Forensic evidence indicates that the hackers may have been in the system as early as September, according to the “Public Water District Cyber Intrusion” report, released by the Illinois Statewide Terrorism and Intelligence Center on November 10.

The intruders launched their attack from IP addresses based in Russia, and gained access to the utility system by first hacking into the network of a software vendor that makes the SCADA system used by the utility. The hackers stole usernames and passwords that the vendor maintained for its customers, and thereafter used the credentials to gain remote access into the water utility’s system.

The theft of credentials raises the possibility that other customers using the vendor’s SCADA system may be targeted as well.

“It is unknown, at this time, the number of SCADA usernames and passwords acquired from the software company’s database and if any additional SCADA systems have been attacked as a result of this theft,” the report states, according to Joe Weiss, managing partner of Applied Control Solutions, who obtained a copy of the document and read it to Threat Level.

Software vendors often have remote access to customer systems in order to provide maintenance and upgrades to the systems. But such access provides a backdoor for intruders to exploit. This is how a Romanian hacker obtained access into restaurant credit card processing systems in the U.S. The point-of-sale systems in several states were installed by a single company, which maintained default usernames and passwords for remote access into the systems that the hacker was able to use to breach them.

Check out the full Wired Threat Level post here.

Cyber Weaknesses Should Deter US from Waging War
America’s critical computer networks are so vulnerable to attack that it should deter U.S. leaders from going to war with other nations, a former top U.S. cybersecurity official said Monday. Richard Clarke, a top adviser to three presidents, joined a number of U.S. military and civilian experts in offering a dire assessment of America’s cybersecurity at a conference, saying the country simply can’t protect its critical networks. Clarke said if he was advising the president he would warn against attacking other countries because so many of them — including China, North Korea, Iran and Russia — could retaliate by launching devastating cyberattacks that could destroy power grids, banking networks or transportation systems. Read the full AP story here.

Hackers Hijack Millions of Computers in ‘Massive’ Fraud Case
The U.S. charged seven people with a “massive” computer intrusion scheme that used malicious software to manipulate online advertising, diverted users to rogue servers and infected more than 4 million computers in more than 100 countries. One Russian and six Estonians were charged with wire fraud and conspiracy in a 27-count indictment unsealed today by Manhattan U.S. Attorney Preet Bharara. The cyber-hijacking victims included at least a half million individuals, businesses in the U.S. and government agencies, including the National Aeronautics and Space Administration, Bharara said. Read the full Bloomberg News story here.

Hackers May Have Spent Years Crafting Duqu
The hacker group behind Duqu may have been working on its attack code for more than four years, new analysis of the Trojan revealed Friday. Moscow-based Kaspersky Lab published some findings today from a recent rooting through Duqu samples provided by researchers in the Sudan, saying that one driver included with the attack payload was compiled in August 2007, extending the timeline of the gang’s work. “We can’t be 100% sure [of that date], but all the compiled dates of other files seem to match to attacks,” said Roel Schouwenberg, a senior researcher with Kaspersky, in an interview today. “So we’re leaning towards that date as correct.” Read the full Computerworld story here.

Steam Web Sites Hacked, Gamer Data Exposed
Hackers broke into a database with customer information at the Steam online gaming site, accessed user forum accounts and defaced a forum site, the company said. “Our Steam forums were defaced on the evening of Sunday, November 6. We began investigating and found that the intrusion goes beyond the Steam forums,” Gabe Newell, co-founder of Steam developer Valve Corp., said in a statement posted to the Steam site. “We learned that intruders obtained access to a Steam database in addition to the forums,” he added. “This database contained information including user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information.” Read the full CNET article here.

Breach Exposes Data at Virginia Commonwealth University
Virginia Commonwealth University will hire an outside cybersecurity consultant to examine its information technology system after a computer server containing personal data on 176,567 people was hacked last month. The university has “very good forensic evidence” that the information was not accessed or targeted for identity theft, said Mark D. Willis, VCU’s chief information officer. “But you can never be 100 percent certain.” Read the full Richmond Times Dispatch article here.

Senators Hold Hearing on Protections Against Health Data Breaches
Electronic medical records, which the Obama administration would like to see widely used, are rarely encrypted so a data breach could be triggered by the simple theft of a laptop or misplaced thumb drive, a privacy expert told lawmakers last week. Regulations require healthcare providers to report data breaches unless the data lost had been encrypted. Read the full Reuters story here.

