Friday, December 10, 2010

Exclusive: “Anonymous” speaks out about WikiLeaks payback

A group that refers to itself as Anonymous has taken credit for a recent string of high-profile cyber attacks against the websites of businesses, banks and politicians that have either spoken out against or stopped doing business with WikiLeaks.


The cyber attacks, dubbed Operation Payback, target those who have caved in to US government pressure to shun the whistleblower website, which recently released thousands of classified US diplomatic cables.

The activist hackers have attacked MasterCard.com, PostFinance, Visa, Paypal.com, and others.

For the first time, in an exclusive interview with RT’s Alyona Minkovski, an unidentified representative of the group explained they will always have technology on their side and be one step ahead to continue to fight challenges to free speech.

The goals are to show these companies that people are willing to fight for the vindication of WikiLeaks.

“We have been DDoS’ing sites,” he explained. “We have been flooding them with traffic so other people cannot use them and they have been taken down like this and they cannot operate like this anymore. We’ve been attacking them, we’ve been DDoS’ing them so people can’t buy things, people can’t make transactions.”

He explained that the rationale is to send a message to the companies and individuals who are withholding money from WikiLeaks and refusing it service, specifically citing Paypal.com.

“Anyone can do it. Anyone has a voice that can stand up and do it,” the representative said. “They can just load up a browser, type in the details; they can volunteer for this, and have a voice of their own.”

However, to do so would be illegal in most countries. But he pointed out that the chances of getting caught are practically zero. His organization coordinates the attacks, but the attacks themselves are carried out by a massive team of volunteers around the world who are well aware of the risk.

Since the attacks began, “Anonymous’” Facebook and Twitter accounts have been suspended, but the representative explained that action has had little impact on their efforts.

The attacks and actions by the group are a protest, a revolution, he explained.

Although the media had reported that the group planned coordinated attacks on Amazon.com, the group's representative said they had no malicious plans to take on Amazon and had not attempted to. He also said the group was not responsible for any coordinated attacks or hacks on Sarah Palin, although she claims to have been a target.

“We don’t really care about Sarah Palin that much, to be honest. I don’t really know what she’s trying to accomplish or what attention she is trying to gain. We personally don’t care about Sarah Palin,” he added.

Friday, December 3, 2010

Congress Considers Change to 'Red Flags Rule'

The American Bar Association has been battling for more than a year to exempt lawyers from new regulations designed to fight identity theft. Now, Congress has decided to step in.


With no fanfare and no recorded vote late Tuesday, the Senate approved legislation that could accomplish what the ABA was hoping to achieve. The bill would narrow the definition of “creditor” under the Fair and Accurate Credit Transactions Act of 2003, likely ensuring that lawyers would not meet the new definition.

An ABA spokeswoman said the group is optimistic about House passage, possibly this week.

The regulations over identity theft were written by the Federal Trade Commission, and they’re popularly known as the “Red Flags Rule.” FTC regulators have interpreted the term “creditor” to include those who perform services and get paid at a later date, as many lawyers do. Other professional groups, including accountants and physicians, have protested their inclusion, too.

The bill, S. 3987, would define a creditor largely as someone who uses credit reports, furnishes information to credit reporting agencies or “advances funds…based on an obligation of the person to repay the funds or repayable from specific property pledged by or on behalf of the person.”

Sen. John Thune (R-S.D.) introduced the bill Tuesday with Sen. Mark Begich (D-Alaska) as a co-sponsor. In a prepared statement, they said the FTC was threatening small businesses.

“Small businesses in South Dakota and across our country are the engines of job growth for America,” Thune said. “Forcing them to comply with misdirected and costly federal regulations included in the FTC Red Flags Rule will hurt their ability to create jobs and continue growing our economy.”

ABA President Stephen Zack said in a prepared statement: “Last night’s Senate vote to clarify the rule so that lawyers are clearly not included was a critical step in ending a bureaucratic effort to solve a non-existent problem with paper-pushing regulations that would have increased legal costs.”

The fight over the Red Flags Rule has also played out in court after the ABA sued the FTC. In October 2009, U.S. District Judge Reggie Walton of the District of Columbia ruled in favor of the ABA. The U.S. Court of Appeals for the D.C. Circuit heard the FTC’s appeal last month.

Tuesday, November 23, 2010

After FTC Settlement, LifeLock Refund Checks Going out

The check is in the mail for nearly a million LifeLock customers, after the provider of identity-theft protection services settled accusations of deceptive advertising.

The checks, for US$10.87, started going out Wednesday, according to the U.S. Federal Trade Commission, which is managing part of the $12 million settlement.

LifeLock drew attention after CEO Todd Davis published his Social Security number in company advertisements, saying he was so confident in his company's services that he was making it public. It was later discovered that Davis had become the victim in at least 13 cases of identity theft.

The FTC and 35 state attorneys general accused LifeLock of making false claims, saying it didn't protect against some of the most common types of identity theft, such as theft from existing bank accounts. They reached the settlement with LifeLock in March, and the checks are being mailed as part of it.

In March, LifeLock said it was pleased with this agreement because it set advertising guidelines for the entire identity-theft protection industry.

The checks are being sent to 957,928 people who signed up for LifeLock's $10-per-month identity-theft protection service. Customers will have 60 days to cash their checks. The refund's administrator has set up a toll-free number for people with questions at 1-888-288-0783.

Thursday, October 14, 2010

Dozens charged with largest Medicare scam ever

A vast network of Armenian gangsters and their associates used phantom health care clinics and other means to try to cheat Medicare out of $163 million, the largest fraud by one criminal enterprise in the program's history, U.S. authorities said Wednesday.


Federal prosecutors in New York and elsewhere charged 73 people. Most of the defendants were captured during raids Wednesday morning in New York City and Los Angeles, but there also were arrests in New Mexico, Georgia and Ohio.

The scheme's scope and sophistication "puts the traditional Mafia to shame," U.S. Attorney Preet Bharara said at a Manhattan news conference. "They ran a veritable fraud franchise."

Unlike other cases involving crooked medical clinics bribing people to sign up for unneeded treatments, the operation was "completely notional," Janice Fedarcyk, head of the FBI's New York office, said in a statement. "The whole doctor-patient interaction was a mirage."

The operation was under the protection of an Armenian crime boss, known in the former Soviet Union as a "vor," prosecutors said. The reputed boss, Armen Kazarian, was in custody in Los Angeles.

Bharara said it was the first time a vor — "the rough equivalent of a traditional godfather" — had been charged in a U.S. racketeering case.

Kazarian, 46, of Glendale, Calif., and two alleged ringleaders — Davit Mirzoyan, 34, also of Glendale, and Robert Terdjanian, 35, of Brooklyn — were named in an indictment charging racketeering conspiracy, bank fraud, money laundering and identity theft.

The indictment accused Terdjanian and others of hatching other schemes involving stolen credit cards, untaxed cigarettes and counterfeit Viagra. It also alleges that during a meeting last year at a Brighton Beach restaurant, Terdjanian pulled a knife on someone who owed him money "and threatened to disembowel the individual if the debt was not paid."

A judge jailed Terdjanian without bail on Wednesday at a brief hearing. Afterward, his attorney said his client denies the charges.

Kazarian and Mirzoyan were scheduled to appear in court Wednesday in Los Angeles.

Authorities began the New York-based investigation after information on 2,900 Medicare patients in upstate New York — including Social Security numbers and dates of birth — was reported stolen.

The defendants in the New York case also had stolen the identities of doctors and set up 118 phantom clinics in 25 states, authorities said. The names were used to submit fake bills for care that was never given, they said.

Some of the phony paperwork was a giveaway: It showed eye doctors doing bladder tests; ear, nose and throat specialists performing pregnancy ultrasounds; obstetricians testing for skin allergies; and dermatologists billing for heart exams.

Tuesday, October 5, 2010

Sacramento credit-card fraud traced to one restaurant

Roseville police are warning people eating out in Roseville to avoid using their debit cards and to pay with cash or use credit cards. Police said hackers have stolen well over 200 people’s information after they ate out at various restaurants and eateries. “We believe the breach is not actually at the restaurant but a third party vendor that's in the process between using your credit card at the restaurant and actually billing the bank,” said Capt. Stefan Moore.

Latest Zeus attack propagated via fake iTunes receipt

U.S. and international authorities may have just made a serious dent in the manpower behind the Zeus botnet, but dozens of arrests aren't stopping the data-stealing trojan from spreading.

The latest Zeus spam campaign targeted iTunes users and attempted to trick them into installing the insidious malware, designed to hijack online banking credentials from its victims, security firms warned this week.

The messages, which appeared to have been sent from Apple's iTunes Store with the address donotreply@itunes[dot]com, arrived with the subject "Your receipt #" followed by a random number, Fred Touchette, senior security analyst at email protection vendor AppRiver, wrote in a blog post Tuesday. The fake receipts claimed the recipient's iTunes order cost hundreds of dollars.

“People buying music from iTunes are getting used to seeing these receipts in their inboxes,” Touchette told SCMagazineUS.com on Tuesday. “If [attackers] can get them nervous about the amount of the receipt, they can get them to click on a link.”

Links in the bogus receipt led to one of approximately 100 domains ending in .info, all of which were registered through GoDaddy. Once clicked, the links redirected users to another site where the Zeus trojan was waiting to infect victims.

The final site that users landed on attempted to automatically download a file claiming to be Adobe Flash Player, but it actually was the malicious payload, Touchette said.
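The lure chain described above (a spoofed iTunes sender, a "Your receipt #<n>" subject, an alarming order total, and a link that leaves the sender's domain for a throwaway .info site) is the kind of thing a mail gateway can score without executing anything. The Python below is an added example written for this page, not code from AppRiver, Intego or Apple. The two sample messages are constructed, the domain names in them are placeholders rather than the campaign's real infrastructure, and the indicator names and the `SUSPICIOUS_TLDS` and `HIGH_AMOUNT` thresholds are my own assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

RECEIPT_SUBJECT = re.compile(r"^Your receipt #\d+$", re.IGNORECASE)
SUSPICIOUS_TLDS = {"info"}  # assumption: the campaign's ~100 throwaway domains were all .info
HIGH_AMOUNT = 100.0         # assumption: an order total far above a typical music purchase

# Constructed lure shaped like the campaign above; domains are placeholders.
PHISH_SAMPLE = """\
From: iTunes Store <donotreply@itunes.com>
To: victim@example.org
Subject: Your receipt #17283912
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Thank you for your order. Total: $489.95</p>
<p><a href="http://itunes-receipt-review.info/order/17283912">View receipt</a></p>
</body></html>
"""

# Constructed benign control: the links stay on the sender's own domain.
BENIGN_SAMPLE = """\
From: iTunes Store <donotreply@itunes.com>
To: customer@example.org
Subject: Your receipt #17283913
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Total: $1.29</p>
<p><a href="https://www.itunes.com/receipt/17283913">View receipt</a></p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect every href from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def registrable_domain(host):
    """Crude registrable-domain guess (last two labels); adequate for this offline example."""
    return ".".join(host.lower().split(".")[-2:])


def receipt_indicators(raw_message):
    """Return the list of lure indicators found in one RFC 822 message."""
    msg = message_from_string(raw_message)
    indicators = []
    if RECEIPT_SUBJECT.match(msg.get("Subject", "")):
        indicators.append("receipt_subject")
    sender_host = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    payload = msg.get_payload(decode=True) or b""
    body = payload.decode(msg.get_content_charset() or "utf-8", errors="replace")
    links = LinkCollector()
    links.feed(body)
    for href in links.hrefs:
        host = urlparse(href).hostname or ""
        # Receipts from a vendor should link back to that vendor, not elsewhere.
        if registrable_domain(host) != registrable_domain(sender_host):
            indicators.append(f"link_domain_mismatch:{host}")
        if host.rsplit(".", 1)[-1] in SUSPICIOUS_TLDS:
            indicators.append(f"suspicious_tld:{host}")
    # The lure relies on a scary total to provoke the click.
    amounts = [float(a) for a in re.findall(r"\$(\d+(?:\.\d{2})?)", body)]
    if any(a >= HIGH_AMOUNT for a in amounts):
        indicators.append("high_amount")
    return indicators


def is_suspected_lure(raw_message):
    """A receipt-shaped subject whose links leave the sender's domain is the core signal."""
    found = receipt_indicators(raw_message)
    return "receipt_subject" in found and any(
        i.startswith("link_domain_mismatch") for i in found
    )
```

The sender/link domain mismatch carries the decision; the .info TLD and the inflated amount are supporting indicators that would feed a score in a real gateway rather than trigger on their own, since legitimate mail also uses .info and large totals.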

The messages began cropping up on Friday, not long after a separate spam run spoofing the social networking site LinkedIn aimed to foist Zeus on victim PCs. The iTunes campaign is no longer active, and all the domains that attackers were using have been blacklisted, Touchette said.

In the past, attackers have used fake iTunes receipts to lure users to websites selling pharmaceuticals, as well as to phishing sites that trick users into logging into fake web pages and handing over account credentials, researchers at Mac security firm Intego wrote in a blog post Tuesday.

U.S. and foreign authorities last week announced a series of arrests disrupting an international cybercrime operation linked to Zeus.

The latest attacks indicate that even in spite of last week's arrests, the cyber gangs that use Zeus have not been fazed and do not plan on stopping, Touchette said.

“Zeus hasn't shown any signs of letting up,” he said. “Zeus has been so readily available on the underground forums as a kit that many people have their hands on it. It's going to be difficult to put a dent on its output.”

Monday, October 4, 2010

Cyber-criminals steal identity of one of the world's top security chiefs using Facebook

The head of Interpol has warned that cyber-crime is the 'most dangerous criminal threat we will ever face' after fraudsters stole his identity on Facebook.

Security chief Ronald K. Noble revealed that two fake accounts were created in his name and used to find the details of highly-dangerous criminals.

The embarrassing security breach saw one of the impersonators use the false profile to obtain information on fugitives convicted of serious crimes including rape and murder.

Victim: The head of Interpol Ronald K. Noble has warned about the threats of cyber-crime after his identity was stolen on Facebook

The police chief has now warned that there could be devastating consequences of a terrorist cyber attack as he addressed officials at the first Interpol Information Security Conference in Hong Kong.

He said: 'Just recently Interpol's Information Security Incident Response Team discovered two Facebook profiles attempting to assume my identity as Interpol's secretary general.

'One of the impersonators was using this profile to obtain information on fugitives targeted during our recent Operation Infra Red.

'Cyber-crime is emerging as a very concrete threat. Considering the anonymity of cyberspace, it may in fact be one of the most dangerous criminal threats we will ever face.'

As the world's leading cross-border police agency, Interpol is responsible for working with international police forces.

The details were stolen during Operation Infra Red, in which senior investigators from 29 countries targeted criminals on the run for crimes including murder, paedophilia, drug trafficking and money laundering. It led to more than 130 arrests.

It is believed the cyber-criminals created Facebook profiles claiming to be Mr Noble. From there they gathered sensitive information about the suspects.

Mr Noble spoke publicly about the scam for the first time to hundreds of top security chiefs from 56 countries who were gathered at the conference last Friday.

He warned that terrorists could use methods similar to those of cyber-criminals who hack into victims' computers to steal financial details.

Mr Noble added: 'Just imagine the dramatic consequences of an attack, let's say, on a country's electricity grid or banking system.

'We have been lucky so far that terrorists did not -- at least successfully, or at least of which we are aware -- launch cyber-attacks.
'One may wonder if this is a matter of style. Terrorists may prefer the mass media coverage of destroyed commuter trains, buildings brought down, to the anonymous collapse of the banking system. But until when?'

A recent study found that almost two thirds of all adult web users globally have fallen victim to some sort of cyber-crime from spam email scams to having their credit card details stolen.

China had the most cyber-crime victims, at 83 percent of web users, followed by India and Brazil, at 76 percent each, and then the US, at 73 percent, according to the 2011 Norton Cyber-crime Report: The Human Impact.

The study of more than 7,000 Internet users also found that 80 percent of people believed the perpetrators would never be brought to justice. Fewer than half ever bother to report the crime to police.

Stacey Wu from internet security firm Symantec said: 'Identity and personal information theft is a big problem. It is no longer just high school kids in their bedrooms sending out malicious emails. It's organised criminals.'

FBI says cyber-thieves stole $70 million

More suspects arrested Friday in what appears to be global crime ring.

The FBI and law enforcement agencies in Ukraine, the Netherlands and Britain are tracking down international cyber criminals who stole $70 million by using malicious software that captured passwords and account numbers to log onto online bank accounts.

At a press briefing Friday, the FBI said Operation Trident Breach began in May 2009 when agents in Omaha, Nebraska, were alerted to some of the stolen money, which was flowing in bulk payments to 46 bank accounts around the United States.

Ukrainian authorities have detained five people thought to have participated in some of the thefts and Ukraine has executed eight search warrants in the ongoing investigation.

Gordon Snow, the FBI's assistant director in charge of the cyber division, said police agencies overseas were instrumental in finding criminals who designed the malicious software, others who used it and still others called "money mules," who transferred the stolen funds to havens as distant as Hong Kong, Singapore and Cyprus.

Many of the victims were small- and medium-sized businesses that do not have the money to invest in high-level computer security.

On Thursday, 37 people were charged in papers unsealed in federal court in Manhattan with conspiracy to commit bank fraud, money laundering, false identification use and passport fraud for their roles in the invasion of dozens of victims' accounts. Fifty-five have been charged in state court in Manhattan.

The Achilles Heel of PCI Compliance

The payments industry has made significant improvements toward complying with the Payment Card Industry Data Security Standard. But, as Verizon Business' Wade Baker explains, it's the maintenance of PCI DSS compliance that seems to pose the biggest challenges.

This week, Verizon Business releases its 2010 Payment Card Industry Compliance Report, a study that analyzes 200 selected PCI assessments conducted in 2008 and 2009 by Verizon's Qualified Security Assessors. The report reviews how companies are attaining and maintaining PCI compliance. Among the key findings this year: Businesses and organizations struggled most with PCI requirements regarding tracking and monitoring access, as well as meeting the demands for system and process testing and the protection of stored cardholder data.

"Companies struggle with anything they have to maintain over time that requires constant attention," says Baker, director of risk intelligence for Verizon and one of the PCI report's authors. "Just because you were validated at a point in time does not mean that's going to remain static all year."

Lack of Diligence

What often leads to breaches at once-PCI-compliant companies, Baker says, is a lack of consistency and diligence. Companies are not maintaining PCI compliance. "If you don't maintain compliance by constantly reevaluating and upgrading systems, that compliance will erode over time. It erodes down to the point where they are weak, and that's when a breach occurs," he says.

Of organizations Verizon reviewed or assessed for the report, only 22 percent were consistently compliant with PCI requirements from one year to the next. "They gain compliance and they're validated in year one, and then by year two they've lost a little bit," Baker says. "That's a very interesting trend."

Baker is quick to point out that the companies Verizon found that had been breached were not PCI compliant at the time, but had been PCI compliant at some point in the past.

Most payments companies, he says, are doing a better job at staying compliant, but improvements in corporate mindsets are needed. "Certain attacks are going down, and I think a lot has to do with the PCI DSS. But other types of attacks are going up," Baker says.

In Verizon's Data Breach Investigations Report, which also was recently released, Verizon notes that while the number of database breaches has dropped, the compromise of records has increased. "Personal information in records, like medical records, has value to criminals," Baker says. "But there is a lot of positive momentum in that range, as well," to better protect consumer information.

PCI Common Sense

The vast majority of breaches are preventable, Baker says. Only a small percentage of breaches require sophisticated controls. "Following the security basics, Security 101 and 102, consistently and comprehensively across the organization is rule No. 1," Baker says. "And that would knock out many of these breaches."

Verizon notes that 90 percent of all breaches could have been prevented with something simple, like changing a password. Chris Novak, who works in Verizon's forensics unit, said during his presentation at the PCI Community Meeting in September, that only 15 percent of breaches are high-tech. "The majority of the breaches we see are of moderate complexity," he said. SQL injections top the list and are the most easily prevented, Novak says.
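As an added example (not material from Verizon or the PCI Community Meeting), the Python below shows the defect Novak ranks first and why it is so cheap to fix: a cardholder lookup that splices caller-supplied text into its SQL, beside the parameterised version that closes the hole. The cardholder table, its rows and the tautology payload are constructed; sqlite3 is used only so the example runs offline, the same pattern applies to any driver.

```python
import sqlite3


def make_db():
    """In-memory stand-in for a merchant's cardholder table (constructed rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE cardholders (id INTEGER PRIMARY KEY, name TEXT, pan_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO cardholders (name, pan_last4) VALUES (?, ?)",
        [("alice", "4242"), ("bob", "1881"), ("carol", "0005")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    """Deliberately vulnerable: the caller's string is spliced straight into the SQL text."""
    sql = f"SELECT name, pan_last4 FROM cardholders WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Parameterised query: the value travels separately and is never parsed as SQL."""
    return conn.execute(
        "SELECT name, pan_last4 FROM cardholders WHERE name = ?", (name,)
    ).fetchall()


# Constructed payload: closes the quoted literal and appends an always-true condition.
# The vulnerable lookup therefore executes:
#   SELECT name, pan_last4 FROM cardholders WHERE name = '' OR '1'='1'
TAUTOLOGY_PAYLOAD = "' OR '1'='1"


def demo():
    """Return what each lookup yields for the same attacker-controlled input."""
    conn = make_db()
    return {
        "vulnerable_rows": len(lookup_vulnerable(conn, TAUTOLOGY_PAYLOAD)),
        "safe_rows": len(lookup_safe(conn, TAUTOLOGY_PAYLOAD)),
        "safe_legit": lookup_safe(conn, "bob"),
    }
```

With the payload, the vulnerable lookup returns every row in the table while the parameterised one returns nothing, because the driver treats the whole string as the literal name to match. The fix is one line of code and requires no new infrastructure, which is Novak's point about preventability.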

Baker also points to the exploitation of default credentials or stolen credentials as ranking high on the compromise list. "An attacker just goes and starts hammering away at an application and tries 'admin' and 'password' and other combinations that are set at the factory on certain devices and systems," Baker says. "All too often, just trying that a few times allows the attacker in, and then he can do whatever he wants to do from that point on."
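The default-credential problem Baker describes is as easy to audit for as it is to exploit, and it can be done without replaying logins against production. The Python below is an added example, not from the Verizon report: it takes an inventory of accounts with salted PBKDF2 hashes and checks each against a short list of factory defaults for the same username. The default list, the account inventory and the hash parameters are constructed or assumed for illustration; a real audit would use the vendor's documented defaults and the hash format the audited system actually stores.

```python
import hashlib
import hmac
import os

# Assumed list of factory-default username/password pairs (illustrative, not vendor data).
DEFAULT_CREDENTIALS = [
    ("admin", "admin"),
    ("admin", "password"),
    ("admin", ""),
    ("root", "root"),
    ("root", "toor"),
    ("user", "user"),
]

PBKDF2_ITERATIONS = 50_000  # assumed; match whatever the audited system really uses


def hash_password(password, salt, iterations=PBKDF2_ITERATIONS):
    """Salted PBKDF2-HMAC-SHA256, standing in for the system's real password hash."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def create_account(username, password):
    """Build an account record the way the audited system might store it."""
    salt = os.urandom(16)
    return {"username": username, "salt": salt, "hash": hash_password(password, salt)}


def find_default_credentials(accounts):
    """Return (username, default_password) for every account still on a factory default.

    Only defaults for the matching username are tried, so the cost is a handful of
    PBKDF2 computations per account rather than a dictionary attack.
    """
    findings = []
    for acct in accounts:
        for user, pw in DEFAULT_CREDENTIALS:
            if user != acct["username"]:
                continue
            candidate = hash_password(pw, acct["salt"])
            if hmac.compare_digest(candidate, acct["hash"]):
                findings.append((acct["username"], pw))
    return findings


# Constructed inventory: two accounts left at factory defaults, one properly changed.
SAMPLE_ACCOUNTS = [
    create_account("admin", "password"),
    create_account("root", "c0rrect-h0rse-battery"),
    create_account("user", "user"),
]
```

Running the audit over the inventory flags `admin`/`password` and `user`/`user` and leaves `root` alone. The same check belongs in a build pipeline or a quarterly review, since, as Baker notes, compliance validated once does not stay valid when a replacement device ships with its defaults intact.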

Saturday, September 25, 2010

Iran's nuclear agency trying to stop computer worm

TEHRAN, Iran – Iranian media reports say the country's nuclear agency is trying to combat a complex computer worm that has affected industrial sites in Iran and is capable of taking over power plants.

The semi-official ISNA news agency says Iranian nuclear experts met this week to discuss how to remove the malicious computer code, dubbed Stuxnet, which can take over systems that control the inner workings of industrial plants.

Experts in Germany discovered the worm in July. It has since shown up in attacks in Iran, Indonesia, India and the U.S.

Thursday, September 23, 2010

IRS Letters to Citizens Still Ripe for Identity Theft

The Internal Revenue Service (IRS) has yet to comply with a May 2007 federal order to remove the unnecessary use of Social Security numbers from correspondence with citizens, which can lead to identity theft, according to a recent report by the Treasury Inspector General for Tax Administration.

According to the report, the Office of Management and Budget (OMB) gave federal agencies 120 days to develop a plan to eliminate the unnecessary collection and use of Social Security numbers and 18 months to implement the plan.

Although the IRS has a plan in place, it has yet to draft detailed implementation and compliance management milestones, and target dates have not yet been established to eliminate or reduce taxpayer Social Security numbers from its correspondence with the public, according to the Inspector General’s report.

“Taxpayers need to be assured that the IRS is taking every precaution to protect their private information from inadvertent disclosure,” according to the Inspector General.

The number one consumer complaint during 2009 was identity theft, which often requires identity thieves to use victims’ Social Security numbers, according to a 2010 Federal Trade Commission report.

In 2010, the IRS mailed more than 42 million notices and letters to individual taxpayers for various reasons, including balance due notices. Most of those notices and letters included taxpayers’ Social Security numbers because they required the taxpayers to respond to the IRS.

The IRS submitted the first release of its plan to reduce or eliminate the use of Social Security numbers to the Department of the Treasury in November 2007 and has provided three releases of its plan since then, the last in February 2009.

However, to date it has redacted or shortened taxpayers’ Social Security numbers on only a small number of systems, notices, and forms, and there are no target dates for decisions on whether taxpayers’ Social Security numbers can be removed from notices and letters, according to the Inspector General’s report.
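The remediation TIGTA is asking for, truncating the SSN to its last four digits on outgoing notices, is a mechanical text transformation once the numbers can be found reliably. The Python below is an added example, not IRS code: it locates structurally valid SSNs in a body of text (rejecting area numbers 000, 666 and 900-999, group 00 and serial 0000, and refusing to match inside longer digit runs such as phone or account numbers) and rewrites each as XXX-XX-nnnn. The sample notice and every number in it are constructed.

```python
import re

# Structurally valid SSN: area not 000/666/900-999, group not 00, serial not 0000.
# Separators may be hyphens, spaces, or absent; \b stops matches inside longer digit runs.
SSN_RE = re.compile(
    r"\b(?!000|666|9\d\d)(\d{3})[- ]?(?!00)(\d{2})[- ]?(?!0000)(\d{4})\b"
)


def find_ssns(text):
    """Return every structurally valid SSN in text, exactly as written."""
    return [m.group(0) for m in SSN_RE.finditer(text)]


def truncate_ssn(match):
    """Keep only the last four digits, the form TIGTA asks the IRS to adopt."""
    return f"XXX-XX-{match.group(3)}"


def redact_ssns(text):
    """Rewrite every SSN in text to XXX-XX-nnnn, leaving other numbers untouched."""
    return SSN_RE.sub(truncate_ssn, text)


# Constructed sample notice; all numbers are invented.
SAMPLE_NOTICE = """\
Notice CP14 (sample). Taxpayer SSN: 123-45-6789
Spouse SSN: 456 78 9012
Balance due: $1,234.56. Call 800-555-0199 or reference account 1234567890.
Not SSNs: 000-12-3456 666-01-2345 123-00-4567 123-45-0000 987-65-4321
"""
```

Run over the sample, the redactor replaces the two real-looking SSNs and leaves the phone number, the account number and the five structurally invalid strings as they are. A gate like this on the correspondence pipeline is the kind of control the Inspector General's report finds the IRS has applied only to a small number of systems.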

Saturday, August 28, 2010

Senators Introduce Federal Data Breach Notification Bill

On August 5, 2010, Mark Pryor (D-AR), Chairman of the Senate Commerce Subcommittee on Consumer Protection, Product Safety, and Insurance, and Full Committee Chairman John Rockefeller (D-WV) introduced the “Data Security and Breach Notification Act of 2010,” S. 3742, which would require businesses to protect personal information in their possession, to notify residents if that information is breached, and to adopt a data security policy.

Currently, there is no federal notification requirement for a data breach in most industries, although the vast majority of states have enacted data breach notification laws. The proposed bill requires entities to notify consumers within 60 days of a breach and to provide consumers with two years of credit monitoring services.

The proposed bill would authorize the FTC to set national standards for safeguarding personal information and to seek up to $5 million in civil penalties for failure to comply.

If enacted, the bill would preempt all state data breach notification and data security laws and regulations. Only companies covered by the Fair Credit Reporting Act and in compliance with that act would be exempt from the proposed law. Last month, Sens. Tom Carper, D-DE, and Robert Bennett, R-UT, reintroduced a similar bill, S. 3579.

Thursday, August 26, 2010

False Sense of Computer Security

A team of security analysts found that most leading anti-spyware and anti-virus software fail to detect commonly used keyloggers.

Keyloggers are designed to silently record all of one's computer activity. They are commonly used for parents to monitor their children's computer activity. Now they are being used for criminal activity ranging from spying on individuals, identity theft and data theft.

The security team at SpyReveal tested the leading anti-spyware and anti-virus software against ten of the most popular keyloggers. The results were astonishing! Most of the leading security software used to combat viruses and spyware failed to detect 70% of the keyloggers. While most failed to detect any keyloggers at all, SpyReveal successfully detected all keyloggers.

Computer users are receiving a false sense of security when installing various security applications. With the explosion in online banking, the proliferation of identity theft is greater than ever. Many users install an anti-spyware solution with the expectation of being safe from identity theft. Unfortunately, they are still at an extremely high risk for identity theft and data logging.

"More and more news stories are being published of hackers who have obtained credit card records by using keyloggers", said Mr. Hankinson, SpyReveal's co-founder. "Yet, we still see major players in the security industry continue to fail at this specific type of problem."

Still don't think you or your business is at risk? Take for example Verizon's 2009 Data Breach Investigations Supplemental Report, which states: "Keyloggers and spyware ... played a crucial role in larger breach scenarios in which hundreds of millions of records were compromised."

"Consumers and businesses should not rely on a single solution for security. Each has a specific purpose. We want consumers to realize that even though their anti-spyware software says 'Nothing Found', that any keylogger could still be present, recording credit card information or business intellectual property," Mr. Hankinson added.

It is important for users to purchase security solutions that are designed for a dedicated purpose to receive the highest degree of protection, without being too narrow. With software like SpyReveal, you can rest assured that you are protected from most keyloggers available on the open market.

Thursday, August 19, 2010

Jennifer Aniston named as victim of salon fraud

The owner of a Beverly Hills beauty salon was arrested on Wednesday on charges of stealing credit card information from Jennifer Aniston, Anne Hathaway and Liv Tyler and running up tens of thousands of fraudulent payments on their accounts.


According to court documents in the case, a witness claimed that Cher, Melanie Griffith and former "Felicity" television star Scott Speedman were also victims of the fraud.

The owner of Chez Gabriela Studio is accused of swindling $214,000 from Tyler alone in a five-month period last year, according to a court affidavit.

The U.S. Attorney's office in Los Angeles said salon owner Maria Gabriella Perez, 51, is accused of making at least $280,000 of fraudulent charges in a one-year period.

Perez is alleged to have used credit card information provided by celebrities and other clients for legitimate services, and later entered the details manually to run up unauthorized charges.

Aniston, Hathaway, Cher, Tyler, Griffith and Speedman were named in the court papers as among those who saw unauthorized charges on their credit cards.

Representatives for Cher, however, told celebrity website TMZ.com that the singer and actress was not a victim and did not know why she had been named in the court papers.

Sunday, August 8, 2010

Rogue AV: A wolf in sheep's clothing

Rogue anti-malware, also known as rogue AV, has become the delivery vehicle of choice for cybercriminals seeking to infect endpoints with their payloads, in both consumer and enterprise environments. The ESET Global Threat Trends Report for April 2010 contains a short article called “Free but Fake.” Better yet, one of our most active researchers, Cristian Borghello from our Latin American office, wrote an excellent paper on rogue anti-malware.

If you haven't had a chance to view the convincingly crafted fake scans from our various rogue AV pages, here's one that I took off of one of my testing workstations prior to the infection. The first stage requires the user to take a particular action. In this case – and many others – it can't infect the system without human assistance.

According to a recent paper on large-scale exploits and emergent threats that Google released in late April at the Usenix Workshop, rogue AV accounts for more than 15 percent of all malware Google detects. In the report, Google outlines that from January 2009 until February 2010, more than 11,000 domains were involved in rogue AV distribution.

I have also had recent discussions with colleagues over fake/rogue anti-malware that didn't break the law by infecting endpoints. This isn't actually fake security software, just highly substandard with disproportionately strong messaging.

This aligns strongly with an article from Bruce Schneier that I recall reading entitled “A Security Market For Lemons” (Wired, April 2007). In his article Bruce states:

“Of course, it's more expensive to make an actually secure USB drive. Good security design takes time, and necessarily means limiting functionality. Good security testing takes even more time, especially if the product is any good. This means the less-secure product will be cheaper, sooner to market and have more features. In this market, the more-secure USB drive is going to lose out.”

Bruce closes the article with:

“With so many mediocre security products on the market, and the difficulty of coming up with a strong quality signal, vendors don't have strong incentives to invest in developing good products. And the vendors that do tend to die a quiet and lonely death.”

I agree that a new tactic that's not illegal, such as a deluge of confusing messages and products (more than our customers currently experience), has the potential to impact the revenue of legitimate companies and leads the end-user into having a false sense of security with a highly inert product.

So what do we do about blatantly rogue anti-malware? Below are four points to consider:

■The executable itself shouldn't be allowed to touch or run on the endpoint. While possible, this is easier said than done due to the myriad permutations of endpoint configurations.

■Rogue software, like other malware, may be detectable via behavioral analysis. Implement a highly regarded anti-malware product with excellent static and/or dynamic detection (i.e., positive user feedback and presale dialog – not marketing hype).

■The distribution of the executable is dependent on very convincing JavaScript and associated graphics. Filtering for these, while tedious, can yield big payoffs.

■If the rogue executable is discovered, send it to the security response team for your anti-malware product. This allows them to add static detection and update their dynamic detection algorithms.
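The third point above (filtering the convincing JavaScript and graphics that deliver the lure) can be turned into a simple scoring filter. The following is an added example, not code from the original post: it scores page content against a handful of rogue-AV indicators (fake "infected" text, an automatic redirect to an .exe, an unload trap, a fake progress animation, OS-themed dialog wording). The two sample pages are constructed, and the indicator set, weights and threshold are assumptions chosen for illustration; a production filter would tune them against real samples.

```python
"""Heuristic scoring of web content for rogue-AV ("fake scanner") lures.

Added example, not from the original post. The sample pages are constructed,
and indicator names, weights and the threshold are assumptions.
"""
import re

# (indicator name, pattern, weight). Weights are assumptions for this example.
INDICATORS = [
    ("fake_scan_text",
     re.compile(r"(your (computer|pc|system) (is|has been) infected|"
                r"scanning\s+(your\s+)?(computer|system|files)|"
                r"threats? (found|detected)|critical warning)", re.I),
     3),
    ("exe_download",   # script-driven navigation or link straight to an executable
     re.compile(r"""(location(\.href)?\s*=|window\.open\(|href=)\s*["']?[^"'\s>]+\.exe""", re.I),
     4),
    ("close_trap",     # handlers that nag the user when they try to leave
     re.compile(r"onbeforeunload|onunload", re.I),
     2),
    ("fake_progress",  # animated "scan" progress bar
     re.compile(r"(progress|scan)[_-]?(bar|percent)|setInterval\(", re.I),
     1),
    ("os_themed_dialog",
     re.compile(r"(windows security|security center|antivirus\s*(20\d\d|pro|plus))", re.I),
     2),
]

THRESHOLD = 6  # assumption: pages scoring at or above this go to an analyst

# Constructed sample: a typical fake-scan lure page.
LURE_PAGE = """<html><body>
<h1>Windows Security Center Alert</h1>
<p>Your computer is infected! 38 threats found. Critical warning.</p>
<div id="scanbar"></div>
<script>
  var pct = 0;
  setInterval(function(){ pct += 5; document.getElementById("scanbar").style.width = pct + "%"; }, 200);
  window.onbeforeunload = function(){ return "Scan not complete!"; };
  setTimeout(function(){ location.href = "http://example.invalid/AntivirusPro2010_setup.exe"; }, 4000);
</script>
</body></html>"""

# Constructed sample: a legitimate vendor page that shares some vocabulary.
BENIGN_PAGE = """<html><body>
<h1>Antivirus Pro 2010 release notes</h1>
<p>This update improves scan scheduling. Download it from the product console or the customer portal.</p>
<script>
  // image carousel on the vendor's page
  setInterval(function(){ rotateBanner(); }, 5000);
</script>
</body></html>"""


def score_page(html):
    """Return (score, [matched indicator names]) for one page body."""
    hits = [name for name, rx, _w in INDICATORS if rx.search(html)]
    score = sum(w for name, _rx, w in INDICATORS if name in hits)
    return score, hits


def is_rogue_av_lure(html):
    """True when the combined indicator weight reaches THRESHOLD."""
    score, _hits = score_page(html)
    return score >= THRESHOLD


if __name__ == "__main__":
    for label, page in (("lure", LURE_PAGE), ("benign", BENIGN_PAGE)):
        score, hits = score_page(page)
        print(f"{label}: score={score} flagged={is_rogue_av_lure(page)} hits={hits}")
```

No single indicator is decisive (a real vendor page mentions "Antivirus Pro" and uses setInterval too); it is the combination of an alarm message, a forced executable download and a leave-page trap that separates the lure from the benign page, which is why the weights are summed rather than matched individually.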

Attacks are cyclical, so once there is a much more effective means for dealing with rogue AV, you can rest assured there will soon be another angle leveraged to gain a foothold in the endpoint. In the meantime, it's an arms race and there are a lot of security vendors working hard to meet the escalating threats head-on. As a security community, keeping the lines of communication open and flowing to share threat intelligence is one of our greatest strengths in this protracted fight.

PCI DSS 1.2: Changes, best practices and tips

PCI DSS is a global information security standard consisting of 12 different requirements – assembled and released by the Payment Card Industry Security Standards Council (PCI SSC). It was created to assist organizations that hold, process or pass on credit card information to help in preventing credit card fraud.

This particular blog post will detail some of the differences between PCI DSS 1.1 and 1.2, and offer several best practices and four useful tips in consideration of obtaining and maintaining PCI DSS compliance. Changes are in the works for DSS, with a formal announcement coming in the fall,

Below are some of the key changes from PCI DSS v1.1 to v1.2:

■Incorporates existing and new best practices

■Provides further scoping and reporting clarification

■Eliminates overlapping sub-requirements and consolidates documentation

■Enhances the frequently asked questions (FAQ) and glossary to facilitate understanding of the security process.

Wireless network changes from v1.1 to v1.2:

■Requirement 4.1.1.

■In v1.1 there were provisions for WEP (Wired Equivalent Privacy), which is a weak encryption scheme.

■Removing the requirement for disabling SSID broadcasts is new in v1.2.

Anti-virus requirement differences:

■In v1.2, there is a clarification regarding the use of anti-virus software – namely that it applies to all operating system types

■Requirement number 5.1.1 states: “Ensure that all anti-virus programs are capable of detecting, removing, and protecting against all known types of malicious software.”

Best practices:

■Constant vigilance: Recognize that there is no 100% guaranteed “silver bullet” for network security. Companies must instead maintain constant vigilance over their security – from physical security to network configuration/security. A “set it and forget it” attitude in the security world sets false expectations of ongoing security.

■Network traffic anomaly detection

■Log analysis: Using software to correlate various security logs (e.g., firewall, web server, remote access) to spot trends

■Heuristic detection of malicious software: Heuristically detecting malicious software on critical systems that are connected to the vendor's network – not just the systems that handle customer data

■Implementing layered security: If one defense fails, the others have a chance of stopping the attack

■Patch management: Maintaining an effective patch management system, procedures, or both is a key security measure
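The log analysis practice above (correlating firewall, web server and remote-access logs to spot trends) is easier to picture with a concrete correlation rule. The following is an added example, not code from the original post. It parses three constructed log sources in assumed formats, groups events by source IP, and raises an alert only when suspicious events from at least two different sources fall inside a ten-minute window, which is a trend no single log shows on its own. The log formats, window and thresholds are assumptions.

```python
"""Correlate firewall, web server and remote-access logs by source IP.

Added example, not from the original post. The log lines are constructed
samples in assumed formats; real products use their own formats.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs (formats are assumptions for this example).
FIREWALL_LOG = """\
2010-08-05T02:14:03 DENY src=203.0.113.7 dst=192.0.2.10 dport=22
2010-08-05T02:14:09 DENY src=203.0.113.7 dst=192.0.2.10 dport=3389
2010-08-05T02:15:30 PERMIT src=203.0.113.7 dst=192.0.2.20 dport=443
2010-08-05T09:00:01 PERMIT src=198.51.100.4 dst=192.0.2.20 dport=443
"""

WEB_LOG = """\
203.0.113.7 - - [05/Aug/2010:02:15:31 +0000] "GET /admin/login HTTP/1.1" 401 512
203.0.113.7 - - [05/Aug/2010:02:15:40 +0000] "POST /admin/login HTTP/1.1" 401 512
198.51.100.4 - - [05/Aug/2010:09:00:02 +0000] "GET /index.html HTTP/1.1" 200 2048
"""

VPN_LOG = """\
2010-08-05T02:13:50 vpn: auth failure user=jsmith src=203.0.113.7
2010-08-05T02:13:58 vpn: auth failure user=admin src=203.0.113.7
2010-08-05T08:59:40 vpn: auth success user=mlee src=198.51.100.4
"""

FW_RE = re.compile(r"^(\S+) (DENY|PERMIT) src=(\S+) dst=(\S+) dport=(\d+)")
WEB_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
VPN_RE = re.compile(r"^(\S+) vpn: auth (failure|success) user=(\S+) src=(\S+)")


def parse_events(fw, web, vpn):
    """Normalise all three logs into {ts, src, ip, detail, bad} events."""
    events = []
    for line in fw.splitlines():
        m = FW_RE.match(line)
        if m:
            ts, action, src, dst, dport = m.groups()
            events.append(dict(ts=datetime.fromisoformat(ts), src="firewall", ip=src,
                               detail=f"{action} {dst}:{dport}", bad=(action == "DENY")))
    for line in web.splitlines():
        m = WEB_RE.match(line)
        if m:
            ip, ts, method, path, status = m.groups()
            t = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z").replace(tzinfo=None)
            events.append(dict(ts=t, src="web", ip=ip, detail=f"{method} {path} {status}",
                               bad=(status.startswith("4") or path.startswith("/admin"))))
    for line in vpn.splitlines():
        m = VPN_RE.match(line)
        if m:
            ts, result, user, src = m.groups()
            events.append(dict(ts=datetime.fromisoformat(ts), src="vpn", ip=src,
                               detail=f"auth {result} user={user}", bad=(result == "failure")))
    return events


def correlate(events, window=timedelta(minutes=10), min_sources=2, min_bad=3):
    """Return {ip: [events]} for IPs whose suspicious events span at least
    `min_sources` distinct log sources inside one `window`."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            cluster = [e for e in evs[i:] if e["ts"] - first["ts"] <= window]
            bad = [e for e in cluster if e["bad"]]
            if len(bad) >= min_bad and len({e["src"] for e in bad}) >= min_sources:
                alerts[ip] = cluster
                break
    return alerts


def run():
    return correlate(parse_events(FIREWALL_LOG, WEB_LOG, VPN_LOG))


if __name__ == "__main__":
    for ip, chain in run().items():
        print(f"ALERT {ip}: {len(chain)} events across {sorted({e['src'] for e in chain})}")
        for e in chain:
            print(f"  {e['ts']} {e['src']:8} {e['detail']}")
```

In the sample data the VPN failures, the firewall denies and the 401s on the admin login page each look like routine noise in their own log; only the correlation by source IP within the window reveals one actor walking from remote access to the perimeter to the web tier.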

Four useful tips (going beyond the checklist):

1. Compliance is not a one-time project – it is an ongoing process

a. One of the biggest dangers of the checklist is that it can be treated as a one-time project. It is an ongoing process of checking/re-checking the various security controls, as well as enforcing them. Companies should not consider themselves immune to attacks simply because they have achieved compliance.

2. End-to-end encryption (E3)

a. PCI DSS doesn't mention, or require, encrypting the data from the point at which the customer's card was “swiped.” This step will significantly reduce the value of data if it is intercepted.

3. Avoid the low-hanging fruit

a. People tend to go for the path of least resistance. For instance, if their network is unique in its design, and there is a new method of accessing data, and the checklist does not cover the new method, it might be glossed over and compliance would still be achieved. Scheduled reviews of a company's PCI DSS compliance will help ensure that as technology and networks continue to progress, new threat vectors are addressed. For instance, Requirement 5 of the PCI DSS states that for compliance a vendor must use and regularly update anti-virus programs. As there are varying levels in the quality of anti-virus software, a vendor could choose to implement a low detection/high false-positive anti-virus program and have a fairly ineffective anti-virus application running on their systems.

4. “Chain of events” or the “error chain”

a. As in the aviation world, when there is an accident it is referred to as a “chain of events” or the “error chain.” These terms simply mean that multiple factors, rather than a single one, lead to an accident. The same can be said for security incidents, such as data leakage.

Resources:

■PCI Security Standard Council web site: https://www.pcisecuritystandards.org/

■PCI DSS v1.2 Requirements and Security Assessment Procedures: https://www.pcisecuritystandards.org/security_standards/pci_dss_download.html

Do you have additional best practices, tips or observations? You can also share your experiences regarding PCI DSS – experiences, challenges, benefits or any other comments regarding your company and credit card security.

Banking trojans as a weapon of mass destruction

Part 1


According to FinCEN, between January 1 and June 30, 2009, depository institution (banking) suspicious activity reports characterized as computer intrusion increased 75 percent, compared to the corresponding six-month reporting period in 2008. These reports are filed by individual banks across the country and I'm currently grappling with the multiple categories in an attempt to determine exactly how large this banking trojan corporate account takeover risk may be.

Tell you what – 75 percent growth year to year is not small. If one Zeus banking trojan-hijacked account equals the $100,000 average loss that experts tell me, that money is easily the payroll of 20 people – employees, vendors, and owners – who won't be paying their mortgages or rent on time. I can't speculate on where the growth comes from yet because so much of it is mislabeled and tagged into multiple categories.

The importance of clarifying this threat is simple: All experts are unanimous in the fact that businesses are at greater risk of a show-stopping corporate account hijacking event – consumers have separate rights which protect account takeover losses for a much longer time period. Yet businesses often don't know what lurks online or how they can get phished with a simple email, and often they handle a half million dollars or more with no issue.

Strategic value of small businesses

According to the SBA advocacy site, over 99 percent of the private payroll in the US comes from small and midsize businesses. Without small business steadily providing the fifteen year trend of 64 percent of all net new jobs stateside, the logic is simple: our economy can't continue to grow. No new jobs mean slow economic growth.

And somehow we can't seem to measure all of this quantitatively. The overuse by banking employees of the FinCEN SAR category of ‘Other' mocks any efforts at transparency. I may not be able to access more granular data directly due to the Bank Secrecy Act. My calls and emails are still being automatically handled by FinCEN at the time of this article.

Banking trojans have the potential to become the largest historically destructive threat to our nation's economy short of the Civil War. Business account hijacking has the ability to completely destroy what typically takes strong business teams years of nurturing. All from thousands of miles away or from right across the street.

To the start-ups – willing to take on the gut check of starting a business – it's even worse. This is the theft of someone's total commitment and investment in their future and their employees' futures; rather than merely victimizing a single household, more and more this crime victimizes entire communities. Adding longer-term impact: the money that's taken is not spent stateside, so our small restaurants, coffee shops, gas stations and others don't even get that money back into circulation.

Banking trojans are a weapon of mass destruction loosed in the heart of the American Dream.

The soul-destroying consequence of losing a business payroll account

Part 2


There's no Hurricane Katrina fund, no 9/11 trust for business banking victims. Instead of the sudden shocking yet galvanizing crash of a jet into a building, this malware-based attack comes as a slow, stealthy shadow creeping into the already bleak landscape of the jobless.

If a business owner lost their funds overnight, I imagine it might go something like:

■Day one: Shock. Could this really be happening?

■Day two: Fight the bank. And lose. Again, is this really happening?

■Day three: Find a new job so your family can sustain itself. And good luck with that task if you were part of the IT team who missed the malware which stole the banking funds!

Brian Krebs has interviewed many victims whose stories are similar:

“Since the incident, [Michelle Marsico] has had to take out a $395,000 loan at 12 percent to cover the loss (she managed to get $70,000 in wires reversed).

“I'm working for nothing right now, and can't afford to pay myself,” Marisco / [Marsico] said in a phone interview.

Without small business providing new job growth it's arguably a nuclear winter for our economy.

This must stop

1. Business owners are completely in the dark about this threat.

2. The critical priority must become identifying the threat of cybercrimes that soul-kill our communities: FinCEN and other aggregators of financial crime reporting need to step it up and show the data more transparently.

3. There are no laws which require protection for payroll accounts, and the ABA, after saying for years how safe online banking has been, now doesn't seem to want to budge from its position that the business is solely responsible for a compromise.

A recent interview was held with American Bankers Association Vice President and Senior Advisor of Risk Management Policy Doug Johnson who, after agreeing that the threat of corporate account takeover was “very large”, pushes responsibility for prevention and risk right back at the business, not the banking community.

“Banks have a tremendous responsibility to protect their small businesses and municipal customers just as they have that responsibility to protect their retail customers.

But the retail customer protections of Reg E would essentially absolve the small businesses of any responsibility or liability for not properly protecting themselves, and you can certainly appreciate that in a community bank market it is very difficult for a financial institution, through no fault of its own, to really make a corporate customer whole for a loss which could be upwards toward a half of million dollars.

“And there would be less incentive on the part of the corporate customer to protect themselves if they knew that they were going to be made whole in that fashion, even if they didn't protect themselves.”

Five years ago, Doug Johnson was saying something very different:

“"Online banking is safe and getting safer," says Doug Johnson, senior policy analyst at the American Bankers Association.” (USA Today, 2005)

2009 APWG Thought Leader Dr. Laura Mather states that dual control for small business accounts is a good practice for businesses to follow since it raises the bar for criminals; however, she feels that it is unlikely that all businesses will implement dual controls and, worse, that the tactic has a limited shelf life against faster cybercriminals.

“Banks should be educating their business customers to use this technique,” Dr. Mather adds, “and possibly implement measures that enforce the requirements for dual control. The next obvious step for cybercriminals will be multiple infections within a business such that the criminal has access to both of the dual control accounts.”

“As for the ABA party line – I think with the litigation that is moving forward there will soon be legislation around the SMB accounts. Of course, when that happens, all banking organizations will likely have to change their stance on these issues.”

Her words are prophetic: I found a story about the banking trojan compromise of the ABA-recommended dual control method right in our own SoCal backyard which Brian Krebs wrote about a few weeks ago:

http://krebsonsecurity.com/2010/06/e-banking-bandits-stole-465000-from-calif-escrow-firm/

“Owner Michelle Marisco said her financial institution at the time — Professional Business Bank of Pasadena, Calif. – normally notified her by email each time a new wire was sent out of the company's escrow account. But the attackers apparently disabled that feature before initiating the fraudulent wires.”

“The thieves also defeated another anti-fraud measure: A requirement that two employees sign off on any wire requests. Marisco said that a few days before the theft, she opened an email informing her that a UPS package she had been sent was lost, and urging her to open the attached invoice. Nothing happened when she opened the attached file, so she forwarded it on to her assistant who also tried to view it. The invoice was in fact a trojan horse program that let the thieves break in and set up shop and plant a password-stealing virus on both Marisco's computer and the PC belonging to her assistant, the second person needed to approve transfers.”

Steps you can take:

In keeping with how to protect yourselves and your business here are the top things to do today to harden your business target:

1. Update your endpoint malware protection and ensure you have an antispam solution which will block phishing attacks which use spam tactics to reach their victims.

2. Plan and complete a US-CERT risk assessment.

3. Plan to audit your business accounts DAILY from a secure computer. Don't rely too heavily on email alerts – the latest malware disables them.

4. Raise awareness in your own back yard. Start the discussion.

One final step would be to sit down and have a formal review with your bank of the responsibilities involved with an account hijacking and quite frankly, if you don't like what you hear, vote with your feet and consider changing your approach to online banking or changing your bank.

We're still on the search for definitive bank account hijacking statistics. Once we get them, you'll be the first to know.

Once more unto the (data) breach

While going through some FAA manuals, I was reminded of a particular term that is highly applicable in the world of cybercrime. It is referred to as the “chain of events” or the “error chain.” These terms simply mean that multiple factors, rather than a single one, lead to an accident. The same can be said for security incidents, such as data leakage. Take, for instance, some of the largest data breaches to date – such as those experienced by TJX Companies or Heartland Payment Systems (which I've written about in the past here and here).


When the chain of events is unraveled, interesting details begin to unfold – one after another. These are obviously valuable lessons so that the majority of companies can take steps to protect themselves from these severe incidents in the future. But there will always be another way to “get to the goods.”

What are “the goods”? They are, primarily, the unencrypted customer information that resides deep within the core of organizations. In August 2008, I read a Yankee Group analyst research paper by Phil Hochmuth entitled, “Anywhere Data is Powerful, Data Everywhere is Dangerous.” In this paper, Phil discusses the challenge of data security and an increasingly untethered workforce. While that particular paper's focus covered the mobile workforce, it also conveys the key point applicable to all businesses: Customer data is essential to running a business and supporting our customers, but it can also be considered a dangerous liability that must be well-protected.

Three proposed solutions to securing customer data.

■End-to-end encryption (E3). In this context it is from where data is captured, through all intermediaries to the final credit issuer or debit gateway endpoint (http://www.e3secure.com/pdf/E3Security_Model.pdf);

■Mandatory encryption of personally identifiable information (PII) at rest and in motion (this brings up painful key management issues);

■Heartland is requesting the Accredited Standards Committee X9 (ASC X9) develop a standard to protect cardholder data.

Data breach consequences. There are a slew of consequences that can impact companies after a breach occurs. Some of them bandied about by industry experts are noted below:

Financially catastrophic:

■According to the Ponemon Institute's 2009 Annual Study “U.S. Cost of a Data Breach,” the average cost of a data breach (per record) is $204;

■Loss of sales;

■Investigation and notification costs;

■Fines and litigation;

■Cost of credit monitoring service;

■Interruption of operations;

■Last, but definitely not least, brand erosion (reputation, customer trust).

Regulatory compliance mandates that may impact breached organizations. Of course, many organizations began really paying attention to protecting data as a result not only of some of the consequences noted above, but also because of various industry and government compliance mandates. A sampling includes:

■Health Insurance Portability and Accountability Act (HIPAA);

■Sarbanes-Oxley (SARBOX);

■Gramm-Leach-Bliley Act (GLBA);

■Payment Card Industry Data Security Standard (PCI DSS);

■Federal Information Security Management Act (FISMA).

These are but a few points that are relevant to data breaches of all sizes – not only those that potentially revealed more than 100 million customer records in one incident. Keep in mind that at the time of the breaches, the companies I mentioned were PCI compliant. This should reinforce the point that we still have a long way to go to secure our data and reduce the severity of data breaches.

Data security risk is as unlimited as human intelligence, ingenuity and ignorance.

Rampant hotel data theft

For the past several years, hotels have been hit hard by data thieves. Experts say that despite an increased awareness within the hospitality industry, data theft is still prevalent.

In the most recent incident, disclosed in late June, remote attackers installed a malicious program into the card processing system of Englewood, Colo.-based hotel chain Destination Hotels & Resorts. Guests at 21 Destination properties may have been subjected to credit card theft.

Cybercriminals last year targeted hotels more than any other industry for credit card theft, according to a recent report by data security company Trustwave. Hotels are being targeted because they have large amounts of credit card data and frequently neglect to implement the most basic security precautions, such as changing default passwords or ensuring programs are up to date, said Nicholas Percoco, senior vice president of Trustwave's SpiderLabs.

As a result, attackers commonly gain entry into a hotel's network by exploiting default passwords on point-of-sale (POS) applications, added Dave Ostertag, manager of investigative response at Verizon Business. From there, customized malware is loaded onto the hotel's transaction server that steals credit card information as a transaction occurs.

In March, the Westin Bonaventure Hotel & Suites in Los Angeles disclosed a possible data breach of its POS systems dating back to 2009. Also, between November 2008 and May 2009, the computer systems of some Radisson hotels in the United States and Canada were illegally accessed. And the computer systems of Wyndham Hotels & Resorts were accessed on two separate occasions by cybercriminals who stole customers' card numbers, expiration dates and other data.

Part of the problem is that many hotels are not compliant with the Payment Card Industry (PCI) Data Security Standards (DSS), said Gary Palgon, vice president of product management at encryption firm nuBridges. While retailers have faced increasing pressure over the past few years to get into compliance with the mandate, few from the hotel industry have been paying attention.

However, some members of the hospitality industry are working to deal with this problem, experts said. The Hotel Technology Next Generation (HTNG), a nonprofit hotel trade association, recently issued a security standard which defines how card data should securely flow between a hotel's various systems. Additionally, large, brand-name organizations are beginning to take data security seriously, experts said. But many others are lagging.

“We are still seeing cases on a weekly basis of hotels getting breached,” Percoco said.

Microsoft readies record 14 fixes, eight critical

Microsoft on Thursday announced that next week it plans to deliver a record 14 patches to resolve 34 vulnerabilities across its product line.

The 34 flaws expected to be fixed, which ties a record with the number of holes plugged in June's update, reside in Windows, Office, Internet Explorer, SQL Server and Silverlight, according to the advance notification. Eight of the 14 bulletins earned a "critical" rating, while the others are designated as "important."

Of the critical bulletins, seven impact Windows. Joshua Abraham, a security researcher at Rapid7, which provides vulnerability management and penetration testing services, said he'd expect a few working exploits to come out of the security update, launching attacks such as drive-by downloads.

Abraham added that administrators should not necessarily be concerned by the high number of vulnerabilities receiving updates. He said this is not uncommon following security conferences such as Black Hat and DEFCON.

"In the past, there has been a rather high volume around the summer months," Abraham told SCMagazineUS.com on Thursday. "It's something we've seen before. It doesn't really shock me."

August's update appears to match a recent trend in which a light month of bulletins precedes a busier month.

Administrators should review Microsoft's advisories and use its exploit grades to determine which patches deserve priority, Abraham said.

Rockefeller, Pryor introduce federal data security law

Two senators on Thursday introduced a national data breach notification bill that also would force businesses to create measures to protect sensitive information under their control, according to a news report.

The legislation, introduced Thursday by Sens. Mark Pryor, D-Ark., and John Rockefeller, D-W.Va., would require organizations to alert victims of a breach within 60 days and provide them with two years of credit monitoring services, according to the National Journal's Tech Daily Dose blog.

In addition, businesses and nonprofits would have to implement policies and procedures to protect their data, the blog post said.

Representatives for Pryor and Rockefeller did not immediately respond to requests for comment by SCMagazineUS.com.

Last month, Sens. Tom Carper, D-Del., and Bob Bennett, R-Utah, reintroduced a similar bill.

"The Data Security Act of 2010 would require entities such as financial establishments, retailers, and federal agencies to safeguard sensitive information, investigate security breaches, and notify consumers when there is a substantial risk of identity theft or account fraud," said a news release. "These new requirements would apply to retailers who take credit card information, data brokers who compile private information and government agencies that possess nonpublic personal information."

A national data breach notification law has been in the works for a number of years. Several versions have made the rounds, but nothing ever has cleared both chambers.

This mainly has been due to other Congressional priorities and, more specific to the bills, disagreement over what constitutes a suitable threshold to report a breach. The lack of a federal measure has given way to a hodgepodge of state laws, 46 to be exact.

Sunday, August 1, 2010

Hack attack hits ATM jackpots

LAS VEGAS — Computer security researcher Barnaby Jack jokes that he has resorted to hiding cash under his bed since figuring out how to crack automated teller machines remotely using the Internet.

The New Zealand native on Saturday demonstrated his "ATM jackpotting" discovery for an overflow crowd of hackers during a presentation at the infamous DefCon gathering in Las Vegas.

"You don't have to go to the ATM at all," Jack told AFP after briefing fellow software savants. "You can do it from the comfort of your own bedroom."

Jack proved his findings using two kinds of ATMs typically found in corner stores, bars or other "stand-alone" venues in the United States but said the flaw likely exists in machines at banks.

Banks use "remote management" software to monitor and control their ATMs, and Jack used a weakness in that kind of code to take control of machines by way of the Internet.

He found a way to bypass having to submit passwords and serial numbers to access ATMs remotely. Once in the machines, he could command them to spit out cash or transfer funds.

He could also capture account data from magnetic strips on credit or bank cards as well as passwords punched in by ATM users.

"When you think about ATM security you generally think about the hardware side; is it bolted down and are the cameras in position," Jack said.

"This is the first time anyone has taken the approach of trying to attack the underlying software. It is time to find software defenses rather than hardware defenses."

Jack did his research on ATMs he bought on the Internet. He also found master keys for stand-alone machines available for purchase online, meaning hackers could walk up and tinker with ATM software, he added.

"We shouldn't dwell on the walk-up attack, because no physical access is required," Jack said. "They have a flaw that lets me bypass all authentication on the device on the Internet, and I am the ATM at that stage."

He didn't reveal specifics of the attack to hackers even though the ATM makers were told of the flaw and have bolstered machine defenses.

"I might get my butt in hot water if I released the code," said the IO Active software security researcher who did the ATM hack 'as a hobby.'

"I was careful not to release the keys to the kingdom."

Jack said he doesn't know if criminals have exploited the software flaw "in the wild" but that it is tough to be certain.

"It is not an easy attack to replicate but I am not naive enough to think I am the only one who can do it," Jack said, admitting he has grown wary of ATMs. "I just keep my cash under the bed now, mate."

Saturday, July 31, 2010

Smooth-talking hackers test hi-tech titans' skills

By Glenn Chapman (AFP) – 12 hours ago

LAS VEGAS, Nevada — Hackers at an infamous DefCon gathering are proving that old-fashioned smooth talk rivals slick software skills when it comes to pulling off attacks on computer networks.

A first-ever "social engineering" contest here challenges hackers to call workers at 10 companies including technology titans Google, Apple, Cisco, and Microsoft and get them to reveal too much information to strangers.

"Out of all the companies called today, not one company shut us down," said Offensive Security operations manager Christopher Hadnagy, part of the social-engineer.org team behind the competition that kicked off on Friday.

The team kept hackers within the boundaries of the law, but had them coax out enough information to show that workers would have unintentionally made it easier to attack networks.

Workers that unknowingly ended up on calls with hackers ranged from a chief technical officer to IT support personnel and sales people.

One employee was conned into opening programs on a company computer to read off specifications regarding types of software being used, details that would let a hacker tailor viruses to launch at the system.

"You often have to crack through firewalls and burn the perimeter in order to get into the internal organization," said Mati Aharoni of Offensive Security, a company that tests company computer defenses.

"It is much easier to use social engineering techniques to get to the same place."

Other companies targeted were Pepsi, Coca Cola, Shell, BP, Ford, and Procter & Gamble.

The contest, which continues Saturday at DefCon and promises the winner an Apple iPad tablet computer, is intended to show that hardened computer networks remain vulnerable if people using them are soft touches.

"We didn't want anyone fired or feeling bad at the end of the day," Aharoni said. "We wanted to show that social engineering is a legitimate attack vector."

A saying that long ago made it onto T-shirts at the annual DefCon event is "There is no patch for human stupidity."

"Companies don't think their people will fall for something as simple as someone calling and just asking a few questions," Hadnagy said.

"It doesn't require a very technical level of attacker," Aharoni added. "It requires someone with an ability to schmooze well."

One worker nearly foiled a hacker by insisting he send his questions in an email that would be reviewed and answered if appropriate.

The hacker convinced the worker to change his mind by claiming to be under pressure to finish a report for a boss by that evening.

"As humans, we naturally want to help other people," Hadnagy said. "I'm not advocating not helping people. Just think about what you say before you say it."

Companies that got word of the social engineering contest before DefCon called in the FBI, which was assured by the event organizers that nothing illegal was afoot.

Information about "exploiting human vulnerabilities" was available at the social-engineer.org website.

Attacking the edges of secure Internet traffic

By JORDAN ROBERTSON (AP)

LAS VEGAS — Researchers have uncovered new ways that criminals can spy on Internet users even if they're using secure connections to banks, online retailers or other sensitive Web sites.

The attacks demonstrated at the Black Hat conference here show how determined hackers can sniff around the edges of encrypted Internet traffic to pick up clues about what their targets are up to.

It's like tapping a telephone conversation and hearing muffled voices that hint at the tone of the conversation.

The problem lies in the way Web browsers handle Secure Sockets Layer, or SSL, encryption technology, according to Robert Hansen and Josh Sokol, who spoke to a packed room of several hundred security experts.

Encryption forms a kind of tunnel between a browser and a website's servers. It scrambles data so it's indecipherable to prying eyes.

SSL is widely used on sites trafficking in sensitive information, such as credit card numbers, and its presence is shown as a padlock in the browser's address bar.

SSL is a widely attacked technology, but the approach by Hansen and Sokol wasn't to break it. They wanted to see instead what they could learn from what are essentially the breadcrumbs from people's secure Internet surfing that browsers leave behind and that skilled hackers can follow.

Their attacks would yield all sorts of information. It could be relatively minor, such as browser settings or the number of Web pages visited. It could be quite substantial, including whether someone is vulnerable to having the "cookies" that store usernames and passwords misappropriated by hackers to log into secure sites.

Hansen said all major browsers are affected by at least some of the issues.

"This points to a larger problem — we need to reconsider how we do electronic commerce," he said in an interview before the conference, an annual gathering devoted to exposing the latest computer-security vulnerabilities.

For the average Internet user, the research reinforces the importance of being careful on public Wi-Fi networks, where an attacker could plant himself in a position to look at your traffic. For the attacks to work, the attacker must first have access to the victim's network.

Hansen and Sokol outlined two dozen problems they found. They acknowledged attacks using those weaknesses would be hard to pull off.

The vulnerabilities arise from the fact that people can surf the Internet with multiple tabs open in their browsers at the same time, and that unsecured traffic in one tab can affect secure traffic in another tab, said Hansen, chief executive of consulting firm SecTheory. Sokol is a security manager at National Instruments Corp.
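One concrete way an unsecured tab can affect a secure session is through cookies: a cookie set over HTTPS without the Secure attribute is attached by the browser to any plaintext request to the same host, and an attacker on the victim's network who can get an unsecured tab to load http://bank.example/ then reads the session cookie off the wire. The following script is an added example, not code from the article or from Hansen and Sokol; it models the browser's cookie-selection rules in simplified form and uses constructed Set-Cookie headers for a hypothetical host bank.example.

```python
"""Which cookies a browser would attach to a request, as a function of the
request's scheme, host and path. Shows how a cookie set over HTTPS but without
the Secure attribute leaks onto a plaintext request that an attacker can
trigger from an unsecured tab on the same network."""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    value: str
    domain: str          # host the cookie applies to
    host_only: bool      # True when no Domain attribute was given
    path: str = "/"
    secure: bool = False
    httponly: bool = False


def parse_set_cookie(header: str, request_host: str) -> Cookie:
    """Parse one Set-Cookie header value as a browser would (simplified)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name.strip(), value.strip(), request_host.lower(), True)
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "secure":
            cookie.secure = True
        elif key == "httponly":
            cookie.httponly = True
        elif key == "domain" and val:
            cookie.domain, cookie.host_only = val.lstrip(".").lower(), False
        elif key == "path" and val.startswith("/"):
            cookie.path = val
    return cookie


def domain_matches(cookie: Cookie, host: str) -> bool:
    if cookie.host_only:
        return host == cookie.domain
    return host == cookie.domain or host.endswith("." + cookie.domain)


def path_matches(cookie_path: str, request_path: str) -> bool:
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def cookies_for_request(jar: list, url: str) -> list:
    """Names of cookies the browser would send on a request to url."""
    u = urlsplit(url)
    host, path = (u.hostname or "").lower(), u.path or "/"
    return [
        c.name for c in jar
        if domain_matches(c, host)
        and path_matches(c.path, path)
        and (u.scheme == "https" or not c.secure)   # Secure cookies go over HTTPS only
    ]


def exposed_over_plaintext(jar: list, host: str) -> list:
    """Cookies a network attacker sees if the victim's browser is induced
    (for example from an unsecured tab) to fetch http://host/."""
    return cookies_for_request(jar, f"http://{host}/")


# Constructed sample (hypothetical host): two cookies set by the HTTPS site,
# one of them without the Secure attribute.
SITE = "bank.example"
SAMPLE_SET_COOKIE = [
    "SESSIONID=9f3a7c; Path=/; HttpOnly",           # no Secure: leaks over http://
    "CSRFTOKEN=51d2e8; Path=/; Secure; HttpOnly",   # Secure: HTTPS only
]
JAR = [parse_set_cookie(h, SITE) for h in SAMPLE_SET_COOKIE]


if __name__ == "__main__":
    print("sent on https://bank.example/account:",
          cookies_for_request(JAR, "https://bank.example/account"))
    print("leaked on http://bank.example/:", exposed_over_plaintext(JAR, SITE))
```

The check a site owner wants is the second function: anything it returns for your own host is a cookie that should have carried Secure (and, for session material, HttpOnly). HttpOnly does not stop this leak; only Secure keeps the cookie off plaintext requests.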

Their talk isn't the first time researchers have looked at ways to scour secure Internet traffic for clues about what's happening behind the curtain of encryption. It does expand on existing research in key ways, though.

"Nobody's getting hacked with this tomorrow, but it's innovative research," said Jon Miller, an SSL expert who wasn't involved in the research.

Miller, director of Accuvant Labs, praised Hansen and Sokol for taking a different approach to attacking SSL.

"Everybody's knocking on the front door, and this is, 'let's take a look at the windows,'" he said. "I never would have thought about doing something like this in a million years. I would have thought it would be a waste of time. It's neat because it's a little different."

Another popular talk at Black Hat concerned a new attack affecting potentially millions of home routers. The attack could be used to launch the kinds of attacks described by Hansen and Sokol.

Researcher Craig Heffner examined 30 different types of home routers from companies including Actiontec Electronics Inc. and Cisco Systems Inc.'s Linksys and found that more than half of them were vulnerable to his attack.

He tricked Web browsers that use those routers into letting him access administrative menus that only the routers' owners should be able to see. Heffner said the vulnerability is in the browsers and illustrates a larger security problem involving how browsers determine that the sites they visit are trustworthy.

The caveat is he has to first trick someone into visiting a malicious site, and it helps if the victim hasn't changed the router's default password.

Still: "Once you're on the router, you're invisible — you can do all kinds of things," such as controlling where the victim goes on the Internet, Heffner said.

Tuesday, July 27, 2010

Preserving Innovation While Ensuring Security, Confidence in System

The Commerce Department's Internet Policy Taskforce on Wednesday will formally seek viewpoints from stakeholders on how best the public and private sector can preserve innovation in an Internet economy while ensuring security and confidence in the system.

Commerce Secretary Gary Locke unveiled the notice of inquiry at a symposium Tuesday on Internet security sponsored by the taskforce, where he also addressed departmental efforts to help build confidence in the Internet so that identity and personal information will be secured for consumers; intellectual property won't be stolen for businesses; and trade, technology and military secrets will be safe from adversaries for government.

"Let's be blunt - because the Internet was initially designed for convenience and reliability, instead of with security as a top priority - we are fighting an uphill battle," he said.

Citing a recent study published by IT security vendor Symantec, Locke painted a gloomy picture of Internet security, noting that malicious activity is increasingly flowing out of countries where broadband and information technology penetration is growing the fastest; advanced persistent threats focused on large enterprises are becoming more common as thieves seek customer data, financial information and intellectual property assets; and mass-market attacks - those that small businesses and consumers usually fall prey to - continue to evolve in their sophistication.

Saturday, July 24, 2010

Santa Cruz, Calif. Mayor Has Laptop Stolen From Office

Posted: Monday, February 1, 2010

A burglar broke into Santa Cruz Mayor Mike Rotkin's office and took his city-issued laptop computer.

Police said the thief used a rock to break an office window and then took the computer.

Rotkin said he doesn't think anyone was specifically targeting him, and that there was nothing of importance kept on the computer.

"I think it was close to a window and somebody desperate saw it and decided to break the window and take the computer," Rotkin said. "I never used the computer. I had nothing on it."

The cost of the computer and the damage done to the office is about $1,500.

City Hall does have security cameras but there aren't any aimed on the mayor's office.

Monday, July 19, 2010

VeriSign 'Trusted' Service Now Scans Sites for Malware

VeriSign said Monday that it has begun to add a "VeriSign Trust Seal" logo to search results and to Web sites that can be used to verify that a site does not harbor malware.

VeriSign already places a logo on some sites that tells the user that it has secured the site via an SSL certificate. The "VeriSign Trusted" logo now also means that the site is checked on a daily basis to see if an attacker was able to penetrate its security and inject malware that would then be downloaded by the site's customers.

A related "Seal-in-Search" technology will place a VeriSign logo next to search results, including Google, alerting users that VeriSign has certified the site as safe to visit, where malware is concerned.

"In the face of increasingly elaborate attacks and fraud schemes, web sites need solutions that do more than data encryption," said Tim Callan, vice president of product marketing at VeriSign. "By enhancing our SSL Certificate services with new features that instill trust at every step of the online experience—at no additional charge to our customers—we're delivering a more robust and value-driven solution. In the process, we're redefining what web sites should expect from online security."

Saturday, July 17, 2010

94 charged in Medicare scams totaling $251M

MIAMI – Elderly Russian immigrants lined up to take kickbacks from the backroom of a Brooklyn clinic. Claims flooded in from Miami for HIV treatments that never occurred. One professional patient was named in nearly 4,000 false Medicare claims.

Authorities said busts carried out this week in Miami, New York City, Detroit, Houston and Baton Rouge, La., were the largest Medicare fraud takedown in history — part of a massive overhaul in the way federal officials are preventing and prosecuting the crimes.

In all, 94 people — including several doctors and nurses — were charged Friday in scams totaling $251 million. Federal authorities, while touting the operation, cautioned the cases represent only a fraction of the estimated $60 billion to $90 billion in Medicare fraud absorbed by taxpayers each year.

For the first time federal officials have the power to overhaul the system under Obama's Affordable Care Act, which gives them authority to stop paying a provider they suspect is fraudulent. Critics have complained the current process did nothing more than rubber-stamp payments to fraudulent providers.

"That world is coming to an end," Health and Human Services Secretary Kathleen Sebelius told The Associated Press after speaking at a health care fraud prevention summit in Miami. "We've got new ways to go after folks that we've never had before."

Officials said they chose Miami because it is ground zero for Medicare fraud, generating roughly $3 billion a year. Authorities indicted 33 suspects in the Miami area, accused of charging Medicare for about $140 million in various scams.

Suspects across the country were accused of billing Medicare for unnecessary equipment, physical therapy and other treatments that patients never received. In one $72 million scam at Bay Medical in Brooklyn, clinic owners submitted bogus physical therapy claims for elderly Russian immigrants.

Patients, including undercover agents, were paid $50 to $100 a visit in exchange for using their Medicare numbers and got bonuses for recruiting new patients. Wiretaps captured hundreds of kickback payments doled out in a backroom by a man who did nothing but pay patients all day, authorities said.

The so-called "kickback" room had a Soviet-era propaganda poster on the wall, showing a woman with a finger to her lips and two warnings in Russian: "Don't Gossip" and "Be on the lookout: In these days, the walls talk."

With the surveillance, the walls "had ears and they had eyes," U.S. Attorney Loretta Lynch said at a news conference in Brooklyn.

Wednesday, July 14, 2010

Mercury News editorial: California should outlaw online impersonation

Impersonating someone with the intent to harm, intimidate, threaten or defraud is illegal in California — except when it's done online. Existing state law, written in 1872, didn't anticipate the existence of Facebook, MySpace or a host of other Internet sites that unintentionally created new ways to harm innocent victims.

State Sen. Joe Simitian has a solution. His SB 1411 would make it a misdemeanor to maliciously impersonate another person online. The Legislature should pass the Palo Alto Democrat's bill, and Gov. Arnold Schwarzenegger should sign into law legal protections against online abuse.

It's sad that Simitian's law is necessary. But online abuses are a growing problem for students, teachers, businesspeople, politicians and people of all ages who are in relationships that have gone amiss.

Facebook and MySpace accounts can be shut down when a problem arises. But when they are created with the intent to do damage, there should be a price. Simitian's law, which includes provisions to protect legitimate forms of free speech, would carry up to a $1,000 fine and/or up to a year in jail.

Sacramento can't legislate good behavior. But it can and should protect Californians from being further damaged by impersonators who are up to no good.

Puerto Rico Birth Certificates Reissued

The Government of Puerto Rico has extended the validity of current Puerto Rico birth certificates for three months, through Sept. 30, 2010. Beginning July 1, Puerto Rico is reissuing all birth certificates because of identity theft problems.

There is a huge problem with Puerto Rico-issued birth certificates being used to unlawfully obtain U.S. passports, Social Security benefits, and other federal services.

The government admits that hundreds of thousands of original birth certificates were stored without adequate protection, making them easy targets for theft.

About 40 percent of the passport fraud cases involve birth certificates of people born in Puerto Rico.

The Vital Statistics Record Office will begin issuing new birth certificates incorporating what it calls "state-of-the-art" technology to limit the possibility of forgery.

The government of Puerto Rico recommends that only people who have a specific need for their birth certificate request a new birth certificate.

People who want a copy of the new birth certificates for their records are asked to wait to avoid a rush of applications.

The new birth certificates will cost $5.

Identity Theft Cases Up 23% 2005-7; 3% Of Households Hit

The number of U.S. households with at least one member who experienced one or more types of identity theft increased 23 percent from 2005 to 2007, says the U.S. Bureau of Justice Statistics. A new compilation from the agency says that in the period studied, the number of households that experienced credit card theft increased by 31 percent and the number that experienced multiple types of theft during the same episode increased by 37 percent.

BJS said that during a six-month period in 2008 in which identity theft victimization data was collected as part of the regular national crime victimization survey, 3.3 percent of households discovered that at least one member had been a victim of one or more types of identity theft. Households with incomes of $75,000 or more experienced a higher rate of identity theft than did households in lower income brackets.

E-Verify law

The Utah Legislature passed a law this year requiring employers to use the federal E-Verify system to confirm the eligibility of new employees to work in the United States legally. But because the law does not include any penalties, businesses have been slow to use it, essentially ignoring the law. However, before Utah imposes penalties, the Legislature should look much more deeply into this system.

E-Verify is an Internet-based system operated by U.S. Citizenship and Immigration Services. It compares information that an employee provides on a Form I-9 ( Employment Eligibility Verification) to records from the U.S. Department of Homeland Security and Social Security Administration. It confirms whether the information provided by the employee, such as name, date of birth and Social Security number, matches government data.

In most cases, E-Verify will instantly confirm the employee’s work authorization, according to USCIS. Sometimes, however, a manual search is required. If the employee information does not match government records, the employer must make sure he has not made a mistake in entering the information, and he must inform the employee of how to contact the agency to clear up or appeal the result.

At the time the bill was being debated, we argued that it made little sense to require employers to use a system whose accuracy was questionable. According to one study, E-Verify fails to identify illegal status about 54 percent of the time. But reliable statistics about the system’s accuracy are hard to find. Some reports suggest that E-Verify correctly identifies people who are eligible to work about 96 percent of the time. The 3.5 percent who fail happens to roughly correspond with the 5 percent of the work force that some studies estimate are in the country illegally. Identity theft also skews any statistics on reliability. In fact, E-Verify may actually encourage identity theft, since a person who presents himself for employment as someone else with valid government data would not be caught by the system.

Prediction: Obamacare 1099 Provisions Will Lead To Identity Theft Explosion

Public Law 111-148, the Health Care Reform Act, contains a number of revenue raising provisions buried in the back of the legislation. In my judgment, the new IRS Form 1099 requirements found in Section 9006 of this law will have the unintended consequence of leading to an explosion of identity theft!

The basic changes to Form 1099 requirements incorporated in this law take effect at the beginning of 2012. They require that all businesses tabulate payments for goods and services from non-governmental agencies and send a 1099 Form to the recipient if the total exceeds $600 for the entire calendar year.

Current 1099 law exempts sending of 1099 Forms to most corporations, but the new law requires accumulating and reporting payments to corporations as well. Further, current law is largely limited to the reporting of payments for services, not goods. The new law expands coverage to all goods and services. It appears that 1099 Forms will now be required to report the same information provided on W-2 Forms that report employee compensation.

What this means for the millions of businesses in the US is that they will have to obtain confidential tax information from almost anyone who provides a good or service, even if the first transaction in a calendar year is under $600, in order to avoid paying a penalty if a 1099 Form is eventually required. Once this information is obtained, each of the businesses must follow the legal requirements for protecting this confidential information in order to avoid a penalty for violating these regulations.

Senators try again on identity theft bill

Senators Tom Carper (D-Del.) and Bob Bennett (R-Utah) re-introduced a bill Wednesday that would require companies to notify consumers when their personal information has been stolen.

“At the very least, identity fraud can cause worry and confusion, and at the very most it can cause serious financial harm,” Carper said. “We need to replace the current patchwork of state and federal regulations for identity theft with a national law that provides uniform protections across the country.”

The bill would replace a system of state data breach notification laws with a national framework clarifying what constitutes personal or sensitive information — any information that can be used to steal from a consumer, commit identity theft, or be used for other criminal activities. The bill also requires organizations to notify consumers within a reasonable timeframe if their information has been breached.

Carper and Bennett have introduced similar legislation in previous sessions, but a senior Senate aide said the current focus on cybersecurity makes this their best chance of getting the bill passed. The aide also said the Obama administration recognizes the severity of the identity theft problem and is anxious to find a solution.

The legislation would apply to any organization that collects private or sensitive information from the public, including businesses, schools and government institutions. The bill requires that the organizations disclose all breaches but does not introduce any new penalties if they fail to do so.

Instead the lawmakers rely on existing regulations that require companies to adequately protect consumer information or face fines, public notification, or other regulatory penalties. Enforcement will fall to various regulatory agencies, depending on the sector in which the breach occurs; financial institutions that lose customer information must notify the Securities and Exchange Commission or Federal Deposit Insurance Corporation, while other groups may report to the Federal Trade Commission.

“We live in an Information Age where technology provides greater ease and business opportunities for Americans, but also increases the ability for criminals to exploit any weak link in the cyber-world,” Bennett said. “In the event that protection is violated, putting victims of identity theft or account fraud at risk, [the bill] provides a much needed uniform national standard for data security and breach notification.”

Malware Support Even Better than Security Vendors

Is your rogue antimalware product not meeting your expectations? Perhaps you should contact support.

Nicolas Brulez of Kaspersky recently blogged about how some of these gangs are offering tech support with their products that has live chat, e-mail, phone, and even multiple languages.

We've truly stepped through the looking glass now, especially when you consider all the legitimate products that don't offer support this good. It says something about how much money is still being made by rogue products. It also says something about how affordable outsourced support using scripted response is.

And according to Kaspersky the support, including the live chat, really is with real people, not a bot. If you have trouble with English, the chat tells you (in English) to send your support request to a particular e-mail address, and then you receive support in your native language. Some of the rogues have native language support based on the language of your Windows version. No word on which languages are supported, but put your money on Russian.

Utah agencies probe alleged illegal immigrant list

SALT LAKE CITY -- State agencies are investigating whether any of their employees leaked Social Security numbers and other personal information after a list of 1,300 people who an anonymous group claims are illegal immigrants was circulated around Utah.

The anonymous group mailed the list to several media outlets, law enforcement agencies and others this week, frightening the state's Hispanic community. A letter accompanying the list demanded that those on it be deported immediately.

The list also contains highly detailed personal information such as Social Security numbers, birth dates, workplaces, addresses and phone numbers. Names of children are included, along with due dates of pregnant women on the list.

Republican Gov. Gary Herbert wrote in a tweet Tuesday that he has asked state agencies to investigate the list's origin.

"We've got some people in our technology department looking at it right now," said Dave Lewis, who handles communications for the state Department of Workforce Services. "It's a high priority. We want to figure out the how's and why's."

Monday, July 12, 2010

Personal Documents Found In Dumpster, Sacramento Parks Department: This Shouldn't Have Happened

6-25-2010
About 100 people's personal information was thrown out along with unused, unopened books and learning materials, a KCRA 3 investigation revealed.

A KCRA 3 insider watched Sacramento Department of Parks and Recreation employees putting the materials in a Dumpster outside a parks building.

KCRA 3 found several folders with important documents. One contained names, Social Security numbers, phone numbers, birth dates, addresses, monthly incomes and even copies of driver's licenses dating back to 2005.

The documents themselves indicated the information provided would be kept confidential.

Instead, the KCRA 3 insider said he watched employees dumping the documents into an easily accessible bin. He has asked not to be identified.

"They didn't even check what was in it," he said. "I know a lot of people get cardboard from those bins. So, anybody really could have found it."

City Parks and Recreation spokesman Hindolo Brima said, by policy, the papers should have been shredded.

"This was not supposed to happen. Staff has been taught how to handle confidential material," Brima said. "We will be investigating. We will make sure this doesn't occur again."

In the same Dumpster were also boxes filled with learning materials for children's programs operated by Parks and Recreation. Other people who work in the area said they see waste frequently.

Monday, June 28, 2010

FTC: Scammers Stole Millions Using Micro Charges To Credit Cards

A gang of unknown thieves has stolen nearly $10 million using micro charges made to more than a million credit and debit cards in an elaborate multiyear scam, according to a lawsuit filed by the Federal Trade Commission in March.


Have any of these company names appeared on your bank card statement? The FTC says they were front companies used by scammers to make nearly $10 million in charges to consumer credit and debit card accounts. (FTC v. API Trade, LLC)

The fraudulent charges went unnoticed by the majority of card owners because they were made in small amounts — ranging from 20 cents to $10 — that bypassed fraud detection algorithms, and because the scammers typically made only one fraudulent charge per card.
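Per-transaction fraud rules never see this pattern, because each charge is small and each card is hit once; it only shows up when you aggregate by merchant. The script below is an added example, not code from the FTC complaint or from the article, and its transactions are constructed: a front company charging 200 cards once each for under $10, a coffee shop with many repeat customers, and an electronics store with one-time but large purchases. It profiles each merchant and flags the combination the article describes: many distinct cards, almost every card charged exactly once, and a small median amount.

```python
"""Merchant-level screening for micro-charge fraud: many distinct cards,
almost every card charged exactly once, and amounts small enough to stay
under per-transaction fraud thresholds."""
import random
from collections import defaultdict
from statistics import median


def build_sample_transactions(seed: int = 1) -> list:
    """Constructed sample rows of (merchant_id, card_token, amount_usd).
    Merchant names are hypothetical."""
    rng = random.Random(seed)
    txns = []
    # Front company: 200 cards, one small charge each.
    for i in range(200):
        txns.append(("FRONT-CO-1", f"card{i:05d}", round(rng.uniform(0.20, 9.99), 2)))
    # Coffee shop: 60 regulars, 300 small charges, so cards repeat heavily.
    for _ in range(300):
        txns.append(("COFFEE-SHOP", f"card{rng.randrange(60):05d}",
                     round(rng.uniform(2.00, 8.00), 2)))
    # Electronics store: 120 cards, one charge each, but large amounts.
    for i in range(120):
        txns.append(("ELECTRONICS", f"card{10000 + i:05d}",
                     round(rng.uniform(50.00, 900.00), 2)))
    rng.shuffle(txns)
    return txns


def merchant_profiles(txns: list) -> dict:
    """Aggregate per merchant: charge count, distinct cards, share of cards
    charged exactly once, and median charge amount."""
    by_merchant = defaultdict(list)
    for merchant, card, amount in txns:
        by_merchant[merchant].append((card, amount))
    profiles = {}
    for merchant, rows in by_merchant.items():
        per_card = defaultdict(int)
        for card, _ in rows:
            per_card[card] += 1
        single = sum(1 for n in per_card.values() if n == 1)
        profiles[merchant] = {
            "charges": len(rows),
            "distinct_cards": len(per_card),
            "single_charge_ratio": single / len(per_card),
            "median_amount": median([a for _, a in rows]),
        }
    return profiles


def flag_micro_charge_merchants(txns: list, min_cards: int = 100,
                                max_median: float = 10.0,
                                min_single_ratio: float = 0.95) -> list:
    """Merchants whose profile matches the one-small-charge-per-card pattern.
    Thresholds are illustrative and would be tuned on real portfolio data."""
    flagged = []
    for merchant, p in merchant_profiles(txns).items():
        if (p["distinct_cards"] >= min_cards
                and p["median_amount"] <= max_median
                and p["single_charge_ratio"] >= min_single_ratio):
            flagged.append(merchant)
    return sorted(flagged)


if __name__ == "__main__":
    sample = build_sample_transactions()
    for merchant, profile in sorted(merchant_profiles(sample).items()):
        print(merchant, profile)
    print("flagged:", flag_micro_charge_merchants(sample))
```

A legitimate low-ticket merchant with mostly one-time customers (parking, vending) will match the same shape, so in practice this is a triage signal to combine with merchant age, chargeback rate and whether the merchant's cards overlap with other recently opened accounts, rather than a block on its own.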

The sophisticated scam, which was first reported by IDG News Service, began in 2006 and was stifled only recently after the FTC succeeded in shutting down merchant accounts the scammers were using and halting the activities of at least 14 money mules who were laundering illegal proceeds for the gang.

According to court documents filed (.pdf) in the U.S. District Court for the Northern District of Illinois, the scammers — identified only as “John Does” in the complaint — recruited money mules through a spam campaign that sought to hire a U.S.-based financial manager for an international financial services company.

Mules who responded to the ad and were chosen for the task opened multiple bank accounts and about 100 limited liability companies for the scammers, which were then used to make the fraudulent charges and launder money to bank accounts in Cyprus and several Eastern European countries, including Estonia and Lithuania.

Front companies set up by the mules included Albion Group, API Trade, ARA Auto Parts Trading, Data Services, New York Enterprizes, and SMI Imports, among others.

The scammers then purchased domain names and set up phone numbers and virtual office addresses for the front companies through services such as Regus. They used this information — along with federal tax ID numbers stolen from legitimate companies with similar names — to apply for more than 100 merchant accounts with credit card processors, such as First Data.

According to IDG,

They used another legitimate virtual business service — United World Telecom’s CallMe800 — to have phone calls forwarded overseas. To further make it seem as though their companies were legitimate, the scammers would set up fake retail Web sites. And when credit card processors asked them to provide information about company executives, they handed over legitimate names and social security numbers, stolen from ID theft victims.

When they had to log into payment processor Web sites, they would do this from IP addresses that were located near their virtual offices, again evading payment processor fraud detection services.

Once approved by the card processors, the front companies were able to charge consumer credit and debit cards. Money charged to the cards was directed into the bank accounts set up by the money mules, who then transferred it to accounts overseas.

The charges showed up on consumer credit and debit card statements with a merchant name and toll-free phone number. But consumers who called the numbers to question the charges generally encountered an automated voicemail recording saying the number had been disconnected or instructing them to leave a detailed message. The calls, of course, were never returned.


More than 1.35 million cards were used to make fraudulent charges, according to IDG, but 90 percent of the charges went uncontested by consumers.

Thursday, June 24, 2010

Protect your business from the cybercrime wave

Fantastic article from Steve Strauss at USA Today...

Q: I really think you should warn people about the increasing dangers coming from scam artists who are targeting small business. Our business had several thousand dollars illegally transferred out of our bank account recently and my banker says this is becoming more and more common. – Paul

A: As with everything else it has touched, the Internet has changed financial fraud, too. And the problem with that is that e-scammers are more difficult to detect. But make no mistake about it – being the victim of financial fraud of any sort can put you out of business in a hurry.

Maybe the worst case of financial fraud that I have been associated with was an old client who ran a very successful, seven-figure construction company. But after his bookkeeper embezzled several hundred thousand dollars, the company had to file two separate bankruptcies before eventually going out of business anyway.

And as I said, today's bad guys have gone high-tech and have unfortunately devised new and better ways to steal your money.

Consider the recent story about a dental group in Missouri that discovered one morning that more than $200,000 had been illegally transferred out of its bank account. To make matters worse, the dentists also found out that small businesses do not get the protections afforded consumers who are the victims of online fraud. If your credit card is stolen, and you report it promptly, your out-of-pocket loss is capped at $50.

Such is not the case with illegal commercial wire transfers.

According to Brian Krebs, a journalist who has covered this issue extensively, "Most companies that get hit with this type of fraud quickly figure out that their banks are under no legal obligation to reimburse them."


So how does this type of fraud occur, and what can you do to protect yourself? Typically, the bad guys are able to plant malware on the victim's computer and then use that to access the company's online banking profile. They then use that information to transfer huge sums of money out of the targeted accounts.

Estimates of losses to business from these types of cyberscams run from the hundreds of millions annually, to the billions.

So what do you do? To answer that question, I recently spoke with Bill Conner, the dynamic president and CEO of Entrust. Conner is one of the world's leading experts on cybersecurity, and his company provides security for everything from Homeland Security, to all U.S. and British passports.

According to Conner, cybercrooks are now targeting small business: "We are in an arms race with sophisticated, high tech enemies who are now concentrating on smaller business bank accounts in addition to their continued efforts to steal from large corporations." To combat the risk, Conner suggests that small businesses employ a "triple threat" security package that would include

• Authentication

• Fraud detection, and

• "Out-of-band transaction verification and signing for high-risk transactions"

Authentication and fraud detection intuitively make sense – these sorts of products look at your transaction, and transaction history, and check for suspicious activity. Conner explained that while Entrust already offers the first two types of protection, to better serve its customers, it is adding that third, necessary layer, of protection with a new product being launched this week.

"IdentityGuard Mobile" is an app for your smartphone. When a potentially suspicious activity begins to hit your account, this product sends you a text of the transaction details and asks you to authenticate and approve it before the bank can approve it.
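What makes out-of-band verification effective against the malware described above is that the approval is bound to the transaction details the user actually sees on the second device, not just to a yes/no. The following is an added example of that mechanism and is not Entrust's code or a description of how IdentityGuard Mobile works internally; it assumes a per-device key shared with the bank at enrollment and uses a hypothetical user "alice" and constructed transaction records. The phone computes a short code over the canonical transaction details, and the bank executes only if the code matches the exact transaction it has been asked to run, so a payee rewritten by malware in the browser no longer matches what the user approved.

```python
"""Out-of-band transaction signing: the approval code the user reads off a
phone is an HMAC over the exact transaction details, so a transfer altered
by malware in the browser no longer matches the code the user approved."""
import hashlib
import hmac
import json
import secrets


def canonical_bytes(txn: dict) -> bytes:
    """Fixed field order and separators so phone and bank hash identical bytes."""
    return json.dumps(txn, sort_keys=True, separators=(",", ":")).encode()


def transaction_code(device_key: bytes, txn: dict, digits: int = 8) -> str:
    """Short decimal code bound to txn: HMAC-SHA256 with HOTP-style truncation."""
    mac = hmac.new(device_key, canonical_bytes(txn), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F                                  # RFC 4226 dynamic truncation
    word = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(word % 10 ** digits).zfill(digits)


def verify_code(device_key: bytes, txn: dict, code: str) -> bool:
    return hmac.compare_digest(transaction_code(device_key, txn), code)


class PhoneApp:
    """The second channel: shows the details it was sent and signs exactly those."""
    def __init__(self, device_key: bytes):
        self.device_key = device_key

    def approve(self, txn: dict) -> str:
        # A real app renders txn on screen and waits for the user to tap Approve.
        return transaction_code(self.device_key, txn)


class Bank:
    def __init__(self):
        self.device_keys = {}    # user -> key provisioned at enrollment (assumption)
        self.completed = set()   # executed transaction ids, to refuse replays

    def enroll(self, user: str) -> bytes:
        key = secrets.token_bytes(32)
        self.device_keys[user] = key
        return key

    def execute(self, user: str, txn: dict, code: str) -> bool:
        """Run txn only if code signs these exact details and has not been used."""
        if txn["id"] in self.completed:
            return False
        if not verify_code(self.device_keys[user], txn, code):
            return False
        self.completed.add(txn["id"])
        return True


def demo() -> tuple:
    """Returns (tampered rejected, legitimate accepted, replay rejected)."""
    bank = Bank()
    phone = PhoneApp(bank.enroll("alice"))
    txn = {"id": "txn-0001", "from": "ACME-OPERATING", "to": "SUPPLIER-7731",
           "amount": "4800.00", "currency": "USD"}       # constructed record
    code = phone.approve(txn)                             # user confirms on the phone
    tampered = dict(txn, to="MULE-ACCOUNT-42")            # browser malware swaps the payee
    tampered_rejected = not bank.execute("alice", tampered, code)
    accepted = bank.execute("alice", txn, code)
    replay_rejected = not bank.execute("alice", txn, code)
    return tampered_rejected, accepted, replay_rejected


if __name__ == "__main__":
    print(demo())
```

The protection holds only as long as the phone shows the real details and the key stays on the phone; malware on the same device that approves transactions, or a user who taps Approve without reading the payee and amount, defeats it.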

With the challenges to small business coming from all sides – decreased lending, tighter budgets, wary consumers – the last thing we need is to take a financial hit due to cybercrime, so we must be vigilant. Keep your security patches up to date. Make sure you have a robust antivirus suite. Change your pass codes frequently. Use the triple threat.

You will be glad you did.

How Much Should You Spend On Security? Gartner Offers Some Answers

Security drops to No. 9 on the list of IT priorities, research firm says Jun 24, 2010

NATIONAL HARBOR, MD. -- Gartner Security Summit 2010 -- Security is not as big a priority for enterprises as it was in 2008, but it's still grabbing a healthy chunk of the IT budget, a major research firm said Tuesday.

Speaking at the annual Gartner Security Summit here, senior analyst Vic Wheatman said that although security has dropped to ninth place on CIOs' lists of top priorities, spending is still strong.

After placing eighth on the 2009 priority list and fifth in 2008, security is continuing to drop on the hit parade, Wheatman said. But security still accounts for an average of 5 percent of total IT spending, he says.

Interestingly, the IT industry spends the most on security -- 11.3 percent of their total IT budget, Wheatman said. Banking and finance companies spend about 8.3 percent of their IT budgets on security; educational institutions spend less than 4 percent.

The average business spends about $525 per employee annually on security, Wheatman continued. The insurance industry spends the most: about $886 per employee. The transportation industry spends only about $155 per employee on security.