Saturday, November 10, 2012

China could be behind Twitter password reset


Twitter sent notices of an attempted hacking to China-based foreign journalists and analysts just hours before apologizing for resetting the passwords of more users than necessary in a recent break-in of accounts.
The Voice of America reported Thursday that the emailed warnings did not say who was behind the hacking attempts. Chinese Internet users have had difficulty in accessing foreign websites and using virtual private networks (VPN) to avoid government censorship, the U.S.-funded VOA said.
Twitter routinely sends warnings when it believes a person's account has been hacked. The microblogging site then forces the person to reset his password. On Thursday, the company apologized for resetting more passwords than necessary to protect users from a recent hacking.
"In this case, we unintentionally reset passwords of a larger number of accounts, beyond those that we believed to have been compromised," Twitter said in a tweet. "We apologize for any inconvenience or confusion this may have caused."
Twitter, which did not respond to a request for comment, has provided no details on the hacking. However, VOA reported that journalists and analysts have been expecting a censorship crackdown as China's Communist Party begins meetings to set in motion a leadership change.
David Bandurski, head of the China Media Project in Hong Kong, told VOA he received a warning that his Twitter account had been hacked just as he was tweeting about Chinese President Hu Jintao's speech at the 18th Party Congress.
"I had someone else, a programmer, look at it and say that's a legit message from Twitter," Bandurski told VOA. "Beyond that I don't know what that means or who could be behind it. I have my guesses that I won't hazard, but I'm not sure what to say other than that it's an annoyance."
Contacted by email, Bandurski declined to provide more details. "I've been very careful to explain to reporters that I'm not speculating about what happened, that they need to find out from Twitter," he said.
Prolexic, a security vendor specializing in distributed denial of service (DDoS) attacks, said it had not seen any significant changes in activity out of China. "It has maintained its position as one of the top three countries originating DDoS traffic over the last 2 quarters," a spokesman said.
Hackers with stolen user names and passwords will hijack Twitter accounts to distribute links that send users to malicious websites. Cybercriminals are also opening accounts to tweet commands to malware controlling compromised PCs, McAfee reported recently in its second quarter Threats Report.
Overall, four in 10 social network users have been victims of cybercrime on the platforms, according to Symantec's 2012 Norton Cybercrime Report. In addition, one in six reported that someone had hacked into their profile and pretended to be them.
A U.S. commission has fingered China as the biggest cyberthreat, due to relentless attacks against U.S. military systems and defense contractors. The U.S.-China Economic and Security Review Commission is scheduled to release its findings to Congress next month.

Shareholders kept in the dark on data breaches


It happened more than three and a half years ago, so it would presumably be old news that Chinese hackers broke into soft drink behemoth Coca-Cola's computer systems and stole confidential files relating to its effort to acquire the China Huiyuan Juice Group for $2.4 billion.
But it is just coming to light now, through a report earlier this week in Bloomberg Businessweek. The story said the FBI contacted Coke executives on March 15, 2009, and told them hackers had been inside their system for a month. The attempted deal for Huiyuan collapsed three days later.
The U.S. Securities and Exchange Commission (SEC) requires companies to report to their shareholders any "material losses" from attacks, plus any information "a reasonable investor would consider important to an investment decision."
Meredith Cross, director of the SEC's division of corporation finance, told Businessweek, "We think reasonable investors could care, depending on the specific facts and circumstances."
But Coca-Cola never disclosed the breach to its investors. Most companies don't. Bloomberg reported on breaches of the British energy company BG Group, Chesapeake Energy and others that were never disclosed to investors.
When questioned about it, most company officials or representatives either declined to comment, or declared that they were in full compliance with all applicable laws.
The response of Coca-Cola spokesman Kent Landers was typical. "We make disclosures in our public filings when we believe they are appropriate and in accordance with the requirements of the federal securities laws," he told Businessweek.
One reason for the lack of transparency may be that Coca-Cola didn't discover the breach itself. It took notification from the FBI. That is common. Security experts regularly point out that many companies don't know they have been hacked until a third party tells them.
Breach victims also frequently don't know what was taken, who took it and how it is being used. So, since it is difficult to put a value on the loss, they argue that it is not a material event, and therefore not subject to that SEC regulation.
David C. Vladeck, director of the Federal Trade Commission's (FTC) Bureau of Consumer Protection, made that point at a recent press conference, saying that the question of when major data breaches should be reported is "difficult. We don't necessarily have the right answers."
Stewart Baker, a partner at Steptoe & Johnson LLP and former assistant secretary for policy at the Department of Homeland Security, told Businessweek, "All of the ambiguities stack the deck against disclosure."