Data Security: Breaches Can Result in Huge Costs
This year, Marks and Spencer had to contact its customers, warning them their email addresses had been stolen, after Epsilon, a US-based email marketing supplier, was attacked by computer hackers. The incident laid bare risks to businesses ranging from retailers to banks when they hold customer data. According to Paul Bantick, a senior underwriter in insurer Beazley’s technology, media and business services team, retailers are among the most exposed to this type of risk. Read the full Financial Times article here.

Bill to Plug Data Breaches Still Stalled
Months of staff work and multiple headline-making data breaches later, the Senate Commerce Committee is still at the drawing board on data security legislation. Committee Chairman Jay Rockefeller (D-W.Va.) and Sen. Mark Pryor (D-Ark.) have been unable to forge consensus on a bill much discussed in tech circles that would force companies to bolster their data security practices and notify consumers whose information has been stolen. Read the full Politico story here.

Nothing can stop a campaign to expose Mexican drug lords more than good old-fashioned death threats.  This is exactly what happened when rogue hacker organization Anonymous found out that members of the Mexican drug gang, Los Zetas, threatened to kill multiple Anonymous members for each name of its members that was made public.

This all first began when Anonymous posted a YouTube video threatening to expose members of Los Zetas if they did not release of an unidentified member of Anonymous from Veracruz, Mexico who had been kidnapped by the cartel during its “Operation Paper Storm.”

Anonymous changed its tune because the alleged kidnap victim was released.  But the big motivator was a statement from U.S. security contractor, Strafor, which claimed that the Zetas were paying experts to track down and kill members of Anonymous.

Nothing can motivate and change your mind that a good old-fashioned death threat, as Anonymous saw first hand.

‘Kill a Zombie’ for Halloween
Here’s your chance to make a difference … tool up and kill a zombie for Halloween. What … what are you doing? Put down that baseball bat and chainsaw! I’m not talking the living dead kind of zombie here, I’m taking about the silicon kind that are used by cybercriminals to send spam, distribute malware, and commit identity theft. A zombie computer. What’s a zombie computer? It’s a computer that’s is infected with malware to bring it under the control of the cybercriminals as part of a botnet. Billions of spam emails are sent daily, and 99% of these are sent using zombie computers. Security firm Sophos have designated October 31st, to be “International Kill-A-Zombie Day.“ Read the full ZDNet article here.

Napolitano: Hackers Pose Major U.S. Threat
Homeland Security Secretary Janet Napolitano says Congress must act before computer hackers cripple critical parts of the U.S. infrastructure. Addressing a Washington Post conference Thursday, Napolitano cautioned the number of cyberattacks on financial systems, transportation and other networks is growing and have the potential to cause deaths and economic consequences. She warned cyber assaults had come close to crashing some key infrastructure. Read the full UPI story here.

Facebook Admits to 600,000 Cyber Attacks a Day
Facebook has revealed that every 24 hours it receives around 600,000 logins to the social networking website from impostors attempting to access users’ messages, photos and other personal information. This is the first time that Facebook has revealed how it is bombarded by hackers on a daily basis, according to the Telegraph. The figure was revealed in a Facebook blog post announcing new security measures to be implemented in the coming weeks to stop this kind of breach. Security experts told The Times that the figure was a “big concern” and urged greater care in selecting passwords and clicking on offers that supposedly originated from Facebook friends. Read the full ComputerWeekly post here.

Facebook Introduces Identity Theft Protection
Facebook is testing out two new security features to help users protect their accounts from being compromised by malicious third-party apps or hackers. In a 26 October blog post, the social networking giant unveiled the “trusted friends” feature to help users regain control of their account and application passwords to prevent malicious third-party apps from accessing account data. The features will be rolled out to users over the “coming weeks”, according to the Facebook security team. Read the full eWeek story here.

ID Theft: How to Help Consumers
Are banking institutions and state and federal agencies doing enough to assist consumers with ID theft recovery? ID theft expert Joanna Crane says consumer expectations are often loftier than what’s being done to meet the demand. They’re doing a pretty good job, says Joanna Crane. In fact, it was collaboration between the financial industry and the federal government that in 2004 led to the founding of the Identity Theft Assistance Center, a not-for-profit public-private partnership that to date has helped more than 80,000 victims of identity theft. But more always needs to be done. Read the full BankInfoSecurity.com post here.

