Secure online Identity

2009-11-22T00:40:00.000-08:00

NCSA: Security concerns drive shopping cart abandonment

Even in tough times when bargains are being sought by many, consumers are still wary of pouncing on a purchase if they have doubts about a site's online security. E-commerce sites that don't reassure consumers their personal data is secure are risking losing out on sales.

In what looks like another tough holiday season, online retailers need to do all they can to secure a sale. One area that many overlook is online security. Recent studies have shown that consumers are abandoning shopping carts if they feel their identities or personal information are at risk in the hands of a retailer.

A new poll by the National Cyber Security Alliance (NCSA) and Symantec found that security concerns were behind 63% of online shoppers' decisions to terminate a purchase. In addition, 46% terminated a purchase because of worries about providing the information being requested, 41% were unhappy at the amount of information being asked of them and 32% were unsure as to how the data they provided would be used.

"Americans are extremely focused on protecting their personal information and their identities," said Michael Kaiser, executive director of the NCSA. "Skepticism is a front-line defense and it is heartening to see that Americans are actively engaged in making critical decisions when shopping online. This poll should alert online retailers that there is direct relationship between security and revenue."

Earlier this year a study released by McAfee found that around half of consumers have abandoned a shopping cart due to security fears. Even in an attempt to find a bargain, 63% will not make a purchase from a website that does not display a trust-mark or have a clear security policy.

"Online retailers who ignore the role security plays in converting digital window shoppers to customers are missing out on billions of dollars they can`t afford to lose in this economy," said Shane Keats, senior research analyst for McAfee.

As well as pushing security features in marketing, online retailers can also help reassure consumers by educating them about online security and actively promoting and displaying security policies at vital touch-points within their websites.

2009-11-16T03:53:00.000-08:00

Cyber crims makes millions through fake anti-virus software

Kelly Gregor

Cyber criminals are taking control of people’s computers and forcing them to buy compromised malware in order to regain control of their machines, online security specialists AVG says.

The biggest challenge facing anti-virus and anti-spyware providers is making people aware of the constant dangers online. Most users don’t realise when they have entered a bad site and don’t realise they have a virus until its too late.

AVG global security strategist Larry Bridwell said the industry, the providers and the media needed to raise awareness and better educate people about the threats online, as the people creating and developing the attacks were only after one thing, money.

Mr Bridwell said AVG was seeing anywhere between 100,000 to 200,000 new variants of cyber crime via phishing attacks, spam, worms and viruses. About 60% of these new attacks are online for less than a day.

AVG research Nick Fitzgerald said cyber criminals were making millions of dollars every year from tricking people into buying goods they never receive, or hacking into financial systems and stealing money by forcing people to buy bad malware in order to regain control of their machines.

Mr Fitzgerald said the problem with the latter was that once compromised malware has been downloaded onto a computer, the criminals can hold the machine ransom and demand more money for false updates and upgrades.

Customers using AVG software to protect their computers can receive real-time updates every 30 seconds. Mr Fitzgerald said AVG collected data from its customers’ computers, details including sites visited that have been compromised, where the malware is coming from and how these criminals are manipulating computers and IP addresses to do “their dirty work”.

The majority of money earned through cyber crime in ending back in Eastern Europe, especially the Ukraine and Romania, South East Asia and South America.

“These people are very good at what they do when they put their minds to it.
But they are lazy because they are only interested in money,” he said.

A good example of this, was when the tsunami hit Samoa, how many bad sites emerged masquerading as legitimate news sites. Mr Fitzgerald said the first seven search links under Samoa tsunami were compromised. These sites appeared before news sites such as The New Zealand Herald, The Times, The Guardian and CNN.

These criminals were playing on the emotion of the event and targeting people’s generosity through false fundraising appeals.

This week, AVG in Australia has reported three compromised Google sites. AVG was in Auckland yesterday to promote the lunch of its new anti-virus platform 9.0.

2009-11-16T03:33:00.000-08:00

Copycat websites set to rob Christmas shoppers of millions

High street stores targeted as fraudsters become ever more sophisticated

Lauren Thompson

Online shoppers are at risk of losing money or becoming victims of fraud if they buy from scam or "copycat" websites this Christmas.

Experts are warning consumers to be on their guard after an increase in copycat websites of high street stores that look legitimate. There is also a proliferation of "bargain" websites selling counterfeit items or goods that fail to arrive. Many of these websites appear safe, with encrypted web pages and logos of secure payment services such as PayPal.

Ross Anderson, an online security expert at the University of Cambridge says: "It's easy enough to create copycat sites. At the end of last month there were at least ten dodgy 'Littlewoods sites'." Neither Trading Standards nor the Office of Fair Trading has the power to close down a dodgy website, and the police's e-crime unit refused to tell Times Money whether it had taken action against any retailers.

Sarah Kidner, of Which? Computing magazine, says: "Hundreds of websites ripping people off flourish because there is no effective policing online." Here Times Money explains how to shop safely this Christmas.

Copycat sites

Ms Kidner says it is easy for copycat websites to copy and paste the logo of a high street store. The Marks & Spencer, Topshop and John Lewis sites, for example, all allow this easily.

"Domain names that slightly misspell a shop's name can be bought for as little as £7. These would be used to build a fake site in the hope that someone accidentally misspells the web address when typing it in the address bar," she says. "The logo of a payment system such as PayPal can be pasted on to add credibility to a site and to make it appear secure."

Harriet Homuth, a Times Money reader, bought two tops in August from a website that looked like the Abercrombie & Fitch site — www.aber crombiestore.co.uk — which had the PayPal logo. Her items never arrived. The real site is www.abercrombie.com; the fake one has been taken down. PayPal says that it had nothing to do with the site.

A quick Google search reveals at least four similar sites still up and running, including www.abercrombie fitchshop.co.uk and www.fitchabercrombie.com. A spokesman for Abercrombie & Fitch says: "We have no association with these websites and we have shut them down on numerous occasions. They are registered by Chinese nationals on web servers in protected countries. They pop back up quickly after being shut down."

Ms Kidner adds: "Victims of copycat websites are likely never to receive their goods. Worst-case scenario, fraudsters will use their credit or debit card details to empty their bank account."

The easiest way to lure a victim on to a copycat website is via a phishing attack, when an e-mail invites someone to click on a link, perhaps to confirm an order or to update their details. Traditionally, this has been a problem for banks, but retailers are targeted increasingly as well.

"People are more careless and more easily phished when their accounts are with non-banks — eBay is a big target and Amazon," says Mr Anderson.

Kate Fisher, 54, received an e-mail recently purporting to be from the fashion store Great Universal, asking her to click on a link to "confirm an item in your shopping basket". Ms Fisher, who lives in Lurgashall, West Sussex, had never shopped at Great Universal. She did not click on the link, but rang the store to ensure that an order had not been made. The e-mail was a phishing attack that would have taken her on to a fake website; it has now been taken down.

It is also possible for your computer to be corrupted by a "pharming" attack, when you type a legitimate website address into your browser and still end up at a fake site. Tony Neate, of GetSafeOnline.org, says: "Check the address in your browser's address bar to make sure that it matches the address you typed. Subtle changes ('eebay' instead of 'ebay', for example) may indicate a pharming attack." The best way to guard against such attacks is to install anti-spyware software, as well as anti-virus software and a firewall.

Scams and dodgy sites

Shoppers looking for a bargain, or a particularly niche present, are most likely to fall victim to a dodgy website.

Consumer Direct receives thousands of complaints about Ugg boots and designer handbags bought at "bargain" prices online that either never arrive, or are counterfeit goods. Rebecca Farrell from Manchester fell victim to an online scam recently when she signed up for dieting tablets from viv3labs.helpserve.com. She was told that a trial of the pills would cost only £1, but to her horror she later discovered that two debits of £76.73 each had been taken from her bank account. She says: "I spoke to Trading Standards who told me this practice is illegal and it is unlikely that I will get my money back." The site did not respond to calls or e-mails from Times Money.

Fraudsters often have poor English and dodgy websites can be littered with spelling and grammar errors. "Many phishing and spoof websites originate in foreign countries and are written and programmed practically overnight," says Phil D'Angio, of VeriSign, the online security service. If a website name is prefixed with https:// it means that the site is encrypted, so the information you enter is secure. Also, make sure that the padlock appears in the browser interface rather than in the content of the page itself.

Problems with legitimate sites

The potential problems when buying online are manifold, from goods not arriving to poor after-sales service and not being given a refund.

Steve Langdown, from Newcastle upon Tyne, bought a Samsung home cinema system last month from www.pixmania.co.uk. He says: "It clearly stated on the website that the system came with an iPod dock. Well, it didn't and there are no obvious ways to connect an iPod dock. I have received no satisfactory responses to my e-mails and the product description on the website has removed the reference to the iPod dock." Pixmania did not respond to Times Money's e-mails and the company's call centre, based in the Czech Republic, was unable to comment.