NYC corporate partnership seeks fresh financial tech


A partnership of New York City businesses has put out a call for innovative financial technologies.
Sponsored by The Partnership for New York City Fund and Accenture, the FinTech Innovation Lab seeks novel technologies that would benefit the financial services sector. The six winners of the annual contest will have the opportunity to present their technologies to top executives at some of the city's most powerful financial firms.
The goal is to spark "a new financial technology sector in New York," as well as to "find interesting technologies for the financial institutions," said Maria Gotsch, president and CEO of The Partnership for New York City Fund, an organization funded by New York businesses to bring more jobs to the city.
Gotsch said that New York financial firms often have to seek expertise in Silicon Valley or other locales outside New York to find competitive new technologies. So the partnership wants to bring more financial technology firms to the city. "The program is explicitly set up with a New York-centric focus for that reason. It would put the banks closer to innovation. We're a center of financial services so we should be the center of financial technology," Gotsch said.
The 2013 contest, the third annual iteration, will focus on finding new capabilities in data and analytics, mobile and wireless, payments, risk management, security, social media, and collaboration. Companies with innovative financial technologies in other realms are encouraged to apply as well.
Winning companies will participate in a 12-week program that provides access to venture capitalists and top-level financial industry executives. "It really is a mentoring relationship. The banks bring in the right people for the product and give [the winners] feedback," Gotsch said.
"It is difficult to find the right person to talk to, and get their attention. This program tries to solve that problem," Gotsch said.
Businesses applying do not need to be headquartered in New York City. Should a business win, however, its senior staff should be prepared to spend 12 weeks in New York. The partnership is hoping that the winners will eventually set up offices in the Big Apple, where they can continue to enjoy close proximity to their customer base.
There is no size restriction on the companies that can apply. Companies can either be in the early stage with a prototype or already have a product on the market. Even established software companies can enter the contest if they wish to expand the use of an established technology into the financial sector.
Financial firms participating in the lab include American Express, Bank of America, Barclays, Capital One, Citigroup, Credit Suisse, Deutsche Bank, Goldman Sachs, JP Morgan Chase and Morgan Stanley. Participating venture capital firms include Bain Capital Ventures, Contour Venture Partners, Rho Ventures and Warburg Pincus.
Applications must be submitted by Dec. 19. Winners will be announced in April.
Joab Jackson covers enterprise software and general technology breaking news for The IDG News Service. Follow Joab on Twitter at @Joab_Jackson. Joab's e-mail address is Joab_Jackson@idg.com


Manufacturer sues IBM over SAP project 'disaster'