Anonymous Threatens Mexico’s Murderous Drug Lords
A ruthless campaign of killing, extortion and kidnapping by Mexico’s powerful Zetas drug cartel has created plenty of enemies, from the Mexican government to paramilitary vigilantes to rival cartels. But now the Zetas have a new adversary: the hacker collective Anonymous. In a video uploaded Oct. 6, an Anonymous spokesperson said that unless the Zetas release one of the group’s members, the group will reveal the photos, names and addresses of Zetas-affiliated cops and taxi drivers. (The member was allegedly kidnapped in the western coastal city of Veracruz during an “Operation Paperstorm” demonstration.) Read the full Wired story here.

For those of us who cover cyber security issues on a regular basis, October is a pretty special month.  The National Cyber Security Alliance (NCSA) is hosting the 8th annual National Cyber Security Awareness Month to be held throughout the month of  October.   In case you weren’t ware of it, National Cyber Security Awareness Month is a coordinated national effort focusing on the need for improved online safety and security for all Americans. This year’s theme, “Our Shared Responsibility,” emphasizes that everyone has a role in securing their part of cyberspace, including the myriad of devices, such as smart phones and tablets, and the networks they use.

NCSA, along with the U.S. Department of Homeland Security and the Multi-State Information Sharing and Analysis Center, are the key sponsors National Cyber Security Awareness Month every October since its founding in 2003. Together, these three organizations strive to empower consumers, schools, businesses and government agencies to stay safe online, devoting the full month of October to public awareness and education.

The month-long calendar features a diverse array of NCSA sponsored flagship events as well as other events throughout the nation, beginning October 7th in Ypsilanti, Michigan with Governor Rick Snyder, leaders from the U.S. Department of Homeland Security and other officials. This official launch event for the month will take place during the Michigan Cyber Summit and will draw highly regarded cyber security experts from around the world. NCSA will also share findings from its annual national survey on the state of security and online safety.

Click here to learn more about National Cyber Security Awareness Month, and stay tuned for more podcasts and updates.

FBI Issues Warnings About Hurricane Irene Charity Scams
The Federal Bureau of Investigation warns us to be on alert against “fraudulent e-mails and websites claiming to conduct charitable relief efforts. Disasters prompt individuals with criminal intent to solicit contributions purportedly for a charitable organization or a good cause.” The FBI offers some excellent tips to protect yourself against charity scammers. Check out the full Forbes post here.

Nokia Suspends Forum After Data Breach
Nokia has suspended its developer forum website after it discovered a recent attack had resulted in members’ data being compromised. In an emailed statement the Finnish phone giant said its developer.nokia.com/ community would be taken offline until ”further investigations and security assessments were complete.” The company did admit that user’s personal information, including emails and for a few, dates of birth and other data, was compromised. Read the full WSJ blog post here.

Masked Protesters Aid Time Warner’s Bottom Line
Anonymous, the hacker group, has jostled with the Iranian government and the Church of Scientology and has briefly shut down the Web sites of Visa, MasterCard and other global corporations. When members appear in public to protest censorship and what they view as corruption, they don a plastic mask of Guy Fawkes, the 17th-century Englishman who tried to blow up the Houses of Parliament. Stark white, with blushed pink cheeks, a wide grin and a thin black mustache and goatee, the mask resonates with the hackers because it was worn by a rogue anarchist challenging an authoritarian government in “V for Vendetta,” the movie produced in 2006 by Warner Brothers. What few people seem to know, though, is that Time Warner, one of the largest media companies in the world and parent of Warner Brothers, owns the rights to the image and is paid a licensing fee with the sale of each mask. Read the full NY Times article here.

Android Is No. 1 Target of Mobile Hackers
“Chaos.” This is the word McAfee, the antivirus and computer security company, chose to describe the state of desktop and mobile hacking in a new report issued this week. The “McAfee Threats Report” said that a rise in “hacktivism” from groups like Lulz Security, or LulzSec, and Anonymous, helped drive a drastic increase in online attacks in recent months. McAfee also found that Google Android is now the most targeted mobile platform by hackers. Over the past several months LulzSec caused havoc online when it began hacking dozens of Web sites belonging to government agencies and corporations. McAfee said in its report that LulzSec’s brazen hacks were done with the hope of bringing turmoil to the Web, mostly for fun, rather than a monetary goal. Read the full NY Times article here.