Consumer Direct told Times Money that Mr Langdown's rights under the Sale of Goods Act apply; ie, that goods must be as described, fit for purpose and of satisfactory quality, and he, therefore, has the right to claim a full refund. However, many people find it impossible to enforce their consumer rights.

Sara Gibson, from Abingdon, Oxfordshire, was looking for a present for her sister — a Sony Freeview recorder — and the lowest price she found was online at www.totaldigital.biz. The recorder arrived, but it broke a month later. Total Digital sent her a new one, but Ms Gibson said that it smelt of cigarette smoke and there was dirt around the buttons, so she sent it back and requested a refund, which she never received. Total Digital, the internet arm of Premier Audio Visual Centre, told Times Money that it had never received the Freeview recorder that Ms Gibson sent back, but agreed as a gesture of goodwill to issue a refund.

Before buying anything from a website for the first time, google the site and look for problems experienced by other users on consumer forums. If you have problems with a product bought online, call Consumer Direct for advice on 08454 040506. Buying online with a credit card is safer than a debit card, because if something goes wrong you may be able to claim a chargeback from your card issuer.

Case study: It took nine months for goods to arrive

Jo Cugley, 26, bought her boyfriend some cooking utensils from www.decuisine.co.uk for his birthday earlier this year. It took nine months for the goods to arrive.

She says: "I had to call and e-mail hundreds of times, and eventually threaten the site with legal action before the goods were finally sent. Unfortunately, I paid the £25 on my debit card so I was unable to claim back the cost from the bank."

Ms Cugley, a wine buyer from West Sussex, found decuisine through Google after searching for kitchen gadgets. However, the site is littered with spelling errors, such as "Childrens Birthday Party's", and while the payments page displays a Thawte security logo, this is only a Jpeg that can be cut and pasted. Users should be able to click on the logo to reveal the website's security credentials, but when you click nothing happens.

If Ms Cugley had googled "problems with de cuisine" before she had made the purchase she would have found complaints about the site on consumer forums from people waiting months for their goods.

Decuisine did not respond to Times Money's e-mails or calls.

How to shop safely

Be wary of any unfamiliar retailer, especially those claiming to sell bargains.

Pay using a credit card, not a debit card. Remember, security logos such as PayPal may be fake.

Before you buy, see if other customers have had problems by searching for the site on consumer forums such as Moneysavingexpert.com.

Never click on a link from an unsolicited e-mail.

Always check that the website name is correct in the address bar.

2009-11-12T00:33:00.000-08:00

Third of Agency Report Daily Cyber Incidents

Survey: 44% of Agencies Had More Security Incidents in Past Year

Eric Chabrow, Managing Editor
November 11, 2009

Nearly one-third of federal agencies report at least one cybersecurity incident each day, with more than half reporting such occurrences weekly, according to a survey released Tuesday of 300 federal information security professionals conducted by CDW-Government, a provider of IT wares.

Among other findings of the survey, which was conducted in September:

44 percent of agencies reported increases in security incidents last year, with 31 percent saying cybersecurity incidents have increased in severity.
One-third of respondents picked malware as their No. 1 daily cybersecurity issue; followed by inappropriate employee activity/network use and managing remote user access, both 25 percent.
47 percent of the infosec pros surveyed - equally split between civilian and defense agencies - cited external sources as their greatest threat, followed by agency employees 23 percent, and contractors, 10 percent.
Among internal threats, 66 percent of respondents cited inappropriate web surfing and downloads, 50 percent, lost devices; and 40 percent, lost-stolen-shared passwords. In fact, 44 percent of those surveyed said they had seen an employee post a password in a public place.
52 percent of front-line federal IT professionals report they have adequate budget to meet needs.

CDW-G also asked respondents about the Trusted Internet Connections program, which reduces the number of Internet connections, and nearly half - 47 percent - said the program has reduced the number of connections their respective agencies have to the Internet. Of those that have reduced connections, 82 percent said ithas improved their agency's security posture.

2009-11-08T05:16:00.000-08:00

ACH fraud scams total $100 million, FBI says

The surge of Automated Clearing House (ACH) fraud committed by criminals stealing the online banking credentials of small and midsize businesses has resulted in approximately $100 million in attempted losses, according to the FBI.

Criminals are hitting businesses at a rapid clip, with several new cases opened each week, the FBI said in an intelligence note released Tuesday by the Internet Crime Complaint Center (IC3).

"FBI analysis has found in most cases, the victims' accounts are held at local community banks and credit unions, some of which use third-party service providers to process ACH transactions," the IC3 reported. "The bank account holders are often small- to medium-sized businesses across the United States, in addition to court systems, school districts, and other public institutions."

The IC3 alert comes less than a week after the Federal Deposit Insurance Corporation warned ofan increase in scams that recruit "money mules" to siphon money from business bank accounts through fraudulent electronic funds transfers, such as ACH transfers. The FDIC issued an alert on Aug. 26 about increased reports of fraudulent EFTs hitting banks' business customers.

IC3, which is a partnership between the FBI, the National White Collar Crime Center and the Bureau of Justice Assistance, said the attacks on SMBs typically start with a spear phishing email that contains an infected file or link to a malicious website. The email usually targets a company official who can initiate funds transfers; opening the attachment or visiting the website triggers a malware infection that includes a keylogger, which harvests banking credentials.

Fraudulent ACH transfers are directed to bank accounts of money mules, who are often recruited by criminals over the Internet with bogus work offers and directed to forward the bulk of the money overseas, the FBI said. In its alert, the IC3 noted that the fraudulent transfers in these scams also occur through the wire system, but that its bulletin specifically focused on the fraud occurring in the ACH network.

The FBI said the infection vector hasn't been determined in every case, but it identified more than two dozen different pieces of malware on the compromised computers, all with keyloggers. However, the malware isn't the only threat; the FBI's investigation revealed that a lack of controls at a financial institution or third-party in some cases also posed a threat.

"For instance, in several cases, banks did not have proper firewalls installed, nor antivirus software on their servers or their desktop computers," the IC3 wrote. "The lack of defense-in-depth at the smaller institution/service provider level has created a threat to the ACH system."

In one case, criminals used a DDoS attack against a compromised ACH third-party provider that prevented the provider and the bank from recalling fraudulent ACH transfers before money mules could cash them out, according to the IC3 alert. The transfers ranged from thousands to millions of dollars.

Terry Austin, president and CEO of Guardian Analytics Inc., an online banking security technology provider based in Los Altos, Calif., said the alert reflects the trends his company has been seeing. Attackers have been targeting specific small and midsize businesses, which tend to bank at small or regional financial institutions that haven't had the resources to invest in fraud prevention, he said.

"What it comes down to is the big vulnerability these banks have is the online account," Austin said. "You almost have to assume the user's computer has been compromised by the criminals in some way, whether by phishing or downloaded malware. No amount of anti-phishing or anti-spyware user education will prevent all endpoints from being compromised. The attacks are too prolific."

Over the past six months, his firm has seen increased interest in its fraud detection technology from regional banks trying to solve the current fraud problem, Austin said. Preventing the problem requires monitoring every user and every session, he added.

The FBI said that today's malware is reducing the effectiveness of signature-based antivirus and intrusion detection software, making it necessary to consider additional approaches such as user privilege reduction, application whitelisting and heuristic detection.

2009-11-08T05:09:00.000-08:00

Scareware, Rogue Ads Join Up for Hack Attacks

Two separate online security threats aimed at publishers and online advertisers are converging to form an even more potent force: Scareware is increasingly piggybacking in rogue ads to cause serious financial havoc and digital distrust - in some cases of once venerable websites - among consumers.

Scareware refers to warnings that suddenly pop up on a consumer's screen purporting to be from a security vendor. The messages often suggest that the computer has been infected by malware. To stay safe, the consumer is urged to download new security software that will eliminate the problem. Of course, the download is actually the malware.

Bogus ads are also hack attempts aimed at marketers - again, used to deliver malware. The New York Times fell victim to a rogue ad this September, as did MarketingVox in 2007. At first it was unclear what the malware was in the New York Times attack was meant to do. However, now Connecticut's Better Business Bureau reports that it was used to unleash scareware on the top-tier newspaper's online readers.

Then Falls Gizmodo

More recently, the tech blog Gizmodo fell victim to similar dual tactics, according to security vendor Sophos. "Their plan was to infect as many computer users as possible with their malicious adverts," said Graham Cluley, senior technology consultant for Sophos. "They know Gizmodo gets a huge amount of traffic - once they infected the site through their adverts they could just lie in wait for their victims to visit."

