
Category: CyberCrime

February 27th, 2008

Only 8,700 insecure ftp servers?

Posted by Richard Stiennon @ 3:51 pm

Categories: CyberCrime

Tags: Idea, FTP Server, Server, FTP, Security, Richard Stiennon

According to ComputerWorld coverage, Finjan is publicizing a source in Hong Kong it has discovered that offers to sell access to hacked ftp servers. The idea is that a malware purveyor or phisher would want ftp access with admin credentials so they can quickly and easily upload their wares to the web sites served by the ftp service.

Larry Dignan thinks this may be the first “Hacking as a Service” example, but he is way off. There have been sites in the past that allowed you to execute a “ping of death” against any site, or a ping storm or whatever: just type in the IP or URL and watch what happens. So nothing new there. The “new” part is the financial model: selling access piecemeal. Kind of Hacking 2.0.

The simple warning to administrators: Use ftp over secure shell (SSH) to update your servers. Yes, use the advanced authentication techniques.
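As an added example (not from the post), a small POSIX shell audit of an sshd_config fragment for the settings this advice implies: password logins off, root login disabled and an SFTP subsystem present, so uploads go over SSH with key-based authentication rather than plain ftp. The two config fragments are constructed samples, not a real server's configuration.

```shell
#!/bin/sh
# Added example (not from the post): audit an sshd_config fragment for
# SFTP-over-SSH with key-based auth.  sshd honours the FIRST occurrence of a
# keyword, so the audit reads the first match, not the last.

# Constructed sample: a lax configuration (password logins, root login).
WEAK_CFG='Port 22
PasswordAuthentication yes
PermitRootLogin yes
Subsystem sftp /usr/lib/openssh/sftp-server'

# Constructed sample: the hardened counterpart.
HARD_CFG='Port 22
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no
Subsystem sftp internal-sftp'

# ssh_value CONFIG KEYWORD -> prints the effective (first) value, lowercased;
# prints nothing when the keyword is absent (i.e. the compiled-in default).
ssh_value() {
    printf '%s\n' "$1" | awk -v key="$2" '
        { sub(/#.*/, "") }                       # strip comments
        tolower($1) == tolower(key) { print tolower($2); exit }'
}

# audit_sshd_config CONFIG -> returns 0 if every check passes, else prints
# each failing check and returns 1.
audit_sshd_config() {
    cfg=$1; rc=0
    [ "$(ssh_value "$cfg" PasswordAuthentication)" = "no" ] \
        || { echo "FAIL: PasswordAuthentication must be no"; rc=1; }
    # Default is yes, so an absent keyword also fails this check.
    [ "$(ssh_value "$cfg" ChallengeResponseAuthentication)" = "no" ] \
        || { echo "FAIL: ChallengeResponseAuthentication must be no"; rc=1; }
    case "$(ssh_value "$cfg" PermitRootLogin)" in
        no|prohibit-password) ;;
        *) echo "FAIL: PermitRootLogin must be no or prohibit-password"; rc=1 ;;
    esac
    [ "$(ssh_value "$cfg" Subsystem)" = "sftp" ] \
        || { echo "FAIL: no sftp Subsystem configured"; rc=1; }
    return $rc
}

# Run against the constructed samples.
audit_sshd_config "$WEAK_CFG" || echo "weak config: not hardened"
audit_sshd_config "$HARD_CFG" && echo "hard config: OK"
```

On a live host, pass the output of `cat /etc/ssh/sshd_config` as the argument; the audit only reads the file and changes nothing.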

Only 8,700 out of 65,000,000 active web servers? That is a good percentage.

Update: Stiennon’s blog has moved to here

January 31st, 2008

Sumitomo copycat crime in Stockholm

Posted by Richard Stiennon @ 7:11 am

Categories: Bank security, CyberCrime, Physical Security, Spyware, Stupid Criminal stories

Tags: Bank, News, Sumitomo Corp., Financial Services, Richard Stiennon

Long-term readers of Threatchaos will recall the attempted Sumitomo Bank heist in London. In that incident a gang connected to an Israeli crime syndicate infiltrated the London branch of Sumitomo Mitsui and installed hardware keystroke loggers on desktop machines within the bank. With stolen credentials they attempted to transfer a reported 220 million pounds to bank accounts around the world.

There are still many questions that remain unanswered in the Sumitomo case. I have maintained a Google alert on Sumitomo for the last two years and there has not been a whisper about any arrests, prosecutions or actions in that case. For all we know the entire gang is still on the loose.

Now we have a fresh incident to look at in Stockholm. Apparently, an employee at a bank in a suburb of Stockholm noticed that his computer was acting strangely, looked under his desk, and pulled the plug on a piece of foreign hardware. The report claims he interrupted the bank robber’s attempt to transfer millions of something (kroner?). Wow, good timing. This incident occurred last August. The news is breaking now because the Swedish police are claiming to have the bank robbers in custody. Kudos to them. They should share their techniques with the police in London.

Now, let’s hope that through a public prosecution we learn all of the details of this bank heist. Without that how are the 50,000 or so other banks around the world going to adequately protect themselves against becoming victims of similar attacks?

January 30th, 2008

Escrow fraud ruining Craigslist?

Posted by Richard Stiennon @ 8:02 am

Categories: CyberCrime, Stupid Criminal stories

Tags: Car, Craigslist, Fraud, E-mail, Phishing, Telecom & Utilities, Online Communications, Security, Spam And Phishing, Richard Stiennon

There was a time when Bay Area residents could find anything they needed quickly and efficiently on Craigslist. It was great - cars, furniture, apartments, partners, all right there in a revolutionarily simple text format. Then Craigslist expanded to the rest of the US and even the world. Now the scam artists have descended.

This week we went to Craigslist to find a car. Wow! A 2003 Dodge Caravan with 45,000 miles for only $2,900.00. Similar vehicles were listed for $8,000. What a deal! A quick email to the seller and he responds from his email mark@usarmydt.com. Turns out he is in the army and traveling, can’t take phone calls, but that is OK: he will have a third-party escrow, BuyerProtector.us, ship the car to our home and invoice us. We have five days to return the car, guaranteed. In the meantime, he sends an invoice for the $2,900.00.

See the scam? Of course you do. He gets the money, we get nothing. No car ever shows up. The level of effort put out by these guys is impressive, but it is not much more difficult than setting up a phishing scam. First he needed a domain to match his military story (usarmydt.com redirects to army.mil). DNS for the domain is provided by Senpai-IT.com out of Ireland. The real effort went into creating the fake BuyerProtector.us site based on the legit BuyerGaurdian.com site.

I was scammed once years ago. It still rankles and I still own the FULL SIZE WATER CRAFT WITH MOTOR that I got for FREE ($139.95 shipping costs!). These scam artists are going to ruin the Craigslist experience unless Craigslist does something about it quickly. As of this morning the self-policing Craigslist community has flagged the postings from Mark@usarmydt.com. But it took three days, and we are probably not the only ones who emailed him.

Here are my tips for avoiding being scammed:

1. If they contact you, be suspicious. Ask why me? Am I just lucky?
2. If they cannot talk on the phone, be suspicious. Are they afraid you won’t deal with a Nigerian or Russian accent?
3. Don’t send money.
4. Don’t send money.
5. Research it online. If anyone else saw the same scam you may be able to save yourself a lot of time.

If you are scammed report it to the FTC. That won’t do much good if the scammer is overseas but still worth reporting.

Come to think about it I fell for another scam once. That one set my career back two or three years. I’ll have to write that one up some day.

January 27th, 2008

Reckoning day for ChoicePoint?

Posted by Richard Stiennon @ 6:06 pm

Categories: Bank security, CyberCrime, Data Security

Tags: Bureau, Price Tag, ChoicePoint Inc., Culprit, Lesson, Social Security, Identity Theft, Financial Services, Government, Security

You may remember when ChoicePoint, the data aggregator and vendor of personally identifiable information, fell prey to a very simple ploy. Some Nigerian data thieves became customers and proceeded to download thousands of records. ChoicePoint is finally settling a class action lawsuit that arose from that incident almost four years ago. The price tag is $10 million. Ouch.

The lesson is obvious: you have to think through all possible scenarios when making critical data available to your customers, including what should be obvious: that your customers may be crooks. There are deeper questions though. The credit bureaus and ChoicePoint (a spin-off from one of the bureaus, Equifax) have created a world where credit histories can be used to open new accounts with credit card issuers, apply for loans, and rent apartments. If it were not for them, thieves would have no reason to want to steal Social Security numbers and credit reports.

The real culprit is actually ChoicePoint itself and the three bureaus. By creating what is supposedly a superior solution to the old-fashioned way of granting credit (knowing your customer, personal references, bank references, like they do it in most of the rest of the world) they have created a system that is prone to identity theft and overextended borrowers.

I suggest that the FTC, various Attorneys General, and the trial lawyers, target the credit reporting industry for reform. Maybe we can starve the cyber criminals out by making identities less valuable goods.

January 25th, 2008

Societe Generale's problem *was* a security issue

Posted by Richard Stiennon @ 10:17 am

Categories: Bank security, CyberCrime, Data Security, Physical Security

Tags: Password, Authentication, SecGen, Security, Financial Services, Richard Stiennon

More details are coming to light already on this week’s revelation by France’s second largest bank, Societe Generale, of massive trading losses thanks to the activity of an errant insider.

The Wall Street Journal this morning (temporary link) reports that Jerome Kerviel spent hours in the evening “hacking” into SocGen’s computer systems. While they don’t reveal enough details, they do mention that he eliminated trading controls put in place to impose limits on the size of bets he could make. The article reports that he logged in using the credentials of his friends in the back office where he used to work.

Oh, boy. Someone is going to have to answer for this at SocGen’s risk management group. If better password measures would have saved SocGen over $7 billion in losses, it is going to be hard to explain why they weren’t used.

If you are a financial institution and you recently rejected a proposal to institute strong authentication controls based on the expense, you had better adjust your risk models and re-evaluate that decision.

Update: Follow up at new security blog

January 24th, 2008

Beware the knowledgeable insider. Societe Generale shows us why.

Posted by Richard Stiennon @ 10:51 am

Categories: CyberCrime, Data Security, Stupid Criminal stories

Tags: Trader, Control, Firewalls, Security, Networking, Richard Stiennon

The absolute disaster that Societe Generale discovered over the weekend is the best reminder ever to check internal controls. You should be especially wary of employees who are familiar with your risk and security measures. They are armed with the tools to circumvent all of your precautions.

When I was a white hat hacker for PricewaterhouseCoopers our security assessments were usually done in two phases. There would be an external penetration test followed by an internal check of processes and controls. During that internal check I would examine firewall policies, scan networks, and run various tools on representative servers and desktops. I would also interview key IT staff. It would take about four days to get an insider’s feel for operations. And, in every case, I could discover ways to steal from the client company. In my opinion the only reason that most of these companies have *not* experienced a major theft is that people in general, and frankly IT staff in particular, are trustworthy. But trust is not a good policy. Certainly the stakeholders in Societe Generale are going to be asking some questions about the level of trust that SG placed in its traders.

In a case reminiscent of similar events at Barings Bank and Sumitomo, a trader scammed internal controls to engage in some lofty bets that SG claims led to losses of $7.14 billion. Jerome Kerviel had previously worked in the department that applied trading controls, so evidently he knew just how to scam the system. It sounds a little strange that he was gaining nothing from his activity. I am sure investigators will check for evidence of unusual signs of wealth from his trading. Maybe he had an accomplice (employer?) on the outside that made bets in the opposite direction, whatever.

Use this incident as impetus to check your internal controls. I can guarantee you, they are not good enough.

Update: More on SocGen at new Security Blog.

January 18th, 2008

CIA reveals that hackers were responsible for power outages

Posted by Richard Stiennon @ 2:36 pm

Categories: CyberCrime, Physical Security, Security

Tags: CIA, Hacker, Outage, Manufacturing, Hacking, Security, Richard Stiennon

At a SCADA conference in New Orleans this week we learn that there have been multiple instances of hackers attempting to extort municipalities with threats of power outages, and then carrying out the threats, in at least one instance taking out several cities (none in the US, so far).

Need I say more?

January 18th, 2008

Anniversary of TJX breach announcement

Posted by Richard Stiennon @ 12:00 pm

Categories: CyberCrime, Data Security, Security, Security blog

Tags: Credit Card, TJX, TJX Story, Public Relations, Sales Channel, Financial Services, Security, Marketing, Corporate Communications, Sales

Jaikumar Vijayan over at Computerworld has a great round up of “lessons learned” from the TJX break ins first announced a year ago today. To his five points listed below I would add a couple of observations.

Breach disclosures don’t always affect revenue or stock prices …

… but they can be costly

PCI remains a work in progress

The card payment process has issues

The bad guys remain hard to catch

All great points. I would just point out two more of my own:

Reading the news can be very helpful. If those responsible for TJX’s security and compliance had had their eyes open, they would have clued in to the attacks against Lowe’s and DSW and perhaps been able to avoid the credit card losses altogether.

TJX is becoming the poster child for how not to handle the PR around a data breach. Its management should come clean on the exact techniques that were used (with simultaneous assurances that the technical problems have been addressed). Was it WiFi? Was it kiosks in the back of the store? Was TJX aware of the breaches well over a year ago? If not, how did law enforcement officials file briefs in a Florida court citing these breaches months before TJX’s announcement?

The TJX story is far from over. I just hope the rest of the retail industry is reading the media. Especially security blogs. :-)

January 17th, 2008

Security breakdown? Nah, just marketing hype

Posted by Richard Stiennon @ 9:27 am

Categories: Compliance, CyberCrime, Data Security

Tags: Concept, Marketing, Vendor, Exploit, Security, Richard Stiennon

Sean Hargrave over at the Guardian seems concerned about security research firms paying hackers for exploits before they are even reported to the responsible vendor. My reaction to this issue has been: “So what, big deal”.

Various vendors have made defending against so-called 0day exploits their primary differentiator. The concept is that most organizations are already well defended against known threats. Therefore, their biggest concern is being ready for the brand-new attack that comes in the night. A couple of problems here. Most organizations are *not* well protected. Look at the recent success hackers have had in infecting over 10,000 web servers with malicious Trojans.

Making your security purchase decisions based on a vendor’s claims or ability to “get the exploits first” is silly. Security has moved into the somewhat more boring realm of compliance, efficiency, manageability, reliability, throughput, and effectiveness. Winning the race to the next 0day worm is not a buying criterion.

You may question the morality of a vendor paying people to discover exploits, but at the end of the day it just does not matter. So what, big deal.

January 14th, 2008

Cyber Defcon 4

Posted by Richard Stiennon @ 10:30 am

Categories: CyberCrime, State Sponsored Hacking

Tags: Attack, Security, Richard Stiennon

I am preparing my next road show pitch. My past presentations have followed a pattern. There is one slide I have been using for seven years now, ever since I joined Gartner as an analyst as a matter of fact. It is the Threat Hierarchy slide. It lists threats in rank order of risk:

Exploratory hacking
Vandalism
Hacktivism
Cyber crime
Information warfare

When I first started touring I would use my renowned PowerPoint skills (not) to “strike out” Cyber crime, stating that there was no Lex Luthor of the Internet. Wow, times have changed, and I have spent the last two years on the road exhorting my audiences to be aware of the threat from cyber criminals. There are now probably at least 100,000 Lex Luthors all working diligently day and night to steal information and make money from cyber victims.

Well, what about Information warfare? All the rest of the threat hierarchy have come to pass. I am rapidly coming to the realization that cyber war is a topic that should be addressed. Thus I am taking “Surviving Cyber War” on the road.

In preparing for this road show I found that I needed to define a set of Cyber Defense Conditions so here they are:

• Cyber DefCon 1. Travel warnings. Governments issue warnings about protecting data when traveling to foreign nations. Government agents monitor industry conferences and bug hotel rooms. We have been in this condition at least since 1992. Testimony before the US Congress cited a NY Times article that, among many other instances, mentioned French spying on US businessmen at conferences and by installing listening devices on Air France flights.

• Cyber DefCon 2. Nation states probe each other’s networks for vulnerabilities. They attempt to exploit those vulnerabilities perhaps using teenage hackers as a cover. Of course there are many instances of this world wide. The most covered was the so-called “cyber war” between Chinese and US hacker groups in the aftermath of the Chinese-US spy plane collision that occurred April 1, 2001.

• Cyber DefCon 3. Widespread information theft with intent to mine industrial as well as military and geo-political secret information. Shortly after the Haephrati Trojan case broke, where it became known that Israeli businesses were hiring private investigators to spy on competitors using custom Trojan software to steal documents and communications, the UK’s NISCC announced that industrial-scale attacks using similar techniques were targeting UK businesses and government agencies. The spokesman for NISCC named Asia as the source of the attacks. We now know that he meant China.

• Cyber DefCon 4. Targeted attacks against a nation’s military and government installations. Loss of critical data, collateral damage. In the US attacks emanating from China have been labeled Titan Rain. In recent months more concerted attacks have been leveled at the Pentagon causing an outage that lasted several days. These attacks mirrored similar incidents at Whitehall (UK), and the German Chancellery.

• Cyber DefCon 5. Nation-to-nation attacks that are malicious with intent to destroy communication infrastructure and disable business processes, including financial markets. While the events of last April, in which Russian-sponsored hackers took down most of Estonia’s Internet presence, and the similar attacks against the Ukraine last quarter fall into this category, the motivation and purpose were disruptive rather than a precursor to an invasion or more serious acts of war.

From these definitions it is not unrealistic to declare that we are in a state of Cyber Defense Condition 4. Organizations should be taking extreme measures to protect their data from theft by investing in strong authentication and utilizing encryption technology. They should also be preparing their IT infrastructure for concerted denial of service attacks by hardening their DNS, deploying additional layers of defense, and positioning key cyber assets at network nodes with lots of available bandwidth. Western governments should be using the strongest diplomatic means to curtail the current attacks and avoid future attacks. Strategic defensive measures should be deployed throughout the global networks. Government agencies and individual departments should segregate themselves and defend their perimeters. Offensive capabilities should be prepared as a deterrent to future attacks.

Richard Stiennon is an industry consultant. See his full profile and disclosure of his industry affiliations.
