Wednesday, September 30, 2009

Cybercriminals breach payroll services firm, go after customers' computers

What's happening: After breaking into the computer systems of a payroll processing company, cybercriminals sent emails to the company's customers. Users who clicked on a link in the email had their computers taken over by the attacker, resulting in the theft of their user-ids and passwords. According to the Post, the malware used to break into the payroll processing company is poorly detected by most anti-virus products.

What it means: First, the top echelon of cybercriminals has become very focused and targeted. While random attacks are still common, companies are increasingly coming under targeted attack. Second, we continue to see malware that slips past anti-virus products. Third, phishing attacks are also becoming very targeted; the emails used in this attack addressed recipients by name and included portions of their passwords, details the attackers could only have taken from the breached payroll company's systems.

What to do: This is another example of what we've already written. Senior management must proactively manage the security of sensitive information through policies, awareness training, oversight of the IT security management function, etc. They should also strongly consider adding an intrusion detection / prevention solution alongside their current anti-virus / anti-spyware product, since anti-virus alone is not catching this malware. Users must follow the mantra of an earlier blog: "Trust no one."

**********************************
From Brian Krebs; Washington Post: Hackers Breach Payroll Giant, Target Customers

Hackers last week apparently used stolen account information from a New Jersey company that provides online payroll services to target the firm's customers in a scheme to steal passwords and other information.

http://voices.washingtonpost.com/securityfix/2009/09/hackers_breach_payroll_giant_t.html

Monday, September 28, 2009

Cybercriminals rob not-for-profit healthcare providers

What's happening: Several not-for-profit health care providers have been hit with the same kind of online bank fraud that's affecting businesses and schools. Banks are resisting returning the stolen money, claiming they follow "commercially reasonable practices."

What it means: Every organization must assume that they will come under attack and prepare accordingly. As our post from August 27 says: Trust No One.

What to do: Management must get on top of this problem. Train staff to recognize cybercrime danger signs. Tightly manage technology controls. Consider adding an intrusion detection / prevention solution alongside your anti-virus / anti-spyware product. Check your cyber-insurance. Be prepared to sue your bank: Email your attorney our Guide: An Emerging Information Security Minimum Standard of Due Care.

**********************************
From Brian Krebs; Washington Post: Cyber Gangs Hit Healthcare Providers

Organized cyber thieves that have stolen millions from corporations and schools over the past few months recently defrauded several health care providers, including a number of non-profit organizations that cater to the disabled and the uninsured.

http://voices.washingtonpost.com/securityfix/2009/09/irs_scam_e-mail_could_be_costl.html

Cybercriminals use fake IRS emails to steal on-line banking credentials

What's happening: U.S.-CERT has issued an alert stating: "attacks arrive via an unsolicited email message and may contain a subject line of 'Notice of Underreported Income.' These messages may contain a link or attachment. If users click on this link or open the attachment, they may be infected with malicious code" designed to steal bank account credentials.

What it means: Users who fall for this scam are (1) giving control of their computers to cybercriminals; (2) exposing their organizations to online bank fraud.

What to do: Continue training users not to fall for phishing attacks. Take all the other steps to protect yourself from online bank theft that we've already discussed. Strongly consider adding an intrusion detection / prevention solution alongside your current anti-virus / anti-spyware product.

**********************************
From Brian Krebs; Washington Post: New IRS Scam E-mail Could Be Costly

The Department of Homeland Security's Computer Emergency Readiness Team is warning Internet users to be on guard against a convincing e-mail virus scam disguised as a message from auditors at the Internal Revenue Service. According to one victim interviewed by Security Fix, falling for the ruse could cost you or your employer tens of thousands of dollars.

http://voices.washingtonpost.com/securityfix/2009/09/irs_scam_e-mail_could_be_costl.html

Wednesday, September 23, 2009

Security of Online Banking Threatened by Defeat of Two-Factor Authentication

What's happening: Cybercriminals have learned how to steal money from business bank accounts even when bank security controls include second-factor authentication.

What it means: Most banks and businesses believe online banking is safe when protected with what's known as second-factor [or multi-factor] authentication. While second-factor authentication is a step up over single-factor, it is still not fail-safe. Take a look at our blog posting about a $447,000 cybertheft from a company that uses second-factor authentication. The two stories below describe how easily cybercriminals bypass second-factor authentication: malware on the customer's PC captures the one-time password and relays it to the bank in real time, before the code expires, so the second factor proves only that a session was opened, not that the transfer was the customer's. After bypassing inadequate protection of the IT infrastructure, the cybercriminals succeed by taking advantage of untrained, unaware staff.

What to do: Management must get on top of this problem. Train staff to recognize cybercrime danger signs. Tightly manage technology controls. Consider adding an intrusion detection / prevention solution alongside your anti-virus / anti-malware product. Check your cyber-insurance. Be prepared to sue your bank: Email our Guide: An Emerging Information Security Minimum Standard of Due Care to your attorney.

**********************************
From ZDNet: Modern banker malware undermines two-factor authentication

Once pitched as an additional layer of security for E-banking transactions, two-factor authentication is slowly becoming an easy to bypass authentication process, to which cybercriminals have successfully adapted throughout the last couple of years. http://blogs.zdnet.com/security/?p=4402

From MIT Technology Review: Real-Time Hackers Foil Two-Factor Security. One-time passwords are vulnerable to new hacking techniques. http://www.technologyreview.com/computing/23488/
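The following is an added illustration of the point the two stories above make; it is not code from either article, and the bank, token and attacker in it are toy constructions. It models a customer whose PC is under a criminal's control: the attacker relays the customer's live password and fresh one-time code to the bank within the code's validity window, swapping in a money mule as the payee. Against a bank whose one-time code only proves the login, the swapped transfer goes through. The second bank in the example goes beyond what the two stories describe: it requires the code to be computed over the amount and payee, so the relayed code stops matching once the payee is changed. The HMAC construction, the 30-second time step, the shared seed and the password are assumptions for the demo.

```python
"""Why a one-time password does not by itself protect a bank transfer.

Added example for this blog, not code from the articles cited above.
Seed, password, time step and the HMAC construction are constructed assumptions.
"""
import hashlib
import hmac
import struct

TIME_STEP = 30                            # assumed OTP validity window in seconds
PASSWORD = "s3cret"                       # constructed demo password
TOKEN_SEED = b"constructed-demo-seed"     # assumed secret shared by token and bank


def otp_code(seed: bytes, now: int, bound_to: bytes = b"") -> str:
    """TOTP-style 6-digit code. With bound_to empty this is a plain login code;
    with transaction details in bound_to the code is only valid for that exact
    amount and payee."""
    counter = struct.pack(">Q", now // TIME_STEP)
    digest = hmac.new(seed, counter + bound_to, hashlib.sha1).digest()
    return "%06d" % (int.from_bytes(digest[-4:], "big") % 1_000_000)


def tx_bytes(amount: int, payee: str) -> bytes:
    """Canonical encoding of the transaction the code is bound to."""
    return f"{amount}:{payee}".encode()


def otp_login_bank(req: dict, now: int) -> str:
    """Bank 1: the one-time code proves the *session*; after that any transfer
    the session submits is honoured."""
    ok_pw = hmac.compare_digest(req["password"], PASSWORD)
    ok_code = hmac.compare_digest(req["code"], otp_code(TOKEN_SEED, now))
    if not (ok_pw and ok_code):
        return "rejected"
    return f"sent {req['amount']} to {req['payee']}"


def transaction_signing_bank(req: dict, now: int) -> str:
    """Bank 2: the code must have been computed over the amount and payee
    actually being sent, so a code captured for one transfer cannot
    authorise a different one."""
    ok_pw = hmac.compare_digest(req["password"], PASSWORD)
    expected = otp_code(TOKEN_SEED, now, tx_bytes(req["amount"], req["payee"]))
    ok_code = hmac.compare_digest(req["code"], expected)
    if not (ok_pw and ok_code):
        return "rejected"
    return f"sent {req['amount']} to {req['payee']}"


def customer_request(amount: int, payee: str, now: int, bound: bool) -> dict:
    """What the customer's browser submits; the token supplies the code."""
    bound_to = tx_bytes(amount, payee) if bound else b""
    return {"password": PASSWORD, "code": otp_code(TOKEN_SEED, now, bound_to),
            "amount": amount, "payee": payee}


def relay_attack(req: dict, mule: str) -> dict:
    """Real-time man-in-the-middle / man-in-the-browser: forwards the victim's
    live password and still-valid code, but changes the destination."""
    tampered = dict(req)
    tampered["payee"] = mule
    return tampered


def run_scenarios(now: int = 1_254_268_800):
    """Returns (legit at bank 1, relayed at bank 1, legit at bank 2, relayed at bank 2)."""
    legit = customer_request(9_870, "payee-001", now, bound=False)
    relayed = relay_attack(legit, "mule-101")
    legit_signed = customer_request(9_870, "payee-001", now, bound=True)
    relayed_signed = relay_attack(legit_signed, "mule-101")
    return (
        otp_login_bank(legit, now),
        otp_login_bank(relayed, now),                   # accepted: code proved only the session
        transaction_signing_bank(legit_signed, now),
        transaction_signing_bank(relayed_signed, now),  # rejected: code bound to the original payee
    )


if __name__ == "__main__":
    for label, result in zip(("login-OTP bank, honest", "login-OTP bank, relayed",
                              "signing bank, honest", "signing bank, relayed"), run_scenarios()):
        print(f"{label:28s} -> {result}")
```

The relay succeeds at the first bank with no cryptographic weakness at all: the attacker never needs the seed, only the customer's code for the few seconds it is valid, which is exactly what malware on the customer's PC has. That is why the "separate PC used only for on-line banking" advice elsewhere on this blog matters: it removes the attacker's foothold rather than relying on the token.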

Company sues bank after $588,000 stolen by cyberthieves

What's happening: Another corporate victim of cybertheft goes public; sues bank over sophisticated online bank heist

What it means: This is our 9th posting on online bank theft in the last month. It illustrates how the world of cybercrime has changed. Cybercriminals are targeting small and medium-size organizations, hacking into their computer systems and stealing money. Banks are reluctant to return the money, claiming that they are following "commercially reasonable" practices. In the case of the bank in the article, they appear not to have been following commercially reasonable practices. Even when banks are following commercially reasonable practices, that may not be sufficient; see our discussion of T. J. Hooper v. Northern Barge in our Guide An Emerging Information Security Minimum Standard of Due Care where Judge Learned Hand wrote: in most cases reasonable prudence is in fact common prudence; but strictly it is never its measure ... there are precautions so imperative that even their universal disregard will not excuse their omission.

What to do: Management must get on top of this problem. Check bank transactions daily. Train staff to recognize cybercrime danger signs. Tightly manage technology controls. Consider a separate PC used only for on-line banking. Check your cyber-insurance. Be prepared to sue your bank: Email our Guide: An Emerging Information Security Minimum Standard of Due Care to your attorney.

**********************************
From Brian Krebs; Washington Post: Maine Firm Sues Bank After $588,000 Cyber Heist

A construction firm in Maine is suing a local bank after cyber thieves stole more than a half million dollars from the company in a sophisticated online bank heist.

http://voices.washingtonpost.com/securityfix/2009/09/construction_firm_sues_bank_af.html

Tuesday, September 22, 2009

Cyberthieves using Twitter to sell fake antivirus software

What's happening: Cyberthieves are exploiting weak account-creation controls on Twitter to mass-produce bogus accounts that push fake antivirus software.

What it means: The Twitter situation corroborates IBM's recent study of web security, which described "an unprecedented state of Web insecurity as Web client, server and content threats converge to create an untenable risk landscape." See our blog posting http://citadelonsecurity.blogspot.com/2009/08/ibm-online-threat-report-trust-no-one.html.

What to do: Don't fall for "scareware" ads: a pop-up or tweet claiming your PC is infected and offering a download to clean it. Keep your systems patched -- not just Windows but Acrobat Reader, Java, Flash and all the other software on your PC. Keep Twitter, Facebook and other social sites out of the corporate environment. Consider adding an intrusion detection / prevention solution alongside your anti-virus / anti-malware product.

**********************************
From Computerworld: Scammers auto-generate Twitter accounts to spread scareware.
They use bogus accounts, real tweets, to dupe people into installing fake antivirus software.

http://www.computerworld.com/s/article/9138361/Scammers_auto_generate_Twitter_accounts_to_spread_scareware?source=CTWNLE_nlt_security_2009-09-22

Wednesday, September 16, 2009

Adding Insult to Injury, Cybercrime Victims May Be Faced with Expensive "Breach Notification" Costs

What's happening: Cyberthieves stealing money from corporate bank accounts are also triggering "breach disclosure" laws

What it means: At least 44 states plus the District of Columbia have "breach disclosure" laws requiring businesses and other organizations to notify consumers when they have reason to believe that private consumer information has been compromised. According to insurance industry studies, current "breach notification costs" exceed $200 for every person that has to be notified.

What to do: Take all the steps we've previously identified to keep from being a cybercrime victim. Delete sensitive private information of customers when it is no longer needed. As part of breach disclosure planning, know how to contact customers should you need to notify them of a breach. Talk to your insurance broker about breach-notification insurance.

**********************************

Brian Krebs: Washington Post:

Data Breach Highlights Role Of 'Money Mules'

On Friday, Brunswick, Maine-based heating and hardware firm Downeast Energy & Building Supply sent a letter notifying at least 850 customers that the company had suffered a data breach. Downeast sent the notice after discovering that hackers had broken in and stolen more than $200,000 from the company's online bank account.

The attack on Downeast Energy bears all the hallmarks of online thieves who have stolen millions from dozens of other businesses, schools and counties over the past several months. In every case, the thieves appeared more interested in quick cash than in pilfering their victims' customer databases. Nevertheless, the intrusions highlight an additional cost for victims of this type of crime: complying with state data breach notification laws.

http://voices.washingtonpost.com/securityfix/2009/09/money_mules_carry_loot_for_org.html?hpid=sec-tech

Tuesday, September 15, 2009

Like Generals, in Battle Against Cybercrime IT Staff Are Fighting Yesterday's War

What's happening: A new study from the respected SANS Institute finds that as IT departments have become better at defending against yesterday's cyberthreats, cybercriminals have moved on to a new generation of ever-more sophisticated attacks.

What it means: Sensitive corporate information, including access to the corporate coffers, is not being adequately protected. The security-software company McAfee estimated that companies around the world lost more than $1 trillion to cybercrime in 2008.

What to do: Senior management must proactively manage the way IT staff manages network security. Review IT vulnerability management plans. Consider investing in a modern intrusion detection / prevention system. Since technology defenses alone are inadequate, make sure staff is trained to meet their security responsibilities and that they know cybercrime warning signals. Talk to your insurance broker about cybercrime insurance.

**********************************

Security Pros Are Focused on the Wrong Threats
By Riva Richmond
New York Times

Corporate information technology departments are prioritizing the wrong threats to their computer systems, focusing on old problems and leaving their companies open to a raft of new cyberattacks aiming at private customer and corporate information.

http://bits.blogs.nytimes.com/2009/09/15/security-pros-are-focused-on-the-wrong-threats/?hpw

Monday, September 14, 2009

Cyber Crooks Target Public & Private Schools

What's happening: It's not just businesses that are losing money to cybercriminals. This post shows that schools are also at risk. We can conclude, by inference, that not-for-profits are being hit as well. The news just hasn't surfaced.

What it means: Every small and medium size organization is at financial risk from cybercrime.

What to do: Management must get on top of this problem. Check bank transactions daily. Train staff to recognize cybercrime danger signs. Tightly manage technology controls. Consider a separate PC used only for on-line banking. Check your cyber-insurance. Be prepared to sue your bank: Email our Guide An Emerging Information Security Minimum Standard of Due Care to your attorney.


**********************************

Brian Krebs: Washington Post: A gang of organized cyber criminals that has stolen millions from businesses across the United States over the past month appears to have turned its sights on public schools and universities.

On the morning of Aug. 17, hackers who had broken into computers at the Sanford School District in tiny Sanford, Colorado initiated a batch of bogus transfers out of the school's payroll account. Each of the transfers was kept just below $10,000 to avoid banks' anti-money laundering reporting requirements, and went out to at least 17 different accomplices or "money mules" that the attackers had hired via work-at-home job scams.

http://voices.washingtonpost.com/securityfix/2009/09/cyber_mob_targets_public_priva.html?wprss=securityfix
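The Sanford excerpt above describes a pattern that a daily review of bank transactions, which this blog keeps recommending, can catch mechanically: a burst of outgoing transfers, each kept just under the $10,000 reporting line, to payees the account has never paid before. The following is an added example for this blog, not Citadel's or any bank's code; the threshold, the "just under" margin, the two-hour window, the batch size and every ledger row are constructed assumptions. It scans an exported ledger, tracks which payees have been seen before, and raises one alert per batch.

```python
"""Flag batches of near-threshold transfers to first-time payees.

Added example for this blog, not code from any bank or from Citadel.
Threshold, margin, window, minimum batch size and the ledger rows are constructed.
"""
from datetime import datetime, timedelta

REPORT_THRESHOLD = 10_000.00         # assumed currency-reporting line
NEAR_MARGIN = 0.10                   # "just under" = within 10% below the line
BATCH_WINDOW = timedelta(hours=2)    # transfers this close together form one batch
MIN_BATCH_SIZE = 5                   # fewer than this is not worth an alert

# Constructed ledger: (initiated, payee, amount). Two routine payroll runs, then a
# Monday-morning burst to never-before-seen payees, each just under $10,000.
LEDGER = [
    ("2009-08-03 09:02", "payee-001", 2_450.00),
    ("2009-08-03 09:02", "payee-002", 3_100.00),
    ("2009-08-10 09:01", "payee-001", 2_450.00),
    ("2009-08-10 09:01", "payee-002", 3_100.00),
    ("2009-08-17 08:12", "mule-101", 9_870.00),
    ("2009-08-17 08:13", "mule-102", 9_910.00),
    ("2009-08-17 08:13", "mule-103", 9_650.00),
    ("2009-08-17 08:14", "mule-104", 9_990.00),
    ("2009-08-17 08:15", "mule-105", 9_720.00),
    ("2009-08-17 08:16", "mule-106", 9_880.00),
]


def is_near_threshold(amount, threshold=REPORT_THRESHOLD, margin=NEAR_MARGIN):
    """True for amounts at or above (1 - margin) * threshold but below threshold."""
    return threshold * (1 - margin) <= amount < threshold


def find_structured_batches(ledger, window=BATCH_WINDOW, min_size=MIN_BATCH_SIZE):
    """Return a list of batches; each batch is a list of (timestamp, payee, amount)
    rows that are near the threshold, go to a payee not paid earlier in the
    ledger, and were initiated within `window` of the batch's first row."""
    rows = sorted((datetime.strptime(ts, "%Y-%m-%d %H:%M"), payee, amt)
                  for ts, payee, amt in ledger)

    # Pass 1: keep only suspicious rows, in time order.
    seen_payees = set()
    candidates = []
    for ts, payee, amt in rows:
        if payee not in seen_payees and is_near_threshold(amt):
            candidates.append((ts, payee, amt))
        seen_payees.add(payee)

    # Pass 2: group consecutive candidates that fall inside one window.
    batches = []
    start = 0
    while start < len(candidates):
        end = start
        while (end + 1 < len(candidates)
               and candidates[end + 1][0] - candidates[start][0] <= window):
            end += 1
        if end - start + 1 >= min_size:
            batches.append(candidates[start:end + 1])
        start = end + 1
    return batches


def describe(batch):
    """One-line alert text for the person doing the daily transaction review."""
    first, last = batch[0][0], batch[-1][0]
    total = sum(amt for _, _, amt in batch)
    return (f"{len(batch)} transfers totalling {total:,.2f} to new payees between "
            f"{first:%Y-%m-%d %H:%M} and {last:%H:%M}, all just under {REPORT_THRESHOLD:,.0f}")


if __name__ == "__main__":
    for batch in find_structured_batches(LEDGER):
        print("ALERT:", describe(batch))
```

Run against the constructed ledger it raises a single alert for the six mule payments and stays silent on the two normal payroll runs. The "new payee" test is what gives the rule its low noise: legitimate payroll goes to the same accounts every period, while the mules are recruited fresh for each job.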

Thursday, September 10, 2009

Cyber Thieves Steal $447,000 From Wrecking Firm

What's happening: News continues to surface of businesses being hit by cybercriminals. This story is particularly bad in that the company and the bank had strong technology in-place (multifactor authentication) designed to prevent this kind of attack. Unfortunately, an employee missed a clear danger signal.

What it means: Cybercriminals can get by the best technology in the world when employees aren't sensitive to the danger signs.

What to do: Check bank transactions daily. Consider a separate PC used only for on-line banking. Train staff to recognize on-line danger signs. Check your cyber-insurance. Be prepared to sue your bank: email our Guide An Emerging Information Security Minimum Standard of Due Care to your attorney.


***********************************

Brian Krebs; Washington Post: Organized cyber thieves are increasingly looting businesses in heists that can net hundreds of thousands of dollars. ... In mid-July, computer crooks stole $447,000 from Ferma Corp., a Santa Maria, Calif.-based demolition company, by initiating a large batch of transfers from Ferma's online bank account to 39 "money mules," willing or unwitting accomplices who typically are ensnared via job search Web sites into bogus work-at-home schemes.

http://voices.washingtonpost.com/securityfix/2009/09/cyber_theives_steal_447000_fro.html#more

Updates Plug iPhone, QuickTime Security Holes

What's happening: All software has vulnerabilities; weaknesses that cybercriminals exploit to break into computers. As software developers find these vulnerabilities, they release fixes for them.

What it means: An unpatched system is the devil's playground. Cybercriminals gain access to computers by exploiting vulnerabilities in unpatched software. Standard antivirus/antispyware protection may be ineffective against these attacks.

What to do: Management must make sure IT staff is diligently patching computers, not just Windows but all the software on the computer. Home computers also need to be patched. Consider adding newer intrusion detection and prevention technology alongside antivirus/antimalware.

***************************

Brian Krebs; Washington Post: Apple has shipped a security update to fix multiple vulnerabilities in the iPhone and iPod Touch. The company also pushed out a patch to plug security holes in Windows and Mac versions of its QuickTime media player ... The QuickTime update brings that software to version 7.6.4 and fixes at least four separate security problems. Apple users can grab the update via Software Update, while Windows users will need to use the bundled Apple Software Updates application. The iPhone and iPod Touch updates are only available through iTunes.

http://voices.washingtonpost.com/securityfix/2009/09/new_updates_plug_iphone_quickt.html

Wednesday, September 9, 2009

Critical bug infests newer versions of Microsoft Windows

What's happening: A vulnerability has been found in a critical portion of Windows Vista and other newer versions of Windows for which Microsoft does not yet have a patch, and exploit code is already public.

What it means: Vulnerabilities without patches are particularly serious because cybercriminals move quickly to exploit a known problem before a fix is available. Standard antivirus/antispyware protection may be ineffective against these attacks.

What to do: Management must alert IT staff to get in front of the problem and apply mitigating controls until the patch ships. Ask IT staff for guidance with home computers. Warn staff to be particularly alert to danger signals. Consider adding newer intrusion detection and prevention solutions alongside antivirus/anti-spyware.

**********************************

The Register: Microsoft has promised to patch a serious flaw in newer versions of its Windows operating system after hackers released exploit code that allows them to take complete control of the underlying machines. The flaw affects various versions of Windows Vista, 2008, and the release candidate version of Windows 7.

Marc Maiffret, director of professional services at our strategic partner The DigiTrust Group, is quoted in the article.

http://www.theregister.co.uk/2009/09/09/microsoft_windows_security_bug/

Tuesday, September 8, 2009

Microsoft Fixes Eight Security Flaws

What's happening: All software has vulnerabilities; weaknesses that cybercriminals exploit to break into computers. As software developers find these vulnerabilities, they release fixes for them.

What it means: An unpatched system is the devil's playground. Cybercriminals gain access to computers by exploiting vulnerabilities in unpatched software. Standard antivirus/antispyware protection may be ineffective against these attacks.

What to do: Management must make sure IT staff is diligently patching computers, not just Windows but all the software on the computer. Home computers also need to be patched. Consider adding newer intrusion detection and prevention technology alongside antivirus/antimalware.

**********************************

Brian Krebs; Washington Post: Microsoft today pushed out software updates to plug at least eight critical security holes in computers powered by its various Windows operating systems. The patches are available through Windows Update or via Automatic Updates. ... The flaws were addressed in a bundle of five patches, each of which earned Microsoft's most dire "critical" rating, meaning they are serious enough that attackers could break into systems without any help from users.

http://voices.washingtonpost.com/securityfix/

Monday, September 7, 2009

Citadel's Stan Stahl talks about web security and mobile banking with Biz Coach, Terry Corbell

Read why I say: “cell phone on-line banking is a big NO!!!”

http://www.bizcoachinfo.com/archives/1399

Personal Privacy Threatened: How Secure Are Your Email Passwords?

Washington Post: When Elaine Cioni found out that her married boyfriend had other girlfriends, she became obsessed, federal prosecutors say. So she turned to YourHackerz.com. ... And for only $100, YourHackerz.com provided Cioni, then living in Northern Virginia, with the password to her boyfriend's AOL e-mail account, court records show.

Some Major Email Hacking Cases:
Sarah Palin
Dave Briggs
The Twitter Hack
Miley Cyrus
Paris Hilton
George Mason University Provost Peter N. Stearns

http://www.washingtonpost.com/wp-dyn/content/article/2009/09/06/AR2009090602238.html?wpisrc=newsletter

Sunday, September 6, 2009

Hackers already exploiting IIS flaws

What's happening: Vulnerabilities have been found in Microsoft's Internet Information Services (IIS) web server software, and attackers are already exploiting them.

What it means: Web servers are directly exposed to the internet, and we often find that IT staff miss patching these vulnerabilities.

What to do: Better safe than sorry. Readers should forward this post to their IT staff in case they missed it. Management should make sure IT staff have a rigorous vulnerability identification and management plan in place.

**********************************

Phil Muncaster; V3.co.uk: Microsoft has revealed that hackers are already exploiting newly disclosed vulnerabilities in its Internet Information Services (IIS) web server software.

http://www.v3.co.uk/v3/news/2248979/hackers-already-exploiting-iis

Saturday, September 5, 2009

Hackers embed malicious links in websites about stars like Biel

What's happening: This post is a good illustration of just how dangerous the internet has become. Criminals put their own malicious computer programs on legitimate websites. These programs are designed to exploit unpatched vulnerabilities on the computers of visitors to the website. When a user accesses the website, the criminal's program is run and the user's computer is now under the control of the criminal.

What it means: Having taken control of the user's computer, the cybercriminal can steal bank account passwords, send spam, store hacker tools or do whatever else he wants. And the user may likely never know. Traditional antivirus / antispyware tools are often ineffective against these attacks.

What to do: Train staff to recognize danger signs. Diligently keep computers patched. Consider adding intrusion detection / prevention technology alongside antivirus / anti-spyware products. Consider using Firefox with the NoScript add-on instead of Internet Explorer. Check your cyber-insurance. Be careful at home as well.

**********************************

USA Today: Anti-virus firm McAfee recently analyzed search results for queries using celebrity names on Google, Bing and Yahoo Search. This ranking shows the likelihood, in percentage terms, that someone doing a celebrity-related search will click on a bad link that could turn control of his or her computer over to an intruder.

http://www.usatoday.com/tech/news/2009-09-02-bad-links-hackers-stars-internet_N.htm

Friday, September 4, 2009

Court Allows Woman to Sue Bank for Lax Security After $26,000 Stolen by Hacker

What's happening: Banks continue to assert they are not responsible when cyberthieves show up at the online-teller-window with legitimate user-ids and passwords. This lawsuit will test that assertion.

What it means: Banks may be losing the shield they have been hiding behind that absolves them of responsibility for cybercrime.

What to do: Stay tuned as we watch the legal playing field evolve. Email our Guide An Emerging Information Security Minimum Standard of Due Care to your attorney.

**********************************


Threat Level; Wired Magazine: An Illinois district court has allowed a couple to sue their bank on the ... grounds that it may have failed to sufficiently secure their account, after an unidentified hacker obtained a $26,500 loan on the account using the customers’ user name and password. ... As initially reported by legal blogger, David Johnson, Marsha and Michael Shames-Yeakel sued Citizens Financial Bank in 2007 in the northern district of Illinois on several grounds, including a claim that the bank failed to provide state-of-the-art security measures to protect their account. ... Judge Pallmeyer stated that, “In light of Citizens’ apparent delay in complying with FFIEC security standards, a reasonable finder of fact could conclude that the bank breached its duty to protect Plaintiffs’ account against fraudulent access.”

http://www.wired.com/threatlevel/2009/09/citizens-financial-sued/

More Business Banking Victims Speak Out

What's happening: News continues to surface of businesses being hit by cybercriminals.

What it means: Cybercriminals are shooting fish in a barrel.

What to do: Management must get on top of this problem. Staff must be trained to recognize danger signs. Technology controls must be tightly managed. Check bank transactions daily. Consider a separate PC used only for on-line banking. Don't assume you're secure; our experience is that you are not. Check your cyber-insurance. Be prepared to sue your bank: Email our Guide An Emerging Information Security Minimum Standard of Due Care to your attorney.


**********************************

Brian Krebs; Washington Post: Since our story about Eastern European cyber crooks targeting small to mid-sized U.S. businesses ran last week, I've heard from a few more victims.

http://voices.washingtonpost.com/securityfix/2009/09/more_business_banking_victims.html

Thursday, September 3, 2009

Apple Updates Java, Backdates Flash

Brian Krebs; Washington Post: Apple Thursday shipped an update to plug a slew of critical security holes in its version of Java for Leopard systems (OS X 10.5). In other Apple patch news, it appears those who have updated to the latest version of OS X -- 10.6/Snow Leopard -- received an insecure version of the Adobe Flash player. http://voices.washingtonpost.com/securityfix/2009/09/apple_updates_java_backdates_f.html

Tuesday, September 1, 2009

5 More Indicted in Probe of International Carding Ring

Threat Level; Wired Magazine: Five eastern European men were indicted in New York on Monday as part of an international ring allegedly responsible for at least $4 million in credit card theft.

The ring, which authorities dubbed the Western Express Cybercrime Group, operated between 2001 and 2007 and trafficked in at least 95,000 known stolen credit card numbers, including some belonging to victims in New York, where the case is being prosecuted by the Manhattan District Attorney’s office.

The ring allegedly operated an online carding forum called the International Association for the Advancement of Criminal Activity, where thieves trafficked in stolen credit card numbers and other information. The defendants also allegedly forged credit cards using stolen numbers, and turned them into cash with the unwitting help of eBay users.

http://www.wired.com/threatlevel/2009/09/westernexpress/

Blog Purpose: Assist Senior Management Secure Organization Against Cybercrime Threat

"The secret of success lies in managing risk, not ignoring it.”
Merrill Rukeyser

Cyberspace has become the new Wild Wild West. Cybercriminals roam at will. They steal our money. They steal our identities. They steal our business' intellectual property. They control our computers. They threaten our children. They even threaten our national defense.

In the earlier days of the internet, threats to information systems rarely drew the attention of senior management. The mantra of the day was firewall and anti-virus. And most of the time that was enough.

That’s changed. Just glance at three of our recent bloglines:
· Cyber Thieves Steal $447,000 From Wrecking Firm
· More Business Banking Victims Speak Out
· Eastern European cyber gangs stealing millions from small to mid-size businesses through online banking fraud

These aren’t the stories of pimply-faced 14-year olds proving their manhood by launching I Love You viruses on the still-pure internet. No. These are the stories of criminals stealing money from corporate bank accounts.

If this isn’t business at risk, we don’t know what is!

Senior management can no longer ignore the risk of cybercrime. The price of inattention has grown too high.

Senior management must take responsibility for managing the risk of cybercrime.

CitadelOnSecurity is all about how to do this.

Effectively managing cyber-risk requires understanding the cybercrime challenge. It requires knowing the information security management strategies and tactics required to meet this challenge. And it requires insightful leadership to integrate these strategies and tactics into the broader organizational culture.

It is the purpose of CitadelOnSecurity to provide you this understanding, knowledge and insight.

CitadelOnSecurity is organized into three main elements:
  1. Cybercrime news stories categorized into topical elements for easy browsing. We post these stories because they say something important about the cybercrime threat and what’s required to successfully manage cyber-risk.
  2. Citadel information security management guides designed to provide practical usable information and guidance on managing cyber-risk.
  3. Citadel thought-pieces—like this one—designed to provide more of a big-picture perspective about information systems security.

There’s an old saying that when life gives you lemons, make lemonade. It’s no different with cybercrime.

The lemons of cybercrime provide the ingredients for competitive advantage. As the threat of cybercrime grows, consumers and businesses alike are increasingly insisting that the organizations they do business with take effective steps to manage the security of their information. This means that organizations with strong security management will have a competitive advantage over those that do not. Thus, investments in information security management have the opportunity to translate into a positive return on that investment. Sometimes good deeds are rewarded.

Stan Stahl, Ph.D.
President
Citadel Information Group