What is particularly audacious about this approach is that the criminals appear to have posed as legitimate representatives of Suzuki in order to plant dangerous code on Gizmodo's site.

Search Results Too

Scareware is also piggybacking on search results, Connecticut Better Business Bureau President, Paulette Scarpetti, noted. "Hackers are also watching the headlines - such as the death of actor Patrick Swayze and the US Open - to plant infected versions of hot headlines on Google searches. Victims who click on fake search results are presented with a scareware pop-up."

Scarpetti said this new menace takes advantage of people's trust in even the most prominent websites - a trend with which online brands and marketers are painfully familiar.

Marketing to the Marketers

Not surprisingly, providers of online security packages to retailers and other corporate sites are playing on companies' fears of losing customers' trust, as they position their latest wave of security products. McAfee, for example, is touting security to get consumers to make an online purchase, in its study "Digital Window Shopping: The Long Journey to Buy".

McAfee found a majority of shoppers are "digital window shoppers," or consumers who start shopping on a site, leave for a period of time and return later to complete the sale. McAfee studied the behavior of 163 million shoppers and found that sales conversions were 11% higher for digital window shoppers who were shown a security cue - such as its own McAfee Secure trustmark.

2009-11-03T10:03:00.000-08:00

Hackers Target Nearly 50% of German Internet Users

As per a research conducted by Forsa (a German research company) for Bitkom (the IT business association), almost 50% of Internet users in Germany have been targeted by cyber criminals. The research noticed 11% increase in cyber criminals' activities over the past one-year, with registered reports of 38,000 cases in the country.

Malware and PC viruses are still the ideal attack tactics for cyber criminals who infected 38% of web users by these two types of malicious software.

Yuval Ben-Itzhak, Chief Technology Officer, Forsa, said - the report recorded a rise in cyber crime mainly because of immense efforts by criminal groups which use Trojan-enabled phishing assaults, as per the reports by INFO SECURITY on October 12, 2009. He also said that the trend suggested observations made by Finjan.

As per Ben-Itzhak, the researchers reported in Finjan's Cybercrime Intelligence Report that Internet thieves are becoming shrewd in covering their tactics to remain unnoticed for a long period of time, as per the reports by INFO SECURITY on October 12, 2009.

Finjan researchers have also found that hackers are employing Trojans like the URLzone bank Trojan and new anti-fraud detection methods to evade identification by banks as well as their customers.

Ben-Itzhak has claimed that the figures of Bitkom verify their findings that the issue of online cyber crime has become a menace and touched high levels, with improving nasty skills of hackers who operate these scams.

In a survey conducted last year (2008), 4 Million people in Germany did not have computer security. Though 83% of survey participants had a virus security program on their system, just 67% were using a firewall. In addition, 28% of users had used an encryption program. 7% of surveyed users had no security mechanisms at all.

To evade attacks of cyber criminals, online security experts advise that that firms should evaluate and strengthens their IT safety systems against the rising cyber crime in the country. Users should make sure that their safety systems are both multi-layered and updated.

2009-11-03T09:58:00.000-08:00

Two-Headed Trojan Targets Online Banks
By Larry Barrett
October 29, 2009

A new Trojan called "W32.Silon" is the latest headache for online banks and their customers, packing a one-two punch that helps it evade security tokens and steal customer log-in information at the same time.

The two-headed Trojan, according to online security software vendor Trusteer, uses a "two-pronged payload" to steal log-in information and commit financial fraud at popular online banks.

"This new Trojan illustrates how advanced malware writers have become in their ability to dynamically execute multiple, bank-specific attacks with a single piece of software," Amit Klein, CTO and chief researcher at Trusteer, said in a statement. "The level of sophistication built into W32.Silon is concerning, as is its focus on circumventing strong authentication systems like card and PIN readers."

W32.Silon is a new malware variant that intercepts Internet Explorer Web browser sessions and has been associated with fraud incidents at several large banks, according to Trusteer researchers.

To steal user credentials, W32.Silon performs its initial attack when a user begins a Web log-in session and enters his username and password. The malware intercepts the log-in POST request, encrypts the requested data and sends it to a command-and-control (C&C) server.

When it targets users of online banking applications that are protected by transaction authentication devices such as tokens or banking card readers, W32.Silon waits until the user has logged in and then injects dynamic HTML code into the log-in flow between the user and the bank's Web server.

First, the malware presents authentic-looking Web pages that appear to be from the bank asking users to employ their transaction authentication device. Next, the user is asked to enter information from the device into the Web page.

This information is then used by the criminals to execute fraudulent transactions on behalf of the user, Trusteer said.

"We have put all of our banking customers on alert, and are attempting to get the word out with this advisory," Klein said.

The sophistication of online scams has evolved to a point where watchdogs organizations such as the Anti-Phishing Working Group (APWG) have created an entirely new category for defining and quantifying attacks on financial institutions.

The group now defines "crimeware" as code designed to attack the data held by financial institutions.

"Due to evolution of attack sophistication, it is becoming increasingly difficult to separate and report on attacks that are specifically designed to steal customer banking information," Dan Hubbard, Websense's CTO, said earlier this month. "Additionally, attacks that only [look] for credentials from popular social networking, Webmail and gaming sites can lead to attacks for banking theft and crimeware."

Trusteer advises online banking customers to be especially vigilant when conducting transactions online and to visit its Web site for help detecting and removing the W32.Silon Trojan.

2009-10-15T05:56:00.000-07:00

If only these bank have protected their e-Banking with non of these would have happened

New Trojan Evades Banks' Anti-Fraud Systems

'URLZone' calculates how much money to steal from a victim's account without raising suspicion

By Kelly Jackson Higgins, DarkReading
Sept. 30, 2009
A next-generation Trojan recently discovered pilfering online bank accounts around the world kicks it up a notch by avoiding any behavior that would trigger a fraud alert and forging the victim's bank statement to cover its tracks.

The so-called URLZone Trojan doesn't just dupe users into giving up their online banking credentials like most banking Trojans do: Instead, it calls back to its command and control server for specific instructions on exactly how much to steal from the victim's bank account without raising any suspicion, and to which money mule account to send it the money. Then it forges the victim's on-screen bank statements so the person and bank don't see the unauthorized transaction.

Researchers from Finjan found the sophisticated attack, in which the cybercriminals stole around 200,000 euro per day during a period of 22 days in August from several online European bank customers, many of whom were based in Germany. Finjan estimates the group would make about $7.3 million per year at that rate.

"The Trojan was smart enough to be able to look at the [victim's] bank balance," says Yuval Ben-Itzhak, CTO of Finjan. "This is more advanced than other banking Trojans, like Zeus, whose main goal is to get the user to provide his online credentials, credit card numbers, or PINs by inserting different text boxes into the online banking application. Then they use those credentials to log into the bank account.

"But in this attack, everything happens from the victim's computer. This is more sophisticated than anything we've seen in the past."

The attack begins like most Web-based infections: An unsuspecting user visits an infected Website -- either a malicious or rigged legitimate one. The attack is based on the LuckySploit malware toolkit, which exploits things like unpatched Adobe PDF and Flash vulnerabilities in browsers. Its exploits are obfuscated so they're difficult to detect.

Finjan found the attackers had lured about 90,000 potential victims to their sites, and successfully infected about 6,400 of them. "They weren't targeting specific users, but many of the domains were Websites in Germany; they were targeting [certain] German banks," Ben-Itzhak says."We also found domains in Russia, China, and Europe, but we didn't find any U.S. banks on the list."

Law enforcement has since taken down the servers after Finjan reported the scam to them. But the Trojan toolkits remain in circulation in the cyber-underground.

Once the victims are infected with the URLZone Trojan, it sets up the victim's machine as a bot in the banking botnet, complete with command and control instructions. URLZone ensures the transactions are subtle: "The balance must be positive, and they set a minimum and maximum amount" based on the victim's balance, Ben-Itzhak says. That ensures the bank's anti-fraud system doesn't trigger an alert, he says.

And the malware is making the decisions -- and alterations to the bank statement -- in real time, he says. In one case, the attackers stole 8,576 euro, but the Trojan forged a screen that showed the transferred amount as 53.94 euro. The only way the victim would discover the discrepancy is if he logged into his account from an uninfected machine.

The stolen funds were then moved via "money mules" -- typically unsuspecting users who believe they're performing a legitimate funds transfer for a job they were offered online. The cyber gang was savvy enough to use each money mule no more than twice to avoid raising any red flags with banks' anti-fraud systems from multiple transactions.

