KrebsOnSecurity.com reports that "cyber thieves stole more than $600,000 from the Catholic Diocese of Des Moines, Iowa earlier this month. The funds were spirited away with the help of dozens of unwitting co-conspirators hired through work-at-home job scams, at least one of whom was told the money was being distributed to victims of the Catholic Church sex abuse scandals."
According to Krebs "In a statement released last week, the diocese said the fraud occurred between Aug. 13 and Aug. 16, apparently after criminals had stolen the diocese’s online banking credentials. The Diocese it was alerted to the fraud on Aug. 17 by its financial institution, Bankers Trust of Des Moines. ... The diocese also said the FBI and U.S. Treasury Department were notified, and that the FBI had taken possession of several diocesan computers. To date, roughly $180,000 has been recovered. ... The diocese added that law enforcement had advised them that the theft seems to have been the work of a highly sophisticated operation based overseas, which moved the stolen money out of the United States by recruiting people who unknowingly act as intermediaries."
Monday, August 30, 2010
Saturday, August 28, 2010
Might the Best CyberSecurity Defense Be a Good Offense?
According to a story in the Washington Post, the Pentagon is developing a suite of advanced generation cyber-defense weapons that can best be described as "taking the battle to the enemy." The tools can "attack and exploit adversary information systems" and can "deceive, deny, disrupt, degrade and destroy" information and information systems, according to Defense Department budget documents.
Gen. Keith Alexander, the head of the Pentagon's new Cyber Command, told an audience in Tampa this month "We have to have offensive capabilities, to, in real time, shut down somebody trying to attack us."
Deputy Secretary of Defense William J. Lynn III has said the approach includes "reaching out" to block malicious software "before they arrive at the door" of military networks. "We need to be able to protect our networks," Lynn said in a May interview. "And we need to be able to retain our freedom of movement on the worldwide networks."
Military officials have declared that cyberspace is the fifth domain - along with land, air, sea and space - and is crucial to battlefield success.
Gen. Keith Alexander, the head of the Pentagon's new Cyber Command, told an audience in Tampa this month "We have to have offensive capabilities, to, in real time, shut down somebody trying to attack us."
Deputy Secretary of Defense William J. Lynn III has said the approach includes "reaching out" to block malicious software "before they arrive at the door" of military networks. "We need to be able to protect our networks," Lynn said in a May interview. "And we need to be able to retain our freedom of movement on the worldwide networks."
Military officials have declared that cyberspace is the fifth domain - along with land, air, sea and space - and is crucial to battlefield success.
Friday, August 27, 2010
Cyber-Bank Theft Pits Victim vs Bank. Got Insurance?
KrebsOnSecurity.com reported recently that "a business telephone equipment company in Texas is trying to force its bank to settle a liability claim over an attack by organized cyber thieves last year that cost the company $50,000."
This is a common story which we continue to write about. [See many of our postings under the tag: Financial Systems Security.]
The unfortunate truth [as we wrote in an earlier blog] is that banking laws put the responsibility for cybercrime losses onto the customer. If the customer wants the bank to reimburse it for the fraud losses, it's up to the customer to prove that the bank's security procedures are not commercially reasonable [as that phrase is defined in the Uniform Commercial Code, Article 4A-202]. The result, all too often, is that the customer has little choice but to sue the bank. [See our blog post, for example.]
The good news: There's a very good chance the bank's procedures fail the test of commercial reasonableness. In an analysis of a bank whose customer lost $600,000 when cyberthieves uploaded fraudulent payroll databases, our firm found significant technical, procedural and managerial weaknesses in the banks security procedures. These weaknesses were so egregious that they left us no alternative to the conclusion that the bank's security procedures were not commercially reasonable.
The bad news: The cost of proving the bank's procedures are not commercially reasonable [so that the bank will share in the responsibility for the loss] is huge. I have no idea of the legal fees involved but I do know that fees for expert analysis do not come cheap. Consequently most organizations will not have the deep pockets to sustain a lawsuit, particularly under the cash flow pressures that will inevitably follow a large loss.
That's why Citadel continues to recommend that every organization discuss cybercrime insurance with their insurance broker. As Brian Krebs wrote in his blog KrebsOnSecurity.com "cyber theft insurance can be a reasonable and effective investment in an era when ultra-sophisticated cyber thieves increasingly are defeating the security that surrounds many commercial online banking accounts."
