Category: Stupid Criminal stories

February 29th, 2008

Oil field data loss just common theft

Posted by Richard Stiennon @ 8:55 am

Categories: State Sponsored Hacking, Stupid Criminal stories

Tags: Brazil, Data Loss, Data, Firewalls, GIS, Network Security, Security, Networking, Software, Richard Stiennon

Sighs of relief can be heard coming from Brazil this week as police arrested four men (port security guards) responsible for heisting some computers that had lots of data from the newly discovered mega-oil-patch off the coast of Brazil.

Way back when I was an industry analyst I remember fighting the battle against universities about so called academic freedom and firewalls. The argument ran that places of higher learning should not erect barriers that would limit access to information. That laughable theory applied to IT security has long since been discredited but the horrifying aspect was that the idea of no-firewalls was also present in major US government agencies such as the US Geological Survey, which is part of the Department of the Interior.

The USGS IT guys proudly told me that they were a research organization made up of scientists who would not abide firewalls. In further discussions they revealed that every oil and gas exploration company was required to store copies of their GIS data with USGS. I found this frankly horrifying because in all my travels I had found that oil and gas companies have the best security of any industry and they recognize the value of their data and go to extraordinary measures to protect it. And here I find that they are all sharing that data in an unsecured repository.

This was in 2002. I am sure that by now the USGS has instituted some protections around that data. They may even have firewalls.

Update:  Stiennon’s blog has moved to here

February 22nd, 2008

Get a clue Morocco

Posted by Richard Stiennon @ 10:38 pm

Categories: Stupid Criminal stories

Tags: Government, Internet, Vertical Industries, Enterprise Software, Software, Richard Stiennon

Do you ever get the feeling that the people around you are missing out on a major shift in the way the world works? Try explaining lolcats to your grandfather for instance. I feel sorry for the powers that be in Morocco who have sentenced Fouad Mourtada, a guy with a clue, to three years in jail for spoofing a Facebook site for a member of their so-called royalty.

I feel sorry for the backward thinking elements of the world as we enter an accelerated phase of how humans communicate and work. Let Fouad go. Hire him to instill cluefulness in your government.

What’s next? Arresting somebody for Leeroy Jenkins syndrome?

I am compiling a top ten list of government stupidity when it comes to the Internet. This qualifies.


February 18th, 2008

California court order effectively erases Wikileaks

Posted by Richard Stiennon @ 1:11 pm

Categories: Stupid Criminal stories

Tags: DNS, California, Web Site, Domain Names, Web Site Development, Internet Service Providers (ISPs), Web Technology, Networking, Internet, Richard Stiennon

In the rapidly escalating story of Wikileaks.org, a California court has ordered the domain registrar, Dynadot, to erase all DNS entries for the domain, effectively erasing a website that hosts millions of documents purportedly “leaked” to the wiki-style site in the name of whistle-blowing on malfeasance. If you visit the site you will note, however, that it is not down, of course.

And, in the meantime, Cryptome has made available a complete download of the documents that started all of this. Thoughts of Pandora’s box and cats escaping from bags leap to mind.

This is an outrageous move by a US court. They have attempted to destroy a website because of a complaint about a particular set of files. I wonder how they justify that? Luckily the Internet is made of a series of tubes and the DNS is only a small part of the plumbing.

Rumors abound of DDoS attacks against Wikileaks.org as well as a fire at their ISP. I am sure we have not heard the last of this.

Update:  Cringely is outraged as well.

January 31st, 2008

Sumitomo copycat crime in Stockholm

Posted by Richard Stiennon @ 7:11 am

Categories: Bank security, CyberCrime, Physical Security, Spyware, Stupid Criminal stories

Tags: Bank, News, Sumitomo Corp., Financial Services, Richard Stiennon

Long-term readers of Threatchaos will recall the attempted Sumitomo Bank heist in London. In that incident a gang connected to an Israeli crime syndicate infiltrated the London branch of Sumitomo Mitsui and installed hardware keystroke loggers on desktop machines within the bank. With stolen credentials they attempted to transfer a reported 220 million pounds to bank accounts around the world.

There are still many questions that remain unanswered in the Sumitomo case. I have maintained a Google alert on Sumitomo for the last two years and there has not been a whisper about any arrests, prosecutions or actions in that case. For all we know the entire gang is still on the loose.

Now we have a fresh incident to look at in Stockholm. Apparently, an employee at a bank in a suburb of Stockholm noticed that his computer was acting strangely, looked under his desk, and pulled the plug on a piece of foreign hardware. The report claims he interrupted the bank robbers’ attempt to transfer millions of something (kronor?). Wow, good timing. This incident occurred last August. The news is breaking now because the Swedish police are claiming to have the bank robbers in custody. Kudos to them. They should share their techniques with the police in London.

Now, let’s hope that through a public prosecution we learn all of the details of this bank heist. Without that how are the 50,000 or so other banks around the world going to adequately protect themselves against becoming victims of similar attacks?

January 30th, 2008

Escrow fraud ruining Craigslist?

Posted by Richard Stiennon @ 8:02 am

Categories: CyberCrime, Stupid Criminal stories

Tags: Car, Craigslist, Fraud, E-mail, Phishing, Telecom & Utilities, Online Communications, Security, Spam And Phishing, Richard Stiennon

There was a time when Bay Area residents could find anything they needed quickly and efficiently on Craigslist. It was great - cars, furniture, apartments, partners, all right there in a revolutionarily simple text format. Then Craigslist expanded to the rest of the US and even the world. Now the scam artists have descended.

This week we went to Craigslist to find a car. Wow! A 2003 Dodge Caravan with 45,000 miles for only $2,900.00. Similar vehicles were listed for $8,000. What a deal! A quick email to the seller and he responds from his email, mark@usarmydt.com. Turns out he is in the army and traveling and can’t take phone calls, but that is OK: he will have a third-party escrow, BuyerProtector.us, ship the car to our home and invoice us. We have five days to return the car, guaranteed. In the meantime, he sends an invoice for the $2,900.00.

See the scam? Of course you do. He gets the money, we get nothing. No car ever shows up. The level of effort put out by these guys is impressive but it is not much more difficult than setting up a phishing scam. First he needed a domain to match his military story (usarmydt.com redirects to army.mil). DNS for the domain is provided by Senpai-IT.com out of Ireland. The real effort went into creating the fake BuyerProtector.us site based on the legit BuyerGaurdian.com site.
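The two name-level tells in that setup (an e-mail domain that borrows an organisation’s name without being one of its domains, and an “escrow” site whose name is built on a real service’s brand) can be checked mechanically. The script below is an added example, not code from the original post or from Craigslist; the lists of official domains and known escrow services, the edit-distance threshold and the prefix length are all assumptions, and it only inspects names, so the redirect to army.mil and the third-party DNS hosting mentioned above would still need live WHOIS/DNS lookups.

```python
"""Heuristic checks on a seller's e-mail domain and claimed escrow site.

Added example for the Craigslist scam described above; the domain lists and
thresholds are assumptions, not data from the page.  Runs offline.
"""
from typing import List, Optional

# Assumed: organisations a scammer might claim to belong to, mapped to the
# registrable domains they really use.
OFFICIAL_DOMAINS = {
    "us army": {"army.mil", "mail.mil"},
}

# Assumed: legitimate escrow / buyer-protection services worth cloning.
KNOWN_ESCROW = ["buyerguardian.com", "escrow.com"]


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a small value between two brand names means typo-squatting."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Last two labels of a host name.  Assumption: no two-label public
    suffixes such as co.uk appear in the inputs."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def brand(host: str) -> str:
    """The second-level label, e.g. 'buyerprotector' for BuyerProtector.us."""
    return registrable(host).split(".")[0]


def common_prefix_len(a: str, b: str) -> int:
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def assess(email: str, claimed_org: Optional[str] = None,
           escrow_site: Optional[str] = None) -> List[str]:
    """Return human-readable findings; an empty list means nothing looked off."""
    findings: List[str] = []
    domain = email.rsplit("@", 1)[-1].lower()

    if claimed_org:
        official = OFFICIAL_DOMAINS.get(claimed_org.lower(), set())
        if registrable(domain) not in official:
            words = [w for w in claimed_org.lower().split() if len(w) > 2]
            if any(w in domain for w in words):
                findings.append(f"'{domain}' carries the name '{claimed_org}' "
                                f"but is not one of its domains {sorted(official)}")
            else:
                findings.append(f"'{domain}' is not a '{claimed_org}' domain")

    if escrow_site:
        name = brand(escrow_site)
        for known in KNOWN_ESCROW:
            if registrable(escrow_site) == known:
                break  # it really is the known service
            kname = brand(known)
            if levenshtein(name, kname) <= 2:
                findings.append(f"'{escrow_site}' is a typo-squat of '{known}'")
            elif common_prefix_len(name, kname) >= 5:
                shared = name[:common_prefix_len(name, kname)]
                findings.append(f"'{escrow_site}' imitates '{known}' "
                                f"(shares the '{shared}' branding)")
    return findings


if __name__ == "__main__":
    for line in assess("mark@usarmydt.com", "US Army", "BuyerProtector.us"):
        print("WARNING:", line)
```

Run against the seller above it produces two warnings: the e-mail domain trades on the name of an organisation whose real domains are different, and the escrow site shares its leading brand word with a known service while being a different registrable domain. A transposed-letter clone of a real escrow domain is caught by the edit-distance check instead. The checks are deliberately name-only; a clean result is not proof of legitimacy, only the absence of these two tells.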

I was scammed once years ago. It still rankles and I still own the FULL SIZE WATER CRAFT WITH MOTOR that I got for FREE ($139.95 shipping costs!). These scam artists are going to ruin the Craigslist experience unless they do something about it quickly. As of this morning the self policing Craigslist community has flagged the postings from Mark@usarmydt.com. But it took three days and we are probably not the only ones who emailed him.

Here are my tips for avoiding being scammed:

1. If they contact you, be suspicious. Ask why me? Am I just lucky?
2. If they cannot talk on the phone, be suspicious. Are they afraid you won’t deal with a Nigerian or Russian accent?
3. Don’t send money.
4. Don’t send money.
5. Research it online. If anyone else saw the same scam you may be able to save yourself a lot of time.

If you are scammed report it to the FTC. That won’t do much good if the scammer is overseas but still worth reporting.

Come to think about it I fell for another scam once. That one set my career back two or three years. I’ll have to write that one up some day.

January 26th, 2008

Another case of insider abuse

Posted by Richard Stiennon @ 11:39 am

Categories: Stupid Criminal stories

Tags: Woman, Insider, CAD, Productivity, Software, Richard Stiennon

OK, this one is on a completely different scale than SocGen’s issues this past week (see below). A woman sees an ad online for an administrator at the architecture firm she works for. Thinking her employer is looking to replace her, she goes into the office in the evening and maliciously deletes millions of dollars’ worth of CAD files. Of course the company had backups, no one is that dumb, but it sounds like she created a lot of hassle the next day. What was dumb was allowing anybody to have delete authority on those files.

But think about it. Could anyone do this in your organization? Do you actually trust your employees too much? The most common computer threat I run into is the insider jack-of-all-trades IT guy at a small business.

The reason I categorize this story under “stupid criminals”? Turns out the ad was for a position at the owner’s wife’s business. Oops.

January 24th, 2008

Beware the knowledgeable insider. Societe Generale shows us why.

Posted by Richard Stiennon @ 10:51 am

Categories: CyberCrime, Data Security, Stupid Criminal stories

Tags: Trader, Control, Firewalls, Security, Networking, Richard Stiennon

The absolute disaster that Societe Generale discovered over the weekend is the best reminder ever to check internal controls. You should be especially wary of employees that are familiar with your risk and security measures. They are armed with the tools to circumvent all of your precautions.

When I was a white hat hacker for PricewaterhouseCoopers our security assessments were usually done in two phases. There would be an external penetration test followed by an internal check of processes and controls. During that internal check I would examine firewall policies, scan networks, and run various tools on representative servers and desktops. I would also interview key IT staff. It would take about four days to get an insider’s feel for operations. And, in every case, I could discover ways to steal from the client company. In my opinion the only reason that most of these companies have *not* experienced a major theft is that people in general, and frankly IT staff in particular, are trustworthy. But trust is not a good policy. Certainly the stakeholders in Societe Generale are going to be asking some questions about the level of trust that SG placed in its traders.

In a case reminiscent of similar events at Barings Bank and Sumitomo, a trader scammed internal controls to engage in some lofty bets that SG claims led to losses of $7.14 billion. Jerome Kerviel had previously worked in the department that applied trading controls so evidently he knew just how to scam the system. It sounds a little strange that he was gaining nothing from his activity. I am sure investigators will check for evidence of unusual signs of wealth from his trading. Maybe he had an accomplice (employer?) on the outside who made bets in the opposite direction, whatever.

Use this incident as impetus to check your internal controls. I can guarantee you, they are not good enough.

Update:  More on SocGen at new Security Blog.
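Both insider cases on this page come down to entitlements nobody reviewed: delete rights on a shared drawing store that an administrator never needed, and a trader who still understood (and, the post suggests, could still work) the control side he had moved out of. The script below is an added example, not code from the original posts or from either company: the roles, entitlement names, users and the list of forbidden combinations are all constructed. It runs three checks over an entitlement snapshot, rights a role does not need, rights carried over from a former role, and pairs of rights a single person must never hold at once.

```python
"""Entitlement review: excess rights, stale rights from a former role, and
toxic combinations (segregation of duties).

Added example for the two insider posts above; every role, entitlement and
user below is constructed, not taken from the page.
"""
from typing import Dict, List, Set, Tuple

# Assumed role model.  'trading.limits.edit' stands for the control-side
# power to change a trader's limits; 'cad.delete' for delete on the shared
# drawing store.
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "trader": {"trading.book"},
    "middle_office": {"trading.confirm", "trading.limits.edit"},
    "architect": {"cad.read", "cad.write"},
    "cad_admin": {"cad.read", "cad.write", "cad.delete"},
    "office_admin": {"cad.read"},
}

# Pairs that no single person should hold at the same time.
TOXIC_PAIRS = [
    ("trading.book", "trading.confirm"),      # books and confirms own trades
    ("trading.book", "trading.limits.edit"),  # books and moves own limits
]

# Constructed snapshot: user -> (current role, former roles, granted rights).
USERS: Dict[str, Tuple[str, List[str], Set[str]]] = {
    "trader_jk": ("trader", ["middle_office"], {"trading.book", "trading.limits.edit"}),
    "trader_ab": ("trader", [], {"trading.book"}),
    "control_cd": ("middle_office", [], {"trading.confirm", "trading.limits.edit"}),
    "front_desk_ef": ("office_admin", [], {"cad.read", "cad.write", "cad.delete"}),
    "cad_gh": ("cad_admin", [], {"cad.read", "cad.write", "cad.delete"}),
}


def review(users, role_entitlements, toxic_pairs):
    """Return (user, kind, detail) findings; kind is 'stale', 'excess' or 'toxic'."""
    findings = []
    for name, (role, former, granted) in users.items():
        excess = set(granted) - role_entitlements[role]
        # Rights the user should have lost when moving out of a previous role.
        for prev in former:
            stale = excess & role_entitlements[prev]
            if stale:
                findings.append((name, "stale", f"kept {sorted(stale)} from former role {prev}"))
                excess -= stale
        # Anything else beyond what the current role needs.
        if excess:
            findings.append((name, "excess", f"{sorted(excess)} not needed by role {role}"))
        # Combinations that defeat the control regardless of how they were granted.
        for a, b in toxic_pairs:
            if a in granted and b in granted:
                findings.append((name, "toxic", f"holds both {a} and {b}"))
    return findings


def holders(users, entitlement):
    """Everyone who can exercise one right, e.g. who can delete the CAD files."""
    return sorted(n for n, (_, _, g) in users.items() if entitlement in g)


if __name__ == "__main__":
    for name, kind, detail in review(USERS, ROLE_ENTITLEMENTS, TOXIC_PAIRS):
        print(f"{kind:6} {name}: {detail}")
    print("can delete CAD files:", holders(USERS, "cad.delete"))
```

On the constructed data the review flags the front-desk account for holding write and delete on the drawing store, and the ex-control trader twice: once for the limits right he kept from his old role and once because book-plus-limits is a forbidden pair. The `holders` call is the question the architecture firm should have been able to answer before the evening in question. The snapshot here is a dictionary; in practice it comes from the directory, the trading platform and the file server, and the review is only as good as the role model you feed it.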

December 11th, 2007

Those clever 419'ers

Posted by Richard Stiennon @ 6:52 am

Categories: CyberCrime, Stupid Criminal stories

Tags: Technique, E-mail, Productivity, Online Communications, Richard Stiennon

It had to happen. In this latest technique scammers hack into someone’s email account and send emails to friends asking for money. In this case the account of a professor in Calcutta was compromised. The scam artists sent email to a business associate asking for $2,500 so he could get out of a hotel in Nigeria. (Hello??? Nigeria?? That should set off alarm bells with anyone who has been using the Internet for more than, oh, about 15 seconds.)

Stiennon’s simple rule for never getting scammed: Don’t send money. Period. Just don’t.

The 419′ers deserve this treatment.

September 11th, 2007

First hacking tools, now key words are outlawed

Posted by Richard Stiennon @ 10:04 am

Categories: State Sponsored Hacking, Stupid Criminal stories

Tags: Hacking, Bomb, Hacking Tool, Terrorism, Web Page, Wikipedia, Richard Stiennon

Reading this Reuters report is a trip to the Twilight Zone. Or, maybe, it is an Onion-esque spoof on reality. The EU is going to force search engines to block access to bomb-making sites? Huh? What are these guys thinking?

EU Justice and Security Commissioner Franco Frattini said in an interview:

“I do intend to carry out a clear exploring exercise with the private sector … on how it is possible to use technology to prevent people from using or searching dangerous words like bomb, kill, genocide or terrorism,” Frattini told Reuters.

So, OK. How do you do that? There are over 84 million web pages with the word bomb in them. Wikipedia has great articles on bombs. Do you set up a department of information control and have them peruse all web pages and decide which ones are harmful? It *is* almost possible. A staff of several hundred with the help of automation can get you 80-90% of the way there. Then all you need are massive filtering devices on every backbone and access point.

There is so much evidence that regulators and government officials are woefully ignorant of technology. Maybe they should just turn off the “Internets”. That should stop terrorism.

August 22nd, 2007

Not Constantinople. Again!

Posted by Richard Stiennon @ 1:41 pm

Categories: CyberCrime, Data Security, Stupid Criminal stories

Tags: Istanbul, Metaphor, Trojan Horse, Richard Stiennon

I love it when cyber crime is linked however remotely to Istanbul. While there is absolutely no pattern here it is still fun to pile up all the incidents. I have written (my 24th post!) how I first learned of the criminal use of keystroke loggers to steal banking credentials in Istanbul. While I was at Webroot there was that bizarre coincidence that in one quarter the highest number of Trojan horses found were in Turkey! (You know, that’s where the ancient city of Troy was located and thus the coining of Trojan Horse as a term for ways to sneak inside defenses. And by the way, I was once accused by my editors at Gartner of using an Americanism when I included the metaphor of an Achilles Heel in a presentation I was giving at Cannes. I gleefully informed them that that particular metaphor would probably be understood by the citizens of a country who had named their capital after the guy, Paris, who shot Achilles (the mastermind of the Trojan Horse) in his heel. Sorry, I digress…)

Anyway, authorities have just tracked down and arrested someone who has been trafficking in stolen TJX credit cards. This Ukrainian man was arrested in a nightclub in Istanbul, which the journalist thinks is strange but I say is no more strange than luring a hacker to New York City and arresting him under the Brooklyn Bridge!

The ripples from the TJX incident continue to spread. This week TJX took a big hit to their earnings as they set aside reserves to cover costs from the incident.

From MarketWatch:

TJX Cos.’ fiscal second-quarter earnings fell 57%, due to a charge of $118 million related to the theft of credit-card data from a Marshall’s store, of which $11 million was for costs incurred in the quarter and $107 million was a reserve for its exposure to potential losses.

Richard Stiennon is an industry consultant. See his full profile and disclosure of his industry affiliations.
