Security Corner


March 26, 2010  3:20 AM

20-year Sentence in TJX Credit Card Case



Posted by: Ken Harthun
Banking Fraud, cyber security, Cyber-criminal, Cybercrime, Hacking, Identity Theft, Security

In the lengthiest sentence yet handed down in an identity theft or hacking prosecution, confessed TJX hacker Albert Gonzalez was sentenced to 20 years in federal prison for orchestrating one of the largest thefts of payment card numbers in history.

IDG News Service – BOSTON — As his parents and sister silently wept, hacker mastermind Albert Gonzalez was sentenced Thursday in U.S. District Court to two concurrent 20-year stints in prison for his role in what prosecutors called the “unparalleled” theft of millions of credit and debit card numbers from major U.S. retailers.

“I stand before you humbled by these past 24 months,” Gonzalez said. “I’m guilty not only of exploiting complicated networks, but also of exploiting personal relationships.”

SANS Institute editor Stephen Northcutt had this to say in a recent issue of SANS NewsBites (Vol. 12 Num. 23):

It seems sensible to me to make stealing 45 million identities a more serious crime than selling marijuana, not that I support either. When you steal identities you hurt so many innocent people. When you sell marijuana, the damage, if any, occurs in the lungs and brains of the people that willingly used the drug. Yet…it appears to me that in the past people received stiffer sentences for marijuana sales than for identity theft. I believe both should be illegal, but that identity theft is the more harmful crime. Nothing against Mr. Gonzalez, but if he is sentenced to a serious number of years, it could send a signal to the criminals of the world that there is a downside to identity theft.

Well, the signal has been sent. Personally, I don’t believe that any non-violent crime should be subject to lengthy terms of incarceration, but that’s a subject for a different post at a different blog at another time.

The cyber-criminals in the huge international crime rings who run most of the major botnets and steal most of the money won’t even blink at this.

March 25, 2010  12:45 AM

Whither Security?



Posted by: Ken Harthun
cyber security, diversionary tactic, security awareness

There are no reports of it yet, but with all of the nation’s attention diverted to the health care law fiasco, what are the cybercriminals doing to exploit the lapse of attention in other areas?

Let me point out that a very effective security subversion tactic is the creation of a diversion. The diversion does not have to be intentional; it can just as easily be inadvertent, as in the case of everyone focusing on possible cyber attacks related to the passage of the controversial health care reform law.

I’m sure that we’ll hear about cyber attacks related to this recent legislation, probably in the form of attempted website defacements and/or DDoS attacks against relevant websites. Many people are up in arms about provisions in the law, so certainly there are going to be attacks. In my life I’ve seen unrest through the 1960s and 1970s, but I don’t think I’ve ever seen it quite as bad as today.

It behooves us to be even more vigilant than usual in these times of political upheaval and unrest. If I have you focused on target A, then I can easily attack target B.

And I believe we’ll see that happening.


March 23, 2010  1:08 AM

Technospeak: Advanced Persistent Threat



Posted by: Ken Harthun
Advanced Persistent Threat, APT, InfoSec, Intrusion detection, Security, security awareness, Security practice

Just what we need – another coined phrase and acronym. This time, it’s Advanced Persistent Threat: APT for short. This new one was popularized at the RSA conference a couple of weeks ago. What is it? Let me explain; rather, let’s let Steve Gibson of the Security Now! podcast explain. This is from episode #240, Listener Feedback #88:

So this notion of an Advanced Persistent Threat is that some way in is found, and then the bad guys set up a persistent presence inside the network and attempt to stay undetected and connected in the network, present essentially, for as long as possible, for doing whatever they’re doing – surveillance, collecting files, sending them offsite, out of that local country zone, wherever.

Very bad. And the worst part about it is that it only takes one unpatched hole to leave a network open. The biggest problem with security is that it must be absolutely perfect. Here’s Steve again:

And remember, this is the big problem with security is it has to be perfect. Meaning it only takes one mistake somewhere, one thing missed, one vulnerability not patched, one port left open, one unsafe application running. I mean, literally, the barrier is so high to be absolutely secure because it just takes one hole for some guy to get in. And so if there’s tremendous pressure against the security perimeter, any leak will allow someone in.

This should be enough to get your attention and put in that IDS that you’ve been putting off for so long.


March 15, 2010  2:10 AM

What is Weaponized Email?



Posted by: Ken Harthun
Clickjacking, Security, security awareness, Trust No One, Web 2.0 Security

The security threat formerly known as “spear phishing” is now called “weaponized email,” and it’s a bad, bad thing made worse by Web 2.0 and the social networking sites. As you probably know, spear phishing is an email attack that targets a specific organization or demographic. A couple of years ago, we saw these things targeting dentists, doctors and other professionals: messages from purported “hit men” with consciences, who agreed to forgo the hit in exchange for “protection” money, a classic extortion scheme. With the meteoric rise of Web 2.0 social networking sites like Facebook, MySpace, Twitter, the Ning networks and what have you, the game has changed.

Consider this (based on an actual incident): You’re employed by a financial firm; you have a Facebook page; you’re the coordinator for the annual company picnic; and, many of your co-workers also have Facebook pages and are in your group of friends. Sounds OK, right? Just a gathering of co-workers on a social network.

Well, think again. The cyber-criminals had a field day with it.

The crooks noticed this social circle, noting that its members all worked for a firm that might be a good target. Attempts to hack the group’s Facebook accounts succeeded against the picnic coordinator I mentioned above. The criminals were now able to impersonate the victim. The crooks sent messages out to the victim’s friends with a subject similar to “Look who I caught on camera at the company picnic.” The messages contained what looked like a link to some photos, but it was really a link to a malicious site that served malware in the form of a keylogger program.

You’re a friend of the victim, and you get a message from them. No problem, they’re your friend on Facebook and a co-worker whom you trust. Naturally, you think it’s safe, so you open the email and click on the link. You’re infected with a keylogger program. On your company laptop. That you use to access the corporate VPN at home and on the road.

Tonight, you have a report that’s due and you’ve just finished it, so you log into the VPN, access the secure data repository and upload your file. The bad guys have a complete recording of everything you just did…

The criminals managed to log in to the corporate VPN and spent the better part of two weeks mapping the network to see what they could steal. The good news is that the slime bags were discovered, but not before they had already compromised two of the central database servers and had taken full control of them.

Trust no one and never click links until you are sure where they lead.


March 13, 2010  3:36 PM

Worth Repeating: Use a Dedicated PC for Online Banking



Posted by: Ken Harthun
Cybercrime, Identity Theft, Online banking fraud, Secure Computing, security awareness

In light of my last post, “$120M Stolen by Hackers in Three Months,” I want to reiterate what I said in “ABA Recommends Using Dedicated PC for Online Banking.” This is the way I would do it:

…set up a PC with Microsoft’s SteadyState, disable any Internet access except to the bank’s online application and uninstall Outlook Express. I would make a completely locked down and hardened installation of Windows with all services disabled except for essentials. Assign a static IP address to the machine. I would use a software firewall and disable all ports except 80 and 443. Of course, anti-malware software would be essential.

In the March 2010 issue of SANS Ouch! (Vol. 7 No. 3), you’ll find this advice:

* Keep your dedicated computer out of reach, or even better, under lock and key
* Set a strong password for the Administrator account
* Create a second account that has limited privileges and always use this account for your online banking
* Contact your computer support provider for information about how to add, remove and change user accounts
* Turn your dedicated computer off when not in use to help prevent network-based intrusions
* Keep the operating system secure by applying patches and updates promptly
* Don’t scrimp on security software; install a good-quality security suite and keep it updated
* Never use a wireless connection for online banking
* Use a strong password for your online banking account, and do not use that password anywhere else (strong password tips: http://www.sans.org/newsletters/ouch/issue/20100219.php)
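The post’s own lockdown (static IP, host firewall limited to ports 80 and 443) and the SANS list (limited-privilege account, no wireless) can be applied from an elevated PowerShell prompt with netsh and net.exe. This is an added example, not code from the original post, SANS or the ABA; the addresses, adapter names and account name are placeholders you must replace.

```powershell
# Added example (not from the original post, SANS or the ABA): apply the
# dedicated banking PC lockdown described above on a Windows machine.
# Run from an elevated PowerShell prompt. Assumptions (placeholders, not real
# values): the bank's web front end is at 203.0.113.10; the LAN is 192.0.2.0/24
# with gateway 192.0.2.1 and resolver 192.0.2.53; the wired adapter is "Ethernet".

$Nic    = 'Ethernet'       # placeholder: wired adapter name (see: netsh interface show interface)
$HostIP = '192.0.2.20'     # placeholder: the static address the post recommends
$GwIP   = '192.0.2.1'      # placeholder: default gateway
$DnsIP  = '192.0.2.53'     # placeholder: resolver; without it the bank's name never resolves
$BankIP = '203.0.113.10'   # placeholder: the bank's address, obtained from the bank itself
$User   = 'banking'        # limited-privilege account used only for online banking

# 1. Static IP and DNS on the wired adapter; the wireless adapter is disabled
#    because wireless is never used for banking (adapter name is a placeholder).
netsh interface ip set address "name=$Nic" static $HostIP 255.255.255.0 $GwIP
netsh interface ip set dns "name=$Nic" static $DnsIP
netsh interface set interface "name=Wi-Fi" admin=disabled

# 2. A second, limited account for banking. The Administrator account keeps its
#    own strong password and is never used for browsing.
$pw = Read-Host "Password for the '$User' account"
net user $User $pw /add
net localgroup Users $User /add          # member of Users only, never Administrators

# 3. Host firewall: default-deny in both directions on every profile ...
netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound

# 4. ... then allow only what banking needs. "All ports except 80 and 443" is
#    not enough on its own: the rule also pins the remote address to the bank.
netsh advfirewall firewall add rule name=BankWeb dir=out action=allow protocol=TCP "remoteip=$BankIP" remoteport=80,443
netsh advfirewall firewall add rule name=DnsResolver dir=out action=allow protocol=UDP "remoteip=$DnsIP" remoteport=53
# Caveat: Windows Update and the security suite's updates are now blocked too.
# Patch from the Administrator account with a temporary allow rule, then remove it.

# 5. Verify: the policy should read BlockInbound,BlockOutbound and only the two
#    outbound rules above should be enabled.
netsh advfirewall show allprofiles
netsh advfirewall firewall show rule name=all dir=out | Select-String 'Rule Name|Enabled|RemoteIP'
```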

Either way, the key is to use a secure, dedicated system. And if you spot any unauthorized activity, or suspect your information has been compromised in any way, the Federal Trade Commission recommends you take the following actions:

* Notify your bank and credit card companies immediately
* Close all affected accounts
* Notify the major credit reporting agencies
* File a report with the Federal Trade Commission
* File a report with the police

Find more advice in the ABA Education Foundation article, “Protect Your Financial Identity”.

Just do it!


March 11, 2010  2:36 AM

$120M Stolen by Hackers in Three Months



Posted by: Ken Harthun
Banking Fraud, Cyber-criminal, Cybercrime, Krebs on Security, Security

David Nelson, an examination specialist with the FDIC, says that online banking fraud involving the electronic transfer of funds rose to over $120 million in the third quarter of 2009. He presented his estimates Friday at the RSA Conference in San Francisco.

I wrote about this in October 2009 in my article, “Protecting Your Business From Online Banking Fraud.” I wasn’t the only one to advocate secure, read-only systems for banking, but it looks like the message didn’t spread very far. Businesses need a security manager to prevent such losses.

Let’s see, if I were to charge, say, a 1% fee based on the monthly ACH transfer volume of a given company to keep them secure, and that company was doing $1M/mo., that would be a good living. Hmmm…just might have to look into that.

Better to pay 1% than to lose 100%, don’t you think? Especially when you consider this: “Commercial deposit accounts do not receive the reimbursement protection that consumer accounts have, so a lot of small businesses and nonprofits have suffered some relatively large losses,” Nelson said. Bullitt County, Kentucky, suffered a loss of $415,000 (see “PC Invader Costs Ky. County $415,000”).

Wake up, people!


March 9, 2010  1:33 AM

Security Humor: Anti-Terrorism Honor System



Posted by: Ken Harthun
Security Humor

Well, I’ve tried everything I can to embed this, but it’s not working. Just click on the link. This is hilarious, I “pinky swear!”

http://www.collegehumor.com/video:1929195

Enjoy!


March 5, 2010  9:11 PM

Why It’s Important to Monitor Your Finances Closely



Posted by: Ken Harthun
Banking Fraud, Credit Monitoring, Fraud, Identity Theft

Being the security-conscious person that I am, I keep close tabs on my credit card and bank accounts. Everyone should monitor their finances closely; unfortunately (for them), many don’t. My daughter is one of those.

Imagine going to the bank to withdraw your rent money and being told you don’t have enough in your account. Panic. You know the money should be there; after all, you haven’t spent it. But someone did. That “someone” ran up a series of small purchases on the debit card totaling nearly $500 over a period of about a week. What’s a mystery at this point is who got access to the card and how, but that’s not the issue here.

The issue is that the very first unauthorized purchase should have been noticed and the bank informed of the fraud. Close monitoring of the account, and I’m talking checking it on a daily basis, would have saved my daughter from considerable anxiety and inconvenience. It’s not that difficult to log on and check the transactions.

The good news is that the money will be returned by the bank, but it’s going to take a week or so to wrap up the investigation.

For those who are just too busy or don’t want to fool with it, there are services out there that monitor credit card and bank accounts and alert you if suspicious activity is noted. But these services charge anywhere from $12.99 to $19.99 a month and really don’t do anything that you can’t do yourself.

I’m betting that my daughter will take my advice.


March 4, 2010  7:37 PM

How NOT to Fight Spam



Posted by: Ken Harthun
email, Humor, Opinion, spam

I received this in response to a legitimate email sent out to one of my double opt-in subscribers at Ask the Geek. You can certainly tell that this poor soul is seriously frustrated. The first problem is that he has a Hotmail account which is a spam magnet in itself. The other problem is that this message will probably never get to anyone who matters and only confirms that he has a valid email address.

Although I share his sentiments somewhat, I don’t recommend this approach. It’s a waste of time.

Subject: Vacation reply
To: You!

Hello,

If you are NOT a CURRENT FRIEND, A MEMBER OF MY FAMILY, or if you DO NOT currently HAVE AN ACTIVE ACCOUNT FOR ME, or ARE RESPONDING TO AN EMAIL or REQUEST I INITIATED THEN YOU DO NOT!!!! SEND ME ANY MORE EMAIL AND TAKE ME OFF ALL YOUR EMAIL LISTS AND AFFILIATE’S LISTS!!!! I DON’T WANT A BIGGER PxxxS [edited], I DON’T HAVE AN ACCOUNT ON ANY PERSONALS SITE, I DO NOT WANT TO SEE YOUR WEBCAM.

ALSO, Due to me being in an area that does not allow reliable internet connections, every email sent to this account will be forwarded to another email address that I do have routine access to, and if you are a friend, family, or someone I have business with, I will respond to you from that email address.

IF YOU ARE A SPAMMER, THEN GO THE HECK AWAY!!!!! I DON’T CARE ABOUT ANYTHING YOU HAVE TO OFFER! I’M NOT INTERESTED!! STOP SENDING ME YOUR GARBAGE!!!! NOW!!!!!!!! BY LAW, YOU ARE REQUIRED TO REMOVE ME FROM YOUR LIST!!! SO, IF YOU DO NOT BELONG TO ONE OF THE VERY SPECIFIC CATEGORIES ABOVE, YOU WILL REMOVE ME FROM YOUR CONTACT/EMAIL LIST IMMEDIATELY!!!


March 3, 2010  5:59 PM

Botnet of 13 Million Infected PCs Dismantled



Posted by: Ken Harthun
Botnet, Cyber-criminal, Cybercrime, Panda Security

The Mariposa (“butterfly” in Spanish) botnet, which infected nearly 13 million PCs and spread to more than 190 countries, has been taken down, thus ending a global menace that affected more than half of the Fortune 1000 companies and more than 40 major banks. Three people alleged to be the botnet’s ringleaders have been arrested by authorities in Spain; more arrests are expected soon in other countries.

According to the AP report, Cesar Lorenza, a captain with Spain’s Guardia Civil, which is investigating the case, said that the three suspects are Spanish citizens with no criminal records. They weren’t hackers but had underworld contacts who helped them construct and run the botnet.

The botnet was set up to steal online login credentials for banks as well as email services from compromised Windows PCs.

Panda Security was part of the Mariposa Working Group (MWG) along with Defence Intelligence, the Georgia Tech Information Security Center and other international security experts and law enforcement agencies. MWG was formed to eradicate the botnet and bring the perpetrators to justice. According to the PandaLabs blog, here’s what went down:

The criminal gang behind Mariposa called themselves the DDP Team (Días de Pesadilla Team – Nightmare Days Team in English), as we discovered later when one of the alleged leaders of the gang slipped up, allowing us to identify him.

Tracking down the criminals behind this operation had become extremely complex, as they always connected to the Mariposa control servers from anonymous VPN (Virtual Private Network) services, preventing us from identifying their real IP addresses.

On December 23, 2009, in a joint international operation, the Mariposa Working Group was able to take control of Mariposa. The gang’s leader, alias Netkairo, seemingly rattled, tried at all costs to regain control of the botnet. As I mentioned before, to connect to the Mariposa C&C servers the criminals used anonymous VPN services to cover their tracks, but on one occasion, when trying to gain control of the botnet, Netkairo made a fatal error: he connected directly from his home computer instead of using the VPN.

Netkairo finally regained control of Mariposa and launched a denial of service attack against Defence Intelligence using all the bots in his control. This attack seriously impacted an ISP, leaving numerous clients without an Internet connection for several hours, including several Canadian universities and government institutions.

Once again, the Mariposa Working Group managed to prevent the DDP Team from accessing Mariposa. We changed the DNS records, so the bots could not connect to the C&C servers and receive instructions, and at that moment we saw exactly how many bots were reporting. We were shocked to find that more than 12 million IP addresses were connecting and sending information to the C&C servers, making Mariposa one of the largest botnets in history.

Good riddance!

