Fisher squeezed out time around his day job as editor of Kaspersky Lab’s security blog, Threatpost, to pen and publish his first novel, released last week. Prior to his current gig, Fisher was an editor and writer, focused on information security, at TechTarget.

Fisher

No surprise, then, that this work of fiction contains an info sec subplot. Hot on the trail of a serial killer, the detectives get stymied by an inability to legally examine the contents of the suspect’s computer. Enter JD, who agrees to help out with some stealthy cybersnooping. He also leaves a rootkit behind that ultimately figures into a climactic scene at the end of the book.

There’s clearly an eager global audience for works of fiction that feature lone wolf hackers. Lisabeth Salander, the fictional hacker-heroine of the late Swedish journalist Stieg Larsson’s Girl With The Dragon Tatoo trilogy, comes to mind.

Fisher says he got the idea for the book while commuting to Boston every day.  “I’d drive by this really nasty looking swamp on the way home. It was right by the side of the highway and had the feel of something from a horror movie, with burned-out tree trunks sticking out of the water,” Fisher says. “I started wondering what had happened there and what could be under the water.

“I started wondering what had happened there and what could be under the water. I eventually came up with the beginning of the plot, with there being dead bodies found in the water and then went from there. I imagine that most writers start either with a character or a plot idea, but for me it started with that location.”

He describes Motherless Children as “a story about the small decisions that can define our lives, the true nature of good and evil and finding the strength to do what needs to be done–regardless of the consequences.”

JD, the hacker-hero, is ” based loosely on a couple of researchers and there are several small inside security jokes in the book that folks in the community will like, I think,” Fisher adds.

Online tracking is fueling a heated national debate over whether new do-not-track laws are needed to safeguard consumers’ online privacy. Leaders in the online advertising industry use a version of Privacyscore to self-police the tracking practices of online advertising networks, and thus head off new laws. Privacy experts welcomed the consumer version.

“This certainly is going to be a useful tool for consumers, but it may actually be even more useful in pushing application developers, who don’t like getting poor grades, to look more closely at their own privacy practices,” says Jules Polonetsky, director of the Future of Privacy Forum, a Washington, D.C., think tank on data security.

Facebook’s pervasive Web presence comes with “a responsibility to hold people who are developing apps on their platform accountable for the (privacy) assertions that they’re making,” says Craig Spiezle, executive director of the Online Trust Alliance.

Facebook’s David Swain noted that the company requires app developers to agree to its privacy policies. “If we find an app has violated our policies … we take action,” Swain says.

According to PrivacyChoice, 140 different tracking entities routinely collect information about users of the top Facebook apps. Trackers can correlate that data to profiles of individuals’ browsing behavior across multiple Web pages in order to deliver more relevant ads. “It’s up to users to know the privacy risk of sharing personal data with apps,” says Jim Brock, PrivacyChoice founder and CEO.

Privacyscore’s top score is 100. Deductions are made for sharing data with an excessive number of tracking entities, failing to honor deletion requests, failing to provide an opt-out choice or storing consumer data for long periods.

Gamemaker Zynga, for instance, registers an overall score of 82 for 17 Facebook games. The game Slingo, with 17 million players, scores 80, losing points partly because it connects to 59 trackers. Zynga general counsel Reggie Davis says Zynga welcomes tools such as Privacyscore. And Zynga’s online tutorial, PrivacyVille, rewards its users for learning more about the company’s privacy policies.

—

Another detection tool you can use has been made available by Russian antivirus firm Kaspersky. Meanwhile, Apple has issued a statement indicating that it is continuing to work on an offical detection and innoculation tool.

It’s not just individual Mac owners who ought to take heed. Network security firm Lancope says companies with employees who use Macs would be wise to check for infected Apple computing devices.

Kissling

“Enterprises should also bolster their defenses,” says Lancope vice president Jody Ma Kissling. “As the market share for Macs continues to increase, end users, corporations and Apple itself must all be prepared for a subsequent rise in attacks targeting Apple’s Mac OS X.”

Neil Roiter, research director at Corero Network Security says “cyber criminals now consider Macs profitable targets. Mac users should protect their computers with antivirus software, encrypt sensitive information and follow the common-sense advice not to click on links or open email attachments from unknown sources.”

