FDIC: Hackers Took More Than $120M in Three Months

March 08, 2010 :: Posted by - admin :: Category - Inventions

Robert McMillan writes on ComputerWorld:


Ongoing computer scams targeting small businesses cost U.S. companies $25 million in the third quarter of 2009, according to the U.S. Federal Deposit Insurance Corporation.

Online banking fraud involving the electronic transfer of funds has been on the rise since 2007 and rose to over $120 million in the third quarter of 2009, according to estimates presented Friday at the RSA Conference in San Francisco, by David Nelson, an examination specialist with the FDIC.

The FDIC receives a variety of confidential reports from financial institutions, which allow it to generate the estimates, Nelson said.

Almost all of the incidents reported to the FDIC “related to malware on online banking customers’ PCs,” he said. Typically a victim is tricked into visiting a malicious Web site or downloading a Trojan horse program that gives hackers access to their banking passwords. Money is then transferred out of the account using the Automated Clearing House (ACH) system that banks use to process payments between institutions.

Even though banks now force customers to use several forms of authentication, hackers are still stealing money. “Online banking customers are getting too reliant on authentication and on practicing layers of controls,” Nelson said.

That’s bad news for businesses, which are increasingly on the hook for any losses.

More here.

U.S. Government Auditors Knock Federal Cybersecurity Plan

March 08, 2010 :: Posted by - admin :: Category - Inventions

J. Nicholas Hoover writes on InformationWeek:


The federal government could do a better job defining and coordinating its recently partially declassified Comprehensive National Cybersecurity Initiative, according to a report [.pdf] from the government’s own auditors.

The new report, released by the Government Accountability Office last week, found that although the White House and federal agencies have made strides in planning and coordinating the 12-point program by creating interagency working groups like the Joint Interagency Cyber Task Force, the plan lacks definition in some places and doesn’t cover the full scope of federal cybersecurity needs.

Among the key challenges for the CNCI: defining roles and responsibilities. For example, then-acting White House cybersecurity policy advisor Melissa Hathaway, in an interview with the GAO, noted an ad hoc, uncoordinated response to July 2009 distributed denial of service attacks targeting government Web sites.

More here.

Newest Virus Threat To Your PC Comes From a Battery Charger

March 08, 2010 :: Posted by - admin :: Category - Inventions

It’s well known that digital photo frames can carry malware that can infect a PC, or at least, it should be. How about a battery charger?

The U.S. Computer Emergency Readiness Team (US CERT) warned on Friday about a Trojan in optional software that can be used with the Energizer DUO USB battery charger. The Windows application, which lets users view battery charging status, contains a Trojan that allows an attacker to remotely control a Windows PC.

US CERT says:

The installer for the Energizer DUO software places the file UsbCharger.dll in the application’s directory and Arucer.dll in the Windows system32 directory. When the Energizer UsbCharger software executes, it utilizes the UsbCharger.dll component for providing USB communication capabilities. UsbCharger.dll executes Arucer.dll via the Windows rundll32.exe mechanism, and it also configures Arucer.dll to execute automatically when Windows starts by creating an entry in the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry key.

Arucer.dll is a backdoor that allows unauthorized remote system access via accepting connections on 7777/tcp. [...] An attacker is able to remotely control a system, including the ability to list directories, send and receive files, and execute programs. The backdoor operates with the privileges of the logged-on user.

The software has been offered for three years. It is unclear how long the malware was in the program’s download. If it was in the code in 2007, that was when a number of infected consumer products, including the aforementioned digital photo frames, were coming out of China.

Marcus Sachs, director of the SANS Internet Storm Center, said:

“This may simply be from that time frame when all the factories in China were not clean and many were putting malware onto stuff, not intentionally but because the hygiene wasn’t good. Who knows where the server (hosting the software) is located. It could have been exposed to the unclean conditions that were rampant there.”
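The indicators in the US CERT text above (Arucer.dll in system32, a Run-key entry that launches it through rundll32.exe, and a listener on 7777/tcp) can be checked against triage output collected from a Windows host. The following Python is an added example, not part of the original post or the advisory; the sample `netstat -ano`, `reg query` and file-listing data are constructed, and the Run value name and rundll32 entry-point argument in them are placeholders.

```python
import re

# Indicators taken from the US CERT text quoted in the post.
BACKDOOR_DLL = "arucer.dll"
BACKDOOR_PORT = 7777

# Constructed sample of `netstat -ano` output (not from a real host).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:7777           0.0.0.0:0              LISTENING       2316
  TCP    192.168.1.20:49712     203.0.113.5:7777       ESTABLISHED     4012
  TCP    [::]:445               [::]:0                 LISTENING       4
"""

# Constructed sample of `reg query` output for the Run key. The value names
# and the rundll32 entry-point argument are placeholders, not advisory data.
SAMPLE_RUN_KEY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    ExampleUpdater    REG_SZ    "C:\Program Files\Example\updater.exe" /background
    ExampleValue    REG_SZ    rundll32.exe C:\WINDOWS\system32\Arucer.dll,PlaceholderEntry
"""

# Constructed sample of a system32 file listing.
SAMPLE_SYSTEM32 = ["kernel32.dll", "Arucer.dll", "rundll32.exe"]

RUN_LINE = re.compile(r"^\s+(?P<name>.+?)\s+(?P<type>REG_[A-Z_]+)\s+(?P<data>.*)$")


def listeners_on_port(netstat_text, port=BACKDOOR_PORT):
    """Return PIDs listening on `port`; outbound connections to it are ignored."""
    pids = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) == 5 and fields[0] == "TCP" and fields[3] == "LISTENING":
            # rsplit copes with IPv6 local addresses such as [::]:7777
            if fields[1].rsplit(":", 1)[-1] == str(port):
                pids.append(int(fields[4]))
    return pids


def run_entries_loading(run_key_text, dll=BACKDOOR_DLL):
    """Return (value name, command) pairs from the Run key that reference `dll`."""
    hits = []
    for line in run_key_text.splitlines():
        m = RUN_LINE.match(line)
        if m and dll in m.group("data").lower():
            hits.append((m.group("name"), m.group("data")))
    return hits


def triage(netstat_text, run_key_text, system32_files):
    """Combine the three indicators into one finding with a verdict."""
    findings = {
        "dll_in_system32": any(f.lower() == BACKDOOR_DLL for f in system32_files),
        "run_entries": run_entries_loading(run_key_text),
        "listener_pids": listeners_on_port(netstat_text),
    }
    # The DLL name and its Run entry come straight from the advisory; a
    # listener on 7777/tcp alone can be other software, so it only earns a look.
    if findings["dll_in_system32"] or findings["run_entries"]:
        findings["verdict"] = "matches-advisory"
    elif findings["listener_pids"]:
        findings["verdict"] = "investigate"
    else:
        findings["verdict"] = "clean"
    return findings


if __name__ == "__main__":
    print(triage(SAMPLE_NETSTAT, SAMPLE_RUN_KEY, SAMPLE_SYSTEM32))
```

A listener PID returned here should be mapped back to its process and loaded modules before concluding anything, since the backdoor runs inside rundll32.exe with the logged-on user's privileges.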

CO Internet Sales Tax Prompts Amazon.com To Ax Its Colorado Affiliates

March 08, 2010 :: Posted by - admin :: Category - Inventions

Amazon Associates beware; you can expect this to happen in any state that passes a so-called “Amazon Tax” law. On Monday, Amazon.com cut ties with Amazon Affiliates in Colorado after that state instituted a Web sales tax.

All of this stems from a 1992 Supreme Court decision, Quill vs. North Dakota, in which the Supreme Court ruled that out-of-state retailers cannot be required to collect sales tax on purchases sent to states where they did not have a physical presence.

The Supreme Court’s reasoning was at least partially based on the fact that, at the time the case was decided in 1992, there were over 6,000 separate sales and use tax jurisdictions in the United States (states, localities, special tax districts, etc.) and to impose a collection obligation on a remote seller would impose a crushing burden that would severely restrict interstate commerce.

It should be noted that even though retailers are not required to collect sales tax on out-of-state purchases, residents are supposed to add a so-called “use tax” to their state tax return in place of the sales tax. Many either do not know this or, knowing that it would be impossible for the state to tell how much they owe, ignore it.

New York State was the first to coin the “Amazon Tax” term. Three states, New York, North Carolina and Rhode Island, have defined the use of Associates, which carry advertising on their sites for retailers like Amazon.com, as a form of physical presence. In other words, if a NY resident was an Amazon Affiliate, Amazon.com had a physical presence.

In those states, retailers such as Amazon.com and Overstock.com cut ties to their Affiliates. However, Colorado affiliates spoke to the state’s legislature, and warned them of this fact. Because of that, Colorado modified its new sales tax law, such that retailers (effective March 1st) had to start informing state residents that their Internet purchases are subject to state sales tax both at the time of checkout and in an end-of-year summary. Those retailers that do more than $100,000 in annual sales can also be asked to provide data on what individual Colorado residents spend each year.

By changing the law, Colorado removed the “blame,” so to speak, from Colorado Affiliates. Despite this, however, Amazon.com has severed ties with said Affiliates.

Dear Colorado-based Amazon Associate:

We are writing from the Amazon Associates Program to inform you that the Colorado government recently enacted a law to impose sales tax regulations on online retailers. The regulations are burdensome and no other state has similar rules. The new regulations do not require online retailers to collect sales tax. Instead, they are clearly intended to increase the compliance burden to a point where online retailers will be induced to “voluntarily” collect Colorado sales tax — a course we won’t take.

We and many others strongly opposed this legislation, known as HB 10-1193, but it was enacted anyway. Regrettably, as a result of the new law, we have decided to stop advertising through Associates based in Colorado. We plan to continue to sell to Colorado residents, however, and will advertise through other channels, including through Associates based in other states.

There is a right way for Colorado to pursue its revenue goals, but this new law is a wrong way. As we repeatedly communicated to Colorado legislators, including those who sponsored and supported the new law, we are not opposed to collecting sales tax within a constitutionally-permissible system applied even-handedly. The US Supreme Court has defined what would be constitutional, and if Colorado would repeal the current law or follow the constitutional approach to collection, we would welcome the opportunity to reinstate Colorado-based Associates.

You may express your views of Colorado’s new law to members of the General Assembly and to Governor Ritter, who signed the bill.

Your Associates account has been closed as of March 8, 2010, and we will no longer pay advertising fees for customers you refer to Amazon.com after that date. Please be assured that all qualifying advertising fees earned prior to March 8, 2010, will be processed and paid in accordance with our regular payment schedule. Based on your account closure date of March 8, any final payments will be paid by May 31, 2010.

We have enjoyed working with you and other Colorado-based participants in the Amazon Associates Program, and wish you all the best in your future.

Best Regards,

The Amazon Associates Team

It’s hard to understand what just happened here, but Affiliates are using the hashtag #noadtax to post on Twitter. At the same time, Sen. Greg Brophy tweeted:

I have call into Amazon about affiliates – will seek emergency legislation if necessary to fix #noadtax

It’s unclear exactly what Brophy means, though: the Affiliates were not part of the requirements to force retailers down this new path, yet they were terminated. One has to wonder, therefore, if it’s a PR blitz on the part of Amazon.com.

Cyber War Declared as China Hunts for the West’s Intelligence Secrets

March 07, 2010 :: Posted by - admin :: Category - Inventions

Michael Evans and Giles Whittell write on The Times Online:


Urgent warnings have been circulated throughout NATO and the European Union for secret intelligence material to be protected from a recent surge in cyberwar attacks originating in China.

The attacks have also hit government and military institutions in the United States, where analysts said that the West had no effective response and that EU systems were especially vulnerable because most cyber security efforts were left to member states.

NATO diplomatic sources told The Times: “Everyone has been made aware that the Chinese have become very active with cyber-attacks and we’re now getting regular warnings from the office for internal security.” The sources said that the number of attacks had increased significantly over the past 12 months, with China among the most active players.

In the US, an official report released on Friday said the number of attacks on Congress and other government agencies had risen exponentially in the past year to an estimated 1.6 billion every month.

More here.