2009-10-11T05:46:00.000-07:00

Phishing Scam Spooked FBI Director Off E-Banking

In announcing a crackdown on "phishing" e-mail scams that netted one of the FBI's largest cyber crime cases ever, FBI Director Robert Mueller on Wednesday offered a candid revelation: A personal close call with a phishing scam has kept his family away from online banking altogether.

Addressing the Commonwealth Club of California in San Francisco, Mueller spoke at length about the insidiousness of cyber crime, and how cyber criminals had affected him personally.

Not long ago, the head one of our nation's domestic agencies received an e-mail purporting to be from his bank. It looked perfectly legitimate, and asked him to verify some information. He started to follow the instructions, but then realized this might not be such a good idea.

It turned out that he was just a few clicks away from falling into a classic Internet "phishing" scam--"phishing" with a "P-H." This is someone who spends a good deal of his professional life warning others about the perils of cyber crime. Yet he barely caught himself in time.

He definitely should have known better. I can say this with certainty, because it was me.

After changing all our passwords, I tried to pass the incident off to my wife as a "teachable moment." To which she replied: "It is not my teachable moment. However, it is our money. No more Internet banking for you!"

So with that as a backdrop, today I want to talk about the nature of cyber threats, the FBI's role in combating them, and finally, how we can help each other to keep them at bay.

Mueller's comments are an interesting contrast to the views expressed by the former director of the FBI's cyber division, James Finch, who said he wasn't going to let cyber thugs deprive him of the efficiencies and convenience that online banking have to offer.

The following is an excerpt from an interview I had with Finch last August:

Q: Do you do online banking?

A: Yes, I do.

Q: How long have you been doing that?

A: Maybe 10 years?

Q: And you don't get freaked out by what you see every day? I certainly do.

A: Yeah, so does my wife. I do online banking. I pay my bills online. I file my taxes online. I truly believe in the Internet. Do I believe it's a scary place? Without a doubt. I'm in law enforcement, and I run the cyber division for the FBI. I don't want to say that I'm so intimidated by the bad guys that I am going to allow them to dictate taking full advantage of what I consider to be the benefits of the Internet. Yes, there are people who are targeting online bank accounts on a regular basis, but not to the point where it's going to cause me to stop using it.

As a consumer, having your online banking account credentials stolen -- either via phishing or through password-stealing malicious software -- can be a harrowing experience, but it is usually not a costly one. The federal Electronic Funds Transfer Act ("Regulation E"), limits consumer liability for unauthorized transactions to $50, provided notice is given within 10 business days, or to $500 provided notice is given within 60 business days. Even so, retail banks often will work to make whole those customers who are victims of cyber fraud.

On the other hand, business that bank online enjoy hardly any such protection. The precise obligations of a commercial bank and their business customers are spelled out in the agreement that those companies sign, but generally business customers agree to notify their bank of any suspicious or unauthorized transactions on the same day that the transaction in question occurs. Even then, there is no guarantee that the bank will be able to block or reverse any fraudulent transfers.

Regardless of whether you bank online as a consumer or business customer, here are a few recommendations to help avoid becoming a victim of cyber thieves.

-Do not click on links or attachments in unsolicited e-mail.

-Junk any e-mail communications that claims to come from your bank alerting you that you need to sign in or update your information. Due to threats like phishing e-mails, few banks use this medium any more to communicate with customers. But If you find yourself wondering whether an e-mail you received really was about a problem with your account, pick up the phone and call your bank.

-Keep your computer, Web browser and other software up-to-date with the latest software security updates: Many data-stealing malware threats arrive via hacked Web sites that leverage outdated or insecure browser plug-ins.

-Keep a close eye on your checking and savings account balances. Notify your bank immediately of any suspicious charges.

A copy of Director Mueller's remarks is available here.

2009-09-21T07:39:00.000-07:00

Cyber virus targets online banking log-ins

CYBER criminals have created a highly sophisticated Trojan virus that steals online banking log-in details from infected computers.

The Clampi virus, which is spreading rapidly across hundreds of thousands of computers in Britain and the United States, infects computers when users visit websites that host a malicious code.

Once on the computer, the virus sits unnoticed until the user logs on to bank, credit card or other financial websites. It then captures log-in and password information and sends it to a server run by the attackers.

They can then tell the compromised computer to send money to accounts that they control, or they can buy goods with the stolen credit card details.

The Trojan has a list of more than 4500 finance-related websites that it monitors, including British high street banks. Security experts warned that it was one of the stealthiest and most pervasive threats to computers using the Microsoft Windows operating systems.

Orla Cox, security operations manager with Symantec, the online security company, said: "Clampi is a complex threat. People are only just beginning to understand how it operates."

Researchers have found that the list of sites that Clampi is monitoring includes banks, credit card companies, online casinos, e-mail, wire transfer services, retail sites, utilities, share brokerages, mortgage lenders and government sites.

Ms Cox said: "The first big wave was in the US in July, but it is spreading around the world, particularly English-language countries. We have seen samples of it targeting UK high street banks. There is potential for another wave to come."

It is estimated that more than 1000 out of 40,000 or more infected computers have been in Britain. Only computers running Microsoft Windows are affected. Most of the infections seem to have occurred among small and medium-sized businesses, many of which have been reluctant to reveal how they have fallen victim.

In America, $US75,000 ($86,610) was stolen in July from Slack Auto Parts, a car parts supplier in Gainesville, Georgia. In August, criminals used Clampi to steal online banking details for the public school district in Sands Spring, Oklahoma.

The attackers then submitted a series of false payroll payments, totalling more than $US150,000. The attack was one of a series on American schools in which criminals hired unsuspecting money mules -- people who transfer money or fraudulently obtained high-value goods -- to receive the transfers of stolen cash and then wire the money out of the country.

Cyber criminals stole more than $US700,000 from the Western Beaver School District in 74 fraudulent electronic transfers, The Washington Post reported.

Clampi is one of a new wave of viruses to target the online banking system. Its emergence came as security experts warned that malicious websites hiding Trojan viruses were no longer confined to sites such as gambling and pornography.

A recent report by IBM security systems found an increase in malicious content such as viruses on trusted sites, including popular search engines, blogs, online magazines and mainstream news sites.

The number of links to malicious web pages rose by more than 500 per cent in the first half of this year. Last week, attackers placed a virus in an advert on the website of The New York Times.

Trojan viruses such as Clampi accounted for 55 per cent of all new malicious software in the first half of the year, IBM said, up from 46 per cent for the same period last year. Researchers say that variants of Clampi -- also known as Ligats or Ilomo -- have been around since 2005, but the new version appears to be spreading more quickly.

2009-09-16T04:42:00.000-07:00

Online Fraud: An Insider's View of Today's Top Threats

RSA Researcher Shares Insights on Fraudsters, Tools of Their Trade

Linda McGlasson, Managing Editor
September 14, 2009

Trojans. Harvesters. Mules. They're the backbone of the underground fraud economy, which is "vibrant" and worth billions, according to one international researcher.

And don't be swayed into a false sense of security by the recent indictment of Albert Gonzalez, who is charged with masterminding the Heartland Payment Systems breach of 130 million credit and debit cards. Gonzalez is but one representative of a thriving hidden network of fraudsters who are plying ever trickier tools of the trade, says Uri Rivner, lead researcher at RSA's Anti-Fraud Command Center in Israel.

"When I started my research, I believed, as many others did at the time, that a single fraudster could perpetrate fraud on their own," says Rivner. But after a decade spent researching the fraud economy, he now sees a sophisticated business model, replete with specializations and multi-levels of participants. "It's no longer the romantic notions of Matthew Broderick's character in 'War Games' penetrating the Pentagon's war computer."

Indeed, fraud is an international business - preying upon businesses internationally.

RSA alone stopped $1.2 billion worth of online fraud in 2008, Rivner says - and this represents what experts believe to be just a fraction of the crime's extent. "The economy of fraud is estimated into the billions, just in the U.S. alone," he says. "It is a very big issue."

Careers in Fraud

The two main "career paths" in the online criminal economy are harvesting and cash-out, Rivner says.

Harvesting is where criminals are after credentials -- typically from a single user. These credentials are gained through skimming, phishing and trojans. "The harvesting fraudsters are interested in one thing -- access credentials to online bank accounts, pin numbers, account numbers, credit card numbers," Rivner says. Rivner says the number of incidents hitting regular online users each month is in the millions.

There are forces, such as the group Gonzalez is accused of masterminding, that, rather than focusing on individuals, try to breach payment processors and retailers such as Heartland and TJX. "These fraudsters are bent on getting into large databases to try and get as much information as possible, sometimes using an insider in the retail side or company," he observes.

The harvesting fraudster's weapons of choice are phishing kits and Trojans. Once the harvesting is done, Rivner says, "At the end of the day, they have to empty these accounts they've taken. They have stolen 1000 credit card numbers, but they don't know how to cash them out. Or they have information on 10,000 online bank accounts, but they don't have the infrastructure to cash in on those accounts."