Roger Thompson, chief emerging threats researcher at vendor-neutral testing and certification firm ICSA Labs, explains the significance of the emergence of a major botnet comprised entirely of Macs.

He observes that Mac infections were considered rare for much of the past two decades “as a natural consequence of relative market opportunity for the bad guys. Put another way, there were way more PCs than Macs, so there was simply more opportunity for a return on their development and marketing effort.”

What the existence of a massive Mac botnet highlights, Thompson says, is that “Mac malware is not just a reality, but is now a genuine problem. The issue is that for a decade, Apple has made a point of telling users that they had no malware problem, and the result of that is that Mac users have no antibodies, when it comes to malware. They don’t expect it, and too many people will click on, and install, anything.”

The bottom line for Mac users: they will have to install and keep current antivirus programs and make sure all application updates, for things like Java, iTunes and Adobe Flash are quickly installed, just like Windows users.

“There will soon be a name for Mac users who are not doing this: victims,” says Thompson.

Those cool mobile devices beloved by consumers carry deep-rooted security flaws that are only now being discovered and addressed.

That’s the upshot of two recent deep examinations of popular mobile devices. The findings highlight how designers of the current generation of smartphones and tablet PCs failed to fully account for the security and privacy implications.

“Today’s smartphones and tablet devices perform the same functions as a PC,” says Dan Hoffman, chief of mobile security at Juniper Networks.“However, the vast majority of devices lack security software and mistakenly rely upon the operating system to keep people safe.”

In one study, Cryptography Research showed how it is possible to eavesdrop on any smartphone or tablet PC as it uses cryptographic keys to protect sensitive operations, such as when a mobile device is being used to make a purchase, conduct online banking or access a company’s virtual private network.

The secret keys can be deciphered, enabling a criminal to use them to access a financial account or a company network, says Benjamin Jun, Cryptography Research’s chief technology officer.

Jun

“These type of attacks do not require the device to be modified and there is usually no observable sign that an attack is in progress,” Jun says.

Cryptography Research is “working with one of the major smartphone and table companies right now to put countermeasures in,” Jun says. No known actual attacks have occurred, he says.

In another theoretical study, researchers at security firm McAfee, a division of Intel, demonstrated several ways to remotely hack into Apple iOS, the operating system for iPads and iPhones.

McAfee’s research team remotely activated device microphones and recorded conversations taking place in the vicinity of the hacked device. They also stole secret keys and passwords, and were able to pilfer sensitive data, including call histories, e-mail and text messages.

“This attack method shows ways that advanced attackers can compromise and control devices indefinitely,” says Ryan Permeh, McAfee’s principal security architect. “This can be done with absolutely no indication to the device user.”

Apple spokeswoman Trudy Muller declined comment.

Security experts and law enforcement officials anticipate that cybergangs will accelerate actual attacks as consumers and companies begin to rely more heavily on mobile devices for shopping, banking and working.

“Responsibility for addressing these security concerns is far reaching,” says Hoffman. “The broader security community needs to assist in providing all users the highest-level of protection.”

Henry

The disclosure of a massive botnet comprised entirely of Macs is serving as a lightning rod for the community of a few hundred top virus hunters who would like to see Apple become more collaborative about defending the Internet against cybercriminals.

“Maybe Apple will feel a little of the pain their users are now feeling and get serious about being more candid and perhaps more revealing in their patch release notifications,” says Paul Henry, security and forensic analyst at network security company Lumension,.

Henry notes that calculating the number of infected Macs has been relative easy, since the Trojan “actually sends a copy of each infected Mac’s UUID to the command and control server.”

Some 300,000 of the 600,000 Macs infected by the Flashback Trojan are located in the U.S., including 274 in Cuppertino, Apple’s hometown in Silicon Valley, according to Tweets from Ivan Sorokin, a malware analyst at Russian antivirus company Dr. Web.

Sorokin used sinkhole technology to redirect the botnet traffic to their own servers to count infected Macs.

Henry says that “Apple still lacks any urgency in their patch release and in fact, users had to be lucky enough to have checked.

