A fuel distribution firm in North Carolina lost more than $800,000 in a cyberheist earlier this month. Had the victim company or its bank detected the unauthorized activity sooner, the loss would have been far less. But both parties failed to notice the attackers coming and going for five days before being notified by a reporter.

Organized cyber thieves began siphoning cash from Mooresville, N.C. based J.T. Alexander & Son Inc. on the morning of May 1, sending money in sub-$5,000 and sub-$10,000 chunks to about a dozen “money mules,” people hired through work-at-home job scams to help the crooks launder the stolen money. The mules were paid via automated clearing house (ACH) payment batches that were deducted from J.T. Alexander’s payroll account.

The attackers would repeat this process five more times, sending stolen funds via ACH to more than 60 money mules. Some of those mules were recruited by an Eastern European crime gang in Ukraine and Russia that I like to call the “Backoffice Group.” This same group has been involved in nearly every other cyberheist I have written about over the past four years, including last month’s $1.03 million theft from a nonprofit hospital in Washington state.

David Alexander, J.T. Alexander & Son’s president, called the loss “pretty substantial” and “painful,” and said his firm was evaluating its options for recouping some of the loss. The company has just 15 employees that get paid by ACH payroll transactions every two weeks. At most, J.T. Alexander’s usual payroll batch is around $30,000. But in just five days, the thieves managed to steal more than a year’s worth of employee salaries.

The company may be able to recoup some of the loss through insurance: J.T. Alexander & Son Inc.’s policy with Employer’s Mutual Casualty Company (EMC) includes a component that covers cyber fraud losses, but the coverage amount is far less than what the victim firm lost.

“They’ve got some specific coverage, but unfortunately the amount of coverage they’ve got is not going to cover anywhere near the amount of money they lost,” said Jim Mitchell, an adjuster for EMC.

According to J.T. Alexander & Son, the company’s bank – Peoples Bancorp of North Carolina Inc., a state-chartered bank with $1.1 billion in assets and 22 branches across the state — had just upgraded its security system a month prior to the cyberheist. Before the upgrade, the company’s controller had to enter a login ID, password and then enter a six-digit code that was read by an automated system at the bank that would call them.

“Also, it used to be we could only access the bank’s site from my computer,” said Kristie Williams, who works in accounting and finance for J.T. Alexander. “The way [the bank] changed it, anybody anywhere could access it as long as they had my login, and apparently that’s what happened because the logins came from a different IP address than our normal one. I think they made it more convenient, but less secure. I wasn’t aware all of that had changed.”

Peoples Bank did not return calls seeking comment.

These types of cyberheists — in which neither the victim organization nor its financial institution notice the theft for days on end — can be especially costly. It’s difficult to assign blame for such incidents to either the victim or its bank — there were failures on both parts, to be sure — but typically the liability for these breaches lies with the victim. That’s why it’s vitally important for small businesses that wish to bank online to assume they are targets of organized crime and to take the necessary precautions, wherever possible.

If you run a small business and manage your company’s accounts online, please take a moment to read my list of recommendations here: Online Banking Best Practices for Businesses.

The internet is abuzz with news that beleaguered security company RSA, which suffered a security intrusion and theft of trade secrets back in March, is offering to replace its customers’ security tokens.

Security tokens are used in two-factor authentication to add additional strength to conventional password-based logins.

The simplest sort of token generates and displays a sequence of pseudo-random numbers, with a new number appearing every minute or so. You enter this ever-changing number as well as, or instead of, your regular password.

The theory behind time-based token authentication is that only your authentication server and the token itself can reproduce the pseudo-random stream. So, if you don’t have possession of the token, you’ll never know the password-of-the-minute.

And if a crook should shoulder-surf or keylog your current token number, it’ll be worthless next time. That should make you much more secure than relying on a password you use over and over again.

But one concern over RSA’s security breach was that some of the trade secrets stolen might allow cybercrooks to work out a token’s pseudo-random number sequence. Of course, this would destroy the very foundations of RSA token security.

RSA didn’t do itself many favours when it first commented on the breach, playing its cards rather close to its chest and not saying much more about the ongoing security of its tokens than:

"we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers."

Sadly, RSA’s confidence may have been misplaced, with recent attacks on US defence contractors linked with the compromise of RSA token security.

Under this sort of pressure – and perhaps still reluctant to give away too many technical details for fear of making a bad thing worse – RSA has just announced a free replacement plan for users of its tokens.

That’s going to be a big job. But is it going to be quite as big as PC World suggests when it says that RSA “will replace [SecurID] tokens for any customer that asks“?

RSA’s open letter on the subject isn’t quite as clear-cut.

It looks as though RSA will only replace your tokens for free if you are a customer:

"with concentrated user bases typically focused on protecting intellectual property and corporate networks."

Those sound rather like weasel-words to me. What is a “concentrated user base”? If you directly protect your own corporate network, are you covered? Or is RSA only offering to cover you indirectly, as the customer-of-a-customer, by helping your reseller?

What if you’re a boutique ISP with a webmail service who has taken the extra step of offering selected users two-factor authentication? Is your user base concentrated enough? Are you protecting intellectual property, or just casual chatter?

And if you do swap out your old tokens, will you be given enough information to satisfy yourself that the new tokens don’t have the same flaws as the old ones?