The harvester will then turn to sell the information to the cash-out side of the criminal model. Cash-out fraudsters are adept at getting money either through ecommerce transactions or online banking transfers, without leaving a trail that can be traced back to them.

How the fraudsters do this is by using the cards online. Or in the case of ATM fraud, if they have the pin number, they clone the card and use it to remove money from ATMs. In online banking, they remove the money from the victim's account and send it into an account that they control. It does not have to be their own account, otherwise they would be caught very quickly, Rivner says. "But, instead, the cash-out fraudster will use another online banking account (hired money mules) to transfer the money to the fraudsters.

Sadly, Rivner says, most times the unwitting money mules don't realize they are part of a money laundering ring until their bank or law enforcement agencies contact them. Typically, money mules are recruited, "given some story, receive money transfers, take the money out and wire it internationally to a money drop. Then the money goes to the cash-out fraudsters," he says.

The two sides of the fraud economy -- the cash-out and the harvesting fraudsters -- know each other only virtually, Rivner says. "They do all of their business online, they collaborate, establish business relationships in fraud forums or chat rooms." There are dozens that are active these days, with thousands of users all looking for business ventures. The fraudsters share tools, give advice, sell information and basically do business on these sites. All makes for an interesting "dark" economy that has sprung up in the last couple of years.

Tools of the Trade

Most recently, fraudsters have moved away from phishing to Trojans, Rivner says. Trojans are invisible, hard to detect, and the infection rates are very high. They also are very sophisticated and can be tailored to counter specific defenses, making them the malware of choice for the fraudsters. Examples: Two trojans being sold in the online underground are Zeus, typically sold for $1,000, and Limbo, which goes for $350.

How they work: Zeus and Limbo do not breach a bank or lead a customer to a spoofed website. Instead, "[the Trojan] is running on the same html of the bank web site, but right before the session starts, Limbo injects extra fields into the page," he explains. The session is real, it is recorded locally, and sent over to the hacker, who can record everything the bank customer is doing while on the site.

RSA's Anti Fraud Command Center set up a dummy online banking website to test the trojans. Limbo added two extra fields on the site -- the ATM number and the ATM Pin number. "If an average consumer is asked for additional information, they'll become a little suspicious," Rivner says. "If they are technology savvy, they'll click on the yellow lock and see it's the real SSL session."

Not many people are aware of the sophistication of these new trojans, Rivner observes. What is more worrying is the speed at which they are spreading. On a weekly basis, "there are thousands of sites that are infected, and if visitors don't have the most updated security, then they'll most probably be infected," Rivner says. "The fraudsters are very good about adding these vulnerabilities, and end up infecting users visiting these sites until a patch is released."

Other forms of infection are legitimate websites that have been infected by malicious code. Anyone browsing these pages may get infected if they have certain vulnerabilities. This is known as "Drive by Infection." Mitigation is mainly via making sure one's operating system automatically patches itself with the latest security patches, and that the antivirus and firewall are up to date. This reduces the risk of infection dramatically.

Fighting Back

The security industry has set up prevention measures such as phishing takedown services and anti-trojan services. These services are also augmented with information from malware labs, Rivner says. The shutdown operations monitor the fraudsters, how they move information. Through intelligence monitoring of cash-out operations, these services often are stopping the transactions from taking place, and implementing adaptive authentication methods that change the questions or add a third method of authenticating the transaction.

Knowledge-based authentication is also used, especially in other cross channels such as the telephone, which is also being hit with heightened fraud attempts.

When a customer calls and asks for something out of the ordinary or high risk, then the customer service rep will ask questions that only the customer would know, i.e. previous assets that they owned, or previous addresses lived at, says Rivner.

These emerging threats are here to stay, and the arms race is on, Rivner says. "The best bet is to have a flexible framework to respond to emerging threats," he adds. "It is a celestial alignment for fraudsters: So much better technical infrastructure, so much better infection, and the poor economy makes it easy to recruit the mules ... the atmosphere is right for fraud."

2009-09-13T03:29:00.000-07:00

7 Reasons Websites Are No Longer Safe

Many sites you visit are laden with malware. Here are 7 reasons why, and advice on how to protect your systems.

By Bill Brenner , CSO , 09/09/2009

Conventional wisdom is that Web wanderers are safe as long as they avoid sites that serve up pornography, stock tips, games and the like. But according to recently gathered research from Boston-based IT security and control firm Sophos, sites we take for granted are not as secure as they appear.

Among the findings in Sophos' threat report for the first six months of this year, 23,500 new infected Web pages -- one every 3.6 seconds -- were detected each day during that period. That's four times worse than the same period last year, said Richard Wang, who manages the Boston lab. Many such infections were found on legitimate websites.

In a recent interview with CSOonline, Wang outlined seven primary reasons legitimate sites are becoming more dangerous.

Also see 10 IE Browser Settings for Safer Surfing

1. Polluted ads

Many legitimate sites rely on paid advertisements to pay the bills. But Wang said recent infection statistics gathered by his lab show that they are often hiding malware, without the knowledge of the website owner or the user.

"A lot of sites supported by advertisers, rather than contracting directly with the advertiser, work through ad agencies and network affiliates," Wang said. "Some of these affiliates are less than diligent in reviewing content for flaws and infections."

Ads that incorporate Flash animation and other rich media are often rife with security holes attackers can exploit. When the user clicks on the ad, the browser can be (and often is) redirected to sites that download malware in the background while the user is reading the legitimate site. Someone in the ad-providing supply chain can be the culprit, though tracing a compromise back to them can be exceedingly difficult, Wang said.

Whatever the case may be, a downloaded Trojan is then free to gather up usernames, passwords and other sensitive banking data.

2. SQL injection attacks

SQL injection attacks are among the most popular of tactics and have been used in several high-profile incidents in the last couple of years. For example, see "SQL Injection Attacks Led to Heartland, Hannaford Breaches."

SQL injection is a technique that exploits a flaw in the coding of a Web application or page that uses input forms. A hacker might, for example, input SQL code into a field that is intended to collect email addresses. If the application doesn't include a security requirement to validate that the input is of the correct form, the server may execute the SQL command, allowing the hacker to gain control of the server.

"The hacker essentially takes advantage of flaws related to shoddy site development," Wang said.

3. User-provided content

It doesn't take a genius to write a comment to a blog posting or something they see on a social networking site like Facebook or Twitter. The bad guys know this and are therefore taking the opportunity to pollute discussion threads and other sources of user-supplied content with spam-laden links. (See "Seven Deadly Sins of Social Networking Security".)

"You can get comment spam, completely irrelevant comments including links to sites trying to sell you stuff," Wang said. "They can also try posting full links to malicious sites or work in a little scripting, depending on the filter they are trying to work around."

4. Stolen site credentials

Using the types of malware and social networking tactics described above, as well as other means, attackers can steal the content provider's log-in credentials. From there it's no sweat logging into the site and making changes. It typically is a change so subtle and small that it escapes notice. The tiny bits of code added in can then steal the site visitor's credit card or other data.

5. Compromised hosting service

This one is similar to number 4, where the credentials of the content provider are stolen and hackers log in to make sinister changes. Through this vector, Wang said the bad guys could potentially poison thousands of sites the provider is hosting in one strike.

6. Local malware

The website you visit may be perfectly safe, but if there's malware hidden on your own machine you can unwittingly become part of the attack, Wang said. For example, the user can visit their online banking site, and when typing in a user name and password the Trojan is there to record that information and pass it back to the attacker, allowing him to go in later and empty out your account or that of others.

7. Hacker-engineered fakes

Finally, there's the problem of hackers trying to sell you fake merchandise that includes phony security software. If a box appears warning that your machine may have been infected and that you must immediately download a particular security tool to remove it--a common occurrence if you have visited a site that surreptitiously downloads malware onto your computer--it's a sure sign of trouble.

"You spend your $39.95 and you get a worthless piece of software, and at the same time you have given them your credit card data," Wang said.

What is one to do if their website relies on ads and open access? Wang suggested IT security administrators use security scanners against anything coming in by way of third-party hosts and, for in-house apps and other online property, that developers redouble efforts to write more ironclad code.

For those who heavily rely on third-party forums, a wise practice is to take a daily scan of vulnerability reports that may affect those providers and to keep up to date on security patches that will harden your own environment against these threats, he added.

2009-09-07T08:21:00.000-07:00

Court allows suit against bank for lax security

Citizens Financial Bank should have offered strong authentication, plaintiffs claim

Jaikumar Vijayan

September 2, 2009 (Computerworld) A couple whose bank account was breached can sue their bank for its alleged failure to implement the latest security measures designed to prevent such compromises.