The Next New Cyberdefense Strategy: Monitor Everything
The definition of “cybercrime” is ever changing, as is the severity of attacks. 2011 has already been labeled the “year of the data breach,” and yet many of the breaches are not the typical SQL injection attacks or database hacks. Instead, criminals are using legitimate website functions to steal data and sometimes money, from targeted organizations. Compounding the problem, as U.S. banks and other financial institutions are enabling customers and employees to make mobile transactions, security implications around both Web and mobile functionality have become a large concern for IT. As the majority of today’s applications and services are easily accessible via the Web — website, intranet, mobile, etc. — online security standards are a weakness that cannot be ignored. Although acts of cybercrime may not be classified as, “physical destruction,” new threats crop up daily. Online institutions and the security industry need to band together to develop effective solutions that protect as many users as possible. Read the full TechNewsWorld post here.

Consumers Say E-Banking Security Should be Banks’ Top Priority
For a survey commissioned by McLean, Va.-based strategy and technology consulting firm Booz Allen Hamilton, market research firm Zogby International polled 2,160 U.S. adults last July about their concerns and expectations regarding security in the banking industry. The results show that the majority of consumers rate the securing of their financial information online as the most important banking service, with 71 percent of respondents saying they believe a bank’s top focus should be on e-banking security. The consumers surveyed even put security before convenience, with 78 percent of them saying they’re willing to provide an additional level of authentication before accessing their account information online if that would increase protection from threats. The results also indicated that 66 percent of respondents believe banks, not government, are most accountable for protecting customer financial assets online. Read the full Bank Systems & Technology post here.

DHS Partners with Boys & Girls Clubs of America on Cybersecurity
he U.S. Department of Homeland Security will partner with over four million members of Boys & Girls Clubs of America to heighten cybersecurity, the DHS announced last Friday. The over-100-years-old Boys & Girls Clubs of America join the DHS “Stop.Think.Connect.” campaign, a national effort to achieve a higher level of internet security by educating Americans at home, in the workplace and in communities. “In today’s world, Americans can use technology to engage with communities around the globe,” said Homeland Security Secretary Janet Napolitano in the announcement. “Now, more than ever, it is important that all Americans learn to protect themselves online and do their part to ensure that cyberspace is a safe and secure environment for all Internet users.” Read the full WHTC post here.

For companies interested in protecting their online brands – and perhaps those with a “softer” moral compass – you can hire a hacker to make sure the bad reviews are not seen by prospective customers.

Though, one hacker promising to offer reputation management services got a little taste of his own medicine.  Consumer advocacy site RipOff Report recently detected and successfully defeated an ongoing hack of its the site by this supposed “reputation manager” hacker.

Here’s some more about this development from our friends at Dark Reading:

Earlier this year, a hacker, promising his customers “reputation management” services, had embedded code into the website to prevent search engines from recognizing certain postings. In some cases, website visitors were misdirected to a false message stating that the posting had been redacted.

A RipoffReport.com investigation revealed that the hacker had been commissioned by reputation management companies that accepted thousands of dollars in monthly fees from their clients, promising that Ripoff Report postings about the businesses could be removed from search engine results or deleted from the Internet altogether.

Well, reputation management firms (i.e., PR firms?) offering below-the-radar hacker services for managing bad online reviews is something completely new to us.  As companies are fighting to win and even survive in today’s economic climate, we suspect that these types of “hacker services” will only increase — unfortunately.  We welcome all thoughts, comments and feedback.

Credit-Card Data Hacker Sentenced To 10 Years In Prison
A 25-year-old Georgia man was sentenced to 10 years in prison for counterfeit credit-card trafficking and identity theft in a fraud that caused $36 million in losses, the U.S. Department of Justice said Friday. Rogelio Hackett pleaded guilty in April. He admitted that since at least 2002, he trafficked in credit-card information gleaned either by hacking into business computer networks and downloading credit-card databases or by purchasing the information from others through Internet discussion groups known as “carding forums.” He sold the information, made and sold fake plastic cards and used the credit-card information to accumulate gift cards and merchandise, according to his admissions in court filings. Read the full WSJ article here.