IBM has been slapped with a multimillion-dollar lawsuit by chemical products manufacturer Avantor Performance Materials, which alleges that IBM lied about the suitability of a SAP-based software package it sells in order to win Avantor's business.
In 2010, Avantor decided to upgrade its ERP (enterprise resource planning) platform to SAP software, according to the lawsuit, which was filed Thursday in U.S. District Court for the District of New Jersey.
"Seizing upon Avantor's decision and fully aware that, given the competitive pressures of Avantor's industry, and the specialized demands of its customers, Avantor could not tolerate any disruptions in customer service, IBM represented that IBM's 'Express Life Sciences Solution' ... was uniquely suited to Avantor's business," the lawsuit states. "The Express Solution is a proprietary IBM pre-packaged software solution that runs on an SAP platform."
But Avantor discovered a different truth after signing on with IBM, finding that Express Life was "woefully unsuited" to its business and the implementation brought its operations "to a near standstill," according to the suit.
IBM also violated its contract with Avantor by staffing the project with "incompetent and reckless consultants" who made "numerous design, configuration and programming errors," it states.
In addition, IBM "intentionally or recklessly failed" to tell Avantor about risks to the project and charged toward a go-live date, the suit alleges.
"To conceal the System's defects and functional gaps, IBM ignored the results of its own pre-go-live tests, conducted inadequate and truncated testing and instead recommended that Avantor proceed with the go-live as scheduled even though Avantor had repeatedly emphasized to IBM that meeting a projected go-live date was far less important than having a fully functional System that would not disrupt Avantor's ability to service its customers," the suit states.
The resulting go-live, which occurred in May, "was a disaster," with the system failing to process orders properly, losing some orders altogether, failing to generate needed paperwork for U.S. Customs officials and directing "that dangerous chemicals be stored in inappropriate locations," the suit states.
Avantor has suffered tens of millions of dollars in monetary damages, as well as taken a hit to its reputation among partners and customers, the suit states.
For example, before the go-live, IBM and Avantor had met with one of Avantor's biggest customers, which voiced worry that its EDI (electronic data interchange) with Avantor for product ordering wouldn't work after the changeover, and IBM assured the customer that it would, according to the suit. "In fact, the EDI interface immediately failed upon go-live."
"IBM, meanwhile, has already pocketed over $13 million in fees from Avantor for a systems implementation project it mismanaged and was unable to perform properly," it adds. "Incredibly, IBM is now seeking to profit from its misconduct by demanding millions of dollars in additional fees to redesign and rebuild the defective System it implemented."
IBM spokespeople didn't respond to calls and emails for comment on Friday.
Avantor's suit does state that IBM made efforts to right the project's course, albeit ultimately ineffective ones, following a June meeting with Avantor's then-CEO, Rajiv Gupta.
IBM "began to acknowledge the severity of the situation" and replaced many of the original consultants, according to the suit. These workers did extensive redesign and programming.
In July, "IBM told Avantor to cancel every pending order and reset the entire System in light of pervasive warehouse problems," it states. "IBM said this was necessary to discover the root cause of the problem. Ultimately, IBM acknowledged that it had to engage in extensive remedial efforts to redesign and rebuild the System that Avantor hired it to deliver."
"Numerous" IBM workers have told Avantor personnel that IBM failed to manage the project correctly and use SAP "best practices," according to the complaint.
IBM workers even called the project the worst SAP implementation they'd ever seen, it adds.
Avantor is seeking assorted damages in an amount to be determined at trial.
In many respects, the lawsuit reflects other high-profile litigation over SAP projects.
But Avantor broke from tradition by calling attention to its lawsuit via a press release, as companies suing systems integrators and ERP vendors rarely actively seek publicity.
One famous exception came several years ago when Waste Management sued SAP over an allegedly failed project. Waste Management won a sizable settlement from SAP after a public bout of ugly back-and-forth allegations.
It wasn't immediately clear Friday whether Avantor also plans to initiate legal action against SAP, or even has grounds to do so.
An SAP spokesman said Friday he hadn't been aware of Avantor's suit against IBM and declined comment.
Chris Kanaracus covers enterprise software and general technology breaking news for The IDG News Service. Chris' email address is Chris_Kanaracus@idg.com


Symantec broadens encryption options for Apple mobile devices, Dropbox file-sharing


Symantec this week announced two new data encryption options: file-based encryption for use with Dropbox, and an extension to the Apple iOS mail client that encrypts and decrypts documents.
Symantec Mobile Encryption for iOS works with Apple tablets and smartphones and will be available in January, according to Tim Matthews, senior director of product marketing in the Symantec division that continues to develop encryption products based on technology acquired in the PGP Corp. acquisition two years ago. The second product, Symantec File Encryption for Dropbox, lets companies ensure that any file saved and stored to the Dropbox cloud-based file storage service will be encrypted.
"The company sets the policy," said Matthews, noting there's a lot of concern in the corporate world about the security of files left in cloud-based file sharing services such as Dropbox. The encryption for Dropbox files can also be used without setting a group policy. Symantec may develop something similar for other cloud-based services, but the popularity of Dropbox prompted it to address file encryption for that service first. It's expected to cost $225 per user.
Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security. Twitter: @MessmerE. Email: emessmer@nww.com.