In a ruling issued last month, Judge Rebecca Pallmeyer, of the District Court for the Northern District of Illinois, denied a request by Citizens Financial Bank to dismiss a negligence claim brought against it by Marsha and Michael Shames-Yeakel. The Crown Point, Ind. couple -- customers of the bank -- alleged that Citizens' failure to implement up-to-date user authentication measures resulted in the theft of more than $26,000 from their home equity line of credit.

The negligence claim was one of several claims brought against Citizens by the couple. Although, Pallmeyer dismissed several of the other claims, she allowed the negligence claim against Citizens to stand. She noted that the couple had shown that a "reasonable finder of fact could conclude that the bank breached its duty to protect Plaintiffs' account against fraudulent access."

The ruling highlights an issue that security analysts have been talking about for a long time: the need by companies to show due diligence in protecting customer data against malicious and accidental compromise. Security analysts have warned that companies that can't prove they took adequate measures to protect data could find themselves exposed to legal liability after a data breach.

Numerous lawsuits alleging such negligence have been filed against companies over the last two years. Most of those cases, however, involved payment card data breaches in which large numbers of accounts were compromised and in which victims want compensation. Courts typically sided with the breached entities in such lawsuits, and in many cases summarily dismissed the claims.

The decision in the Shames-Yeakel case was first reported on Digital Media Lawyer Blog, which is written by David Johnson, a lawyer specializing in digital media law with Jeffer, Mangels, Butler and Marmaro LLP in Los Angeles. The case shows how the failure to expeditiously implement state-of-the-art security measures can open companies to negligence claims, Johnson wrote.

The ruling shows that a "failure to implement the latest and greatest in data protection measures may be found to be a breach of expected standards of care," he warned.

The dispute stems from a February 2007 incident in which an intruder gained access to the Shames-Yeakel's equity credit line account using their username and password. The intruder then proceeded to take an advance of $26,500 from the account and transfer it to a bank in Austria. The fraudulent transaction wasn't discovered by the couple until 10 days later, by which time it was too late to recover the money.

Citizens held the couple responsible for paying back the money, and claimed that under its online terms and conditions it had no liability for any unauthorized transactions that were made using legitimate usernames and passwords. It said there was no liability unless it had been notified in advance about the possibility of unauthorized use and had been given a reasonable opportunity to act on that notice.

Citizens also had claimed that its online banking services were being provided and protected by a highly reputable company. In addition to the third-party security services, Citizens said it had its own measures for protecting access to user account.

But the Shames-Yeakels claimed those measures were inadequate. They said that at the time of the breach, Citizens was still relying on usernames and passwords to control access to accounts while others had begun using two-factor authentication, including token-based authentication, that is considered more secure. They pointed to a 2005 document by the Federal Financial Institutions Examination Council (FFIEC), which called single-factor authentication inadequate and recommended the use of two-factor authentication by banks.

In her ruling, Pallmeyer noted that Citizens had begun implementing stronger authentication measures in 2007 but supported only single-factor authentication at the time of the theft. The apparent delay in complying with the FFIEC's recommendations could indicate that the bank had breached its duty to protect account holder information, she wrote.

Although the judge has cleared the case for trial, no court date has been set, and Citizens' officials declined to comment on the pending litigation.

2009-09-06T03:06:00.000-07:00

The Move Toward Multifactor Authentication

For extra protection, companies are using two or more security methods for authenticating a user's identity.

John Edwards

Like the man who wears both a belt and suspenders, the owners of Web sites and applications protected by multifactor authentication are looking to reduce the possibility of accidental exposure. Multifactor authentication combines two or more different security methods for authenticating a user's identity.

The first method usually requires a "what-you-know" response from the person seeking access. This is typically a password, but it can also be the answer to a challenge question such as, "What is your mother's maiden name?" This technique is known as knowledge-based authentication.

The second method is usually based on something a user has in his or her possession. This object is usually a physical device, such as a smart card with a built-in chip or a hardware token that generates one-use-only passwords. Other personally possessed types of items could be a biometricasset, such as a fingerprint or the eye's iris.

Banks Lead the Charge

Multifactor authentication's fundamental goal is to enhance security by making it more difficult for fraudsters to obtain system access. Attack-proof security is a concern shared by many businesses, yet due to the large amounts of money they handle, banks and other financial institutions are at the forefront of the drive toward multifactor authentication. In the United States, the APACS (Association of Payment and Clearing Systems), the FDIC (Federal Deposit Insurance Corp.) and a variety of other banking organizations have all urged banks to begin offering multifactor authentication.

Many banks also view multifactor authentication as a way of enhancing customer confidence. A study conducted earlier this year by Javelin Strategy & Research revealed that 67 percent of consumers in the United States do not bank online for fear of having their identity stolen. Fifty-three percent of those surveyed would like to see banks offer identity-protection software, and 33 percent would like their bank to offer biometrics. The study shows that banks stand to realize a gain of $8.3 billion per year through customer adoption and increased loyalty by making identity-protection software available to their customers.

Many retailers would also like to see increased adoption of multifactor authentication for Web-based sales. Unfortunately, few American Web shoppers have the smart cards, hardware tokens or biometric readers required for such transactions. European shoppers, on the other hand, are ahead of their American counterparts on the multifactor-authentication adoption curve. Multifactor use is on the upswing in Europe, with a growing number of retailers adopting some form of the technology.

Europeans may be more accepting of multifactor authentication due to their experience with the related technology when shopping in brick-and-mortar stores. Until relatively recently, European retail shops didn't have easy access to cheap data lines for online verification of credit card transactions. This forced European retailers to pressure financial institutions to adopt some type of offline multifactor solution, such as a device that a retail clerk could use to scan a smart card-generated code, then compare it with the PIN entered by the consumer. Given this track record, it was more natural for Europeans to adopt multifactor authentication for consumer Web applications as well.

Market Drivers

In the U.S., many online bankers and retailers continue to hope that they will be able to perform authentication without issuing consumers extra hardware or software, such as by using monitoring systems to observe customer behavior and detect any anomalies. Most of these organizations want to focus on their core business and would prefer not to involve themselves in the cost and complexity of technology support. This mind-set has slowed the deployment of multifactor authentication in the United States, except perhaps for certain niche applications, such as high-end investing and corporate cash management.

Still, the prejudice against multifactor authentication may ease in the years ahead, as credit card issuers and financial regulators press their business partners to tighten security. In a 2007 study, financial industry research firm The TowerGroup Inc. reported that online banking is becoming the most powerful tool retail banks have ever deployed, outpacing everything from ATMs to call centers, and is increasing in use at an annual rate of 27 percent. With Web shopping growth also skyrocketing, it seems inevitable that more banks and retailers will eventually embrace enhanced security technologies, with multifactor authentication standing at the front of the line of potential solutions.

2009-09-03T08:55:00.001-07:00

iPhone passcode bugs revealed

Problems with iPhone passcode handling and Exchange ActiveSync policies may leave you vulnerable

By Jay Sartori , Network World , 09/02/2009

About the author: Jay Sartori, CISSP, Security+, CCSP, MCSE, is an IT security analyst with over 12 years of IT experience. He has a bachelor’s degree in computer engineering and a master’s in network security management.

As an IT security professional, I was tasked with evaluating the iPhone’s security features for the enterprise (more iPhone management tests here). Over the past few weeks, I have been testing different aspects of the new iPhone 3GS, particularly the interaction with Exchange ActiveSync (EAS) and device password policies. During my testing, I discovered some strange behaviors with how the iPhone handles device password policies, as well as passwords altogether.

iPhone security considerations, Part 1 | Part 2

It has already been proven that the passcode on an iPhone can be removed. The purpose of this article is to point out the false sense of security delivered through Apple’s marketing of iPhone features for the enterprise. My testing has revealed that the enterprise security features do not behave correctly and I will point out three flaws with how passwords are handled with the iPhone and EAS.

The setup for my testing consisted of a 16GB iPhone 3GS running firmware 3.0.1. The iPhone was configured to use Exchange ActiveSync mail going through a proxy server. The proxy server was an F5 Firepass which provides similar functionality as an ISA server to proxy connections to EAS. The Exchange server was running Exchange 2003 SP2 with EAS enabled and configured with device password policies. I set up the device password policy on the Exchange server to enforce a password with a minimum of four characters and a 20 minute inactivity timeout. This means that any mobile device connected to Exchange that is idle for 20 minutes will automatically lock and require a password to access the device.

Bug 1 – iPhone does not handle EAS Policies as expected

With Exchange ActiveSync, administrators can configure device password policies. According to Microsoft, the “Inactivity Time” option determines how long the device needs to be inactive before the user is prompted for the password. I first tested my EAS settings against a Windows Mobile Device. The results were as expected, with the device requiring me to set a password and after 20 minutes of inactivity, requiring me to enter my password.

