Archive for: January, 2008

January 31st, 2008

Sumitomo copycat crime in Stockholm

Posted by Richard Stiennon @ 7:11 am

Categories: Bank security, CyberCrime, Physical Security, Spyware, Stupid Criminal stories

Tags: Bank, News, Sumitomo Corp., Financial Services, Richard Stiennon

Long-term readers of Threatchaos will recall the attempted Sumitomo Bank heist in London. In that incident a gang connected to an Israeli crime syndicate infiltrated the London branch of Sumitomo Mitsui and installed hardware keystroke loggers on desktop machines within the bank. With the stolen credentials they attempted to transfer a reported 220 million pounds to bank accounts around the world.

There are still many questions that remain unanswered in the Sumitomo case. I have maintained a Google alert on Sumitomo for the last two years and there has not been a whisper about any arrests, prosecutions or actions in that case. For all we know the entire gang is still on the loose.

Now we have a fresh incident to look at in Stockholm. Apparently, an employee at a bank in a suburb of Stockholm noticed that his computer was acting strangely, looked under his desk, and pulled the plug on a piece of foreign hardware. The report claims he interrupted the bank robbers’ attempt to transfer millions of something (kronor?). Wow, good timing. This incident occurred last August. The news is breaking now because the Swedish police are claiming to have the bank robbers in custody. Kudos to them. They should share their techniques with the police in London.

Now, let’s hope that through a public prosecution we learn all of the details of this bank heist. Without that how are the 50,000 or so other banks around the world going to adequately protect themselves against becoming victims of similar attacks?

January 30th, 2008

Escrow fraud ruining Craigslist?

Posted by Richard Stiennon @ 8:02 am

Categories: CyberCrime, Stupid Criminal stories

Tags: Car, Craigslist, Fraud, E-mail, Phishing, Telecom & Utilities, Online Communications, Security, Spam And Phishing, Richard Stiennon

There was a time when Bay Area residents could find anything they needed quickly and efficiently on Craigslist. It was great - cars, furniture, apartments, partners, all right there in a revolutionarily simple text format. Then Craigslist expanded to the rest of the US and even the world. Now the scam artists have descended.

This week we went to Craigslist to find a car. Wow! A 2003 Dodge Caravan with 45,000 miles for only $2,900.00. Similar vehicles were listed for $8,000. What a deal! A quick email to the seller and he responds from his email mark@usarmydt.com. Turns out he is in the army and traveling, can’t take phone calls, but that is OK: he will have a third-party escrow service, BuyerProtector.us, ship the car to our home and invoice us. We have five days to return the car, guaranteed. In the meantime, he sends an invoice for the $2,900.00.

See the scam? Of course you do. He gets the money, we get nothing. No car ever shows up. The level of effort put out by these guys is impressive, but it is not much more difficult than setting up a phishing scam. First he needed a domain to match his military story (usarmydt.com redirects to army.mil). DNS for the domain is provided by Senpai-IT.com out of Ireland. The real effort went into creating the fake BuyerProtector.us site based on the legit BuyerGaurdian.com site.

I was scammed once years ago. It still rankles and I still own the FULL SIZE WATER CRAFT WITH MOTOR that I got for FREE ($139.95 shipping costs!). These scam artists are going to ruin the Craigslist experience unless Craigslist does something about it quickly. As of this morning the self-policing Craigslist community has flagged the postings from Mark@usarmydt.com. But it took three days, and we are probably not the only ones who emailed him.

Here are my tips for avoiding being scammed:

1. If they contact you, be suspicious. Ask why me? Am I just lucky?
2. If they cannot talk on the phone, be suspicious. Are they afraid you won’t deal with a Nigerian or Russian accent?
3. Don’t send money.
4. Don’t send money.
5. Research it online. If anyone else saw the same scam you may be able to save yourself a lot of time.

If you are scammed report it to the FTC. That won’t do much good if the scammer is overseas but still worth reporting.

Come to think about it I fell for another scam once. That one set my career back two or three years. I’ll have to write that one up some day.

January 29th, 2008

Data mining Digg

Posted by Richard Stiennon @ 2:54 pm

Categories: Cool Companies, Data Security

Tags: NetFlix Inc., Security, Digg, user-ID, Blog, Data Mining, Blockbuster Inc., Help Desk, Blogging, Call Centers

Here is a beautiful example of poking around inside an application to gather what otherwise would be proprietary data. John Graham-Cumming has hacked the social bookmarking application Digg to discover how many registered users they have. He noticed that inside the HTML associated with each user was the date they signed up and a unique user ID that he pretty convincingly argues is sequential and therefore equals the number of users registered up to that date. Clever. And potentially very damaging to the owners of Digg, who may be involved in valuation exercises with potential investors and may have other ways of telling their story. In other words, through an oversight they have left themselves vulnerable to a hacker who revealed confidential information.

Lesson learned: question every sequential assignment of user IDs, whether they are exposed or not. It costs nothing at the beginning to replace the visible counter with an opaque identifier. One caveat: a plain hash of the counter is not enough, because anyone who suspects the IDs are small integers can hash the candidates and match them. The public identifier needs a server-side secret (a keyed MAC over the counter), or should simply be random, with the sequential key kept internal to the database.
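As an added example (not code from the original post, and not Digg’s own), the following Python shows both sides of the Digg observation: from a few scraped (user ID, signup date) pairs an outsider reconstructs the registration curve, and a plain SHA-256 of the counter is recovered by enumerating candidates, while an HMAC under a server-held key is not. The profile data and the server key are constructed for the example; the numbers are not Digg’s.

```python
# Added example: how a sequential, publicly visible user ID lets an outsider
# reconstruct a site's registration history, and why hashing the counter does
# not hide it while a keyed MAC does. Profile data and key are constructed.
import hashlib
import hmac
from datetime import date
from typing import List, Optional, Tuple

# Constructed sample: (user_id, signup_date) pairs as they might be scraped from
# public profile pages that embed both values in their HTML.
SAMPLE_PROFILES: List[Tuple[int, date]] = [
    (1_000, date(2005, 1, 10)),
    (40_000, date(2006, 1, 5)),
    (250_000, date(2007, 1, 8)),
    (1_200_000, date(2008, 1, 20)),
]


def registered_users_at(profiles: List[Tuple[int, date]], when: date) -> int:
    """Largest ID observed on or before `when`: with sequential IDs this is a
    lower bound on the number of accounts that existed at that date."""
    seen = [uid for uid, signed_up in profiles if signed_up <= when]
    return max(seen) if seen else 0


def signups_per_day(profiles: List[Tuple[int, date]]) -> List[Tuple[date, date, float]]:
    """Average daily registrations between consecutive observations. A handful
    of scraped profiles is enough to plot the site's growth curve."""
    ordered = sorted(profiles, key=lambda p: p[1])
    rates = []
    for (uid0, d0), (uid1, d1) in zip(ordered, ordered[1:]):
        days = (d1 - d0).days
        rates.append((d0, d1, (uid1 - uid0) / days))
    return rates


def unkeyed_token(uid: int) -> str:
    """The 'simple hash' fix: SHA-256 of the counter. Deterministic and public,
    so it only looks opaque."""
    return hashlib.sha256(str(uid).encode()).hexdigest()


def recover_uid(token: str, upper_bound: int) -> Optional[int]:
    """Attacker view: if the token is an unkeyed hash of a small integer, hash
    every candidate up to a plausible bound and look for a match."""
    for candidate in range(upper_bound + 1):
        if unkeyed_token(candidate) == token:
            return candidate
    return None


def keyed_token(uid: int, server_key: bytes) -> str:
    """HMAC-SHA256 over the counter with a secret held only by the server.
    Without the key the enumeration above cannot be run, so the counter stays
    internal even though the token is still derived from it."""
    return hmac.new(server_key, str(uid).encode(), hashlib.sha256).hexdigest()


if __name__ == "__main__":
    for d0, d1, rate in signups_per_day(SAMPLE_PROFILES):
        print(f"{d0} -> {d1}: about {rate:,.0f} new accounts per day")
    print("accounts by mid-2007 (lower bound):",
          registered_users_at(SAMPLE_PROFILES, date(2007, 6, 1)))

    print("sha256 token reversed to uid:", recover_uid(unkeyed_token(40_000), 50_000))

    # Constructed key; in practice generate one with secrets.token_bytes(32)
    # and store it server-side only.
    key = b"constructed-server-secret"
    print("HMAC token reversed to uid:", recover_uid(keyed_token(40_000, key), 50_000))
```

The keyed token is still deterministic per user, which is what a profile URL needs; what it no longer reveals is the order or count of registrations. If ordering itself must be hidden from anyone holding the key as well, a random identifier stored alongside the internal counter is the alternative.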

From the Customer Support Rant Desk.

OK, this is totally unrelated to security but I think once in a while I should be forgiven if I use my blog to rant a bit. Everybody else gets to write about their seedy hotel experiences and nightmare help desk calls, why can’t I?

First the good: I got a note from SecondLife a few weeks ago notifying me that they had dinged my credit card for my automatic annual renewal. While SecondLife is very cool, my foray into using it as a way to reach a greater audience in security was a complete bust. I talked a friend into creating a Virtual Trade Show in SecondLife to run simultaneously with the RSA Security Conference last year. He sent out announcements to 600 marketing people at security vendors. Number of responses asking for more info? Zero. Not a single person. So, too early for them, and I never took the SecondLife stuff further. When I got the notice that they had billed me I thought “oh no, here we go” as I opened a trouble ticket. Was this going to be as bad as AOL in their hyped-up Ponzi scheme days, when people had to cancel credit cards in order to unsubscribe? I even used my full signature with this blog address in an unabashed attempt to threaten all of my blogger’s wrath and public invective if they did not get my money back. Next day I get a response: “Your problem is fixed”. They refunded my money! No questions asked, just “OK here you go, no problem”. Now that is customer service, and I owe the folks at Linden Lab this tribute in my blog. As soon as I get a better laptop I’ll be back!

Now the bad: Blockbuster Video. This past weekend my son and I rented a couple of videos. (I know, I know, how 1995.) One of them was scratched. You know how frustrating it is to queue up a video, sit through all of the stupid warnings and previews, get through the opening credits, only to have a DVD freeze up on you? And when I tell you this was Curse of the Golden Flower, you will remember just how riveting that opening scene is. It was too late to return the scratched disc, so I took it in to the Blockbuster store the next day. I politely told the guy behind the counter that I was returning a defective DVD and would like a credit to my account. He got the manager, who informed me that they could not do that. All they could do was replace the defective DVD. “But this is Monday, and my son is not with me this week. How can we watch it now?” “Sorry sir” was all I got. I was steamed; what could I say? I said the only thing I could: “Well I guess you just created another NetFlix customer” and stomped out.

Last night I signed up for NetFlix and my wife and I sat on the couch and watched The Remains of the Day as it downloaded. The experience was incredible. This is the future. Goodbye Blockbuster. Forever.

January 28th, 2008

US Government seeks to invest $6 Billion in security by obscurity

Posted by Richard Stiennon @ 8:32 am

Categories: Security Industry News, State Sponsored Hacking

Tags: U.S. Congress, U.S. Government, Transparency, Security, Richard Stiennon

According to the Wall Street Journal this morning, the Bush administration is pushing to spend $6 billion on cyber security in one year! They claim that US telecom systems are not adequately protected and that they need to spend this money to protect them. Just one problem: the government is not revealing to Congress just how these funds will be spent.

First of all let’s put some perspective around the size of this budget. $6 billion is larger than the entire industry for firewalls. That’s right, the total sales of firewalls from Check Point, Cisco, Juniper, Watchguard, Sonicwall, and twenty other vendors, world wide, is less than $6 Billion. The entire security industry for products is less than $24 Billion.

So just how could the Federal Government spend $6 Billion on cyber security? They are not saying. They are asking Congress to buy a pig in a poke. Of course you will see the DHS claiming that these new investments must remain secret to be effective. I beg to differ. There is *no* security in secrecy when it comes to effective cyber defenses. The strongest cryptography uses schemes whose every detail is published and which remain practically unbreakable anyway, because the only secret is the key. In the same way, the best security for networks and systems is that which cannot be penetrated even if every detail of the defense is published and open.

Congress should stick to its guns and refuse to grant funds for secret cyber defense solutions. Yes, investment is needed, more in new policies and rigid enforcement than anything else. But granting a carte blanche to the Department of Homeland Security for $6 Billion a year in budget will result in only one thing: a new cyber bureaucracy.

Transparency is good for security. The administration should earmark these funds for specific departments and specific security measures. Otherwise there will be no metrics, no accountability, and they will be back at the trough next year asking for money to accomplish more secret goals.

January 27th, 2008

Reckoning day for ChoicePoint?

Posted by Richard Stiennon @ 6:06 pm

Categories: Bank security, CyberCrime, Data Security

Tags: Bureau, Price Tag, ChoicePoint Inc., Culprit, Lesson, Social Security, Identity Theft, Financial Services, Government, Security

You may remember when ChoicePoint, the data aggregator and vendor of personally identifiable information, fell prey to a very simple ploy. Some Nigerian data thieves became customers and proceeded to download thousands of records. ChoicePoint is finally settling a class action lawsuit that arose from that incident almost four years ago. The price tag is $10 million. Ouch.

The lesson is obvious: you have to think through all possible scenarios when making critical data available to your customers, including what should be obvious, that your customers may be crooks. There are deeper questions though. The credit bureaus and ChoicePoint (a spin-off from one of the bureaus, Equifax) have created a world where credit histories can be used to open new accounts with credit card issuers, apply for loans, and rent apartments. If it were not for them, thieves would have no reason to want to steal Social Security numbers and credit reports.

The real culprit is actually ChoicePoint itself and the three bureaus. By creating what is supposedly a superior solution to the old-fashioned way of granting credit (knowing your customer, personal references, bank references, like they do it in most of the rest of the world) they have created a system that is prone to identity theft and overextended borrowers.

I suggest that the FTC, various Attorneys General, and the trial lawyers, target the credit reporting industry for reform. Maybe we can starve the cyber criminals out by making identities less valuable goods.

January 26th, 2008

Another case of insider abuse

Posted by Richard Stiennon @ 11:39 am

Categories: Stupid Criminal stories

Tags: Woman, Insider, CAD, Productivity, Software, Richard Stiennon

OK, this one is on a completely different scale than SocGen’s issues this past week (see below). A woman sees an ad online for an administrator at the architecture firm she works for. Thinking her employer is looking to replace her, she goes into the office in the evening and maliciously deletes millions of dollars of CAD files. Of course the company had backups, no one is that dumb, but it sounds like she created a lot of hassle the next day. What was dumb was allowing anybody to have delete authority on those files.

But think about it. Could anyone do this in your organization? Do you actually trust your employees too much? The most common computer threat I run into is the insider jack-of-all-trades IT guy at a small business.

The reason I categorize this story under “stupid criminals”? Turns out the ad was for a position at the owner’s wife’s business. Oops.

January 25th, 2008

Societe Generale's problem *was* a security issue

Posted by Richard Stiennon @ 10:17 am

Categories: Bank security, CyberCrime, Data Security, Physical Security

Tags: Password, Authentication, SecGen, Security, Financial Services, Richard Stiennon

More details are coming to light already on this week’s revelation by France’s second largest bank, Societe Generale, of massive trading losses thanks to the activity of an errant insider.

The Wall Street Journal this morning (temporary link) reports that Jerome Kerviel spent hours in the evening “hacking” into SocGen’s computer systems. While the article does not reveal many details, it does mention that he eliminated trading controls put in place to impose limits on the size of bets he could make. The article reports that he logged in using the credentials of his friends in the back office where he used to work.

Oh, boy. Someone is going to have to answer for this at SocGen’s risk management group. If stronger authentication would have saved SocGen over $7 billion in losses, it is going to be hard to explain why it was not in place.

If you are a financial institution and you recently rejected a proposal to institute strong authentication controls based on the expense you had better adjust your risk models and re-evaluate that decision.

Update:  Follow up at new security blog

January 24th, 2008

Beware the knowledgable insider. Societe Generale shows us why.

Posted by Richard Stiennon @ 10:51 am

Categories: CyberCrime, Data Security, Stupid Criminal stories

Tags: Trader, Control, Firewalls, Security, Networking, Richard Stiennon

The absolute disaster that Societe Generale discovered over the weekend is the best reminder ever to check internal controls. You should be especially wary of employees who are familiar with your risk and security measures. They are armed with the tools to circumvent all of your precautions.

When I was a white hat hacker for PricewaterhouseCoopers our security assessments were usually done in two phases. There would be an external penetration test followed by an internal check of processes and controls. During that internal check I would examine firewall policies, scan networks, and run various tools on representative servers and desktops. I would also interview key IT staff. It would take about four days to get an insider’s feel for operations. And, in every case, I could discover ways to steal from the client company. In my opinion the only reason that most of these companies have *not* experienced a major theft is that people in general, and frankly IT staff in particular, are trustworthy. But trust is not a good policy. Certainly the stakeholders in Societe Generale are going to be asking some questions about the level of trust SG placed in its traders.

In a case reminiscent of similar events at Barings Bank and Sumitomo, a trader scammed internal controls to engage in some lofty bets that SG claims led to losses of $7.14 billion. Jerome Kerviel had previously worked in the department that applied trading controls, so evidently he knew just how to scam the system. It sounds a little strange that he was gaining nothing from his activity. I am sure investigators will check for evidence of unusual signs of wealth from his trading. Maybe he had an accomplice (employer?) on the outside that made bets in the opposite direction, whatever.

Use this incident as impetus to check your internal controls. I can guarantee you, they are not good enough.

Update:  More on SocGen at new Security Blog.

January 24th, 2008

Cyber confusion. What is the airforce talking about?

Posted by Richard Stiennon @ 8:24 am

Categories: Spyware, State Sponsored Hacking

Tags: Computer Network, Network, Goal, Air Force, Computer, Cyber Command, Phishing, Cyberthreats, Networking, Productivity

If you are like me your eyes cross and you feel a ringing in your ears when you are exposed to military-speak. The acronyms are fun and serve to separate insiders from outsiders, kind of a tribal thing. But it sure makes it hard to figure out what is really going on. Take Ellen Messmer’s article today in Network World magazine. She interviews Air Force Lt. Gen. Robert Elder, who is head of the Air Force “Cyber Command.”

Now let me warn you, the military uses the word “cyber” as a noun. When a military guy says “cyber is important” he means something like “networks are important”. So, while “Cyber Command” should mean using networks to provide command capabilities, the air force has abused our language once again because what they seem to mean is “network management”. In other words there is now one group within the air force responsible for network management and it is headed up by Lt. General Robert Elder.

OK, so what does he say?

NWW: The Air Force has obviously made use of networking for a long time, so what’s really different about the Cyber Command?

Elder: We differentiate between computer network security and computer network defense. Once you’re through the gate, you’re in, so we look at that as hostile territory. It’s inside defense. Right now, most of what we do today is computer network security. But we know our adversaries will attack, and we need training and cyber tools.

See what I mean? Hard to decipher. “Once you’re through the gate, you’re in.” I love that.

NWW:
What kind of attacks are of concern?

Elder: Phishing, for example, is a type of attack. We’re arming airmen with the skills to recognize a phishing attack. We’re installing tools to check URLs. We’re integrating commercial products with our own host-based security systems.

Phishing? Phishing is a problem? Are you starting to get worried here?

NWW: How many people are in the Cyber Command today?

Elder: There are at least a few thousand people now and it will grow to between 5,000 and 10,000. Many people are re-assigned from all over the Air Force. The goal is to be fully established by October. We can’t do anything without cyber — today, we talk about operations in the cyber domain.

At first reading I thought he was talking about 10,000 people doing cyber security. But this number must mean 10,000 people in IT, right? Those parts of IT that have not been outsourced to EDS that is.

But, good news. The new Cyber Command is going to make some radical changes:

NWW: What steps can you take?

Elder: We’re putting a lot of things in place, like moving toward a policy on our firewalls to deny all except by exception.

Yikes, let me check the date on this article. Maybe it is from 1995? That was when the rest of the world figured out firewalls. Nope, 01/23/08. This just reinforces my image of most military operations when it comes to security: they are in the Twilight Zone, a world of their own, completely separated from reality, and most unfortunately, completely unprepared to face their enemies.

Update: Thanks to John Andrew Prime of Gannet for this helpful clarification: LTG Bob Elder is the commander of the 8th Air Force and the Cyber-Strike action component of Air Force Cyber Command (Provisional), but the actual commander of AFCYBER(P), as the U.S. Air Force calls it, is Maj. Gen. William “Bill” Lord. He answers directly to USAF Chief of Staff Gen. T. Michael Moseley. You can see all the top commanders of the new command at its Web page, http://www.afcyber.af.mil/

January 23rd, 2008

Now this is leverage: scaling a phishing operation

Posted by Richard Stiennon @ 9:19 am

Categories: Security Industry News, Spyware

Tags: Phishing, Cyberthreats, Spam, Viruses And Worms, Security, Spam And Phishing, Richard Stiennon

Great research over at Netcraft today. They have found a site called Mr. Brain, set up by some Moroccan hackers, that offers a whole suite of phishing tools. The phishing tools are the usual set of cloned HTML, a management interface for routing stolen bank card info, etc. But these tools come with a bonus! All of the stolen data is also sent to the guys at Mr. Brain!

Brilliant.

Richard Stiennon is an industry consultant. See his full profile and disclosure of his industry affiliations.
