credit card data. One auditor told me about a major grocery chain that had made significant efforts to purge card data from systems that didn’t specifically need it.

However, when he bought a pack of gum with his credit card and then reviewed the logs of the point of sale system, he found it was recording the full card number and expiration date.

Of course, third-party audits are expensive, so you have to weigh the cost against the potential fines of PCI violation—along with the risk of a malicious party getting access to that data source.

3. Use tools. One retailer bought a data leak prevention product to make sure intellectual property and other sensitive data didn’t leave the network.

He also used its discovery feature to crawl his headquarters network and remote offices for repositories of card numbers. He used the findings to approach the business units holding the data to ensure they were following IT policies for encryption.

He also crawls the network regularly for rogue data or non-compliant business units. Which brings us to…

4. Get your processes in order. 99 percent of PCI compliance revolves around having IT and business processes in place to secure card data. You have to ensure that business units understand IT policies—and that they are following them.

You may also want to tweak business processes to minimize (or eliminate) the use of credit card data wherever possible. For instance, credit card numbers can be replaced with unique identifiers to analyze customer purchases.

According to numerous breaking news stories it seems a lack of proper security controls enabled some to take parts of the site down, and tweak its pages. Get serious.

It looks like a plain vanilla SQL injection vulnerability was publicized on the social news network site Reddit, and the attacking escalated from there.

The RIAA.org Web site appears fully functioning now, but that probably won’t last too long if history is any indication. During the past five years the site has reportedly been defaced and has undergone several denial-of-service attacks.

Things got really sticky a few years ago when Senator Orin Hatch proposed to give the entertainment industry the right to attack systems used by illegal file swappers.

How about a search warrant?

Other than a laugh, these more recent hacks aren’t going to push their argument against the RIAA, its lawsuits, or the demise of DRM any further.

Energy would be better placed by hounding Congress to improve the Digital Millennium Copyright Act (DMCA) and boycotting the purchase of DRM enabled music files and CDs.

Speaking of DRMed music files, they’re already starting their fade into oblivion.

Nearly every, if not every, major record label is already starting to release DRM-free files. In fact, defacing Web sites is about as petty as trying to sue your customer-base to save a dying business model.

Speaking of petty: why won’t the RIAA spring for the occasional server assessment?