Saturday, August 28, 2010

Senators Introduce Federal Data Breach Notification Bill

On August 5, 2010, the Chairman of the Senate Commerce Subcommittee on Consumer Protection, Product Safety, and Insurance Mark Pryor (D-AR) and Full Committee Chairman John Rockefeller (D-WV) introduced the “Data Security and Breach Notification Act of 2010,” S. 3742, which would require businesses to protect personal information in their possession, to notify residents if that information is breached, and to adopt a data security policy.

Currently, there is no federal notification requirement for a data breach in most industries, although the vast majority of states have enacted data breach notification laws. The proposed bill requires entities to notify consumers within 60 days of a breach and to provide consumers with two years of credit monitoring services.

The proposed bill would authorize the FTC to set national standards for safeguarding personal information and to seek up to $5 million in civil penalties for failure to comply.

If enacted, the bill would preempt all state data breach notification and data security laws and regulations. Only companies covered by the Fair Credit Reporting Act and in compliance with that act would be exempt from the proposed law. Last month, Sens. Tom Carper, D-DE, and Robert Bennett, R-UT, reintroduced a similar bill, S. 3579.

Thursday, August 26, 2010

False Sense of Computer Security

A team of security analysts found that most leading anti-spyware and anti-virus software fail to detect commonly used keyloggers.

Keyloggers are designed to silently record all of one's computer activity. They are commonly used by parents to monitor their children's computer activity. Now they are also being used for criminal activity ranging from spying on individuals to identity theft and data theft.

The security team at SpyReveal tested the leading anti-spyware and anti-virus software against ten of the most popular keyloggers. The results were astonishing! Most of the leading security software used to combat viruses and spyware failed to detect 70% of the keyloggers. While most failed to detect any keyloggers at all, SpyReveal successfully detected all keyloggers.

Computer users are receiving a false sense of security when installing various security applications. With the explosion in online banking, the proliferation of identity theft is greater than ever. Many users install an anti-spyware solution with the expectation of being safe from identity theft. Unfortunately, they are still at an extremely high risk for identity theft and data logging.

"More and more news stories are being published of hackers who have obtained credit card records by using keyloggers", said Mr. Hankinson, SpyReveal's co-founder. "Yet, we still see major players in the security industry continue to fail at this specific type of problem."

Still don't think you or your business is at risk? Take for example Verizon's 2009 Data Breach Investigations Supplemental Report which states "Keyloggers and spyware.... played a crucial role in larger breach scenarios in which hundreds of millions of records were compromised."

"Consumers and businesses should not rely on a single solution for security. Each has a specific purpose. We want consumers to realize that even though their anti-spyware software says 'Nothing Found', that any keylogger could still be present, recording credit card information or business intellectual property," Mr. Hankinson added.

It is important for users to purchase security solutions that are designed for a dedicated purpose to receive the highest degree of protection, without being too narrow. With software like SpyReveal, you can rest assured that you are protected from most keyloggers available on the open market.

Thursday, August 19, 2010

Jennifer Aniston named as victim of salon fraud

The owner of a Beverly Hills beauty salon was arrested on Wednesday on charges of stealing credit card information from Jennifer Aniston, Anne Hathaway and Liv Tyler and running up tens of thousands of fraudulent payments on their accounts.


According to court documents in the case, a witness claimed that Cher, Melanie Griffith and former "Felicity" television star Scott Speedman were also victims of the fraud.

The owner of Chez Gabriela Studio is accused of swindling $214,000 from Tyler alone in a five-month period last year, according to a court affidavit.

The U.S. Attorney's office in Los Angeles said salon owner Maria Gabriella Perez, 51, is accused of making at least $280,000 of fraudulent charges in a one-year period.

Perez is alleged to have used credit card information provided by celebrities and other clients for legitimate services, and later entered the details manually to run up unauthorized charges.

Aniston, Hathaway, Cher, Tyler, Griffith and Speedman were named in the court papers as among those who saw unauthorized charges on their credit cards.

Representatives for Cher, however, told celebrity website TMZ.com that the singer and actress was not a victim and did not know why she had been named in the court papers.

Sunday, August 8, 2010

Rogue AV: A wolf in sheep's clothing

Rogue anti-malware, also known as rogue AV, has become the delivery vehicle of choice for the cybercriminals seeking to infect endpoints with their payloads. Those endpoints consist of both the consumer and enterprise. The ESET Global Threat Trends Report for April 2010 contains a short article called “Free but Fake.” Better yet, one of our most active researchers, Cristian Borghello from our Latin American office, wrote an excellent paper on rogue anti-malware.

If you haven't had a chance to view the convincingly crafted fake scans from our various rogue AV pages, here's one that I took off of one of my testing workstations prior to the infection. The first stage requires the user to take a particular action. In this case – and many others – it can't infect the system without human assistance.

According to a recent paper on large-scale exploits and emergent threats that Google released in late April at the Usenix Workshop, rogue AV accounts for more than 15 percent of all malware Google detects. In the report, Google outlines that from January 2009 until February 2010, more than 11,000 domains were involved in rogue AV distribution.

I have also had recent discussions with colleagues over fake/rogue anti-malware that didn't break the law by infecting endpoints. This isn't actually fake security software, just highly substandard with disproportionately strong messaging.

This aligns strongly with an article from Bruce Schneier that I recall reading entitled “A Security Market For Lemons” (Wired, April 2007). In his article Bruce states:

“Of course, it's more expensive to make an actually secure USB drive. Good security design takes time, and necessarily means limiting functionality. Good security testing takes even more time, especially if the product is any good. This means the less-secure product will be cheaper, sooner to market and have more features. In this market, the more-secure USB drive is going to lose out.”

Bruce closes the article with:

“With so many mediocre security products on the market, and the difficulty of coming up with a strong quality signal, vendors don't have strong incentives to invest in developing good products. And the vendors that do tend to die a quiet and lonely death.”

I agree that a new tactic that's not illegal, such as a deluge of confusing messages and products (more than our customers currently experience), has the potential to impact the revenue of legitimate companies and leads the end-user into having a false sense of security with a highly inert product.

So what do we do about blatantly rogue anti-malware? Below are four points to consider:

■The executable itself shouldn't be allowed to touch or run on the endpoint. While possible, this is easier said than done due to the myriad permutations of endpoint configurations.

■Rogue software, like other malware, may be detectable via behavioral analysis. Implement a highly regarded anti-malware product with excellent static and/or dynamic detection (i.e., one backed by positive user feedback and presale dialog – not marketing hype).

■The distribution of the executable is dependent on very convincing JavaScript and associated graphics. Filtering for these, while tedious, can yield big payoffs.

■If the rogue executable is discovered, send it to the security response team for your anti-malware product. This allows them to add static detection and update their dynamic detection algorithms.

Attacks are cyclical, so once there is a much more effective means for dealing with rogue AV, you can rest assured there will soon be another angle leveraged to gain a foothold in the endpoint. In the meantime, it's an arms race and there are a lot of security vendors working hard to meet the escalating threats head-on. As a security community, keeping the lines of communication open and flowing to share threat intelligence is one of our greatest strengths in this protracted fight.

PCI DSS 1.2: Changes, best practices and tips

PCI DSS is a global information security standard consisting of 12 different requirements – assembled and released by the Payment Card Industry Security Standards Council (PCI SSC). It was created to assist organizations that hold, process or pass on credit card information to help in preventing credit card fraud.

This particular blog post will detail some of the differences between PCI DSS 1.1 and 1.2, and offer several best practices and four useful tips for obtaining and maintaining PCI DSS compliance. Changes are in the works for DSS, with a formal announcement coming in the fall.

Below are some of the key changes from PCI DSS v1.1 to v1.2:

■Incorporates existing and new best practices

■Provides further scoping and reporting clarification

■Eliminates overlapping sub-requirements and consolidates documentation

■Enhances the frequently asked questions (FAQ) and glossary to facilitate understanding of the security process.

Wireless network changes from v1.1 to v1.2:

■Requirement 4.1.1.

■In v1.1 there were provisions allowing WEP (Wired Equivalent Privacy), which is a weak encryption protocol.

■Removing the requirement for disabling SSID broadcasts is new in v1.2.

Anti-virus requirement differences:

■In v1.2, there is a clarification regarding the use of anti-virus software – namely that the requirement applies to all operating system types.

■Requirement number 5.1.1 states: “Ensure that all anti-virus programs are capable of detecting, removing, and protecting against all known types of malicious software.”

Best practices:

■Constant vigilance: There is no 100% guaranteed “silver bullet” for network security. Instead, companies must maintain constant vigilance over their security – from physical security to network configuration and security. A “set it and forget it” attitude in the security world sets false expectations of ongoing security.

■Network traffic anomaly detection

■Log analysis: Using software to correlate various security logs (e.g., firewall, web server, remote access) to spot trends

■Heuristic detection of malicious software: Heuristically detecting malicious software on critical systems that are connected to the vendor's network – not just the systems that handle customer data

■Implementing layered security: If one defense fails, the others have a chance of stopping the attack

■Patch management: Maintaining an effective patch management system, procedures, or both is a key security measure
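The “log analysis” practice above, correlating firewall, web server and remote-access logs to spot a pattern no single log shows, as an added example that is not part of the original post. The log formats, the field names and the sample lines are all constructed for illustration and do not follow any particular vendor's format.

```python
"""Correlate firewall, web server and remote-access logs by source IP.

Added example (not from the original post). Flags a source address that
was repeatedly denied by the firewall on several ports and then, within a
short window, authenticated successfully over remote access. Each log on
its own looks routine; only the correlation stands out.
"""
import re
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

# Constructed sample logs; the formats are assumptions for this example.
FIREWALL_LOG = """\
2010-08-03T02:14:07 DENY tcp 203.0.113.9:51120 -> 192.0.2.10:22
2010-08-03T02:14:09 DENY tcp 203.0.113.9:51121 -> 192.0.2.10:3389
2010-08-03T02:14:11 DENY tcp 203.0.113.9:51122 -> 192.0.2.10:1433
2010-08-03T02:14:13 DENY tcp 203.0.113.9:51123 -> 192.0.2.10:5900
2010-08-03T09:30:00 ALLOW tcp 198.51.100.4:40000 -> 192.0.2.10:443
"""
WEB_LOG = """\
203.0.113.9 - - [03/Aug/2010:02:15:02 +0000] "GET /admin/ HTTP/1.1" 403 212
198.51.100.4 - - [03/Aug/2010:09:30:01 +0000] "GET /index.html HTTP/1.1" 200 5120
"""
VPN_LOG = """\
2010-08-03T02:16:40 vpn login user=backup-svc src=203.0.113.9 result=SUCCESS
2010-08-03T09:31:12 vpn login user=alice src=198.51.100.4 result=SUCCESS
"""

# One normalized record for every source: when, who, which log, what kind.
Event = namedtuple("Event", "ts ip source kind detail")

FW_RE = re.compile(r"^(\S+) (DENY|ALLOW) \w+ (\d+\.\d+\.\d+\.\d+):\d+ -> \S+:(\d+)$")
WEB_RE = re.compile(r'^(\d+\.\d+\.\d+\.\d+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) \d+$')
VPN_RE = re.compile(r"^(\S+) vpn login user=(\S+) src=(\d+\.\d+\.\d+\.\d+) result=(\w+)$")


def parse_firewall(text):
    """kind is the firewall action, detail is the destination port."""
    events = []
    for line in text.splitlines():
        m = FW_RE.match(line)
        if m:
            ts, action, ip, dport = m.groups()
            events.append(Event(datetime.fromisoformat(ts), ip, "firewall", action, dport))
    return events


def parse_web(text):
    """Common-log-style lines; kind is the HTTP status, detail the request."""
    events = []
    for line in text.splitlines():
        m = WEB_RE.match(line)
        if m:
            ip, ts, request, status = m.groups()
            # Normalize to a naive timestamp so all sources compare alike.
            when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z").replace(tzinfo=None)
            events.append(Event(when, ip, "web", status, request))
    return events


def parse_vpn(text):
    """kind is the login result, detail is the account name."""
    events = []
    for line in text.splitlines():
        m = VPN_RE.match(line)
        if m:
            ts, user, ip, result = m.groups()
            events.append(Event(datetime.fromisoformat(ts), ip, "remote_access", result, user))
    return events


def correlate(events, window=timedelta(minutes=15), min_denies=3):
    """Return findings: a successful remote-access login from an IP that was
    denied on at least min_denies distinct ports within the preceding window."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.ip].append(e)
    findings = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        for i, e in enumerate(evs):
            if e.source != "remote_access" or e.kind != "SUCCESS":
                continue
            earlier = [x for x in evs[:i] if e.ts - x.ts <= window]
            denied_ports = {x.detail for x in earlier if x.source == "firewall" and x.kind == "DENY"}
            web_errors = [x for x in earlier if x.source == "web" and x.kind.startswith("4")]
            if len(denied_ports) >= min_denies:
                findings.append({"ip": ip, "user": e.detail, "login_at": e.ts.isoformat(),
                                 "denied_ports": sorted(denied_ports, key=int),
                                 "web_errors": len(web_errors)})
    return findings


def run():
    """Parse all three constructed logs and correlate them."""
    return correlate(parse_firewall(FIREWALL_LOG) + parse_web(WEB_LOG) + parse_vpn(VPN_LOG))


if __name__ == "__main__":
    for finding in run():
        print(finding)
```

The benign address 198.51.100.4 appears in all three logs too, but with no denies, so it produces no finding; only the probing-then-login sequence from 203.0.113.9 is reported.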

Four useful tips (going beyond the checklist):

1. Compliance is not a one-time project – it is an ongoing process

a. One of the biggest dangers of the checklist is that it can be viewed as a one-time project. It is an ongoing process of checking and re-checking the various security controls, as well as enforcing them. Companies should not consider themselves immune to attacks simply because they have achieved compliance.

2. End-to-end encryption (E3)

a. PCI DSS doesn't mention, or require, encrypting the data from the point at which the customer's card was “swiped.” This step will significantly reduce the value of data if it is intercepted.

3. Avoid the low-hanging fruit

a. People tend to go for the path of least resistance. For instance, if their network is unique in its design, and there is a new method of accessing data, and the checklist does not cover the new method, it might be glossed over and compliance would still be achieved. Scheduled reviews of a company's PCI DSS compliance will help ensure that as technology and networks continue to progress, new threat vectors are addressed. For instance, Requirement 5 of the PCI DSS states that for compliance a vendor must use and regularly update anti-virus programs. As there are varying levels in the quality of anti-virus software, a vendor could choose to implement a low detection/high false-positive anti-virus program and have a fairly ineffective anti-virus application running on their systems.

4. “Chain of events” or the “error chain”

a. As in the aviation world, when there is an accident it is referred to as a “chain of events” or the “error chain.” These terms simply mean that multiple factors, rather than a single one, lead to an accident. The same can be said for security incidents, such as data leakage.

Resources:

■PCI Security Standard Council web site: https://www.pcisecuritystandards.org/

■PCI DSS v1.2 Requirements and Security Assessment Procedures: https://www.pcisecuritystandards.org/security_standards/pci_dss_download.html

Do you have additional best practices, tips or observations? You can also share your experiences regarding PCI DSS – experiences, challenges, benefits or any other comments regarding your company and credit card security.

Banking trojans as a weapon of mass destruction

Part 1


According to FinCEN, between January 1 and June 30, 2009, depository institution (banking) suspicious activity reports characterized as computer intrusion increased 75 percent, compared to the corresponding six-month reporting period in 2008. These reports are filed by individual banks across the country and I'm currently grappling with the multiple categories in an attempt to determine exactly how large this banking trojan corporate account takeover risk may be.

Tell you what – 75 percent growth year to year is not small. If one Zeus banking trojan-hijacked account equals the $100,000 average loss that experts tell me, that money is easily the payroll of 20 people – employees, vendors, and owners – who won't be paying their mortgages or rent on time. I can't speculate on where the growth comes from yet because so much of it is mislabeled and tagged into multiple categories.

The importance of clarifying this threat is simple: All experts are unanimous in the fact that businesses are at greater risk of a show-stopping corporate account hijacking event – consumers have separate rights which protect account takeover losses for a much longer time period. Yet businesses often don't know what lurks online or how they can get phished with a simple email, and often they handle a half million dollars or more with no issue.

Strategic value of small businesses

According to the SBA advocacy site, over 99 percent of the private payroll in the US comes from small and midsize businesses. Without small business steadily providing the fifteen year trend of 64 percent of all net new jobs stateside, the logic is simple: our economy can't continue to grow. No new jobs mean slow economic growth.

And somehow we can't seem to measure all of this quantitatively. The overuse by banking employees of the FinCEN SAR category of ‘Other’ mocks any efforts at transparency. I may not be able to access more granular data directly due to the Banking Secrecy Act. My calls and emails are still being automatically handled by FinCEN at the time of this article.

Banking trojans have the potential to become the largest historically destructive threat to our nation's economy short of the Civil War. Business account hijacking has the ability to completely destroy what typically takes strong business teams years of nurturing. All from thousands of miles away or from right across the street.

To the start-ups – willing to take on the gut check of starting a business – it's even worse. This is the theft of someone's total commitment and investment in their future and their employees' futures; different from merely victimizing a single household, more and more this crime victimizes entire communities. Adding longer-term impact: the money that's taken is not spent stateside, so our small restaurants, coffee shops, gas stations and others don't even get that money back into circulation.

Banking trojans are a weapon of mass destruction loosed in the heart of the American Dream.

The soul-destroying consequence of losing a business payroll account

Part 2


There's no Hurricane Katrina fund, no 9/11 trust for business banking victims. Instead of the sudden shocking yet galvanizing crash of a jet into a building, this malware-based attack comes as a slow, stealthy shadow creeping into the already bleak landscape of the jobless.

If a business owner lost their funds overnight, I imagine it might go something like:

■Day one: Shock. Could this really be happening?

■Day two: Fight the bank. And lose. Again, is this really happening?

■Day three: Find a new job so your family can sustain itself. And good luck with that task if you were part of the IT team who missed the malware which stole the banking funds!

Brian Krebs has interviewed many victims whose stories are similar:

“Since the incident, [Michelle Marsico] has had to take out a $395,000 loan at 12 percent to cover the loss (she managed to get $70,000 in wires reversed).

“I'm working for nothing right now, and can't afford to pay myself,” Marisco / [Marsico] said in a phone interview.

Without small business providing new job growth it's arguably a nuclear winter for our economy.

This must stop

1. Business owners are completely in the dark about this threat.

2. The critical priority must become identifying the threat of cybercrimes that soul-kill our communities: FinCEN and other aggregators of financial crime reporting need to step it up and show the data more transparently.

3. There are no laws which require protection for payroll accounts, and the ABA, after saying for years how safe online banking has been, doesn't seem to want to budge from its position that the business is solely responsible for a compromise.

In a recent interview, American Bankers Association Vice President and Senior Advisor of Risk Management Policy Doug Johnson, after agreeing that the threat of corporate account takeover was “very large”, pushed responsibility for prevention and risk right back onto the business rather than the banking community.

“Banks have a tremendous responsibility to protect their small businesses and municipal customers just as they have that responsibility to protect their retail customers.

But the retail customer protections of Reg E would essentially absolve the small businesses of any responsibility or liability for not properly protecting themselves, and you can certainly appreciate that in a community bank market it is very difficult for a financial institution, through no fault of its own, to really make a corporate customer whole for a loss which could be upwards toward a half of million dollars.

“And there would be less incentive on the part of the corporate customer to protect themselves if they knew that they were going to be made whole in that fashion, even if they didn't protect themselves.”

Five years ago, Doug Johnson was saying something very different:

“"Online banking is safe and getting safer," says Doug Johnson, senior policy analyst at the American Bankers Association.” (USA Today, 2005)

2009 APWG Thought Leader Dr. Laura Mather states that dual control for small business accounts is a good practice for businesses to follow since it raises the bar for criminals, however she feels that it is unlikely that all businesses will implement dual controls and worse, that the tactic has a limited shelf life against faster cybercriminals.

“Banks should be educating their business customers to use this technique,” Dr. Mather adds, “and possibly implement measures that enforce the requirements for dual control. The next obvious step for cybercriminals will be multiple infections within a business such that the criminal has access to both of the dual control accounts.”

“As for the ABA party line – I think with the litigation that is moving forward there will soon be legislation around the SMB accounts. Of course, when that happens, all banking organizations will likely have to change their stance on these issues.”

Her words are prophetic: I found a story about the banking trojan compromise of the ABA-recommended dual control method right in our own SoCal backyard which Brian Krebs wrote about a few weeks ago:

http://krebsonsecurity.com/2010/06/e-banking-bandits-stole-465000-from-calif-escrow-firm/

“Owner Michelle Marisco said her financial institution at the time — Professional Business Bank of Pasadena, Calif. – normally notified her by email each time a new wire was sent out of the company's escrow account. But the attackers apparently disabled that feature before initiating the fraudulent wires.”

“The thieves also defeated another anti-fraud measure: A requirement that two employees sign off on any wire requests. Marisco said that a few days before the theft, she opened an email informing her that a UPS package she had been sent was lost, and urging her to open the attached invoice. Nothing happened when she opened the attached file, so she forwarded it on to her assistant who also tried to view it. The invoice was in fact a trojan horse program that let the thieves break in and set up shop and plant a password-stealing virus on both Marisco's computer and the PC belonging to her assistant, the second person needed to approve transfers.”

Steps you can take:

In keeping with how to protect yourselves and your business here are the top things to do today to harden your business target:

1. Update your endpoint malware protection and ensure you have an antispam solution which will block phishing attacks that use spam tactics to reach their victims.

2. Plan and complete a US-CERT risk assessment.

3. Plan to audit your business accounts DAILY from a secure computer. Don't rely too heavily on email alerts – the latest malware disables them.

4. Raise awareness in your own back yard. Start the discussion.

One final step would be to sit down and have a formal review with your bank of the responsibilities involved with an account hijacking and quite frankly, if you don't like what you hear, vote with your feet and consider changing your approach to online banking or changing your bank.

We're still on the search for definitive bank account hijacking statistics. Once we get them, you'll be the first to know.

Once more unto the (data) breach

While going through some FAA manuals, I was reminded of a particular term that is highly applicable in the world of cybercrime. It is referred to as the “chain of events” or the “error chain.” These terms simply mean that multiple factors, rather than a single one, lead to an accident. The same can be said for security incidents, such as data leakage. Take, for instance, some of the largest data breaches to date – such as those experienced by TJX Companies or Heartland Payment Systems (which I've written about in the past here and here).


When the chain of events is unraveled, interesting details begin to unfold – one after another. These are obviously valuable lessons so that the majority of companies can take steps to protect themselves from these severe incidents in the future. But there will always be another way to “get to the goods.”

What are “the goods”? They are, primarily, the unencrypted customer information that resides deep within the core of organizations. In August 2008, I read a Yankee Group analyst research paper by Phil Hochmuth entitled, “Anywhere Data is Powerful, Data Everywhere is Dangerous.” In this paper, Phil discusses the challenge of data security and an increasingly untethered workforce. While that particular paper's focus covered the mobile workforce, it also conveys the key point applicable to all businesses: Customer data is essential to running a business and supporting our customers, but it can also be considered a dangerous liability that must be well-protected.

Three proposed solutions to securing customer data:

■End-to-end encryption (E3). In this context it is from where data is captured, through all intermediaries to the final credit issuer or debit gateway endpoint (http://www.e3secure.com/pdf/E3Security_Model.pdf);

■Mandatory encryption of personally identifiable information (PII) at rest and in motion (this brings up painful key management issues);

■Heartland is requesting that the Accredited Standards Committee X9 (ASC X9) develop a standard to protect cardholder data.

Data breach consequences. There are a slew of consequences that can impact companies after a breach occurs. Some of them bandied about by industry experts are noted below:

Financially catastrophic:

■According to the Ponemon Institute's 2009 Annual Study “U.S. Cost of a Data Breach,” the average cost of a data breach (per record) is $204;

■Loss of sales;

■Investigation and notification costs;

■Fines and litigation;

■Cost of credit monitoring service;

■Interruption of operations;

■Last, but definitely not least, brand erosion (reputation, customer trust).

Regulatory compliance mandates that may impact breached organizations. Of course, many organizations began really paying attention to protecting data as a result not only of some of the consequences noted above, but also because of various industry and government compliance mandates. A sampling includes:

■Health Insurance Portability and Accountability Act (HIPAA);

■Sarbanes-Oxley (SARBOX);

■Gramm-Leach-Bliley Act (GLBA);

■Payment Card Industry Data Security Standard (PCI DSS);

■Federal Information Security Management Act (FISMA).

These are but a few points that are relevant to data breaches of all sizes – not only those that potentially revealed more than 100 million customer records in one incident. Keep in mind that at the time of the breaches, the companies I mentioned were PCI compliant. This should reinforce the point that we still have a long way to go to secure our data and reduce the severity of data breaches.

Data security risk is as unlimited as human intelligence, ingenuity and ignorance.

Rampant hotel data theft

For the past several years, hotels have been hit hard by data thieves. Experts say that despite an increased awareness within the hospitality industry, data theft is still prevalent.

In the most recent incident, disclosed in late June, remote attackers installed a malicious program into the card processing system of Englewood, Colo.-based hotel chain Destination Hotels & Resorts. Guests at 21 Destination properties may have been subjected to credit card theft.

Cybercriminals last year targeted hotels more than any other industry for credit card theft, according to a recent report by data security company Trustwave. Hotels are being targeted because they have large amounts of credit card data and frequently neglect to implement the most basic security precautions, such as changing default passwords or ensuring programs are up to date, said Nicholas Percoco, senior vice president of Trustwave's SpiderLabs.

As a result, attackers commonly gain entry into a hotel's network by exploiting default passwords on point-of-sale (POS) applications, added Dave Ostertag, manager of investigative response at Verizon Business. From there, customized malware is loaded onto the hotel's transaction server that steals credit card information as a transaction occurs.

In March, the Westin Bonaventure Hotel & Suites in Los Angeles disclosed a possible data breach of its POS systems dating back to 2009. Also, between November 2008 and May 2009, the computer systems of some Radisson hotels in the United States and Canada were illegally accessed. And the computer systems of Wyndham Hotels & Resorts were accessed on two separate occasions by cybercriminals who stole customers' card numbers, expiration dates and other data.

Part of the problem is that many hotels are not compliant with the Payment Card Industry (PCI) Data Security Standards (DSS), said Gary Palgon, vice president of product management at encryption firm nuBridges. While retailers have faced increasing pressure over the past few years to get into compliance with the mandate, few from the hotel industry have been paying attention.

However, some members of the hospitality industry are working to deal with this problem, experts said. The Hotel Technology Next Generation (HTNG), a nonprofit hotel trade association, recently issued a security standard which defines how card data should securely flow between a hotel's various systems. Additionally, large, brand-name organizations are beginning to take data security seriously, experts said. But many others are lagging.

“We are still seeing cases on a weekly basis of hotels getting breached,” Percoco said.

Microsoft readies record 14 fixes, eight critical

Microsoft on Thursday announced that next week it plans to deliver a record 14 patches to resolve 34 vulnerabilities across its product line.

The 34 flaws expected to be fixed, which ties a record with the number of holes plugged in June's update, reside in Windows, Office, Internet Explorer, SQL Server and Silverlight, according to the advance notification. Eight of the 14 bulletins earned a "critical" rating, while the others are designated as "important."

Of the critical bulletins, seven impact Windows. Joshua Abraham, a security researcher at Rapid7, which provides vulnerability management and penetration testing services, said he'd expect a few working exploits to come out of the security update, launching attacks such as drive-by downloads.

Abraham added that administrators should not necessarily be concerned by the high number of vulnerabilities receiving updates. He said this is not uncommon following security conferences such as Black Hat and DEFCON.

"In the past, there has been a rather high volume around the summer months," Abraham told SCMagazineUS.com on Thursday. "It's something we've seen before. It doesn't really shock me."

August's update appears to match a recent trend in which a light month of bulletins precedes a busier month.

Administrators should review Microsoft's advisories and use its exploit grades to determine which patches deserve priority, Abraham said.

Rockefeller, Pryor introduce federal data security law

Two senators on Thursday introduced a national data breach notification bill that also would force businesses to create measures to protect sensitive information under their control, according to a news report.

The legislation, introduced Thursday by Sens. Mark Pryor, D-Ark., and John Rockefeller, D-W.Va., would require organizations to alert victims of a breach within 60 days and provide them with two years of credit monitoring services, according to the National Journal's Tech Daily Dose blog.

In addition, businesses and nonprofits would have to implement policies and procedures to protect their data, the blog post said.

Representatives for Pryor and Rockefeller did not immediately respond to requests for comment by SCMagazineUS.com.

Last month, Sens. Tom Carper, D-Del., and Bob Bennett, R-Utah, reintroduced a similar bill.

"The Data Security Act of 2010 would require entities such as financial establishments, retailers, and federal agencies to safeguard sensitive information, investigate security breaches, and notify consumers when there is a substantial risk of identity theft or account fraud," said a news release. "These new requirements would apply to retailers who take credit card information, data brokers who compile private information and government agencies that possess nonpublic personal information."

A national data breach notification law has been in the works for a number of years. Several versions have made the rounds, but nothing ever has cleared both chambers.

This mainly has been due to other Congressional priorities and, more specific to the bills, disagreement over what constitutes a suitable threshold to report a breach. The lack of a federal measure has given way to a hodgepodge of state laws, 46 to be exact.

Sunday, August 1, 2010

Hack attack hits ATM jackpots

LAS VEGAS — Computer security researcher Barnaby Jack jokes that he has resorted to hiding cash under his bed since figuring out how to crack automated teller machines remotely using the Internet.

The New Zealand native on Saturday demonstrated his "ATM jackpotting" discovery for an overflow crowd of hackers during a presentation at the infamous DefCon gathering in Las Vegas.

"You don't have to go to the ATM at all," Jack told AFP after briefing fellow software savants. "You can do it from the comfort of your own bedroom."

Jack proved his findings using two kinds of ATMs typically found in corner stores, bars or other "stand-alone" venues in the United States but said the flaw likely exists in machines at banks.

Banks use "remote management" software to monitor and control their ATMs, and Jack used a weakness in that kind of code to take control of machines by way of the Internet.

He found a way to bypass having to submit passwords and serial numbers to access ATMs remotely. Once in the machines, he could command them to spit out cash or transfer funds.

He could also capture account data from magnetic strips on credit or bank cards as well as passwords punched in by ATM users.

"When you think about ATM security you generally think about the hardware side; is it bolted down and are the cameras in position," Jack said.

"This is the first time anyone has taken the approach of trying to attack the underlying software. It is time to find software defenses rather than hardware defenses."

Jack did his research on ATMs he bought on the Internet. He also found master keys for stand-alone machines available for purchase online, meaning hackers could walk up and tinker with ATM software, he added.

"We shouldn't dwell on the walk-up attack, because no physical access is required," Jack said. "They have a flaw that lets me bypass all authentication on the device on the Internet, and I am the ATM at that stage."

He didn't reveal specifics of the attack to hackers even though the ATM makers were told of the flaw and have bolstered machine defenses.

"I might get my butt in hot water if I released the code," said the IO Active software security researcher who did the ATM hack 'as a hobby.'

"I was careful not to release the keys to the kingdom."

Jack said he doesn't know if criminals have exploited the software flaw "in the wild" but that it is tough to be certain.

"It is not an easy attack to replicate but I am not naive enough to think I am the only one who can do it," Jack said, admitting he has grown wary of ATMs. "I just keep my cash under the bed now, mate."