Special to CNET News.com
Employees are still one of the greatest threats to
corporate security, as "new-age" mafia gangs infiltrate
companies, the U.K.'s crime-fighting agency has said.
Speaking on Tuesday at the Infosecurity 2006 conference
in London, Tony Neate, e-crime liaison for the Serious
Organised Crime Agency (SOCA), said insider "plants" are
causing significant damage to companies.
"We have fraud and ID theft, but one of the big threats
still comes from the trusted insiders. That is, people
inside the company who are attacking the systems," he said.
"(Organized crime) has changed. You still have
traditional organized crime, but now they have learned to
compromise employees and contractors. (They are) new-age,
maybe have computer degrees and are enterprising themselves.
They have a wide circle of associates and new structures,"
he added.
Charges laid in Bank of Canada identity fraud
Subsequent to the recent
announcement of a joint Ottawa RCMP and Ottawa Police
Service investigation into the theft of personal information
from Bank of Canada databases, one individual has been
charged.
Charged: Chukwuemeka MADUMELU, 27 years old, of Ottawa
Charges:
Fraud over $5000, Section 380 (1) (a) of the Criminal Code
Possession of Property obtained by Crime, Section 355 (a) of
the Criminal Code
The RCMP and the Ottawa Police continue to focus their
investigation on the fraudulent redemption of Canada Savings
Bonds and the creation of counterfeit identity documents.
Additional individuals may be charged.
To date, the investigation has confirmed that the identities
stolen in Ottawa from the Bank of Canada's Savings Bond
payroll deduction database belonged to Canadians from
various parts of the country.
The stolen information has been used to obtain fraudulent
credit cards and open cellular telephone accounts in Ottawa,
Montreal and Calgary.
It has been confirmed that an additional 15 identities have
also been compromised. These people have been notified by
the Bank of Canada.
If you suspect that your identity has been used to commit
fraud, you must take immediate action. File a report with
your local police or with the police in the community where
the identity theft took place. Also, notify the creditors of
any accounts that have been opened or tampered with — for
example, credit card companies, phone companies, banks and
other lenders.
Identity theft is one of the fastest growing crimes in
Canada and it can happen to anyone. While it cannot be
prevented entirely, you can minimize your risk of falling
victim to this crime by carefully reviewing the accuracy of
your financial statements and remaining aware of the issue.
For information on how to recognize and stop identity fraud
and other scams, please visit the RCMP’s Scams/Fraud web
page at the following link: www.rcmp.ca/scams/index_e.htm.
Information:
Ottawa RCMP
Sgt. Monique Beauchamp
(613) 993-8820
Bots increasingly behind cybercrime
Online fraudsters and data thieves are more frequently
using bot networks to get home and business PCs to do their
bidding, with some estimates of the number of infected
systems as high as 47 million.
An article in USA Today delves into three arrests in the
last year of the people who allegedly created and controlled
bot networks, known as bot masters or bot herders: Jeanson
James Ancheta, who pleaded guilty in January to computer
intrusion charges; Farid Essebar, the alleged creator of the
Zotob worm; and Christopher Maxwell, charged with creating a
bot network to grow an adware affiliate network.
The Messaging Anti-Abuse Working Group believes that as
many as 7 percent of PCs worldwide--about 47 million--are
infected by bots and that 70 percent of spam is sent from
bot nets, according to the article.
Bot software, especially openly developed code that
allows plug-and-play programming, has quickly risen to
prominence in the past three years, despite some high
profile arrests. Bot masters can quickly develop attacks for
the latest vulnerabilities in popular software and update
their programs. More stealthy bots have infiltrated
computers at government agencies and large companies.
Fraudsters are using stolen information to lure victims
into divulging additional sensitive information in a new
form of phishing attack. These so-called personalised
phishing attacks target individual named accountholders at
specific banks, according to anti-fraud software firm Cyota.
Crooks are using real information about the accountholder
– such as the person’s name, correct full account number,
and other bank information – to make the emails look more
legitimate and thereby increase response rates. The approach
contrasts with a typical phishing attack, where fraudsters
randomly dispatch thousands of spam emails without the
slightest attempt to target their attacks.
Personalised phishing attacks seek to supplement existing
lists of stolen credentials with even more sensitive
information, such as ATM PIN numbers or credit card CVV
codes.
"This highly coordinated, two-phase fraud attack
demonstrates the lengths that fraudsters will go to maintain
a high rate of success, and the need for constant innovation
among banks and their security providers to match the
continuing evolution of online threats," said Amir Orad,
executive VP of marketing at Cyota.
The company advises consumers not to follow links within
emails ostensibly from their bank or online merchant
requesting personal or account information. Instead, users
should go directly to the site concerned to verify a request
or complete the transaction.
Many popular browsers are affected by a vulnerability
that makes it easy to spoof the content of websites,
security firm Secunia warns.
Features built into browsers make it possible for
malicious websites to change the content of pop-up windows
created by trusted websites such as online banks. Users
would have no inkling that potentially hostile content has
been injected into a pop-up window. Exploits rely on
misusing browser functionality rather than taking advantage
of a software bug. Thomas Kristensen, Secunia’s chief
technology officer, described the problem as “perhaps the
simplest phishing trick yet.”
Secunia has confirmed the vulnerability on fully patched
versions of Internet Explorer 6.0 and Windows XP SP1 and SP2
(advisory here), Mozilla 1.7.3, Mozilla Firefox 1.0,
Netscape 7.2, Apple's Safari 1.2.4, Opera 7.54, and KDE's
Konqueror 3.2.2-6. Other versions of these browsers might
also be affected. Secunia has issued five advisories
(summary here) and an on-line test.
Secunia describes the vulnerabilities as "moderately
critical". It advises users not to browse untrusted sites
while browsing trusted sites.
First it was a security breach that left
ChoicePoint's treasure chest of personal information
(145,000 accounts) vulnerable to prying eyes. Less than a
fortnight later, Bank of America backup tapes containing
data on 1.2 million accounts went missing. More recently,
someone hacked into a confidential database containing as
many as 32,000 records at Seisint, a company owned by
LexisNexis.
The Enterprise Strategy Group recently surveyed 229
U.S.-based security professionals from organizations with
more than 1,000 employees. The majority of respondents (52
percent) came from organizations with more than $1 billion
in annual revenue. Our goal was to get an objective metric
of just how bad the internal security threat really is.
The results paint a frightening picture. For example, 23
percent of respondents reported their organization had
suffered an internal security breach in the past 12 months,
while 27 percent didn't know if it had or not. Note to self:
Make sure the people you do business with know whether
they've been hacked or not.
The Privacy Acts of Canada and the United States mean
companies can be sued and fined for data leakage
Tower Records has reached a settlement with the Federal
Trade Commission (FTC) over a 2002 security problem that made
data on customers accessible to outsiders. A site redesign had
opened a hole in Tower Records' e-commerce site that allowed
users to call up customers' order histories by manipulating an
identification number in the order status page, revealing
names, addresses, e-mails, phone numbers, and past purchases.
In the settlement, Tower Records promises to maintain a
comprehensive security program, to be certified by an
independent expert within six months and biannually for ten
years.
The company faces an $11,000 fine for each violation
of the agreement. The FTC has no authority over Internet
security, but can target companies for deceptive trade
practices. In the case of Tower Records, the FTC targeted
statements in its privacy policy to address the
security breach.
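The hole the settlement describes, an order id in the status page that any customer could edit to read someone else's order, is a missing ownership check on the lookup. As an added illustration (this is not Tower Records' code; the order table, ids and customer numbers are constructed for it), here is that lookup keyed only on the supplied id, beside a version that ties every lookup to the customer who is actually logged in:

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Order:
    order_id: int
    customer_id: int
    items: tuple

# Constructed sample data for the demonstration (hypothetical orders and customers).
ORDERS = {
    1001: Order(1001, customer_id=7, items=("CD: Abbey Road",)),
    1002: Order(1002, customer_id=9, items=("DVD: Metropolis",)),
}

class Forbidden(Exception):
    pass

def order_status_vulnerable(order_id: int) -> Order:
    """Returns whatever order id the caller supplies: the hole described above."""
    return ORDERS[order_id]

def order_status_fixed(session_customer_id: int, order_id: int) -> Order:
    """Same lookup, but the row is checked against the authenticated customer.

    'Not yours' and 'does not exist' are reported identically so the response
    does not reveal which ids are valid to someone walking the id space.
    """
    order = ORDERS.get(order_id)
    if order is None or order.customer_id != session_customer_id:
        raise Forbidden("order not found")
    return order

def demo():
    """Customer 7 is logged in and edits the id in the status URL to 1002."""
    leaked = order_status_vulnerable(1002)      # succeeds: customer 9's order
    try:
        order_status_fixed(7, 1002)
        blocked = False
    except Forbidden:
        blocked = True                          # the fixed lookup refuses it
    own = order_status_fixed(7, 1001)           # customer 7's own order still works
    return leaked.customer_id, blocked, own.order_id

if __name__ == "__main__":
    print(demo())
```

The check belongs in the data-access layer rather than in each page handler, so a future redesign of the kind that opened the hole cannot forget it; a run of Forbidden responses from one session is also a useful signal that someone is walking the id space.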
Microsoft filed 117 lawsuits this week
against people who it charges created phishing Web sites
designed to look like pages hosted by the software giant.
The suits are being brought against operators of Web sites
that feature trademarked logos or images used by Microsoft
on its official Web pages and products. Every one of the
sites named in the lawsuits, which were online sometime
between October 2004 and March 2005, has already been taken
down, said Aaron Kornblum, Internet safety enforcement
attorney at Microsoft.
Case Files
Most techniques that people use to assure
information privacy fail when data storage equipment is sold
on the secondary market. For example, any protection that
the computer’s operating system offers is lost when someone
removes the hard drive from the computer and installs it in
a second system that can read the on-disk formats, but
doesn’t honor the access control lists. This vulnerability
of confidential information left on information systems has
been recognized since the 1960s.
• The Pennsylvania Department of Labor and
Industry sold a collection of computers to local resellers.
The computers contained “thousands of files of information
about state employees” that the department had failed to
remove.
• Dovebid auctioned off more than 100
computers from the San Francisco office of the Viant
consulting firm. The hard drives contained confidential
client information that Viant had failed to remove.
• A Purdue University student purchased a
used Macintosh computer at the school’s surplus equipment
exchange facility, only to discover that the computer’s hard
drive contained a FileMaker database containing the names
and demographic information for more than 100 applicants to
the school’s Entomology Department.
• An author of this article purchased 10
used computer systems from a local computer store. The
computers, most of which were three to five years
old, contained all of their former owners’ data. One computer
had been a law firm’s file server and contained privileged
client–attorney information. Another computer had a database
used by a community organization that provided mental health
services. Other disks contained numerous personal files.
• A woman in Pahrump, Nevada, purchased a
used IBM computer for $159 and discovered that it contained
the prescription records of 2,000 patients who filled their
prescriptions at Smitty’s Supermarket pharmacy in Tempe,
Arizona. Included were the patients’ names, addresses and
Social Security numbers and a list of all the medicines
they’d purchased. The records included people with AIDS,
alcoholism, and depression.
Phishers develop sophisticated lure
By John Leyden
Fraudsters have developed phishing emails capable of
automatically stealing bank log-in details without requiring
users to click on a website link, email filtering firm
MessageLabs warns.
Over the last two weeks, MessageLabs has monitored a
small number of these dangerous new emails, which are
capable of sidestepping the need for user intervention in
phishing attacks. Users only have to open a maliciously
constructed email to be exposed to risk. These emails
contain scripts that rewrite the hosts files of targeted
machines. This means that next time a user attempts to
access their online banking account they will be
automatically redirected to a fraudulent website instead,
enabling their log-in details to be stolen. So far,
MessageLabs has only intercepted copies of emails targeting
three Brazilian banks, but if the technique catches on it
could have potentially serious consequences.
A defence is available. Providing surfers have Windows
Scripting Host disabled, they are not at risk from this
particular type of phishing attack. MessageLabs said the
technique illustrated the increased sophistication of
phishing techniques fraudsters are developing.
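Because this attack leaves a durable artefact on the machine, a rewritten hosts file, it is also easy to detect after the fact. The following is an added detection example, not MessageLabs' tooling: a Python check that parses hosts-file text and flags entries that override a monitored (for instance banking) domain, that send traffic for any name to a routable address, or that cannot be parsed at all. The sample hosts contents, the bank domain and the addresses in it are constructed placeholders; on Windows the file a real check would read is %SystemRoot%\System32\drivers\etc\hosts.

```python
import ipaddress

# Constructed sample hosts-file contents, mimicking one rewritten by the kind of
# script described above. The bank domain and address are placeholders.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
192.0.2.45      www.example-bank.test   # <- injected by the phishing script
0.0.0.0         ads.example.net         # ad-blocking style entry, harmless
"""

# Domains whose resolution must never be overridden locally (hypothetical list).
MONITORED_DOMAINS = {"example-bank.test"}

def parse_hosts(text):
    """Yield (ip, hostname) pairs, ignoring comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            yield ip, name.lower()

def suspicious_entries(text, monitored=MONITORED_DOMAINS):
    """Return (ip, name, reason) for every entry worth an analyst's attention.

    An entry is flagged when the hostname or any parent domain is on the
    monitored list (whatever it points to), when the address is routable
    (not loopback, unspecified such as 0.0.0.0, private or link-local), or
    when the address field does not parse.
    """
    flagged = []
    for ip_text, name in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(ip_text)
        except ValueError:
            flagged.append((ip_text, name, "unparseable address"))
            continue
        labels = name.split(".")
        parents = {".".join(labels[i:]) for i in range(len(labels))}
        if parents & monitored:
            flagged.append((ip_text, name, "monitored domain overridden"))
        elif not (ip.is_loopback or ip.is_unspecified
                  or ip.is_private or ip.is_link_local):
            flagged.append((ip_text, name, "routable override"))
    return flagged

if __name__ == "__main__":
    for entry in suspicious_entries(SAMPLE_HOSTS):
        print(*entry)
```

A clean hosts file rarely holds anything beyond loopback entries, so the routable-override rule produces few false positives; any hit on a financial domain is grounds to treat the machine as compromised, since the user's own typed URL will already be going to the fraudster's server.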
Alex Shipp, senior anti-virus technologist at MessageLabs,
said: "By reducing the need for user intervention, the
perpetrators are making it easier to dupe users into handing
over the contents of their bank accounts. Most banks have
advised their customers to be wary of any email asking for
personal banking details, but in this case all they have to
do is open an apparently innocent email and their bank
details could be silently sabotaged.
"We currently detect between 80 and 100 new phishing
websites a day, showing just how prolific the threat has
become. It is a moving target, making it harder to identify
and defend against," he added.
Thousands of Canadians Victims of 'Phishing'
(The Globe and Mail - Sinclair Stewart)
Risk Management
A new survey conducted by Visa Canada suggests as many as
200,000 Canadians may have been unwittingly victimized by "phishing,"
a scheme in which people are duped into providing personal
information and financial data over the Internet. Visa
Canada said phishing attacks around the world are growing by
the "alarming" rate of 50 percent each month, and in the
United States alone, the problem has cost consumers and
companies an estimated (US)$500-million. Despite the growing
attacks, only 16 percent of all Canadians are familiar with
phishing, and 4 percent of respondents to the study said
they have divulged personal information after being
contacted by e-mail.
Source: Computerworld
The US Secret Service has announced the arrest of 28
people from eight states and six countries on charges of
identity theft, computer fraud, credit card fraud, and
conspiracy. The Secret Service considers the sting,
codenamed "Operation Firewall", a significant disruption of
organized online crime targeting US financial
infrastructure.
The group allegedly trafficked in 1.7 million stolen
credit card numbers and cost financial institutions an
estimated $4.3 million in losses. The operation involved
agents from thirty field offices around the globe and law
enforcement in other countries. Secret Service Director W.
Ralph Basham credits the operation with preventing the
potential loss of hundreds of millions of dollars. Operation
Firewall began in July 2003 and quickly grew into a
transnational investigation, targeting groups identified as
Shadowcrew, Carderplanet, and Darkprofits. The groups
operated websites to traffic in stolen data and provide
information and tools for committing fraud. The British
National High-Tech Crimes Unit (NHTCU), the Vancouver Police
Department's Financial Crimes Section, the Royal Canadian
Mounted Police, Europol, and officials in Bulgaria, Belarus,
Poland, Sweden, the Netherlands, and Ukraine also
participated in the investigation.
Fujitsu has developed a method of embedding
data invisibly within printed pictures.
The procedure, commonly known as
steganography, will allow numerical information
to be hidden within a color image and accessed
via a camera.
Steganography involves altering an image in a
way that cannot be perceived by the human eye,
but which can be detected electronically.
Fujitsu's technique can apparently hide a
12-digit number in a 1-centimeter square.
This would allow data such as phone numbers
or a URL to be planted into a poster, a magazine
advertisement or business card. To extract the
information, users would just have to point
their camera phone or PDA at the image--as long
as the device was configured to find the hidden
message.
Fujitsu says that consumers could even use
its procedure to add embedded information to
personal photos and print them out at home.
The Japanese manufacturer is now working to
make its procedure easier to use. It is also
eager to collaborate with mobile phone companies
and content providers to get the technology to
market.
Fujitsu is claiming that this is the first
time technology has been developed to hide
numerical data within printed images, but many
other IT companies are also working on
steganography. A demonstration of a similar
technique took place at Intel's IDF show last
year, running on the chipmaker's reference
mobile phone platform.
"Cleaned" hard drives reveal secrets
NewScientist.com news service
Discarded and recycled computer drives can reveal
financial and personal information even when apparently
wiped clean, MIT researchers have found.
Simson Garfinkel and Abhi Shelat, graduate students at
the Massachusetts Institute of Technology, analysed 158
second hand hard drives bought over the internet between
November 2000 and August 2002. They were able to recover
over 6000 credit card numbers, as well as email messages and
pornographic images.
The pair wrote a program to scour the disk drives for any
trace of credit card information. They found card numbers on
42 of the drives they bought.
One drive had previously been used in an ATM cash machine
and contained 2868 different numbers, as well as account and
transaction information. Another drive contained a credit
card number within a cached web page.
Privacy failure
Much of the information the researchers found had been
"deleted" before the disks were sold. But simply deleting a
file with most computer operating systems does not remove it
from the hard drive, it only removes a tag pointing to the
file.
Furthermore, even re-formatting the disk does not
properly remove the contents of files.
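To make concrete both why deletion and reformatting leave data behind and how a scan like the one Garfinkel and Shelat wrote can find card numbers in it, here is an added Python example (it is not the researchers' program). It builds a toy disk image, constructed for this illustration rather than modelled on any real filesystem, with a directory table and a data area; deleting a file clears only its directory flag, a quick format rewrites only the directory, a raw scan of the bytes finds Luhn-valid digit runs regardless of what the directory says, and only a full overwrite leaves nothing to recover. The file names and contents are constructed, and the card numbers are standard Luhn-valid test numbers.

```python
import re

# Toy image layout (constructed): directory table of fixed slots, then a data area.
DISK_BYTES = 4096
DIR_SLOTS = 8
SLOT_BYTES = 32                     # [in_use:1][name:23][start:4][length:4]
DIR_BYTES = DIR_SLOTS * SLOT_BYTES  # directory occupies the first 256 bytes

def new_disk() -> bytearray:
    return bytearray(DISK_BYTES)

def _entries(disk):
    """Yield (slot_offset, in_use, name, start, length) for every directory slot."""
    for i in range(DIR_SLOTS):
        s = i * SLOT_BYTES
        in_use = disk[s] == 1
        name = bytes(disk[s + 1:s + 24]).rstrip(b"\0").decode()
        start = int.from_bytes(disk[s + 24:s + 28], "big")
        length = int.from_bytes(disk[s + 28:s + 32], "big")
        yield s, in_use, name, start, length

def write_file(disk, name: str, data: bytes) -> None:
    """Place the data after the last in-use file and record a directory entry."""
    slot = next(s for s, in_use, *_ in _entries(disk) if not in_use)
    start = max([DIR_BYTES] + [st + ln for _, in_use, _, st, ln in _entries(disk) if in_use])
    if start + len(data) > DISK_BYTES:
        raise ValueError("disk full")
    disk[start:start + len(data)] = data
    disk[slot] = 1
    disk[slot + 1:slot + 24] = name.encode().ljust(23, b"\0")
    disk[slot + 24:slot + 28] = start.to_bytes(4, "big")
    disk[slot + 28:slot + 32] = len(data).to_bytes(4, "big")

def delete_file(disk, name: str) -> None:
    """As on most filesystems: only the directory entry is marked free, the bytes stay."""
    for s, in_use, n, *_ in _entries(disk):
        if in_use and n == name:
            disk[s] = 0

def quick_format(disk) -> None:
    """A quick reformat rewrites the directory table; the data area is untouched."""
    disk[0:DIR_BYTES] = bytes(DIR_BYTES)

def sanitize(disk) -> None:
    """Overwrite every byte, directory and data alike. On real media this means a
    full-device overwrite or the drive's own secure-erase command; flash
    wear-levelling can keep copies that a file-level overwrite never reaches."""
    disk[:] = bytes(len(disk))

def list_files(disk):
    return [n for _, in_use, n, *_ in _entries(disk) if in_use]

def luhn_ok(digits: str) -> bool:
    """Luhn check digit test; filters random digit runs from real card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

_CANDIDATE = re.compile(rb"(?<!\d)\d{13,16}(?!\d)")

def scan_for_card_numbers(disk):
    """Scan the raw bytes, ignoring the directory entirely, keeping Luhn-valid runs."""
    found = {m.group().decode() for m in _CANDIDATE.finditer(bytes(disk))}
    return sorted(n for n in found if luhn_ok(n))

def demo():
    disk = new_disk()
    # Constructed sample content; 4111... and 5500... are standard test numbers.
    write_file(disk, "orders.txt", b"cardholder A. Example card 4111111111111111 exp 01/07\n")
    write_file(disk, "notes.txt", b"ref 1234567890123456 card 5500000000000004\n")
    delete_file(disk, "orders.txt")
    delete_file(disk, "notes.txt")
    quick_format(disk)
    result = {"files_visible": list_files(disk),          # nothing, as the seller sees it
              "after_format": scan_for_card_numbers(disk)}  # both cards, as a buyer sees it
    sanitize(disk)
    result["after_sanitize"] = scan_for_card_numbers(disk)
    return result

if __name__ == "__main__":
    print(demo())
```

The same scan, run over a drive image before it leaves the organisation, is a cheap verification step for a sanitisation procedure: if it still finds Luhn-valid runs, the wipe did not happen.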
"Most techniques that people use to assure information
privacy fail when data storage equipment is sold onto the
secondary market," the researchers write in an article to
appear in the IEEE magazine Security and Privacy. "The
results of even this limited initial analysis indicate that
there are no standard practices in the industry [for
sanitizing disks]."
A customer database and the current access codes to the
supposedly secure Intranet of one of Europe's largest
financial services groups were left on a hard disk offered for
sale on eBay. The disc was subsequently purchased for just
£5 by mobile security outfit Pointsec Mobile Technologies.
According to Pointsec, one of the hard discs contained
"highly sensitive information from one of Europe's largest
financial services groups with pension plans, customer
databases, financial information, payroll records, personnel
details, login codes, and admin passwords for their secure
Intranet site. There were 77 Microsoft Excel documents of
customers email addresses, dates of birth, their home
addresses, telephone numbers and other highly confidential
information, which if exposed publicly could cause
irrevocable damage to the company." Pointsec isn't prepared
to name the careless company.
The incident recalls the episode four years ago when Sir
Paul McCartney's banking details were discovered on a
second-hand computer discarded by merchant bankers Morgan
Grenfell Asset Management. The PC was released into the
second-user market without first being wiped clean of data,
a precaution that the majority of sellers still fail to
take.
Pointsec purchased 100 hard discs over an auction site as
part of its research into the "lifecycle of a lost laptop".
Pointsec found that they were able to read seven out of 10
hard-drives bought over the Internet at auctions such as
eBay despite the fact that all of them had "supposedly" been
"wiped-clean" or "re-formatted". The company said the
exercise illustrated how easy it is for identity thieves or
opportunists to access highly sensitive and valuable company
information from lost laptops and hard-drives. All the 100
hard drives and laptops purchased as part of Pointsec's
research will be destroyed.
Lost in transit
The researchers also wanted to find out how easy it is to
purchase and access information on laptops that are lost in
transit at an airport such as Gatwick, or handed in to the Police. In
all cases they found the laptops and all the information
residing on them, were put up for auction if they were not
reclaimed after three months. Pointsec visited one of the
auctions used by Gatwick airport, near Chertsey and found
that before even purchasing the laptops, the researchers
were able to start up the laptops to inspect whether they
worked. Using password recovery software they were able to
access the information on one in three of these laptops. The
exercise was repeated in Sweden, the US and Germany.
In Sweden, the first laptop Pointsec purchased at auction
contained sensitive information from a large food
manufacturer. When the hard disc was analysed they found
four Microsoft Access databases containing company and
customer related information and 15 Microsoft PowerPoint
presentations containing highly sensitive company
information.
Tony Neate, Tactical & Technical Industry Liaison at the
UK National Hi-Tech Crime Unit said: "Pointsec's research
demonstrates just how easy it is to access information which
is not adequately protected. Encryption and other security
measures are vital to ensure that security is not
compromised - something as simple as a hard disk drive
password can deter the opportunist."