What do you think? Take part in our poll – and be thankful you’re not working in one of RSA’s call centres or help desks right now!

Fox News is reporting that US military contractor Northrop Grumman may have suffered a hacking attack on its networks.

If true, the defense giant will be joining the likes of L-3 Communications and Lockheed Martin who have both been targeted in recent weeks by cyber attacks.

According to Fox News, Northrop Grumman unexpectedly shut down remote access to its network on May 26th, just five days after Lockheed Martin detected that unauthorised persons had infiltrated its systems.

A anonymous source at Northrop Grumman, which is the US’s second-largest defense contractor, told Fox News that the sudden lockdown was a shock to staff:

"We went through a domain name and password reset across the entire organization. This caught even my executive management off guard and caused chaos. I've been here a good amount of time and they've never done anything this way - we always have advanced notice."

Speculation is rising that what links the L-3, Lockheed Martin and Northrop Grumman security breaches are RSA’s SecurID tokens – devices used by many organisations worldwide to provide two factor authentication for remote staff.

In March, RSA admitted that it had been hacked, and some of the information stolen was specifically related to their SecurID two-factor authentication products.

RSA, the security division of EMC, hasn’t been forthcoming about the precise details of what was taken when they were hacked – but now that a third military contractor appears to have suffered as a consequence, there will be many firms keen to hear more details of how they should protect themselves.

US military contractor L-3 Communications, whose customers include the US Department of Defense, has been named in a news report as having been targeted in attacks by external hackers.

According to reports, L-3 warned 5,000 employees in April about an attempted hack against the company’s network using forged RSA SecurID tokens.

The claim, by Wired magazine, follows news earlier this week that US military giant Lockheed Martin had been subject to its own hacking attack, with RSA SecurID token security once again in the frame.

An anonymous source told Wired that L-3 “uses SecurID for remote employee access to the unclassified corporate network, but classified networks at the company would not have been at risk in the attack.”

RSA Security, a division of EMC, admitted in March that it had been hacked, and that some of the information stolen was specifically related to RSA’s SecurID two-factor authentication products.

There will obviously be some who will point fingers at China as likely suspects for the probes into the networks of US military suppliers, but until some evidence is made public it’s only going to be speculation.

As RSA has chosen to keep largely schtum about what was taken from them – and we can hardly expect the military contractors to share much detail – your guess is as good as mine right now.

What does seem clear, however, is that stories of hacking into military and government systems has never had a higher profile. Bear that in mind when you read news reports that The Pentagon is working on a Cyber Defense Strategy that could see an internet attack treated as though it were an “act of war”.

Hackers have broken into the network of Lockheed Martin and several other US military contractors, according to media reports.

Lockheed Martin, has described the attack as “significant and tenacious”.

Blogger Robert Cringely claimed that Lockheed Martin first detected the security breach last weekend (a fact later confirmed by the weapons maker in a press statement). In response to the attack the firm is said to have promptly blocked all remote VPN access to their internal network, and informed over 100,000 users that they would have to change their passwords.

In addition, it’s claimed that all Lockheed personnel with RSA SecurID tokens will be given new tokens.

From the sound of things, Lockheed Martin took swift and sensible action. It was wise of them to take the step of shutting down access to its internal networks as a precaution, once it believed that unauthorised users may have breached its systems.

The mention of RSA SecurID tokens, though, is interesting. They’re the devices used by many companies and organisations to provide two factor authentication to allow provide workers with a more secure way of proving they are who they say they are than just providing a username and password.

You may have used something similar when accessing your online bank account – for instance, a keyfob that displays a sequence of numbers that changes every 30 seconds or so.

The reason why this raises eyebrows is that back in March, RSA admitted that it had been hacked, and some of the information stolen was specifically related to RSA’s SecurID two-factor authentication products.

However, RSA has never made public details of precisely what kind of data was stolen – leading to speculation that the security of the widely-used SecurID tokens might have been compromised.

Is it possible that whatever information was stolen from RSA helped the hackers break into Lockheed Martin? If that’s the case, that’s worrying news for businesses around the world.

An unnamed source with direct knowledge of the attacks is said to have confirmed to Reuters that other military contractors have also been compromised.

It’s important to realise that all of these companies are victims of a criminal act – the authorities will no doubt be keen to uncover who is behind these attacks, and where they might have originated from. Only time will tell if those questions are ever answered satisfactorily.

Update: Lockheed Martin has now confirmed the attack, claiming that its “systems remain secure; no customer, program or employee personal data has been compromised.”

Here’s the meat of the statement by Lockheed Martin about the hack:

On Saturday, May 21, Lockheed Martin (NYSE: LMT) detected a significant and tenacious attack on its information systems network. The company's information security team detected the attack almost immediately, and took aggressive actions to protect all systems and data. As a result of the swift and deliberate actions taken to protect the network and increase IT security, our systems remain secure; no customer, program or employee personal data has been compromised.

Throughout the ongoing investigation, Lockheed Martin has continued to keep the appropriate U.S. government agencies informed of our actions. The team continues to work around the clock to restore employee access to the network, while maintaining the highest level of security.

To counter the constant threats we face from adversaries around the world, we regularly take actions to increase the security of our systems and to protect our employee, customer and program data. Our policies, procedures and vigilance mitigate the cyber threats to our business, and we remain confident in the integrity of our robust, multi-layered information systems security.