“Simply put, if Apple wants to be taken seriously as an enterprise provider, they need to be more timely and candid about their patches,” Henry continues. “How else will administrators understand the necessary sense of urgency to prioritize and deal with security issues?”

Apple has been issuing patches roughly once a month, much like Microsoft issues security fixes on the second Tuesday of each month, known as Patch Tuesdsay.

“Apple should take a lesson from Microsoft and formally adopt a monthly process and provide, at minimum, the same level of disclosure users have come to expect from Microsoft,” says Henry.

An unpatched portion of Java left Mac users prone to the Flashback Trojan, which causes the machine to quietly report to a command and control server for further instructions.

Mac users  can get infected by navigating to a viral web page pre-loaded to deliver a driveby download tuned to exploit this Java vulnerability — much the same as Windows PC users.

The  Russian antivirus company Dr. Web says some 600,000 Macs have been infected, several of which include devices based in Cupertino, California, the home of Apple. So if your Mac has been balky lately, this could be the explanation.

Swiss Army knife

Botnets are used to spread spam and infections, participate in denial of service attacks, hijack online bank accounts etc. Botnets are the Swiss Army Knife of cybercrime. And when your machine is performing bot duties, your processing efficiencies naturally get sapped. It was only a matter of time before this common experience of Windows PC users came home to roost with Mac users.

One commenter to Ars Technica’s coverage noted:

My wife’s first gen core duo macbook pro hard drive is always busy, which i thought was due to limited hard drive space. Even after cleaning out ~15 gigs of space, the OS is slow and often unresponsive, and the HD is clickety clacking all the time. I sure hope I don’t have it. I’m going to check first thing when I get home. Has anyone’s machine here tested positive? If so, does this sound familiar?

Apple has since patched the Java flaw. F-Secure has supplied details on how to diagnose and fix the problem, but warns that the steps are tricky.

Wake up call

“This latest wave of infections is a wake-up call to Mac users that their system is not immune to threats,” says Mike Geide, senior security researcher at Zscaler ThreatLabZ. “And the need to follow best security practices, such as remaining current with patches, is ubiquitous — it doesn’t matter if you’re using Windows, Mac, or even mobile phone.”

Marcus

Dave Marcus, director of advanced research and threat intelligence at McAfee Labs, says the existence of a major Mac botnet comes as no surprise. He advises Mac users to do as Windows PC users do: keep antivirus protection and all Apple patches current.

“Attackers are leveraging years of success from writing PC malware and they’re doing the same thing in the Mac world,” says Marcus. “Cybercriminals will attack any operating system with valuable information, and as the popularity of Macs increase, so will attacks on the Mac platform.”

–By Byron Acohido

Visa and MasterCard acknowledged Friday that they’ve been alerting banks about a major breach of an unnamed payment card processing firm. The Wall Street Journal, citing unnamed sources, named Atlanta-based Global Payments as the processor in question.

Global Payments declined interview requests.

Security blogger Brian Krebs, who broke the story, says thieves cracked into the processor’s systems between Jan. 21 and Feb. 25, and may have swiped more than 10 million credit and debit card transactions records, originating from an unknown number of merchants, banks and credit unions.

Litan

Gartner banking security analyst Avivah Litan says unverified reports point to a New York City street gang with Central American ties taking over ” an administrative account that was not protected sufficiently.”

“I’ve spoken with folks in the card business who are seeing signs of this breach mushroom,” says Litan.

MasterCard issued a statement advising cardholders to contact the financial institution that issued their cards with any concerns. Visa emphasized that no Visa systems were breached.

However, criminals know better than to try to waste time on highly defended systems, and have been consistently successful cracking support system. “Sooner or later they find some weakness in the highly complex chain of systems that they can exploit,” says Geoff Webb, of data security firm Credant Technologies.

Credit card processors have been breached before. Heartland Payment Systems lost 130 million payment card records generated by 250,000 merchants and restaurants in 2008 -2009.

It’s not just card processors that are being targeted. Last year hackers stole payment card information for more than 100 million customers of Sony’s PlayStation Network.

And earlier this year online shoe retailer Zappos disclosed hackers took e-mail and shipping addresses, phone numbers and account passwords for some 24 million customers, data useful for identity theft.