The iPhone behaved differently. First, you need to understand two settings on the iPhone which pertain to passwords: “Auto-Lock” and “Passcode Lock.” “Auto-Lock” sets the amount of time in minutes before the screen locks. The purpose of this is to save battery life by dimming the screen and to prevent accidental pocket dialing. “Passcode Lock” determines the amount of time in minutes after the Auto-Lock sets in, before a password needs to be entered. This can be configured at 1 min., 5 min., 15 min., 1 hour, 4 hours or never.

Upon successfully connecting to EAS, I was required to set a password as expected. After I set up my password, I reviewed the settings on the iPhone and saw that Auto-Lock was set to 5 minutes and Passcode Lock was set to 15 minutes. This appeared to be correct as the total adds up to 20 minutes before requiring a password to be entered. Surprisingly, however, I was able to change the “Passcode Lock” on the iPhone up to a maximum time of 1 hour. I did notice that I could not set the Passcode Lock to 4 hours or never as those options were apparently removed after connecting to EAS. This allowed me to change the Passcode Lock up to a maximum of 1 hour for a total of 65 minutes (5 for the Auto-Lock and 1hr for the Passcode Lock) before requiring a password.

This means in a corporate environment, users are able to override inactivity timeout settings defined by administrators, as the iPhone does not respect the EAS policy. This gives a false sense of security to administrators and they need to be aware of this behavior. If Apple is going to advertise integration with EAS security policies, then they need to ensure the iPhone respects the settings and behaves accordingly.

Bug 2 – Passcode Prompt Reveals Too Much Information

I’m really not sure how this next bug made it by the quality assurance team, specifically security testing. For this example, let’s assume you set your password to “abc123” and your device gets locked. You are prompted to enter your password with the iPhone keyboard and, as you type, asterisks are displayed across the screen (see Figure 1). This is typical and expected behavior. Note that the input box does not give any indication as to the length of the password or the complexity of the password as you can enter numbers, letters and special characters.

But if you change your password to “1234” or any four-digit numeric password for that matter, from then on you lose the ability to enter any letters or special codes (see Figure 2). This reveals two pieces of information about your password: 1) that it consists of only numbers, and 2) the password is only four digits long. From a brute-force perspective that is only 10,000 possible combinations, which would be trivial for any type of offline attack. Knowing this behavior of the iPhone, you may want to consider requiring passwords to require at a minimum both numbers and letters in your EAS policy.

Bug 3 – Changing your iPhone Passcode

This next bug has some similarities to Bug 2. Let’s assume that you realize that your four-digit numeric password is weak and reveals too much information. You decide to change your password from numbers to something alphanumeric. What I discovered is you cannot do this. Once your password is changed to four digits, when you go to change the password, you are only given the option to change it to another four-digit numeric password. On the other hand, if your password is already alphanumeric, you can change it to any length and any combination of numbers, letters and special characters. This is clearly a bug with the iPhone OS.

The workaround to this was to remove the Exchange account from the iPhone and add it back. Upon adding the Exchange account back, I was prompted to enter a new password which allowed me to enter a complex password.

Summary

The iPhone is a great device and is arguably the best mobile device from a usability perspective. Unfortunately, the security features are not quite ready for the enterprise and contain various bugs. In order to safeguard against such bugs, data encryption has to be considered for any type of data protection, but that is another article. Enterprises considering the iPhone for corporate use need to be aware of how the iPhone security features behave and the different ways that data can be breached in the event that the device is lost or stolen.

More test results of iPhone management available here.

2009-09-03T08:55:00.000-07:00

iPhone Security, Part 2

The iPhone app security model

Security Strategies Alert By M. E. Kabay , Network World , 05/20/2009

My friend and colleague Adjunct Professor Richard Steinberger from the MSIA Program at Norwich University continues his analysis of Apple iPhone security. Everything that follows is entirely Ric’s work with minor edits.

* * *

iPhone apps are, with a few limited exceptions, available to iPhone owners only via Apple’s iTunes store and only if iTunes has been installed on the computer accessing the store. Users cannot, in general, download apps from any other source, or share their apps (even free apps) with other iPhone owners. This distribution architecture allows Apple to vet every app that iPhone users install on their phones. In emergencies, Apple may also remotely remove or disable dangerous apps that have been installed on iPhones.

Based on my personal observation and analysis, the main security constraints imposed by the iPhone Operating System are as follows:

• No app may access any iPhone OS files.
• No app may access any other app’s files (with a few exceptions). Any files created by an app must remain local to that app. For example, an app designed to edit Java files could only edit Java files created within that app (or downloaded to that app). Primary exceptions include: Third-party apps may access and modify stored photos and phone contacts.
• No app may alter any system settings. For example, a precise, NTP-enabled clock may not set the iPhone’s clock.
• If an app crashes, then in theory, only that app crashes, and the OS is unaffected. In practice, a crashed app may hang a system, requiring a restart.
• An iPhone app may sync with a PC- or Mac-based application to exchange or update the app’s data. But the syncing must be done by a wireless LAN connection and cannot be carried out using the cable that connects the iPhone to the computer; i.e., synchronization via an iTunes conduit to a PC or Mac application is not permitted.
• Apps are allowed to communicate with the Internet using the iPhone’s network connection. Thus, any data files present within an app may, in theory, be sent to an unauthorized destination without the iPhone owner’s knowledge. This transfer would be an example of an app Trojan horse program. Although such programs may escape Apple’s initial vetting, the author knows of no cases where such an app has actually been distributed via iTunes.

In other words, apps are islands unto themselves. Although a rogue employee may use a mobile phone to help steal or distribute confidential information, it remains far less likely that a trustworthy iPhone owner’s use of downloadable apps presents any major new security risk. As mentioned in the introduction, the primary risk of mobile phones remains their theft or loss. Organizations need to be prepared for the loss of confidential information when staff member phones are misplaced or stolen unless the iPhones are equipped with encryption software. In addition to using a password or personal identification number (PIN) to protect the phone itself from unauthorized access, some useful encryption and data protection apps for the iPhone are:

• SplashID
• 1Password
• My Eyes Only
• Verisign Identity Protection (VIP)
• Jaadu VNC

With appropriate precautions, corporate security managers can survive the latest wave of innovation from Apple.

* * *

Richard H. Steinberger, CISSP, CISM, has over 20 years of hands-on and supervisory experience with computers and networks with special expertise in Internet and network security; security principles and products including firewalls, routers, VPNs, vulnerability assessment tools, intrusion detection systems, and hacking tools; advanced Unix software development; and system administration. He has taught network security at University California Berkeley Engineering Extension and for several years as Adjunct Professor of Information Assurance in the MSIA Program at Norwich University. You may reach Ric by e-mail.

M. E. Kabay, PhD, CISSP-ISSMP, specializes in security and operations management consulting services. CV online.

2009-09-03T08:54:00.000-07:00

iPhone security, Part 1

Security Strategies Alert By M. E. Kabay , Network World , 05/19/2009

Identity Theft Malware Surges 600%

Hard times appear to be one reason for the explosion of malicious software designed to steal sensitive personal and financial information.

By Thomas Claburn
InformationWeek
August 19, 2009 07:02 PM

The indictment of Albert Gonzales of Miami, Fla., for allegedly hacking into corporate computers and stealing more than 130 million credit and debit cards may not have much impact on the identity theftunderground.

In the first half of 2009, the number of computer users affected by malware engineered to steal personal information has risen by 600% compared to the January through June period in 2008, according toPandaLabs, part of computer security company Panda Security. In quantitative terms, Panda reports identifying 391,406 computers infected with identity-theft malware in the first six months of the year.

Panda reports receiving more than 35,000 new malware samples -- viruses, worms, Trojans and the like -- every day. Trojan software designed to steal bank details, credit/debit card numbers, or online accountlogin names and passwords represents 71% of this total. That's up from 51% in 2007.

The methods used to propagate identity theft malware have also become more diverse. Whereas e-mailused to be the primary medium for malware distribution, social sites have become a major attack vector, along with infected Web pages, SMS messages containing Web links, and spyware that attempts to convince users to pay for fake antivirus programs.

InformationWeek Analytics has published an independent analysis on data-loss prevention. Download the report here (registration required).

2009-08-20T03:37:00.000-07:00

SQL injection attacks led to Heartland, Hannaford breaches

Details of the attacks could spur focus on Web app security

Jaikumar Vijayan

August 18, 2009 (Computerworld) This week's disclosure that the huge data thefts at Heartland Payment Systems and other retailers resulted from SQL injection attacks could finally push retailers to pay serious attention to Web application security vulnerabilities, just as the breach at TJX focused attention on wireless issues.

