Jan 31, 2010

Roubini Calls U.S. Growth ‘Dismal and Poor,’ Predicts Slowing

New York University Professor Nouriel Roubini, who anticipated the financial crisis, called the fourth quarter surge in U.S. economic growth “very dismal and poor” because it relied on temporary factors.

Roubini said more than half of the 5.7 percent expansion reported yesterday by the government was related to a replenishing of inventories and that consumption depended on monetary and fiscal stimulus. As these forces ebb, growth will slow to just 1.5 percent in the second half of 2010, he said.

“The headline number will look large and big, but actually when you dissect it, it’s very dismal and poor,” Roubini told Bloomberg Television in an interview at the World Economic Forum’s annual meeting in Davos, Switzerland. “I think we are in trouble.”

Roubini said while the world’s largest economy won’t relapse into recession, unemployment will rise from the current 10 percent, posing social and political challenges.

“It’s going to feel like a recession even if technically we’re not going to be in a recession,” he said.

Regulators shut down banks in 5 states

Regulators shut down a big bank in California on Friday, along with two banks in Georgia and one each in Florida, Minnesota and Washington. That brought to 15 the number of bank failures so far in 2010 atop the 140 shuttered last year in the punishing economic climate.

The failure of Los Angeles-based First Regional Bank, with nearly $2.2 billion in assets and $1.9 billion in deposits, is expected to cost the federal deposit insurance fund $825.5 million.

The Federal Deposit Insurance Corp. took over the bank as well as the others: First National Bank of Georgia, based in Carrollton, Ga., with $832.6 million in assets and $757.9 million in deposits and Community Bank and Trust of Cornelia, Ga., with $1.2 billion in assets and $1.1 billion in deposits; Florida Community Bank of Immokalee, Fla., with $875.5 million in assets and $795.5 million in deposits; Marshall Bank of Hallock, Minn., with $59.9 million in assets and $54.7 million in deposits; and American Marine Bank of Bainbridge Island, Wash., with $373.2 million in assets and $308.5 million in deposits.

First Regional Bank's collapse followed the shutdown of several large California banks in the last months of 2009. California was one of the states hardest hit by the real estate market meltdown, and many banks there have suffered under the weight of soured mortgage loans. Last year saw the failure of 17 banks in the state.

First-Citizens Bank (CZMO) & Trust Co., based in Raleigh, N.C., agreed to buy the deposits and $2.17 billion of the assets of First Regional Bank. The FDIC retained the remaining assets for later sale. In addition, the FDIC and First-Citizens agreed to share losses on $2 billion of the failed bank's loans and other assets.

Community & Southern Bank, also based in Carrollton, Ga., agreed to assume the deposits and assets of First National Bank of Georgia.

SCBT, a national bank based in Orangeburg, S.C., is assuming the assets and deposits of Community Bank and Trust. United Valley Bank, based in Cavalier, N.D., is buying the assets and deposits of Marshall Bank.

Miami-based Premier American Bank, N.A., a new bank with a national charter set up last week, is buying the deposits and $499.1 million of the assets of Florida Community Bank. The FDIC will retain the remaining assets for later sale. In addition, the FDIC and Premier American Bank - owned by the investment firm Bond Street Holdings - agreed to share losses on $305.4 million of Florida Community Bank's loans and other assets.

Columbia State Bank, based in Tacoma, Wash., is assuming the assets and deposits of American Marine Bank.

The two shuttered banks in Georgia followed 25 bank failures there last year, more than in any other state.

The government's resolution of First National Bank of Georgia is expected to cost the deposit insurance fund $260.4 million. That of Community Bank and Trust is estimated to cost $354.5 million. Florida Community Bank's resolution is expected to cost the fund $352.6 million and Marshall Bank is expected to cost $4.1 million. The hit to the fund from American Marine Bank is estimated at $58.9 million.

As the economy has soured, with unemployment rising, home prices tumbling and loan defaults soaring, bank failures have accelerated and sapped billions out of the federal deposit insurance fund. It fell into the red last year.

The 140 bank failures last year were the highest annual tally since 1992, at the height of the savings and loan crisis. They cost the insurance fund more than $30 billion. There were 25 bank failures in 2008 and just three in 2007.

The number of bank failures is expected to rise further this year. The FDIC expects the cost of resolving failed banks to grow to about $100 billion over the next four years.

The agency last year mandated banks to prepay about $45 billion in premiums, for 2010 through 2012, to replenish the insurance fund.

Depositors' money - insured up to $250,000 per account - is not at risk, with the FDIC backed by the government. Besides the fund, the FDIC has about $21 billion in cash available in reserve to cover losses at failed banks.

Banks have been especially hurt by failed real estate loans, both residential and commercial. Banks that had lent to seemingly solid businesses are suffering losses as buildings sit vacant. As development projects collapse, builders are defaulting on their loans.

If the economic recovery falters, defaults on the high-risk loans could spike. Many regional banks hold large concentrations of these loans. Nearly $500 billion in commercial real estate loans are expected to come due annually over the next few years.

In his State of the Union address this week, President Barack Obama said he will initiate a $30 billion program to provide money to community banks at low rates, if they boost lending to small businesses. The money would come from balances left in the $700 billion bailout fund.

Hundreds of banks, including major Wall Street institutions, received taxpayer support through that politically unpopular rescue program, enacted by Congress in October 2008 at the height of the financial crisis.

Canada privacy office launches new Facebook probe

Canada's privacy commissioner is once again probing Facebook over the online social network's privacy policies.

The Privacy Commissioner of Canada said she is investigating a complaint from a Facebook user over changes the company introduced in December.

The announcement came just five months after Facebook agreed to give users more control over the information they share with outside applications such as games and quizzes in response to concerns raised by Canadian privacy officials.

The latest complaints stem from changes Facebook made to give users more granular controls over what information is shared with others, while pushing users to be more open.

The complaint alleges that Facebook's new, "default" settings made more information exposed than the user had previously intended. Facebook insists those settings were merely recommendations.

Elizabeth Denham, the assistant privacy commissioner, said some Facebook users have been disappointed at changes that were supposed to improve protection of their personal information.

Facebook said it has not seen the complaint but it is confident that its process last month was "consistent with user expectations, and within the law."

In the US, the Electronic Privacy Information Center and nine other organisations have also filed a complaint with the Federal Trade Commission over last month's changes.

Fill 'er up – in your own driveway

Honda has developed a next-generation solar-powered hydrogen fuelling station in the US that can be installed in your home - effectively removing the need for regular retail refilling stations.

The prototype is designed to refill a hydrogen fuel cell vehicle in an eight-hour overnight cycle. It produces half a kilogram of hydrogen in that time, enough to replenish the supply for an average daily commute.

One of the biggest benefits of Honda's new system is that it doesn't require the costly and bulky compressor of the previous solar hydrogen refilling station. The compressor has been replaced with a high differential pressure electrolyser.

The new system can also pump energy back into the grid, allowing the owner to "sell" unused electricity to an energy supplier.

Honda says that the key to getting hydrogen stations into people's homes is to make them convenient, clean and energy efficient. The 48-panel solar-powered system runs on off-peak energy, and Honda says it wants to push the use of fuel cell vehicles forward.

"The combination of fuel cell electric vehicles and solar hydrogen stations could lead to the establishment of a hydrogen society based on renewable energy, resulting in a major reduction of CO2 emissions and greater energy sustainability."

According to Honda, it's all part of the plan to make hydrogen - in particular, the company's FCX Clarity fuel-cell vehicle - a mainstream option for the future.

"With fast fill public stations providing 5-minute fuelling time for longer trips, and the opportunity of convenient night-time slow filling at home... the Honda FCX Clarity can cover a wide range of driving demands from the daily commute to weekend trips."

The Honda FCX Clarity is currently only available in America and Japan as a lease vehicle, though it has been reported that Honda plans to offer affordable hydrogen cars to the mass market within ten years.

Computers under constant attack

THIRTY per cent of computer systems for the nation's essential services such as banks, government and utilities are repeatedly attacked by hackers every month, according to an international report released today. More than half of those targets are hit multiple times a week or even multiple times a day, and the situation could get worse.

Forty per cent of the Australian experts surveyed for the report believed the nation would sustain a ''major cyber incident'' against its key services in the next 12 months. Given a two-year timeframe, the figure jumped to 53 per cent, and 76 per cent expected a major digital strike against the nation's critical infrastructure within five years.

The study, commissioned by the anti-virus vendor McAfee, was conducted by the Washington-based Center for Strategic and International Studies. The report's lead author, Stewart Baker, was the first assistant secretary for policy at the US Department of Homeland Security until last January and previously worked as general counsel at the National Security Agency.

The report surveyed 600 computer and security experts in 14 countries.

Jan 30, 2010

Bankers besieged at World Economic Forum for role in global financial crisis

NOT so long ago, financiers ruled the roost at the glitzy annual gathering of the global economic elite in Davos, amid the Swiss Alps. At this year's gathering of the World Economic Forum, the unofficial theme seems to be, "First, kill all the bankers".

The ire directed at bankers from all sides is palpable, acknowledged Donald Moore, chairman of Morgan Stanley in Europe, as he stood alone reading some charts amidst the hubbub at the forum's Global Village cafe. Asked which other groups of people have been similarly unpopular in Davos in the past, he said: “Terrorists.”

The quip reflects the mounting alarm with which bankers have come to view their besieged profession - even in Davos, a usually cozy gathering.

The scorn poured on the industry at this year's get-together in the Swiss ski resort is a sign of a mounting international backlash against the financial sector. Popular anger about banks' role in the financial crisis, and their behaviour in its aftermath, has spilled over to the world's elite business executives, politicians and regulators. Since gathering here Wednesday, they have been aiming sometimes bitter recriminations at the tainted masters of the banking universe.


"I think that the relationship between government and banks has changed irreversibly," said Peter Sands, group chief executive of Standard Chartered Bank and a co-chair of the Davos meeting. "I think the banks have not helped themselves at all. We have been tone deaf, and shot ourselves in the foot," he said, adding, "We all need a little humility."

Such servings of humble pie are just a taste of a political atmosphere that has turned poisonous for banks. Many bankers are keeping a low profile, preferring private meetings to appearances on discussion panels. Under rising pressure, some bankers are even turning on their peers.

On the fringes of one of the many showy events that host the real business of Davos, a senior London-based investment banker offered this wager: Lloyd Blankfein, CEO of Goldman Sachs, would be out within two years, he said, and he was prepared to back up his bet with millions of pounds.

Mr Blankfein isn't the only target of anti-banker anger. But he presides over the world's most successful investment bank. Goldman has emerged from the financial crisis stronger than ever. And Mr Blankfein has been among the most outspoken public defenders of banks and he has paid his bankers well, though the level of bonuses was cut in the last round.

Asked about the wager over Mr Blankfein, Goldman spokesman Lucas van Praag said: "It is preposterous that The Wall Street Journal would even consider publishing such effluent."

Support is growing among governments and regulators for a more aggressive clampdown on banks' practices than looked likely only a few weeks ago. Proposals for tough new taxes and rules from the US, UK and other governments are feeding a growing determination among officials on both sides of the Atlantic not to let the financial sector off lightly, after banks' losses nearly caused a global economic crash.

Relief about the easing of the economic crisis is giving way to demands for far-reaching change, dismissals of banks' objections, and questioning of the value of many financial sector activities.

Top bankers, including Deutsche Bank chief executive Josef Ackermann, were due to meet behind closed doors with finance ministers, central bankers and regulators from major economies in Davos today in an attempt to win a reprieve.

"We should stop the blame game and we should start looking forward," Mr Ackermann said overnight in the Alps setting, arguing that a plethora of new taxes and proposals is damaging the banking sector.

"If you don't have a strong financial sector to support the recovery, you're making a huge mistake and you will regret that later on," he said.

One European bank chairman complained that the organisers of the conference have invited too many politicians and regulators to what was formerly a friendly get-together for the business elite.

At times the atmosphere has turned downright hostile, say some. French President Nicolas Sarkozy delivered a populist broadside in the keynote address to officially open the meeting.

"There is indecent behaviour that will no longer be tolerated by public opinion in any country of the world," Mr Sarkozy told the conference. "That those who create jobs and wealth may earn a lot of money is not shocking. But that those who contribute to destroying jobs and wealth also earn a lot of money is morally indefensible," Mr Sarkozy said.

A widespread view heard here is that banks have brought much of the anger upon themselves, by appearing to return to a culture of taking high risks and dishing out lavish pay as soon as they were out of intensive care.

"I think banks have misjudged the deep feelings of the public regarding the devastating effects of the crisis," said Guillermo Ortiz, until recently Mexico's central bank governor.

Bankers from outside the US, where the bonuses and risk-taking have traditionally been greatest, complain that all bankers are being tarred as villains. Even banks that acted conservatively face new regulations that could make doing business more complicated and costly.

"The banks who stayed strong are angry at the banks who had poor management," said Robert Diamond, president of the British bank Barclays, at a debate on rethinking financial-systemic risk.

"I've seen no evidence that shrinking banks and making banks more narrow is the answer," Mr Diamond said, criticising the US proposals.

If regulators try to eliminate the risk of banking crises entirely, said Alessandro Profumo, chief executive of Italian lender Unicredit, the result will be "a very inefficient system, and I think we are moving towards that."

That argument is falling on deaf ears at Davos. Jean-Claude Trichet, the president of the European Central Bank, said that the financial crisis has fundamentally changed the relationship between the banks and government because taxpayer money was used to rescue the financial system.

"We were very close to a full-fledged Depression had the government not stepped in," said Mr Trichet. "We put taxpayer money at risk to guarantee loans at banks ... a gigantic amount."

Deutsche Bank's Mr Ackermann on Thursday held lengthy private talks with more than 30 top bankers on the edge of the Davos conference, to agree on a common line for today's encounter with government officials.

The hope was that a constructive offer to regulators will take some of the heat off banks.

The talks lasted five hours, but the group struggled to find common ground.

"We've tried before, but we aren't going to be able to come up with an agreement," said one of Europe's top investment bankers: "We're too competitive with one another."

One group enjoying the bankers' pain at the global capitalism fest in Davos is the trade-union movement.

"We were never sure if we were really welcome here. This time, we are speaking on panels, we have a seat at the table," said Philip Jennings, general secretary of the UNI Global Union. Now, bankers are "at the bottom of the totem pole."

"They've been rumbled."

Jan 29, 2010

Always being positive can become a negative

I don't know about you but I'm over being positive. I'm over looking for the silver lining when there isn't one, over moving forward rather than reflecting on past mistakes, and over saying I'm having a nice day when basically I'm having a pretty crap one.

It's difficult being a nay-sayer in a time when unrealistic optimism is so pervasive. But now author Barbara Ehrenreich has removed the rose-coloured glasses and taken a good look at the country that brought us the "have a nice day" phenomenon in her book Smile or Die: How Positive Thinking Fooled America & the World, and, at the same time, given pessimists some overdue recognition.

Ehrenreich exposes the ideology, vested interests and, some might say, insanity that underpin exhortations that positive is the only way to go. She begins with her own experience of breast cancer, where instead of solid scientific explanations she was presented with pink ribbons and teddies. Her point that this infantilises women is best made by her observation that men diagnosed with breast cancer aren't given Matchbox cars.

As someone who has been treated for breast cancer, I can only agree that the breast cancer industry - for that is what it is - while raising awareness and money, has also stereotyped women and normalised breast cancer as almost as natural a part of women's lives as childbirth or menopause.

Ehrenreich's research finds that women coping with cancer diagnosis and treatment are swamped with messages that cancer is an opportunity, a gift that should be embraced. Women are told the key to survival is to stay positive - if the cancer comes back, you just weren't positive enough.

The ideology of positive thinking has invaded every nook and cranny of American life but nowhere has its impact been more apparent than on its economy. According to Ehrenreich, the economic crisis is a direct result of reckless optimism. America was so blinded by mega profits, over-the-top consumption and good times it refused to see the signs, ignoring aphorisms long favoured by economists: bubbles always burst; booms are followed by busts.

The irony of America's delusional attachment to the power of positive thinking is captured in the film Up in the Air, in which a downsizing executive played by George Clooney travels across America to fire people in the nicest possible way. He encourages those soon to be on the unemployment scrap heap to see only positives, telling one casualty: "Anyone who ever built an empire or changed the world sat where you are right now."

The ideology of positive thinking has infiltrated the Australian way of life. In the workplace, employees who ask hard questions are often seen as negative and counter-productive, team members who do not conform (or dislike playing team-building games) are thought to damage morale, consensus is valued and debate considered unhelpful.

And while politicians demand we work harder, smarter and longer - though statistics suggest Australians already do - long working hours and the complexity of modern life are taking their toll on family and other relationships. But rather than put our heads out the window and scream "we won't take it anymore", we turn to self-help tapes and smiley faces to get us through.

Positive thinking distracts us from the bigger picture, too. Take climate change: we're all taking shorter showers, turning out lights and filling buckets with grey water, when we could be storming the streets to protest against policies that wreck our backs as well as support unsustainable agriculture and industry such as coal and decrepit facilities that squander vast quantities of water.

But politicians want voters to feel positive, especially about them. To persuade us that it's all good, public relations consultants are contracted and given access to millions of taxpayer dollars to spend on spin.

The media, depended on to scrutinise politicians, big business and institutions, has lost its way and sold out to the positivity industry. In failed bids to maintain circulation, newspapers have sacrificed space once devoted to investigative journalism and critical analysis to fashion, food and gossip.

Smile or Die is a reminder of the need for dissenting voices, particularly when political parties look and sound like each other and when one ideology - capitalism, growth and consumption - holds us captive.

While Australia has not grasped positive thinking with the fervour of America, that country's willingness to forgo common sense is a worthy lesson that always being positive can make us very unhappy indeed.

Low blood sugar can kill, British scientists say

RESEARCH has shown how treatment to control a diabetic's rising blood sugar level can lower it too far. And it's a problem that can prove deadly.

British scientists have gauged the risk posed by hypoglycemia - a lack of sugar in the blood - in a major study of diabetics that also points to possible changes in treatment guidelines.

"Low and high mean HbA1c (an indicator of blood sugar) values were associated with increased all-cause mortality and cardiac events," writes Craig Currie, from Cardiff University, and colleagues, in a paper published in The Lancet. "If confirmed, diabetes guidelines might need revision to include a minimum HbA1c value."

The British-based research took in the medical and mortality records of almost 50,000 type 2 diabetics aged over 50, over the course of 22 years. An HbA1c level of 7.5 per cent was found to be optimal, as it was associated with the fewest deaths.


Compared to this level, diabetics with elevated glucose levels (10.6 per cent) suffered almost 80 per cent more deaths.

Having a low blood sugar level (6.4 per cent) also carried a risk, as these people suffered just over 50 per cent more deaths. Doctors typically seek to stabilise a diabetic's blood sugar levels at an HbA1c level of 7 per cent.

Queensland-based Gary Deed said there was a "sliding scale" by which a diabetic's HbA1c target was set, although the majority fell into a category aiming for 7 per cent. "The study suggests a raising of the current guidelines of HbA1c to 7.5 per cent from 7 per cent," said Dr Deed, who was formerly national president of Diabetes Australia.

"This, I feel, is presumptive as many other studies have shown the vast majority of patients, with all forms of diabetes, will have increased complications should we not at least try for the 7 per cent target."

The study split the diabetics into two groups - those who used insulin injections to manage their condition and those who used a combination of oral medicines. Those injecting insulin were shown to have a higher risk of death.

Jan 28, 2010

Philip C. Bolger, 81, Dies; Prolific Boat Designer

Philip C. Bolger, whose hundreds of boat designs, from classic schooners to sportfishing yachts to simple dories and dinghies, ranked him among the most prolific and versatile recreational boat designers in the world, died on Sunday in Gloucester, Mass., where he had lived nearly all his life. He was 81.
[Photos: Philip C. Bolger experimented and did not mind failing (Susanne Altenburger); Mr. Bolger's Gloucester light dory (Susan Davis); his Brick sailboat (Peillet-Long Family).]

The cause was a self-inflicted gunshot, his wife, Susanne Altenburger, said. His mind had slipped in the last several months, and he wanted to control the end of his life while he was still able, she said. They had discussed the matter of his death, she added, but he had not told her of his intention. “He wanted to make sure to leave me out of the loop,” Ms. Altenburger said.

Carrie Kimball Monahan, a spokeswoman for the Essex County district attorney, said on Friday that the medical examiner had not yet determined the cause of death.

Mr. Bolger, something of a cult figure in the world of recreational boating, was a bit of a mad scientist, an experimenter who did not mind trying things and failing and then acknowledging his failures. Though he thought a boat could be perfect, he never thought a boat needed to be perfect to be useful or fun.

One of Mr. Bolger’s foremost interests was making boating easier and more accessible for people who were not full-time enthusiasts. For them he created the so-called instant boats, plywood craft that an amateur could build in a matter of hours. Often referred to as Bolger boxes, many were criticized as being out-and-out ugly — “They looked like floating packing crates,” Dan Segal, a boating writer, said — and Mr. Bolger acknowledged as much. But if you wanted to be able to build your own 12-foot boat and have some fun with it, the Bolger box was it.

Among Mr. Bolger’s nearly 700 designs were power boats, rowboats, fishing boats and sailboats, including many of the long, narrow, flat-bottomed sailboats known as sharpies. He designed, on the one hand, what has been called the world’s smallest dinghy, a novelty boat that actually folded up. On the other hand, he designed a replica of the H.M.S. Rose, an 18th-century British frigate, that was used in the 2003 film “Master and Commander: The Far Side of the World,” which starred Russell Crowe. The replica is now at the San Diego Maritime Museum.

Mr. Bolger was an iconoclast, a designer willing — eager, actually — to part with tradition, especially if it meant solving a practical problem. He had no loyalty to symmetry, for example; if necessary, he would move the mast, or even the centerboard, from the center of the boat. Indeed, instead of modifying existing boats, which is how boat design has largely evolved, Mr. Bolger liked to design on the basis of problem solving.

“If you said to him, ‘I want an inexpensive cruising boat for two people that I can put on a trailer,’ he’d design around the criteria,” said Mr. Segal, the former managing editor of the magazines Small Boat Journal and The Yacht. “He was, as far as I know, unique in this approach.”

That is not to say Mr. Bolger didn’t have a fine eye for a boat’s lines. In fact, he created several boats considered beauties, if not masterpieces — his Gloucester light dory, for example.

“His influence was gigantic,” said Sam Devlin, a boat designer and builder in Olympia, Wash., who as a young man some 25 years ago made a pilgrimage to Gloucester just to meet Mr. Bolger. “There were not many segments of the market he didn’t touch.”

Philip Cunningham Bolger was born on Dec. 3, 1927, in Gloucester, where he grew up whittling boats and watching real ones being built in a harbor boatyard. His older brother gave him his first boat when he was 7. His father died when he was a boy, and he was raised largely by his mother, Ruth, who encouraged independent thinking and guided him to books. (Mr. Bolger was a voracious reader.)

As an adult, he lived with his mother until her death in the late 1980s, after which he moved onto a boat. He and Ms. Altenburger were married in 1994. She is his only survivor.

Mr. Bolger’s grandfather had been an inventor who specialized in sheet metal and whose business, the Success Manufacturing Company, made its reputation producing steel iceboxes. When Philip was young, his grandfather lost his mental faculties, Ms. Altenburger said, leading not only to his company’s demise and changing what Philip thought would be his future, but also making an impression on him that affected the way he ultimately chose to die.

Mr. Bolger served in the Army just after World War II and graduated from Bowdoin College in Maine, where he studied history. He then turned to boat building as a career, serving apprenticeships with Lindsay Lord, a premier designer of recreational power boats, and John Hacker, a leading designer of racing boats.

Mr. Bolger wrote about boat design as well. Of his many books, the best known is “Boats With an Open Mind” (1994), an explication of 75 different boat designs, written in precise, personal prose. “The sides are too high to row comfortably, but she’ll carry four men and a big, frightened dog,” he wrote of a boat called Brick, one of his inelegant but practical boxes, “with plenty of buoyancy left, still able to sail though with lots of noisy waves.”

That insouciance was typical of Mr. Bolger.

“He was not held by any strings to conventional wisdom,” Mr. Devlin said. “He broke the boundaries. He allowed us to believe nothing was heresy.”

Jan 25, 2010

Verizon Business reveals details of Encryption Key Compromises

Verizon Business recently held a webinar titled “Don’t be the next victim on PIN-Based attacks.”

In the webinar, Verizon revealed that there have been several PIN breaches and described the most common attacks against encrypted debit PINs. While the method of obtaining the encryption keys varies, these attacks have one thing in common: they occur when criminal organizations enter a system in the payments infrastructure and take over, or control, the HSM (Host Security Module) used for debit key translation between different payment system processors. These attacks can occur against financial institutions as well as retailers that have installed HSMs for PIN translation.

The top threats identified in the webinar are:
• PIN Block Translation Attack
• HSM API Brute Force Attack
• Lack of Unique Keys per Device/Zone
• Use of weak keys

The PIN Block Translation attack takes advantage of a weak PIN encryption format that HSMs still include for compatibility reasons. The format, called IBM/Diebold, has only 10,000 possible PIN combinations, whereas the standard ANSI X9.8 PIN block format has 1,000,000,000,000,000,000,000,000,000 combinations. In this attack, criminals first breach the payment system network and then gain control of the HSM. They issue commands that have the HSM build a table of all 10,000 possible PINs encrypted in the IBM/Diebold format. They then use the HSM's PIN translation capability to translate all DES- or TDES-encrypted PINs into the IBM/Diebold format, using an IBM/Diebold encryption key that they have also loaded into the HSM. Finally, they simply look up each translated PIN in the table and read off the clear PIN.

A note – Verizon reports that gaining logical access to the HSM is easier than many people think, and that it happens far more frequently than many expect.

The HSM API Brute Force attack is similar to the PIN Block Translation Attack, but it works without taking advantage of the IBM/Diebold format. Like the PIN Block Translation Attack, this also requires logical access to the HSM, gained by criminals after breaching the payment system network. Hackers break the encrypted PINs much like solving an algebra problem, sending millions of commands to the HSM until they are able to recover the PIN behind an encrypted PIN block. These commands are usually issued via batch or script files. This attack is not technically difficult, but it does require much more time and processing power.

The Lack of Unique Keys per Device/Zone attack generally only occurs against retailers, although some ATM networks and gateways have also been breached because they are still using Master Session keys. This attack is usually aided by finding encrypted PIN block information in places like TLOG files and again uses a brute force type of attack against the encrypted PINs.

The fourth common method of attack against encrypted PINs takes advantage of weak DES (single DES) keys. In 1998, in a high-tech lab environment, DES keys were cracked in 56 hours. By 2007, DES keys could be cracked with a server costing less than $10,000 in 6 days.

There is also a Russian criminal gang that offers a fee-based DES cracking service. Ship a POS PED to the gang overnight and they will return the DES keys within 72 hours for $250,000, or you get your money back.

They also presented some best practices to reduce the risk of a PIN encryption key compromise, as well as ways to minimize the impact if a debit encryption key is breached.
• Replace any HSMs that support the IBM/Diebold format, or upgrade the software so that it no longer supports the IBM/Diebold format.
• Do not use Master Session keys, as a breach of one location’s keys would give attackers access to encrypted PINs from all devices.
• Review HSM logs and look for high volumes of unusual transactions like PIN translations.
• Review access to the HSM and make sure that only authorized programs are able to send it commands.
• Upgrade to TDES keys, as they are much more difficult to breach than single DES keys.
• Make sure your terminals are securely mounted and that terminals in storage and transit are properly protected so they cannot be sent to Russian criminal gangs to have their encryption keys extracted.
• As per current PCI PIN security requirements, a key should only be used for a single purpose (e.g. debit PIN encryption, terminal authentication, end-to-end encryption, file signing). This limits the impact of a breach if one key is compromised.
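Both the translation attack and the API brute force attack described above show up in an HSM's command log as a flood of translation commands, often from a host that has no business talking to the HSM. The following added example (not code from Verizon or any HSM vendor) reviews a log for exactly those two signs, an unauthorized requesting host and a burst of PIN translations; the log layout and the command names `PIN_TRANSLATE` and `PIN_VERIFY` are constructed labels for this illustration, not a vendor's real command codes, and the log is assumed to be in chronological order.

```python
"""Review an HSM command log for commands from hosts not authorized to talk to
the HSM and for bursts of PIN translation commands. Added example: the log
layout and the command names are constructed labels, not a vendor's real
command codes; lines are assumed to be in chronological order."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: timestamp, requesting host, command, result.
SAMPLE_LOG = """\
2010-01-20T09:00:01 switch-app-01 PIN_TRANSLATE ok
2010-01-20T09:00:02 switch-app-01 PIN_VERIFY ok
2010-01-20T09:00:05 switch-app-01 PIN_TRANSLATE ok
2010-01-20T09:01:00 db-report-07 PIN_TRANSLATE ok
2010-01-20T09:01:01 db-report-07 PIN_TRANSLATE ok
2010-01-20T09:01:01 db-report-07 PIN_TRANSLATE ok
2010-01-20T09:01:02 db-report-07 PIN_TRANSLATE ok
2010-01-20T09:01:02 db-report-07 PIN_TRANSLATE ok
2010-01-20T09:01:03 db-report-07 PIN_TRANSLATE ok
2010-01-20T09:05:00 switch-app-01 PIN_TRANSLATE ok
"""

AUTHORIZED_HOSTS = {"switch-app-01"}    # only the payment switch may command the HSM
TRANSLATE_COMMANDS = {"PIN_TRANSLATE"}  # commands that re-encrypt a PIN block under another key
RATE_LIMIT = 5                          # translations per host tolerated inside one window
WINDOW = timedelta(seconds=60)


def parse_log(text):
    """Turn log lines into (timestamp, host, command) tuples, skipping blanks."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, host, command, _result = line.split()
        events.append((datetime.fromisoformat(stamp), host, command))
    return events


def review_hsm_log(events, authorized=AUTHORIZED_HOSTS, limit=RATE_LIMIT, window=WINDOW):
    """Return alerts as (kind, host, timestamp). Each host is reported at most
    once per kind, so a scripted burst does not bury the console in duplicates."""
    alerts = []
    unauthorized_seen = set()
    burst_seen = set()
    recent = defaultdict(deque)  # per-host timestamps of translations within the window
    for stamp, host, command in events:
        if host not in authorized and host not in unauthorized_seen:
            unauthorized_seen.add(host)
            alerts.append(("UNAUTHORIZED_HOST", host, stamp))
        if command in TRANSLATE_COMMANDS:
            window_hits = recent[host]
            window_hits.append(stamp)
            # Drop translations that have aged out of the sliding window.
            while stamp - window_hits[0] > window:
                window_hits.popleft()
            if len(window_hits) > limit and host not in burst_seen:
                burst_seen.add(host)
                alerts.append(("TRANSLATION_BURST", host, stamp))
    return alerts


if __name__ == "__main__":
    for kind, host, stamp in review_hsm_log(parse_log(SAMPLE_LOG)):
        print(f"{stamp.isoformat()} {kind} {host}")
```

On the sample log the authorized switch, at three translations in five minutes, is silent, while `db-report-07` is flagged once for not being on the allow-list and once more when its sixth translation inside a minute crosses the limit.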

The webinar was presented by Chris Novak, Managing Principal, Forensics Americas, and Matthijs van de Wel, Managing Principal, Forensics EMEA.

How a gang stole $9.4 million from 280 ATMs in 12 hours

The top line from the RBS WorldPay caper reads like a trailer for George Clooney’s next Ocean’s 11 summer blockbuster: An elite Euro-Russian cybergang uses the Internet to remotely crack deep inside the network of a giant U.S. debit- and credit-card processor. The gang swipes and decrypts valuable debit-card account data; and then sets into motion a globe-spanning, multi-million dollar score.
Moving fast to avoid detection, an army of accomplices carrying blank payment cards embedded with stolen debit account numbers hit up 2,100 ATMs in 280 cities in eight countries — in just 12 hours! Total take: a cool $9.4 million.
See related commentary: Why cybercrime is here to stay
In Hollywood, the ring leaders would smugly disband. Not this time, though. The bad guys got caught, thanks to unprecedented collaboration of U.S. and Estonian police, whose leaders bridged a geopolitical/cultural chasm to save the day — but that’s another movie.
What follows is a blow-by-blow account of the RBS WorldPay caper, based on security experts extrapolating details revealed in the 10Nov2009 indictment of Viktor Pleshchuk, 28, of St. Petersburg, Russia; Sergei Tsurikov, 25, of Tallinn, Estonia; Oleg Covelin, 28, of Chisinau, Moldova; and a co-defendant identified only as “Hacker 3.”
They and four others were charged with wire fraud, computer fraud and identity theft, as outlined in this indictment and this FBI press release.
The easy part: initial breach
Pleshchuk, Tšurikov, and Covelin gained “unauthorized access” into RBS WorldPay, the Atlanta, GA-based payment processing division of the Royal Bank of Scotland Group. But authorities don’t spell out precisely how they did this.
They certainly did not piggyback onto RBS’s WiFi systems, as hacker Albert Gonzalez did to initially penetrate retailer TJX’s internal network to steal 94 million payment card transaction records. RBS doesn’t use WiFi as a convenience tool that can be hacked by anyone with a cheap antenna, as many giant retail chains do.
According to the indictment, Oleg Covelin, based in Moldova, “learned of the vulnerability in the RBS WorldPay computer network” and provided that intelligence to Tsurikov in Estonia.
This is the second indictment of Covelin in three months. In September, he was one of five eastern European men indicted in New York on Monday as part of an international ID theft ring, known as the Western Express Cybercrime Group.
Covelin and Tsurikov recruited the Russian hacker Pleshchuk and the mysterious Hacker 3 to figure out how best to exploit the security hole. They very well may have used a SQL injection attack on one of RBS’s public-facing Web pages. This is a tried-and-true attack vector, used in the infamous Heartland Payment Systems breach.
Or they could have hacked into security holes in one of RBS’s mail servers or Web servers — one not current on all of its security patches, says Chris Wysopal, CTO of applications security firm Veracode.
This was the easy part. “Breaching a perimeter is pretty well understood,” says Wysopal.
Scanning for jackpot servers
Once the intruders got inside RBS’s internal network on 04Nov2008, they immediately began looking for jackpot servers. This is fairly simple to do, as well. They probably used Nmap, or some other free port scanning tool, to quickly locate all servers storing Microsoft SQL Server databases.
Locating, accessing and extracting data from SQL databases from inside the “soft, chewy center of corporate networks” is fairly trivial stuff, says Don Jackson, senior researcher at SecureWorks.
Wysopal surmises that the bad guys took their sweet time culling through harvested data, sorting perhaps millions of credit and debit card account numbers. This would seem to suggest that RBS’s intrusion detection systems failed to send up any red flags as a result of the perimeter breach or the internal SQL database breaches. Or if it did, RBS ignored them.
At some point, the ring leaders stumbled upon 44 prepaid payroll debit accounts — 42 issued by Palm Desert National Bank. Companies use such accounts to pay their workers. Each gets a debit card to use to withdraw pay at ATMs; the company deposits salaries at bi-weekly or monthly intervals.
“I don’t think they were targeting any particular accounts,” says Wysopal. “These tend to be crimes of opportunity. They may have been probing all kinds of banking networks, found a way into this one, took a look around at vulnerable systems, found this ATM data, and went down this road.”
Finding and cracking ‘PIN blocks’
The thieves also needed PINs to make the ATM withdrawals. Elite cyber gangs know that payment processors typically store account PINs in a separate server called a “high security module,” or HSM server. The same port scanning tool, such as Nmap, used to locate SQL databases holding account numbers can be easily tweaked to seek out HSM servers holding PINs, says Wysopal.
“They knew enough there would be a specialized machine, where the PINs would be stored,” says Wysopal. “They knew the PINs would be encrypted and that they’d have to do some research to learn how it worked, and how to decrypt it.”
PIN cracking research isn’t nearly as commonplace as the knowledge base on spamming, phishing and SQL injection. But it is out there on the Internet, as a white paper titled The Unbearable Lightness of PIN Cracking, delivered at the Financial Cryptography and Data Security 2007 conference, attests.
The members of this cyber gang appear to be brilliant at multi-tasking. While they were working to find and decrypt the needed PINS, they also manipulated the SQL databases holding the account information, raising the limits for ATM withdrawals. “It is not clear how the attackers accessed the SQL server, whether it was a command-line on the server itself, another machine, or perhaps through SQL Injection,” says Wysopal.
Meanwhile, they also readied 44 counterfeit debit cards, each faked card carrying a stolen payroll account number on its magnetic stripe, and organized a global network of “cashers” to use the 44 cards at 2,100 ATMs in 280 cities in the United States, Russia, Ukraine, Estonia, Italy, Hong Kong, Japan and Canada.
All of this – the 44 faked cards with account numbers and PINs and the global network of cashers – was in place, tested and ready to go by Nov. 8. The gang even prepared coding routines to access RBS’s network to monitor the planned withdrawals in real time, and, afterward, destroy data to try to erase their tracks from the system, according to the indictment.
Wave of thievery
The climactic cashout went like clockwork. For 12 hours, the cashers hit ATM after ATM, extracting $9.4 million. And then the operation shut down. The indictment gives a few snapshots of this globe-spanning wave of thievery.
Hacker 3 was responsible for managing the network of 44 cashers. Each would get to keep 30% to 50% of the stolen funds, transferring the balance to Hacker 3, who was in charge of distributing shares to the other ring leaders.
The withdrawals, as directed by Hacker 3, followed a strictly coordinated time schedule; Pleshchuk and Tsurikov monitored the ATMs dishing out cash in real time from inside RBS’s network.
Tsurikov also managed a team of four cashers who hit ATMs in his home country, Estonia. They pulled out $289,000. Estonian police, working closely with the FBI, arrested the entire band. Information from the Estonian arrests led to the identification and arrest of a pair of cashers in Hong Kong.
Uri Rivner, Head of New Technologies, Identity Protection & Verification at RSA, The Security Division of EMC, says the gang’s technical prowess was unremarkable. “The technical aspects in this case were not that impressive,” says Rivner. “But the level of coordination was staggering.”
Rivner says Pleshchuk, Tšurikov, Covelin and Hacker 3 likely spent months on private chat channels and Internet forums plotting and recruiting accomplices.
“They cloned 44 cards and gave them to an army of cashiers, that went from ATM to ATM in their local cities,” says Rivner. “So, on average, each cloned card was used in 47 ATMs in six adjacent towns. Managing time zone issues and coordinating cashers in eight nations – all required to hit as many ATMs as possible within 12 hours – makes me think of an Al Qaeda-like strategy of multiple attacks in a single day.”
“A lot of planning and a very high degree of international cooperation went into this scam.”

PIN Crackers Nab Holy Grail of Bank Card Security

Hackers have crossed into new frontiers by devising sophisticated ways to steal large amounts of personal identification numbers, or PINs, protecting credit and debit cards, says an investigator. The attacks involve both unencrypted PINs and encrypted PINs that attackers have found a way to crack, according to an investigator behind a new report looking at the data breaches.
The attacks, says Bryan Sartin, director of investigative response for Verizon Business, are behind some of the millions of dollars in fraudulent ATM withdrawals that have occurred around the United States.
"We’re seeing entirely new attacks that a year ago were thought to be only academically possible," says Sartin. Verizon Business released a report Wednesday that examines trends in security breaches. "What we see now is people going right to the source … and stealing the encrypted PIN blocks and using complex ways to un-encrypt the PIN blocks."
The revelation is an indictment of one of the backbone security measures of U.S. consumer banking: PIN codes. In years past, attackers were forced to obtain PINs piecemeal through phishing attacks, or the use of skimmers and cameras installed on ATM and gas station card readers. Barring these techniques, it was believed that once a PIN was typed on a keypad and encrypted, it would traverse bank processing networks with complete safety, until it was decrypted and authenticated by a financial institution on the other side.
But the new PIN-hacking techniques belie this theory, and threaten to destabilize the banking-system transaction process.
Information about the theft of encrypted PINs first surfaced in an indictment last year against 11 alleged hackers accused of stealing some 40 million debit and credit card details from TJ Maxx and other U.S. retail networks. The affidavit, which accused Albert "Cumbajohnny" Gonzalez of leading the carding ring, indicated that the thieves had stolen "PIN blocks associated with millions of debit cards" and obtained "technical assistance from criminal associates in decrypting encrypted PIN numbers."
But until now, no one had confirmed that thieves were actively cracking PIN encryption.
Sartin, whose division at Verizon conducts forensic investigations for companies that experience data breaches, wouldn’t identify the institutions that were hit or indicate exactly how much stolen money was being attributed to the attacks, but according to the 2009 Data Breach Investigations report, the hacks have resulted in "more targeted, cutting-edge, complex, and clever cybercrime attacks than seen in previous years."
"While statistically not a large percentage of our overall caseload in 2008, attacks against PIN information represent individual data-theft cases having the largest aggregate exposure in terms of unique records," says the report. "In other words, PIN-based attacks and many of the very large compromises from the past year go hand in hand."
Although there are ways to mitigate the attacks, experts say the problem can only really be resolved if the financial industry overhauls the entire payment processing system.
"You really have to start right from the beginning," says Graham Steel, a research fellow at the French National Institute for Research in Computer Science and Control who wrote about one solution to mitigate some of the attacks. "But then you make changes that aren’t backwards-compatible."
PIN hacks hit consumers particularly hard, because they allow thieves to withdraw cash directly from the consumer’s checking, savings or brokerage account, Sartin says. Unlike fraudulent credit card charges, which generally carry zero liability for the consumer, fraudulent cash withdrawals that involve a customer’s PIN can be more difficult to resolve since, in the absence of evidence of a breach, the burden is placed on the customer to prove that he or she didn’t make the withdrawal.
Some of the attacks involve grabbing unencrypted PINs, while they sit in memory on bank systems during the authorization process. But the most sophisticated attacks involve encrypted PINs.
Sartin says the latter attacks involve a device called a hardware security module (HSM), a security appliance that sits on bank networks and on switches through which PIN numbers pass on their way from an ATM or retail cash register to the card issuer. The module is a tamper-resistant device that provides a secure environment for certain functions, such as encryption and decryption, to occur.
According to the payment-card industry, or PCI, standards for credit card transaction security, PIN numbers are supposed to be encrypted in transit, which should theoretically protect them if someone intercepts the data. The problem, however, is that a PIN must pass through multiple HSMs across multiple bank networks en route to the customer’s bank. These HSMs are configured and managed differently, some by contractors not directly related to the bank. At every switching point, the PIN must be decrypted, then re-encrypted with the proper key for the next leg in its journey, which is itself encrypted under a master key that is stored in the module.
The most common method Sartin says criminals are using to get the PINs is to fool the application programming interface (or API) of the hardware security module into helping them "understand or manipulate one key value."
"Essentially, the thief tricks the HSM into providing the encryption key," he says. "This is possible due to poor configuration of the HSM or vulnerabilities created from having bloated functions on the device."

Sartin says HSMs need to be able to serve many types of customers in many countries where processing standards may be different from the U.S. As a result, the devices come with enabled functions that aren’t needed and can be exploited by an intruder into working to defeat the device’s security measures. Once a thief captures and decrypts one PIN block, it becomes trivial to decrypt others on a network.
Other kinds of attacks occur against PINs after they arrive at the card-issuing bank. Once encrypted PINs arrive at the HSM at the issuing bank, the HSM communicates with the bank’s mainframe system to decrypt the PIN and the customer’s 16-digit account number for a brief period to authorize the transaction.
During that period, the data is briefly held in the system’s memory in unencrypted form.
Sartin says some attackers have created malware that scrapes the memory to capture the data.
"Memory scrapers are in as much as a third of all cases we’re seeing, or utilities that scrape data from unallocated space," Sartin says. "This is a huge vulnerability."
He says the stolen data is often stored in a file right on the hacked system.
"These victims don’t see it," Sartin says. "They rely almost purely on anti-virus to detect things that show up on systems that aren’t supposed to be there. But they’re not looking for a 30-gig file growing on a system."
Information about how to conduct attacks on encrypted PINs isn’t new and has been surfacing in academic research for several years. In the first paper, in 2003, a researcher at Cambridge University published information about attacks that, with the help of an insider, would yield PINs from an issuer bank’s system.
The paper, however, was little noticed outside academic circles and the HSM industry. But in 2006, two Israeli computer security researchers outlined an additional attack scenario that got widespread publicity. The attack was much more sophisticated and also required the assistance of an insider who possessed credentials to access the HSM and the API and who also had knowledge of the HSM configuration and how it interacted with the network. As a result, industry experts dismissed it as a minimal threat. But Steel and others say they began to see interest for the attack research from the Russian carding community.
"I got strange Russian e-mails saying, Can you tell me how to crack PINs?" Steel recalls.
But until now no one had seen the attacks actually being used in the wild.
Steel wrote a paper in 2006 that addressed attacks against HSMs as well as a solution to mitigate some of the risks. The paper was submitted to nCipher, a British company that manufactures HSMs and is now owned by Thales. He says the solution involved guidelines for configuring an HSM in a more secure manner and says nCipher passed the guidelines to customers.
Steel says his solution wouldn’t address all of the types of attacks. To fix the problem would take a redesign.
But he notes that "a complete rethink of the system would just cost more than the banks were willing to make at this time."
Thales is the largest maker of HSMs for the payment-card and other industries, with "multiple tens of thousands" of HSMs deployed in payment-processing networks around the world, according to the company. A spokesman said the company is not aware of any of the attacks on HSMs that Sartin described, and noted that Thales and most other HSM vendors have implemented controls in their devices to prevent such attacks. The problem, however, is how the systems are configured and managed.
"It’s a very difficult challenge to protect against the lazy administrator," says Brian Phelps, director of program services for Thales. "Out of the box, the HSMs come configured in a very secure fashion if customers just deploy them as is. But for many operational reasons, customers choose to alter those default security configurations — supporting legacy applications may be one example — which creates vulnerabilities."
Redesigning the global payment system to eliminate legacy vulnerabilities "would require a mammoth overhaul of virtually every point-of-sale system in the world," he says.
Responding to questions about the vulnerabilities in HSMs, the PCI Security Standards Council said that beginning next week the council would begin testing HSMs as well as unattended payment terminals. Bob Russo, general manager of the global standards body, said in a statement that although there are general market standards that cover HSMs, the council’s testing of the devices would "focus specifically on security properties that are critical to the payment system." The testing program conducted in council-approved laboratories would cover "both physical and logical security properties."
Update: Due to an editing error, a previous version of this article stated that the master key is stored in the API of the hardware security module. It should have said that criminals can manipulate the API to trick it into revealing information about the key. The key is stored in the HSM, not in the API.

Read More http://www.wired.com/threatlevel/2009/04/pins/#ixzz0dcNkbVVM

Verizon: Data Breaches Getting More Sophisticated

Methods of stealing data are becoming increasingly sophisticated, but attackers are still gaining initial access to networks through known, preventable vulnerabilities, according to a report released by Verizon Business on Wednesday.

“The attackers still usually get in the network through some relatively mundane attacks,” said Wade Baker, research and intelligence principal for Verizon Business’s RISK Team, in an interview. “But once they’re in, they’re getting more and more adept at getting the data they want and getting it effectively and silently. And we seem to be on a plateau in terms of our ability to detect [them].”

For example, while companies have been expanding their use of encryption to protect bank card data in transit and in storage, hackers countered with RAM scrapers that grab data during the few seconds it’s unencrypted and transactions are being authorized.

“A paper was published about the theoretical possibility of this about three years ago,” Baker said. “But 2008 was the first time we saw [the attacks] live and active. It is a fairly sophisticated attack to be able to grab data from memory.”

The attacks are detailed in a new report issued by Verizon’s RISK Team, which conducts forensic investigations for companies that experience a breach. The report supplements the company’s 2009 Data Breach Investigations report, released in April. That report also indicated that thieves were conducting “more targeted, cutting-edge, complex” attacks, but provided few details.

The supplement provides case studies, involving anonymous Verizon clients, that describe some of the tools and methods hackers used to compromise the more than 285 million sensitive records that were breached in 90 forensic cases Verizon handled last year.

In one case, for example, a simple SQL injection attack opened the door for intruders to breach the entire network of an unidentified consumer banking institution. Once inside, the attackers got into the hardware security modules (HSMs) for the bank’s ATM system, from which they were able to grab account numbers and PINs.

An HSM is a tamper-resistant box that sits on bank networks to provide a secure environment for encryption and decryption of PINs as card transactions pass from ATM or retail cash register to the card issuer for authentication. When transaction data hits the HSM, the PIN is decrypted for a fraction of a second, then re-encrypted with a key for the next leg in its journey, which is itself encrypted under a master key that is stored in the module.

But as Threat Level reported previously, thieves have found a way to fool the application programming interface, or API, of the HSM into revealing the encryption key to them.

Academic papers published in the last few years have described theoretical attacks against HSMs, but generally an attacker needed physical access to the device to exploit it. In the Verizon case, however, the hackers were able to remotely attack the HSM because the bank had installed no access controls to protect it from unauthorized personnel, and the HSM was accessible from “hundreds of systems” in the bank’s network, making it vulnerable to attack from anyone. For several months, the attackers siphoned data out of the network via FTP connections to IP addresses in South America.

Baker said most companies are starting to disable command capabilities in HSMs to prevent an attacker from exploiting the API. But Verizon has seen cases where an attacker reverted the software on a secured HSM to its previous vulnerable version — essentially restoring the command capability and making it open to attack again.

SQL injection attacks were one of the most common methods of breaching systems in the cases that are highlighted in the Verizon report. They were used in 19 percent of the cases and accounted for 79 percent of the breached records.

A SQL injection attack is generally conducted through a website to its backend database and is often the first simple step in what becomes a more sophisticated attack once the hacker is in the network. By sending special attack commands through a vulnerable website to the backend database, a hacker can obtain access to the database, change data in it or use it as a jumping off point to install a sniffer, keystroke logger or backdoor on the network.

Verizon describes the case of one Europe-based processor of prepaid debit cards who discovered it had been hacked when it conducted a routine review of transaction balances on a Monday morning. The attackers, who entered the system from IP addresses based in Russia, had used SQL commands to increase the balance on multiple card accounts.

The processor discovered the activity because the balances didn’t match the amounts the merchants who sold the cards had recorded as deposits into the accounts. The hackers also increased the withdrawal limits on the cards. In a coordinated attack over one weekend, mules around the world withdrew more than 3 million euro from ATMs before the company discovered the problem.

Another card processor was also breached through a SQL injection attack. In this case, the attackers installed “an extensive array” of packet sniffers on the processor’s network to map it out and locate card data. Then they installed keystroke loggers to record administrative passwords to get into the core payment system and installed other sniffers that siphoned millions of transactions records.

Point-of-sale (POS) systems were another popular target in Verizon’s caseload.

A U.S. restaurant chain was using a point-of-sale system that stored unencrypted card data, in violation of the payment card industry security guidelines. The thieves were able to get into the restaurant chain’s system because a third-party company hired to install the POS system in each restaurant neglected to change the system’s default password. Intruders had been in the system for “years” siphoning card data, Verizon reported.

Verizon wouldn’t identify the restaurant chain or the company that installed its POS system. But Threat Level reported on a case last week that involved seven restaurant chains that are suing the maker of a point-of-sale system and the company that installed the system in their restaurants for the same kinds of vulnerabilities described in Verizon’s report.

The suit claims that the POS systems stored card-transaction data in violation of PCI guidelines and that the company that installed the systems at the restaurants failed to change the vendor’s default passwords. The defendants in that suit are Radiant, maker of the Aloha POS system, and Computer World, a Louisiana-based company that installed the systems in the restaurants.

Another Verizon case involving POS systems affected a number of unrelated supermarkets across the country that were all breached through an attack originating from a single IP address in South Asia.

The attacker used legitimate credentials to gain access, but rather than having the same default credentials, the systems used different logins and passwords. Verizon discovered that the supermarkets had all hired the same third-party firm to manage their POS systems. It turned out that an attacker had hacked the firm and stolen its customer list, which identified the unencrypted log-in credentials the firm used to access the POS system at each supermarket.

Jan 21, 2010

E-Clear, credit card processor involved in the Globespan collapse, goes under

E-Clear, the credit card processing company, has been put into administration after failing to prove that it has enough funds to pay its debts to Globespan, the collapsed Scottish airline.
A high court order approved the administration after the company failed "to submit evidence of funds", according to PricewaterhouseCoopers, Globespan's administrators.
PwC claimed that the payment firm had received £35m from Globespan customers that had not been passed on to the airline. "Over the last month we have sought financial reassurance from E-Clear and are disappointed that the funds are no longer there," said PwC partner Bruce Cartwright.
Of the £35m total PwC claims, about £12.5m is in fact due to be returned, as the money relates to flights that did not take place. As many as 50,000 customers paid for flights by credit card or Visa debit and are owed rebates by their credit card company, PwC said.
E-Clear is also being pursued in two legal disputes linked to alleged overdue payments owed to collapsed Slovakian airline SkyEurope and Canadian travel firm Go Travel Direct. E-Clear contests all the allegations.
E-Clear specialised in providing payment processing services to smaller firms that were considered too great a risk by other credit card processors. The travel industry is considered among the highest risk sectors for payment firms because it involves large lumps of money often received long in advance of the flight or holiday date.
E-Clear is owned by a parent group in Cyprus, and moved its head office to a Mayfair address four years ago. Its chief executive, Elias Elia, a Greek Cypriot, has been involved in the travel industry for years.
Elia was also the controlling shareholder in Allbury Travel Group, a Hertfordshire travel agent, until it collapsed leaving 100 holidaymakers to be repatriated by the Civil Aviation Authority last month. The travel agency used E-Clear as a payment processor.

EFTPOS attacks net card-skimming gangs $50m

NSW is at the centre of an unprecedented attack by an international criminal gang on retailers' EFTPOS machines, fleecing $50 million. The wave of attacks on EFTPOS machines was yesterday described by NSW fraud squad head Detective Superintendent Colin Dyson as "the biggest I've seen". Fast-food, convenience and specialist clothing stores are bearing the brunt of the crime. McDonald's is among the outlets whose EFTPOS machines have been targeted.

People commonly swipe both credit and debit cards through the in-store machines to pay for goods and services at these outlets.  Supt Dyson said the criminal activity was "ongoing" and based in suburban Sydney and NSW coastal cities.  He said the NSW Police Strike Force Wigg had identified "50 persons of interest" from a criminal gang based "in a particular part of Asia". Many are currently outside of Australia. 
He urged people to change their credit and debit card PINs to reduce the chance of having their account balances wiped out, as it was likely more cases would be identified in the days to come.

"There is sometimes a lag between PINs being compromised and used," he said. "If someone whose details are skimmed changes their PIN quickly, the data can be useless to the criminal."  It is the first time EFTPOS machines have been the target of concentrated criminal activity in Australia.  While bank ATMs have long been targeted by gangs, the smaller in-shop EFTPOS devices have largely escaped compromise. Legitimate versions of retailers' EFTPOS PIN pads were stolen - in some cases through armed robberies - and replaced with compromised machines.  Last year, legitimate EFTPOS devices at McDonald's outlets across Perth were replaced with compromised card-skimming versions, with 3500 customers cheated of $4.5 million.

The recent problems with EFTPOS machines are believed to centre on older model in-store devices. McDonald's and other retailers are believed to have used Ingenico PX328 PIN pads, which, unlike newer models, are not tamper-resistant.  Other retailers using similar older model PIN pads include Australia Post, which has already indicated it will replace them with newer devices. But it is not just old machines. Supt Dyson said old card technology was causing its own problems.  "Australia is one of the last countries in the world to have chip technology (on credit and debit cards)," he said. "Criminals always attack the weakest link."

Protect your laptop

The largest single type of security breach is the stolen or lost laptop, according to the Open Security Foundation, yet these computers are among the least protected of all IT assets. The costs of a data breach can be huge, including the loss of trade secrets, marketing plans, and other competitive information that could have long-term business damage, plus the immediate costs of having to notify people if their personal information was possibly at risk from the breach. Particularly in a recession, enterprise management can't afford to take these risks lightly.

There is a way for IT to protect those laptops and the confidential information they contain: encryption. An operating system login password on its own protects nothing; anyone who pulls the drive out or boots the machine from removable media can read the hard drive contents and put them to nefarious use. Only encryption, keyed off a secret the thief does not have, stops that.

Perhaps the most important advantage of full disk encryption, though -- beyond the peace of mind it gives your business's lawyers -- is the "safe harbor" immunity that accrues under many data privacy regulations. For example, credit card disclosure rules don't apply to encrypted data, and even California's strict data-disclosure statute makes an exception for encrypted records -- provided you can prove they're encrypted. That's trivial with full disk encryption but not so easy with partial encryption techniques, which depend on user education for safe operation.

A key challenge for IT in deploying encryption on its laptops is the sheer number of encryption options available. Some Windows Vista editions, as well as the forthcoming Windows 7, support Microsoft's built-in BitLocker encryption, and numerous third-party encryption products cover the range of mobile operating systems from XP through Windows 7, Linux, and Mac OS X. Encryption granularity is widely variable as well, ranging from protecting individual files to encrypting virtual disks to deploying fully armored, hardware-based full disk encryption. Prices range from free to moderately expensive.

If you've put off laptop data security due to perceived technical shortcomings or high costs, you need to take another look at the field -- before you lose another laptop.

The maximum encryption protection possible: TPM

Ideally, you'll deploy the full-metal-jacket approach to laptop data protection: full disk encryption using the Trusted Platform Module (TPM) technology. If you can afford the cost, waste no time with inferior methods. All you need is a laptop containing a TPM security coprocessor and, optionally, a self-encrypting drive from one of the major hard drive manufacturers.

The TPM is a chip soldered onto the laptop's motherboard, providing hardware-based device authentication, tamper detection and protected key storage. With TPM-backed full disk encryption the key that encrypts the drive is never stored in the clear: the TPM "seals" it against measurements of the firmware and boot loader taken at every start-up, and releases it only when those measurements match the state recorded when the drive was encrypted. A drive removed from the laptop and attached to another computer therefore cannot be decrypted from its contents alone, even by an attacker who has the user's PIN or disk password but not the original TPM, and a boot loader that has been tampered with or replaced leaves the key locked. Because the sealed key can be opened only by the TPM that created it, in the boot state it was created in, desoldering the chip and moving it to another machine does not help either. Two caveats a deployment should plan for: the TPM protects data at rest only, so a laptop stolen while powered on or sleeping with the volume unlocked is exposed, and TPM-only mode without a boot PIN unlocks the volume automatically for anyone who can boot the machine and then attack the running operating system. Requiring a PIN at boot and hibernating or shutting down rather than sleeping closes both gaps.
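The seal-and-release mechanism is easy to get wrong in one's head, so here is an added toy model (written for this page; it is not TPM firmware, BitLocker code or anything from the article) that simulates PCR extension, seals a volume key to a boot measurement, and runs the three cases that matter: a normal boot, a modified boot loader, and the drive moved to a different machine. The boot component names, the HMAC-based sealing construction and the XOR wrap are assumptions of the model; a real TPM uses AES and its own command set.

```python
# Added toy model of TPM-style measured boot and key sealing (not real TPM
# firmware or BitLocker code). A real TPM keeps the root secret in silicon and
# exposes PCR extend and seal/unseal as commands; here the same control flow is
# simulated in pure Python so it can be followed end to end.
from __future__ import annotations

import hashlib
import hmac
import os


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """PCR extend as a TPM does it: new PCR = H(old PCR || H(component))."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()


def measure_boot(components: list[bytes]) -> bytes:
    """Replay the boot chain into one PCR, starting from the all-zero reset value."""
    pcr = bytes(32)
    for component in components:
        pcr = pcr_extend(pcr, component)
    return pcr


class ToyTPM:
    """Minimal TPM: an unexportable root secret plus seal/unseal bound to a PCR value."""

    def __init__(self) -> None:
        self._root = os.urandom(32)  # generated inside the 'chip', never exported

    def _policy_key(self, pcr: bytes) -> bytes:
        # Key material that exists only for this TPM *and* this exact boot state.
        return hmac.new(self._root, b"seal|" + pcr, hashlib.sha256).digest()

    def seal(self, secret: bytes, pcr: bytes) -> dict:
        """Wrap a 32-byte secret (e.g. the volume master key) to the given PCR value."""
        key = self._policy_key(pcr)
        stream = hashlib.sha256(key + b"|stream").digest()
        blob = bytes(a ^ b for a, b in zip(secret, stream))  # toy cipher; real TPMs use AES
        tag = hmac.new(key, pcr + blob, hashlib.sha256).digest()
        return {"pcr": pcr, "blob": blob, "tag": tag}

    def unseal(self, sealed: dict, current_pcr: bytes) -> bytes:
        """Release the secret only if the boot state matches and the blob is ours."""
        if not hmac.compare_digest(sealed["pcr"], current_pcr):
            raise PermissionError("boot measurements differ from the sealed policy")
        key = self._policy_key(current_pcr)
        expected = hmac.new(key, sealed["pcr"] + sealed["blob"], hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sealed["tag"]):
            raise PermissionError("blob was not sealed by this TPM")
        stream = hashlib.sha256(key + b"|stream").digest()
        return bytes(a ^ b for a, b in zip(sealed["blob"], stream))


# Constructed boot chain: firmware, boot loader, OS loader, standing in for image bytes.
GOOD_CHAIN = [b"firmware-v1", b"bootmgr-signed", b"winload-signed"]
TAMPERED_CHAIN = [b"firmware-v1", b"bootmgr-evil", b"winload-signed"]


def run_scenarios() -> dict:
    """Return, per scenario, whether the volume key is recovered (True = decryptable)."""
    laptop = ToyTPM()
    volume_key = os.urandom(32)
    sealed = laptop.seal(volume_key, measure_boot(GOOD_CHAIN))

    def attempt(tpm: ToyTPM, chain: list[bytes]) -> bool:
        try:
            return tpm.unseal(sealed, measure_boot(chain)) == volume_key
        except PermissionError:
            return False

    return {
        "normal_boot": attempt(laptop, GOOD_CHAIN),
        "modified_bootloader": attempt(laptop, TAMPERED_CHAIN),
        # Drive (with its sealed blob) moved to another machine running identical software.
        "drive_in_other_machine": attempt(ToyTPM(), GOOD_CHAIN),
    }


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name}: {'key released' if ok else 'key withheld'}")
```

The third case is the one the paragraph makes: even with byte-identical firmware and boot loader, and so identical measurements, a different TPM has a different root secret and cannot open the blob. Note what the model does not cover: once the key has been released on a normal boot it lives in RAM, which is exactly why the boot PIN and hibernate-not-sleep advice matters.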

Secure USB Drives Not So Secure

Several hardware-encrypted USB memory sticks are now part of a worldwide recall and require security updates because they contain a flaw which could allow hackers to easily gain access to the sensitive information contained on the device.  When USB maker SanDisk first received news of the problem last month, the vendor issued a security bulletin that warned customers its Cruzer Enterprise series of USB flash drives contained a vulnerability in the access control mechanism. SanDisk offered a product update online to address the issue and made sure to note the problem only applied to the application running on the host, not the device hardware or firmware.

Now USB vendor Kingston has jumped in with a similar warning, probably because their drives utilize the same code from SanDisk. Kingston's alert informs customers that "a skilled person with the proper tools and physical access to the drives may be able to gain unauthorized access to data contained" on the drives. The company has issued a recall on the devices and urged customers to return them. A warning has also been issued by USB vendor Verbatim.

The drives impacted are equipped with AES 256-bit hardware encryption, which is designed to meet the stringent requirements of enterprise-level security. However, penetration testers with German security firm SySS uncovered a vulnerability in the way the flash drives handle passwords. The exact nature of the flaw is not described in any of the vendor bulletins, but according to an article in security publication The H, "the main point of attack for accessing the plain text data stored on the drive is the password entry mechanism." SySS testers found that once the password check had passed, the same fixed character string was sent to unlock the drive, regardless of what password had been entered. That let them write a tool that sends that string to the drive directly and unlocks it without knowing the password at all. The encryption itself was never broken; taken together with SanDisk's statement that only the host application was affected, the picture is of an authentication decision made in software on the PC, with the drive trusting whatever the PC told it.
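The failure mode in that paragraph, a host application that makes the authentication decision and then sends a constant unlock string to the device, is worth seeing side by side with the corrected design. The following added example (constructed for this page, not SySS's tool or any vendor's software; the token value, password, KDF parameters and toy key wrap are all invented) models both a drive that trusts the host and one that derives its key-wrapping key from the password on the device itself, and reports which attacks succeed against each.

```python
# Added illustration of the design flaw reported in the "secure" USB drives: the
# password check ran in the host application, which then sent a fixed unlock string
# to the drive. Everything here is a constructed toy model, not SySS's tool or any
# vendor's code; the token value, hash choice and key sizes are made up.
from __future__ import annotations

import hashlib
import hmac
import os


class VulnerableDrive:
    """Device side of the flawed design: it trusts a constant unlock string."""

    UNLOCK_TOKEN = bytes.fromhex("deadbeef" * 4)  # constructed; identical for every unit

    def __init__(self) -> None:
        self._data_key = os.urandom(32)  # the real AES key, unrelated to the password
        self.unlocked = False

    def unlock(self, token: bytes) -> bool:
        # The drive has no idea whether a password was ever entered, let alone checked.
        self.unlocked = hmac.compare_digest(token, self.UNLOCK_TOKEN)
        return self.unlocked


class VulnerableHostApp:
    """Host application: checks the password itself, then sends the constant."""

    def __init__(self, drive: VulnerableDrive, password: bytes) -> None:
        self.drive = drive
        self._pw_hash = hashlib.sha256(password).digest()

    def unlock(self, password: bytes) -> bool:
        if not hmac.compare_digest(hashlib.sha256(password).digest(), self._pw_hash):
            return False
        return self.drive.unlock(VulnerableDrive.UNLOCK_TOKEN)


def replay_attack(drive: VulnerableDrive) -> bool:
    """What the testers' tool amounted to: skip the host check, send the constant."""
    return drive.unlock(VulnerableDrive.UNLOCK_TOKEN)


class HardenedDrive:
    """Device derives the key-wrapping key from the password itself; the host decides nothing."""

    def __init__(self, password: bytes) -> None:
        self._salt = os.urandom(16)
        data_key = os.urandom(32)
        kek = self._kek(password)
        self._wrapped = bytes(a ^ b for a, b in zip(data_key, self._stream(kek)))
        self._tag = hmac.new(kek, self._salt + self._wrapped, hashlib.sha256).digest()
        self._data_key = None  # only ever populated by a successful unlock

    def _kek(self, password: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password, self._salt, 100_000)

    @staticmethod
    def _stream(kek: bytes) -> bytes:
        return hashlib.sha256(kek + b"|wrap").digest()  # toy keystream; real devices use AES

    def unlock(self, password: bytes) -> bool:
        kek = self._kek(password)
        expected = hmac.new(kek, self._salt + self._wrapped, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, self._tag):
            return False  # wrong password: the wrap cannot be verified, let alone opened
        self._data_key = bytes(a ^ b for a, b in zip(self._wrapped, self._stream(kek)))
        return True


def run_scenarios() -> dict:
    """True means the drive ended up unlocked."""
    password = b"correct horse battery staple"  # constructed
    vuln = VulnerableDrive()
    app = VulnerableHostApp(vuln, password)
    hardened = HardenedDrive(password)
    return {
        "vulnerable_with_password": app.unlock(password),
        "vulnerable_wrong_password_via_app": app.unlock(b"guess"),
        "vulnerable_replay_no_password": replay_attack(VulnerableDrive()),
        "hardened_with_password": HardenedDrive(password).unlock(password),
        "hardened_wrong_password": hardened.unlock(b"guess"),
        "hardened_replay_no_password": hardened.unlock(VulnerableDrive.UNLOCK_TOKEN),
    }


if __name__ == "__main__":
    for name, unlocked in run_scenarios().items():
        print(f"{name}: {'UNLOCKED' if unlocked else 'locked'}")
```

Run it and the vulnerable drive unlocks with no password at all, while the hardened drive rejects both the wrong password and the replayed constant. The lesson is twofold: the device, not the host, must hold the decision, and the data key must be cryptographically unreachable without the password, so that there is no fixed "open sesame" for a tool to replay.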

The flaw may be contained in other drives as well and more recalls may be on the way, according to Graham Cluley, Senior Technology Consultant with Sophos.  "It's certainly a disturbing vulnerability, and may well lead to other hackers exploring the possibility of accessing what was previously considered 'securely encrypted' data," noted Cluley.

"I don't know if other manufacturers also use SanDisk's code, but even if they don't they might be wise to examine their own products and think long and hard about whether they might be vulnerable to similar exploits. Although it's embarrassing to recall a product, it would be much worse to have a product on the market which is vulnerable to this kind of attack."

Cluley, who also blogged about the issue, called the problem "shameful" and said security managers need to be able to ensure proper encryption is used on USB sticks, which can carry a wealth of sensitive information.  He also urged companies to put in place the measures necessary to detect and block unauthorised use of removable storage devices.

Jan 20, 2010

Sitting all day can be a killer

Sitting all day might significantly boost the risk of lifestyle-related disease even if one adds a regular dose of moderate or vigorous exercise, scientists said today. The health benefits of pulse-quickening physical activity are beyond dispute - it helps ward off cardiovascular disease, diabetes and obesity, among other problems.

But recent scientific findings also suggest that prolonged bouts of immobility while resting on one's rear end might be independently linked to these same conditions.  "Sedentary time should be defined as muscular inactivity rather than the absence of exercise," a team of Swedish researchers concluded.

"We need to consider that we are dealing with two distinct behaviours and their effects," they reported in the British Journal of Sports Medicine.  Led by Elin Ekblom-Bak of the Karolinska Institute in Stockholm, the scientists proposed a new "paradigm of inactivity physiology", and urged fellow researchers to rethink the definition of a sedentary lifestyle.

They point to a recent study of Australian adults showing that each daily one-hour increase in sitting time while watching television upped the rate of metabolic syndrome in women by 26 per cent - regardless of the amount of moderate-to-intensive exercise performed.

Thirty minutes of daily physical exercise decreased the risk by about the same percentage, suggesting that being a couch potato can cancel out the benefits of hitting treadmill or biking, for example.
Metabolic syndrome is defined as the presence of three or more factors including high blood pressure, abdominal obesity, high cholesterol or insulin resistance.
New research is required to see if there is a causal link between being sedentary and these conditions and, if so, how it works, the researchers said.
One candidate is lipoprotein lipase, or LPL, an enzyme that plays a crucial role in breaking down fat within the body into useable forms.
Recent research has shown that LPL activity was significantly lower in rats with restrained muscle activity - as low as one-10th of the levels of rats allowed to walk about.
The LPL level during such activity "was not significantly different from that of rats exposed to higher levels of exercise", the scientists reported.
"This stresses the importance of local muscle contraction per se, rather than the intensity of the contraction."
These studies suggest that people should not only exercise frequently, but avoid sitting in one place for too long, they said.
Climbing stairs rather than using an elevator, taking five-minute breaks from a desk job, and walking when possible to do errands rather than driving were all recommended.

Jan 19, 2010

Financial services exports can double, says architect Johnson

MARK Johnson, the architect of the plan to develop Australia into a regional financial hub, believes the export of financial services can double in the next five to seven years.  Exports account for only 3 per cent of the sector's contribution to the economy at present, compared with 50 per cent in Britain, 25 per cent in Singapore and 8 per cent in Canada and the US.  However, it was a reasonable ambition for financial service exports to increase their "value-add" to the economy from 3 per cent to 6 per cent, Mr Johnson told The Australian yesterday.

"We are not trying to build a financial system on steroids, with artificial inducements," he said. "Really what we are talking about is making sure our financial services sector is in accord with open competitiveness and efficiency."  Mr Johnson, the former deputy chairman of Macquarie Group, is keen for the Australia As A Financial Centre report handed to the government last week to be used as a blueprint for boosting the financial services sector's international output.

Among numerous recommendations, the Australian Financial Centre Forum study said the local market would be more internationally competitive if the withholding tax on the interest income that foreign banks earn from their Australian branches was removed. Mr Johnson believes the report's recommendations would increase competition in the local banking market by encouraging major Asian banks to open branches in Australia.  He said while the Australian banking market was in better shape than the rest of the world, there were still opportunities to increase competition in the sector.

"It's very important that we have as much competition as possible in this market," he said.  "Our recommendation on withholding tax on foreign banks goes directly to that point. "We think some of the regional shifts will see some changes in Australia. I think some of the big Japanese banks have limited growth opportunities in Japan, and as their customers increase outside of Japan, they will come back to Australia.

"We are seeing at the moment more activity from the big Chinese banks. They will come to Australia on the traditional routine of financing their customers, but they will move to financing trade and financial investments and then local operations."  The report, commissioned by Financial Services Minister Chris Bowen in 2008 before the full extent of the global financial crisis had hit, was designed to identify policies to encourage growth in the financial services industry.  A number of foreign banks at the time were threatening to leave Australia.

However, only two have changed their local operations. Canadian bank Toronto-Dominion last year shifted its Australian operations to Singapore, at a cost of 65 jobs. And Societe Generale (SG), the French bank, is in the process of scaling back its domestic business.   SG's outgoing Australian chief executive, John Harvey, yesterday said the move was the result of the bank making Hong Kong the regional hub for its Asia-Pacific operations.  "The bank has been very consistent in its commitment to the region, and has made a big push into Hong Kong, developing it as a regional centre," Mr Harvey said.

"It has been the view that the growth future of the bank is in the region. SG is going to be a European bank with a focus in Asia."  Mr Harvey said SG had held discussions with regulators and would retain its Australian banking licence for at least a year. It is understood its leasing finance business in Australia will remain for some time yet.  "There has been a significant transfer of staff and resources from Australia to Hong Kong as the bank continues to build its presence there," Mr Harvey said. 

"We have transferred approximately 30 staff from Australia overseas to ensure adequate coverage of Australian business and clients.

"We are in regular dialogue with APRA and their position is that we retain our branch banking licence while SG continues to conduct banking operations in Australia."

Mr Johnson said the proposed measures, along with the establishment of an independent financial services taskforce, would help the sector raise its contribution to the broader Australian economy.

Mr Johnson said even though significant reforms had been put in place, the financial services sector was still not "highly internationalised".

"I think the technical pieces that need to be put in place are relatively straightforward -- we can identify them," he said.

"What you need is to implement changes at the policy-making level to accept and deal with the recommendations for changes.

"We have been arguing for years and years on tax . . . where is the money earned, what is revenue and what is capital?  "Thousands of people have made the pilgrimage to Canberra to talk with the tax office about this, and they have responded by saying this is the law as we see it applied in these circumstances.  "The Board of Taxation has done a lot of work, but this the first time there has been the opportunity to look at tax policy as it applies to the financial sector."  Mr Johnson said the fact the government had indicated it would take a "holistic approach" to improving the competitiveness of the Australian financial services sector was a positive sign.

Google probes for enemies within

Google is investigating whether one or more employees may have helped facilitate a cyber-attack that the US search giant said it was a victim of in mid-December, two sources have told Reuters.

Google, the world's most popular search engine, said last week it may pull out of the world's biggest Internet market by users after reporting it had been hit by a "sophisticated" cyber-attack on its network that resulted in theft of its intellectual property.

The sources, who are familiar with the situation, said that the attack, which targeted people who have access to specific parts of Google networks, may have been facilitated by people working in Google China's office.

"We're not commenting on rumour and speculation. This is an ongoing investigation, and we simply cannot comment on the details," a Google spokeswoman said.

Security analysts said the malicious software (malware) used in the Google attack was a modification of a Trojan called Hydraq. A Trojan is malware that, once inside a computer, allows someone unauthorised access. The sophistication in the attack was in knowing whom to attack, not the malware itself, the analysts said.

Local media, citing unnamed sources, reported that some Google China employees were denied access to internal networks after January 13, while some staff were put on leave and others transferred to different offices in Google's Asia Pacific operations. Google said it would not comment on its business operations.

Google, which has denied rumours that it has already decided to shut down its China offices, said on Monday it contacted the Chinese government last week after the announcement.

"We are going to have talks with them in the coming few days," Google said.

Google is also still in the process of scanning its internal networks since the cyber-attack in mid-December.

China has tried to play down Google's threat to leave, saying there are many ways to resolve the issue, but insisting all foreign companies, Google included, must abide by Chinese laws.

Washington said it was issuing a diplomatic note to China formally requesting an explanation for the attacks.

The Google issue risks becoming another irritant in China's relationship with the United States. Ties are already strained by arguments over the yuan currency's exchange rate, which US critics say is unfairly low, trade protectionism and US arms sales to Taiwan.

Washington has long been worried about Beijing's cyber-spying program. A congressional advisory panel said in November the Chinese government appeared increasingly to be penetrating US computers to gather useful data for its military.

Jan 18, 2010

Depressed? Don't blame your genes

Britain is depressed. Especially its women. Recently the Irish author Marian Keyes announced on her website that she is suffering from such “crippling depression” that she was unable to sleep, write, eat, read or talk.  Depending on which study you believe, a woman aged 25 in 1980 was between three and ten times more likely to have suffered depression than her grandmother. The increase has continued in the past 30 years, particularly among girls from affluent homes.

The proportion of such girls suffering at the age of 15 almost doubled between 1987 and 2006 (up from 24 per cent to 43 per cent). Scientists are now confident that these increases are real, not because of our greater willingness to engage in psychobabble. Overall, 23 per cent of us suffered from a mental illness of some kind in the past 12 months. The proportion rockets among the young: 32 per cent of 16-24 year olds, dropping steadily as we get older, to 11 per cent of over-75s.

With the short, dark days of January especially hard for those with depression (many psychologists claim that today, with its freezing temperatures, debts from the Christmas break and gloom about returning to work, adds up to the most depressing day of the year), what has gone wrong and, even more importantly, what can you do if you are suffering?

Some people blame their genes. For decades we have treated as common knowledge the existence of a depression gene. But one of the most interesting developments of last year was a growing conviction among scientists that genes play little or no role in depression.

The Human Genome Project, which mapped all our DNA, has not reliably identified a single example of a gene for any mental illness.

Top lawyer Sanford Litvack recruited as US mulls Google antitrust suit

The US Justice Department has hired one of America's best-known litigators, former Walt Disney vice chairman Sanford Litvack, for a possible antitrust challenge to Google's growing power in advertising, the Wall Street Journal reports.

His hiring is the strongest signal yet that the US is preparing to take court action against Google and its search-advertising deal with Yahoo, the WSJ claims.

We must end the silence surrounding the risks of health care

A few years ago, a group of American activists set out to protect millions of human lives; not from global scourges such as malnutrition or preventable disease, but from the ravages of the world's most expensive and sophisticated health-care system, that of the United States of America.

The ''Five Million Lives - Let's Make Harm History'' campaign was not a tasteless First-World parody of Third-World misery, but a serious effort by the non-profit Institute for Healthcare Improvement (IHI) to draw attention to the considerable risks of harm and death caused by modern health-care systems.
For all the extraordinary advances in medical science and technology, getting sick (or injured) is a safety issue.

Worldwide, health-care errors cost an incredible 10,000 disabilities and deaths every day. Today's patients have only a one in two chance of receiving recommended care, a 1:10 likelihood of something going wrong in hospital and a 1:50 possibility of a health system-induced death or major disability. And that's in the world's best resourced health systems, such as US and Australian hospitals.
Prime Minister Kevin Rudd acknowledges Australia's beleaguered health system has reached a critical ''tipping point''. Last year's landmark National Health and Hospital Reform Commission report argues for new funding and administration models to address, among other pressing issues, the shortfall in the delivery of appropriate care.
Yet for all its 123 recommendations, the commission's report contains mostly high-level pronouncements, when much depends on driving change at the troubled health-care ''coal face''.
Complex systems fail for many, inter-related reasons. Ensuring heart surgery is skilfully performed or the right dose of radiotherapy is calibrated and delivered depends not only on individual competency and focus, but on every one of the multitude of human interactions in long treatment chains. Modern health care can be delivered only by well co-ordinated teams, but team work is routinely compromised by fatigue, heavy workloads and inadequate resources.
Technology offers one path to safer hospitals. Take the video surveillance equipment installed on state order in the operating theatres of a US Rhode Island hospital recently, after its fifth ''wrong site'' surgical procedure. In three cases surgeons had operated on the wrong parts of the brain.
But technology is just a tool. Reducing errors is as much a matter of admitting just how serious the problem is. We have managed to join up the dots in other areas where individual suffering adds up to a threat to community safety such as signs outside coal mines declaring the number of ''accident-free'' days or the grisly images on cigarette packets. Health professionals wholeheartedly support such frank disclosures. But, on health system risks and harm there is relative silence.

Recent lessons from the mining and aviation industries suggest that professional attitudes really do matter. By openly acknowledging that ''things can go wrong, and will go wrong, so we need to be very vigilant'', mining companies and airlines have shifted safety to the top of their organisational agendas.
The idea that hospitals and other health care providers should publish details of patient deaths and avoidable harm may well be resisted. Health care professionals are trained to face disease, injury and death with heroic, rational cool. But what we really need are clinicians who are prepared to admit they are fallible - especially under system-wide pressures - and to own up when they make mistakes.

Internet-driven consumer activism is exposing health-care risk anyway. US health consumers can already check out the ''grades'' of thousands of hospitals and hundreds of thousands of doctors online, and online forums mean few health-care tales go untold.

Far better would be accurate, standardised safety benchmarks. Medical care will always be risky, but health systems cannot be effectively reformed without open incident reporting, which avoids blaming individuals and enables complex systems to learn from their errors.

In such ''safety-first'' cultures practical measures work. The successful ''Five Million Lives'' campaign was built, for example, around washing hands more frequently to tackle known risks of hospital-acquired infections, adopting better procedures in operating theatres, reducing critical delays in life-saving treatment and the administration of correct drugs and dosages. International efforts to build global health safety standards and procedures, backed by the World Health Organisation, are also promising.
Interestingly, data suggests patients and families are less likely to sue if they believe an adverse medical outcome was a genuine, unintended error, if the doctor or health care worker apologises and if remedial action is taken so ''it can't happen to someone else''.

The Rudd Government's much anticipated health reforms, due out soon, are also most likely to succeed in an open disclosure health system. With a federal election approaching, both sides will be positioning for a policy bunfight over our votes. This seems like an ideal time for our own ''make harm history'' health-care campaign.

Calls to ditch Internet Explorer after China hacks

Internet users are being warned off Internet Explorer after it was revealed that recent sophisticated cyber attacks on Google and other businesses exploited a previously unknown flaw in Microsoft's web browser.

Germany's Federal Office for Information Security, or BSI, told Germans to avoid use of all versions of Explorer after the security hole led to hacks against Google and others.

Microsoft confirmed the weakness after Google announced that hackers in China had pried into email accounts of human rights activists. However, the company said that the risk could be reduced by setting the browser's internet security zone to "high".

But the BSI insisted that such measures were not sufficient.

"Using Internet Explorer in 'secure mode', as well as turning off Active Scripting, makes attacks more difficult but cannot fully prevent them," BSI said in a statement.

Google said last week that in mid-December, it detected an attack on its corporate infrastructure originating from China that resulted in the theft of its intellectual property. It eventually found that more than 20 other companies had been infiltrated.

Security firm McAfee said on Thursday that those who engineered the attacks tricked employees of the companies into clicking on a link to a website that secretly downloaded sophisticated malicious software onto their PCs through a campaign that the hackers apparently dubbed "Operation Aurora".

"We have never seen attacks of this sophistication in the commercial space. We have previously only seen them in the government space," said Dmitri Alperovitch, a vice-president of research with McAfee.

The programs allowed the hackers to take control of the PCs without the knowledge of their users, said McAfee, which has been researching the matter on behalf of several companies involved in the attacks since late last week.

Alperovitch declined to say which companies had hired McAfee, saying they had signed confidentiality agreements.

So far the only other victim to come forward is design software maker Adobe Systems, which has said that it is still investigating the matter.

Some researchers have speculated that the attackers may have exploited flaws in Adobe's Acrobat software and its widely used Reader program for opening PDF documents.

McAfee's researchers said that they found no evidence that was the case.

Still, they said that the hackers might have used other types of malicious software to break into Google and the other companies.

Internet Explorer is vulnerable on all recent versions of the Windows operating system, including Windows 7, McAfee says. Microsoft said attacks had been limited to IE6, an older version of the application.

Jan 17, 2010

Google blames 'human error' for leak of users' business data

Google is apologizing after it mistakenly e-mailed potentially sensitive business data last week to other users of its business listings service.

The company's Local Business Center allows businesses to create a listing for Google's search engine and Maps application, as well as add videos, coupons or photos.

Google then provides data on how customers found the listing, showing search terms people used before clicking the listing and other data such as the geographic location of someone who looked up driving directions to the business.

Google sends these reports by email to business owners who have signed up for them. Early last week, Google sent the reports to third parties by mistake. The mistake affected several thousand businesses registered with Local Business Center, of which there are more than a million.

"Shortly after sending the newsletter to a portion of our users last night, we discovered that some e-mails included statistics for the wrong business," Google said in a written statement. "We promptly stopped sending any further e-mails and investigated the cause, which we found to be a human error while pulling together the newsletter content. We'd like to apologize to all the business owners impacted and assure them that we're fixing the process that led to this mistake."

People who received the data then began to publicize the incident, realizing the privacy implications. Chicago-based Internet consultant David Dalka wrote on his blog that he received information regarding the listing for Boscos, a restaurant in Tennessee that brews its own beer.

"My first thought was this was potentially some kind of joke by someone at Google due to the subject matter resolving to beer, which has a long history of pranks in SEO [search engine optimization] circles," Dalka wrote.

The data included the number of times Boscos' listing appeared in Google's local search results, the number of times it had been clicked on and the number of follow-through clicks on the actual business' Web site.

Jan 15, 2010

Government overhauls national cyber security arrangements

BUSINESSES on the cyber frontline will get more direct help as the federal government bolsters national defences against increasing online espionage and attacks on critical infrastructure.

"Many online threats are surreptitious and insidious, and the perpetrators are more inventive in their tricks," Attorney-General Robert McClelland said last night, unveiling a cyber-security strategy that positions e-security as a top priority.

"There are clear links to organised crime syndicates and the intelligence services of foreign governments.

"And while it is important to protect individual users this is also a matter of national security."

Mr McClelland said the plan was to help businesses maintain resilient computer systems to protect both their operating capacity and customers' information, and to boost the security of government agency systems, which held citizens' data.