“Any business that’s capturing payment data is a target,” says Mark Bower, analyst at Voltage Security.

Consumers whose debit card account information landed in criminals’ hands with this latest breach are at heightened risk. That’s because gangs are adept at quickly manufacturing faked cards to make large cash withdrawals from ATMs. And the consumer’s cash goes missing until a theft is reported and reimbursement carried out, which can take several days.

“You should always be watching your statements for unauthorized transactions but right now people should be extra vigilant,” says Steve Coggeshall chief technology officer at ID Analytics.

Retailers are also uniquely exposed. Some 46 states have now enacted data breach disclosure laws that require merchants and payment card issuing banks and credit unions to notify customers whose card numbers are stolen.

Many of these data loss disclosure laws impose stiff fines if notifications are not done in a timely manner, says Ted Julian, of Co3, a Cambridge, Mass.-based start-up that helps retailers manage the repercussions of credit card theft.

States could pursue a windfall in fines levied against merchants and card-issuing banks and credit unions who are slow to notify consumers that their credit or debit card number is in criminals’ hands. “Merchants are definitely on the hook for these state disclosures, because they are the ones who have the consumer relationship,” Julian says.

Cyberthieves are stepping up phone-calling scams to pilfer from consumers’ online banking accounts.

In the second half of 2011, Pindrop Security detected more than 1 million fraudulent calls, including 189,439 in December, a 52% spike from the 124,258 calls tracked in July, according to a first of its kind reporte released Thursday.

“Mobile is a growth area for online banking fraud,” says Stan Stahl, president of the Los Angeles chapter of the Information Systems Security Association, a tech professionals group that’s working with financial institutions to stem all forms of online banking fraud.

Many of the bogus calls were tied to caller ID spoofing – a way to place a phone call that causes the recipient’s phone to display a caller ID number that appears to originate from a trusted party.

Phone call spoofers often begin by luring a cell phone user into divulging account information via an automated call or text message that appears to come from the user’s bank. Next, the crooks call the bank, spoofing a patron’s phone number and correctly answering security questions to trick the customer rep into carrying out fraudulent cash transfers or issuing new credit cards to mailing addresses they control.

The use of spoofed calls to hijack online banking accounts is one slice of a thriving, multi-billion dollar online banking fraud industry. Cyber robbers also spread poisoned links on webpages and in e-mail and on social networks to take control of consumers’ PCs. They then embed programs, called banking Trojans, that let them stealthily tap into online banking accounts.

Billions stolen

Based on cases it has worked on with law enforcement and victim companies, Dell SecureWorks estimates that small- and medium-sized businesses in the U.S. and Europe lose as much $1 billion a year from online banking accounts. The financial services industry contends the security of computing devices is the responsibility of the companies and often do not reimburse theft losses from online business accounts.

The financial services industry often does not reimburse such losses. “We’d expect business owners to be a bit more savvy and have more resources at their fingertips,” says Carol Kaplan, spokeswoman for the American Bankers Association. “That doesn’t mean we’re not seriously concerned about the problems small businesses are having, and there continues to be huge gobs of investment into shoring up security.”

Results of an ABA survey of 95 financial institutions, released exclusively to USA TODAY, show the number of commercial account takeovers by cybercrooks rose 260% in 2011 vs. 2009. However, the average loss per victimized company decreased 92% during the same period.

“Financial institutions are becoming more effective at stopping illicit transactions from being executed,” says Doug Johnson, the ABA’s vice president of risk management policy.

Individual consumers are getting hit too, but typically get made whole by the banks — if they catch and report theft from online accounts quickly. In those instances, the banks bear the loss.

“It is incredibly difficult to measure losses from consumer accounts, but it’s probably higher than $1 billion a year,” says Dale Gonzalez, Dell SecureWorks mobile product strategist. Droves of less-skilled cyberthieves, equipped with free, easy-to-use account hijacking tools “are absolutely targeting consumers,” Gonzalez says.

Spoofed call attacks, in particular, are catching on because they are easy to do and difficult to defend, law enforcement  officials and security analysts say. Consumers’ names, phone numbers and e-mail can be purchased inexpensively from hackers who specialize in cracking into databases, like the gang that swiped 24 million customer records from online  shoe retailer Zappos.