A federal grand jury on Monday indicted Albert Gonzalez and two unidentified Russian accomplices on charges related to data intrusions at Heartland, Hannaford Bros., 7-Eleven and three other retailers. Gonzalez is alleged to have masterminded an international operation that stole a staggering 130 million credit and debit card numbers from those companies. Gonzalez and 10 other individuals were indicted in May 2008 on charges related to similar intrusions at numerous other retailers, including TJX Dave & Busters, BJ's Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever 21 and DSW.

Court documents filed in connection with Monday's indictment spelled out howGonzalez and his accomplices used SQL injection attacks to break into Heartland's systems and those of the other companies. Once they gained access to a network, the attackers then planted sophisticated packet-sniffing tools and other malware to detect and steal sensitive payment card data flowing over the retailers' networks.

In SQL injection attacks, hackers can take advantage of poorly coded Web application software to introduce malicious code into a company's systems and network. The vulnerability exists when a Web application fails to properly filter or validate the data a user might enter on a Web page -- such as when ordering something online. An attacker can take advantage of this input validation error to send a malformed SQL query to the underlying database to break into it, plant malicious code or access other systems on the network. Large Web applications have hundreds of places where users can input data, each of which can provide a SQL injection opportunity.

The vulnerability is well understood, and security analysts have warned retailers about it for several years. Yet a large number of all Web-facing applications are believed to contain SQL injection vulnerabilities -- a fact that has made SQL injection the most common form of attack against Web sites.

"We see SQL injection as the top attack technique on the Web," said Michael Petitti, chief marketing officer at Trustwave, a Chicago-based company that conducts security and compliance assessments for some of the largest retailers in the world, including -- ironically -- Heartland, for whom it was a security assessor.

"Not only is it the most attempted, it is also the most successful" form of attack now employed by malicious hackers, Petitti said.

Launching such attacks is not difficult, said Chris Wysopal, co-founder and chief technology officer at Veracode, a firm that offers application penetration testing services for companies. Tools are available that allow attackers to quickly check home-grown and third-party Web applications for SQL injection vulnerabilities, he said. One such tool might find a form field on a Web page, enter data into it, and check the response it gets to see whether a SQL injection vulnerability exists.

"It doesn't require much expertise at all," Wysopal said. "It is at the script-kiddie level to do these kinds of attacks." Exacerbating the situation is the fact that many companies are still using older versions of the MS SQL Server database that allow attackers to essentially take complete control of the database via SQL injection, Wysopal said.

The use of SQL injection attacks has gained popularity as companies have gotten better at shutting down other avenues for breaking into corporate systems and networks, said Matt Marshall, vice president of security engineering at Redspin, which performs security assessments for businesses. "One of the few ports that are still allowed through the firewall is Web traffic through the Web server," he said. "It is one of the few avenues of attacks that are still readily available" to hackers.

Those factors seem to have influenced Gonzalez's plans in attacking retailers. Initially, most of the attacks -- including the one at TJX -- took advantage of weak wireless access points. But starting around August 2007, he stopped using wireless vulnerabilities and turned almost exclusively to SQL injection attacks.

The success of those attacks and the high-profile nature of the retailers affected are likely to push more companies to deal with Web application security issues. "When vulnerable technologies get deployed, security people notice it and inform [clients], but no action is usually taken until attackers start becoming successful," Marshall said. "Until TJX, people didn't start locking down their wireless networks. If Heartland and Hannaford are not a wake-up call [for Web application security], I wonder what is."

According to Wysopal and others, there are several measures companies can take to limit their exposure to SQL injection vulnerabilities. One involves a code review of all Web applications to identify input validation errors. Companies need to identify such coding flaws and ensure that a Web form accepts only legitimate input. Web application firewalls can also be useful in protecting against SQL injection attacks, though they must be tuned properly to automatically block malicious traffic while permitting legitimate traffic to get through.

Hardening the underlying database and ensuring that the Web application connecting to it has limited access are also helpful in fending off attacks, Wysopal said.

2009-08-19T02:46:00.000-07:00

Inside The Year's Biggest Data Breach
Taylor Buley, 08.18.09, 5:20 PM ET

BURLINGAME, CALIF. -

The U.S. Department of Justice's indictment of Albert Gonzalez on Monday seems to have all the elements of a Hollywood crime drama: A hacker gains access to millions of credit and debit card numbers and has the power to take down a nation. Too bad for Tinseltown, the attack itself was about as sexy and a pile of routers.

According to the indictment, Gonzalez, 28, gained a foothold into the systems of credit card processors such as Heartland Payment Systems and retailers like OfficeMax,Barnes & Noble and TJX Cos. using an amateur hacking technique called "wardriving," which uses wireless access points to find vulnerable networks from which to launch attacks. Once connected to those private networks, Gonzalez used a well-known technique called "SQL injection" to trick Web applications into forking over private information that gave him deeper access into networks. Even though it sounds complicated, techies liken this kind of hack to simply turning the front doorknob to get into a house.

In the seven-layer Open System Interconnection model, a popular reference guide for securing a network software stack, the application layer is at the top. SQL injection is a Web-based attack that happens on this surface level. Securing the application layer is entry-level security stuff, which raises the question of why so many credit card handlers were vulnerable in the first place.

They certainly shouldn't have been vulnerable, says Kurt Roemer, chief security strategist of Citrix Systems. Citrix is on the board of advisers for the Payment Card Industry (PCI) security standards council, an industry effort for hardening the security systems of businesses that handle credit cards.

Roemer says businesses need to use either a Web application scanner or Web application firewall to guard against SQL injections. A Web application scanner likely would have likely caught the SQL injection vulnerabilities Gonzalez exploited. If it didn't, an application firewall probably would have isolated the attacker from gaining access to other parts of the compromised networks.

"PCI specifically calls this out," Roemer says. "The way these guys got hacked there's no way they would have satisfied" those standards.

The PCI rules also try to mitigate the threats of wardriving. Earlier this year, the PCI standards body called for the phase-out of any wireless networks using WEP encryption, a digital lock that takes only a couple of minutes to break.

Though the way Gonzalez broke into systems is hardly the work of a criminal mastermind, Roemer says he's impressed by how Gonzalez and his co-conspirators were able to use relatively simple means to gain powerfully damaging access.

"The criminals would rather have something that's pretty easy and gets them the maximum amount of data," he says. "I'm just amazed at how they profiled all these companies and actually had a complete attack methodology."

2009-08-09T09:45:00.000-07:00

China syndrome

Hacking schools flourish in China

Published 8 August 2009

Chinese hackers have been on the forefront of sustained hacking and disruption campaign against Western business and government networks -- some do it for fun, other for profit, but many do so on behalf of the Chinese government and its many intelligence and military agencies; ever wondered where all these hackers come from? "Hacker schools" are big business in China, generating $34.8 million last year

As if the world did not have enough problems caused by Chinese hackers, now comes this: China has seen the emergence of online training schools that teach students the skills necessary to either be a network defender or a cybercriminal. These "hacker schools," as they are known, are also big business, generating $34.8 million last year, China Dailyreports.

Matthew harwood writes that Students can enroll in online classes for as little as a few hundred yuan. While some schools advertise themselves as training the next generation of security experts, many worry a percentage of the students will use their skills to commit various cybercrimes, such as identity theft or stealing trade secrets.

Wang Xianbing-a security consultant for a prominent online hacking school, Hackbase.com, likens the training provided by the Web site to that of the locksmith trade. "It's like teaching lock picking," he told Beijing Today. "No one can guarantee the student will become a professional locksmith rather than a future thief."

Rather, it is up to the individual and his conscience whether to use his knowledge for good or evil, Wang said. Interviewed by China Daily, he said that the company's students are explicitly told not to use their knowledge for illegal activities. "Lots of hacker schools only teach students how to hack into unprotected computers and steal personal information," said Wang. "They then make a profit by selling users' information."

Imparting such knowledge, even with caveats, runs obvious risks. Last year alone, according to China Daily, hacking cost the Chinese economy approximately $1 billion. Globally, Symantec estimates cybercrime cost firms a total of $1 trillion in 2008, CNet.com reported in January (but see 27 March 2009 HSNW for skepticism about this high figure).

Money is not the only motivation, reports China Daily.

A 25-year-old hacker school student from Shanghai surnamed Wang, said most of his "classmates" simply enroll in hacker school for personal reasons, such as spying on relatives, showing off their computer-savvy skills or taking revenge on a rival's Websites, rather than making money.

Wang described the Catch-22 of teaching a new generation of security experts the tools of the trade: "They have to learn how to attack a Web site before they can learn how to defend it."