Anonymous to FBI: You can’t arrest an idea
The members of Anonymous and LulzSec say they won’t back down in the face of the FBI’s recent efforts to shut them down. In a letter published Thursday on Pastebin, the affiliated hacking groups vowed to “continue to fight” the “governments and corporations [which] are our enemy.” The letter, posted by “AnonymousIRC,” was a response to comments made by deputy assistant FBI director Steve Chabinsky in an interview with NPR. AnonymousIRC is a handle that has been associated with purported LulzSec co-founder “Sabu.” Read the full Think Digit post here.

Sony Insurer Sues to Deny Data Breach Coverage
One of Sony Corp’s insurers has asked a court to declare that it does not have to pay to defend the media and electronics conglomerate from mounting legal claims related to a massive data breach earlier this year. The dispute comes as demand soars for “cyberinsurance,” with companies seeking to protect themselves against customer claims and associated costs for data and identity theft. How to write such policies has become a huge subject of debate in the insurance industry. Read the full Reuters story here.

Hackers steal Apple App Store account IDs, passwords to make illicit purchases
At least 50 customer complaints have been posted to discussion boards on Apple Inc.’s Japanese App Store claiming their accounts have been hacked to make illicit purchases for a Chinese-made game. The majority of the customers’ complaints state that their Apple IDs and passwords had been used to buy in-game items for Mingzhu Sanguo OL — a game app released in Chinese on April 23 and free for download — with thousands of yen subtracted from money the victims had on their game accounts for later use. Many of the complaints were posted in July, suggesting a growing problem. Read the full Mainichi Daily News article here.

4 Suspected Anonymous-Connected Hackers Freed
Four hackers believed to be connected to the hacker activist group Anonymous have been released by Dutch authorities, a report from The Associated Press says. According to the report, “national prosecutors” in the Netherlands have revealed that the hackers have been released by authorities. The report further reveals that the four hackers have acknowledged that they have “infiltrated websites” and published “confidential information.”
The news report, which came out Friday, details that the group of hackers were arrested Tuesday last week. Read the full Social Barrel post here.

Bride Under Arrest for Identity Theft – At the Wedding!
A bride has been placed under arrest at her own wedding in Florida. The police were called to the ceremony by a guest of the wedding, as the bride Tammy Lee Hinton was wanted by police in Michigan for identity theft and one guest wanted to make certain she answered to police for her alleged crimes – even at the wedding. According to MSNBC.Com police officers were nice enough to allow the “bride to finish her ceremony before making the arrest.” Blackman-Leoni Department of Public Safety Deputy Director Jon Johnston said: “Our officers showed up as the wedding was taking place and allowed her to finish and separate from her guests before they made contact.” Read the full National Ledger article here.

Rating the Hacker Threat Level – The Street.com
Hackers have loaded email, social networking and Web surfing with potential danger, but equal measures of doom aren’t lurking behind every click. Hackers who gain access to data on Sony and Central Intelligence Agency sites get the headlines, but the ones bothering Internet users engaging in more benign tasks are the ones wreaking more widespread havoc and driving the online security industry. A survey conducted earlier this month by security firm Symantec suggests at least part of the problem stems from the users themselves. Read the full article from TheStreet.com here.

Well, the hacker community is now dealing with a rivalry that aims to bring down one of the most notorious hacker groups out there, LulzSec.

FoxNews.com scored an exclusive interview with Hex0010, a 23-year-old member of TeaMp0isoN (meaning Team Poison), which is a “group of professional hackers, publicly connected to the Palestinian-friendly ‘Mujahideen Hacking Unit’ that defaced Facebook in December.”

It seems that Team Poison is trying to race international police to pull back the sheets and expose LulzSec’s identities.   And here’s a warning to any members of LulzSec in California — Hex0010 told Foxnews.com that the next hacker to be exposed is a Californian.   His  plan is “to post that information along with IP addresses and chat room logs that confirm the person’s affiliation with LulzSec.”

Well, this certainly bodes well for law enforcement.  Nothing like having an insider expose a more nefarious insider…and it will all be done out in the open on the web.  And we thought the times were interesting now….just wait and see how this one will shake out.