Easy pickings

What’s more caller ID spoofing techniques are trivial to master; free and cheap automated programs are readily available on the Internet. In the last six months of 2011, bogus calls were placed in connection with online banking scams directed at 30 of the 50 largest financial institutions in the U.S., says Pindrop CEO Vijay Balasubramanian.

“We are continuing to see this rising trend,” says Balasubramanian. “There appears to be a network effect as word of successful scams gets relayed to other fraudsters.”

ISSA’s Stahl says tech companies and banks need to do more to stem the tide of attacks. Part of the solution: being more transparent to small businesses and consumers about the risks of online banking.

“Online bank fraud is at epidemic levels, there’s no question about that,” Stahl says. “Right now there is inadequate security against the many kinds of attacks that lead to online banking fraud, and that’s only going to get worse, not better.”

Nearly one in five mobile phone users have experienced some type of security threat with their device. That’s the finding of a Cloudmark survey of 1,000 cellphone users, scheduled to be released Tuesday.

Poisoned text messages, nearly non-existent in the U.S. a few years ago, grew 300% in 2010 and 400% in 2011, accounting for about 1% of all text messages. “We’ve gone from totally clean to a trickle,” says Rachel Kinoshito, head of Cloudmark’s security operations. “Most people are seeing about one a month.”

That foothold is part of a broader concern. Variations of scams that infest the Internet, through PC browsers, have begun spreading on a meaningful scale through mobile devices. And it looks like the bad guys are just getting warmed up.

One type of poison text message involves tricking people into signing up for worthless services for which they get billed $9.99 a month. Another type lures them into doing a survey to win a free iPhone or gift card. Instead, the attacker gets them to divulge payment card or other info useful for identity-theft scams.

“Malicious attacks have exploded well beyond e-mail, and we are very aware of their move to mobile,” says Jacinta Tobin, a board member of the Messaging Anti-Abuse Working Group, an industry group combating the problem.

Meanwhile, hackers are repurposing skills honed in the PC world to attacks on specific mobile devices. Particularly, handsets using Google’s Android operating system are frequently the target of hackers. In December, anti-virus company F-Secure tracked down 1,639 unique malicious Android apps — disguised as free apps and circulating on websites across the Internet. That’s up from 48 in January 2011.

One type offered and delivered a free copy of the popular Angry Birds game. But the victim is also unwittingly signed up for a premium-rate texting service and charged an extra $10 a month on his or her phone bill, says F-Secure researcher Sean Sullivan.

Network security company Juniper Networks says the pool of bad apps it has been tracking swelled 86% in February from January. Nearly half of the poisoned Android apps analyzed by Juniper were classic spyware, says Dan Hoffman, head of Juniper’s mobile security business.

“We’ve identified malware that can steal credentials from e-mail and mobile banking applications,” Hoffman says. “These attacks can be devastating.”

The online industry is on high alert. The working group— whose members include AT&T, Verizon, Comcast, Facebook, PayPal and Time Warner— convened in San Francisco last month to join forces on defending new mobile threats.

“We need to stay ahead of what’s happening with mobile abuse, social networking abuse and malware,” says Tobin. “It makes sense for us to collaborate across all these channels.”

For more information about reprints & permissions, visit our FAQ’s. To report corrections and clarifications, contact Standards Editor Brent Jones. For publication consideration in the newspaper, send comments to letters@usatoday.com. Include name, phone number, city and state for verification. To view our corrections, go to corrections.usatoday.com.

“We urge the Administration to ensure that it carries out this process in a fair and transparent manner, and that consumer voices are heard and acted on,” Susan Grant, Director of Consumer Protection at Consumer Federation of America, adds:

In an unusual move, the White House convened a press conference at 4:30 p.m. Eastern on Wednesday to announce the details, imposing an embargo – which all media outlets accepted without question – to midnight. Here are the seven rights:

• Individual Control: Consumers have a right to exercise control over what personal data organizations collect from them and how they use it.
• Transparency: Consumers have a right to easily understandable information about privacy and security practices.
• Respect for Context: Consumers have a right to expect that organizations will collect, use, and disclose personal data in ways that are consistent with the context in which consumers provide the data.
• Security: Consumers have a right to secure and responsible handling of personal data.
• Access and Accuracy: Consumers have a right to access and correct personal data in usable formats, in a manner that is appropriate to the sensitivity of the data and the risk of adverse consequences to consumers if the data are inaccurate.
• Focused Collection: Consumers have a right to reasonable limits on the personal data that companies collect and retain.
• Accountability: Consumers have a right to have personal data handled by companies with appropriate measures in place to assure they adhere to the Consumer Privacy Bill of Rights.

Watering down

Simpson

“The real question is how much influence companies like Google, Microsoft, Yahoo and Facebook will have intheir inevitable attempt to water down the rules that are implemented and render them essentially meaningless,” says John Simpson, spokesman for Consumer Watchdog. ” I am skeptical about the ‘multi-stakeholder process’, but am willing to make a good faith effort to try it.

Simpson and others remain concerned about the Commerce Department’s role in shaping consumer privacy protections. ” Commerce’s job — quite correctly — is to promote the interests of business, not protect consumers,” he says. “If nothing else, the report demonstrates the growing concern about online privacy. Perhaps this is one of the few issues where true bipartisan action will be possible this year.”

As proposed by the White House, the bill of recognizes the need to for heightened protections for children and teens on the Internet.

“If we want to ensure that the Internet economy continues to be strong and vital, consumers need to be able to trust that the information collected about them will not be misused. This announcement sets the stage for that to begin to happen,” says Ellen Bloom, Senior Director of Federal Policy for Consumers Union, the policy and advocacy arm of Consumer Reports.

Power moves

The next steps will entail Washington D.C.-style power brokering, says Jeffrey Chester, executive director of the Center for Digital Democracy.

Chester

“The new framework largely depends on the development of voluntary codes of conduct, to be negotiated between consumer groups and companies like Google, Facebook, Microsoft, Yahoo and others, Chester says. “Consumers groups will engage in these negotiations in good faith. But we cannot accept any ‘deal’ that doesn’t really protect consumers, and merely allows the data-profiling status quo to remain.”

Another part of the White House privacy framework calls for the Digital Advertising Alliance to add to its efforts to self-police its members by improving  an existing Do Not Track mechanism many of its members already make available to consumers.

” The plan by the DAA to add Do-Not-Track to its self-regulatory system could derail a promising privacy effort by the Worldwide Web Consortium standards group (W3C) that is being designed to give consumers greater control over data collection,” contends Chester. “The new DAA scheme will enable companies to continue to collect profiling data on users, and merely prevent the delivery of targeted ads. DAA members are terrified about the development of a DNT system with teeth, which would stop so much data collection, profiling and tracking.”

California cracks down

On a parallel track, the Associated Press reports that  California is cracking down on invasive mobile apps.

California Attorney General Kamala Harris is calling for the tech giants vying in the mobile space — Apple, Google, Microsoft, Amazon Research In Motion and Hewlett-Packard  — as well as thousands of mobile app developers to give people advance warning before extracting and storing sensitive information from smartphones and tablet PCs.

Harris began discussing the need for better privacy protections with six powerful companies that have shaped the mobile computing market, spawning nearly 1 million applications over the past four years, the AP reports.

“We are assuming everyone is going to cooperate in good faith and not get cute,” Harris told AP reporter Mike Liedtke.

Harris , a Democrat, is taking her stand out west, at the same time fellow Californian, Mary Kay Bono, a Republican Congresswoman, and several other Republican lawmakers are clamoring for more details about Google and Facebook conduct online tracking. The tech giants put themselves in the spotlight by recently announcing new initiatives to extend how they index and cross-reference data about what consumer do on their PCs and mobile devices.

Google has begun rolling out a new user privacy policy that will make it easier for the search giant to correlate information about anyone who uses multiple Google services, such as Google search, plus Gmail, Google Apps, YouTube, Picasa or Google+.  Facebook is rolling out a new user interface — Timeline — that makes it easier to search and digest chronologically-assembled data about a person. Each is trying to out do each other in a race to sell more online advertising. Each insists  they  provide consumers with ample choice and control over such tracking data.