This is a common story which we continue to write about. [See many of our postings under the tag: Financial Systems Security.]
The unfortunate truth [as we wrote in an earlier blog] is that banking laws put the responsibility for cybercrime losses onto the customer. If the customer wants the bank to reimburse it for the fraud losses, it's up to the customer to prove that the bank's security procedures are not commercially reasonable [as that phrase is defined in the Uniform Commercial Code, Article 4A-202]. The result, all too often, is that the customer has little choice but to sue the bank. [See our blog post, for example.]
The good news: There's a very good chance the bank's procedures fail the test of commercial reasonableness. In an analysis of a bank whose customer lost $600,000 when cyberthieves uploaded fraudulent payroll databases, our firm found significant technical, procedural and managerial weaknesses in the banks security procedures. These weaknesses were so egregious that they left us no alternative to the conclusion that the bank's security procedures were not commercially reasonable.
The bad news: The cost of proving the bank's procedures are not commercially reasonable [so that the bank will share in the responsibility for the loss] is huge. I have no idea of the legal fees involved but I do know that fees for expert analysis do not come cheap. Consequently most organizations will not have the deep pockets to sustain a lawsuit, particularly under the cash flow pressures that will inevitably follow a large loss.
That's why Citadel continues to recommend that every organization discuss cybercrime insurance with their insurance broker. As Brian Krebs wrote in his blog KrebsOnSecurity.com "cyber theft insurance can be a reasonable and effective investment in an era when ultra-sophisticated cyber thieves increasingly are defeating the security that surrounds many commercial online banking accounts."
Wednesday, August 25, 2010
Military Computer Attack Confirmed. Classified Systems Breached.
William J. Lynn III, U.S. Deputy Secretary of Defense, has confirmed a previously classified computer attack in which a foreign intelligence agent used a flash drive to infect computers, including those used by the Central Command in overseeing combat zones in Iraq and Afghanistan. Writing in the latest issue of the journal Foreign Affairs, Lynn describes the 2008 incident as "the most significant breach of U.S. military computers ever."
According to Lynn, "The flash drive's malicious computer code, placed there by a foreign intelligence agency, uploaded itself onto a network run by the U.S. Central Command. That code spread undetected on both classified and unclassified systems, establishing what amounted to a digital beachhead, from which data could be transferred to servers under foreign control. It was a network administrator's worst fear: a rogue program operating silently, poised to deliver operational plans into the hands of an unknown adversary."
According to the New York Times, Lynn's "article appeared intended partly to raise awareness of the threat to United States cybersecurity — “the frequency and sophistication of intrusions into U.S. military networks have increased exponentially,” he wrote — and partly to make the case for a larger Pentagon role in cyberdefense.... Various efforts at cyberdefense by the military have been drawn under a single organization, the U.S. Cyber Command, which began operations in late May at Fort Meade, Maryland, under a four-star general, Keith B. Alexander.... But under proposed legislation, the Department of Homeland Security would take the leading role in the defense of civilian systems."
According to Lynn, "The flash drive's malicious computer code, placed there by a foreign intelligence agency, uploaded itself onto a network run by the U.S. Central Command. That code spread undetected on both classified and unclassified systems, establishing what amounted to a digital beachhead, from which data could be transferred to servers under foreign control. It was a network administrator's worst fear: a rogue program operating silently, poised to deliver operational plans into the hands of an unknown adversary."
According to the New York Times, Lynn's "article appeared intended partly to raise awareness of the threat to United States cybersecurity — “the frequency and sophistication of intrusions into U.S. military networks have increased exponentially,” he wrote — and partly to make the case for a larger Pentagon role in cyberdefense.... Various efforts at cyberdefense by the military have been drawn under a single organization, the U.S. Cyber Command, which began operations in late May at Fort Meade, Maryland, under a four-star general, Keith B. Alexander.... But under proposed legislation, the Department of Homeland Security would take the leading role in the defense of civilian systems."
Adobe, Apple Issue Security Updates
KrebsOnSecurity reports that both Adobe and Apple have released security updates or alerts in the past 24 hours. Adobe pushed out a critical patch that fixes at least 20 vulnerabilities in its Shockwave Player, while Apple issued updates to correct 13 flaws in Mac OS X systems.
Apple’s update affects Mac OS X Server 10.5, Mac OS X 10.5.8 , Mac OS X Server 10.6 , Mac OS X 10.6.4 and is available via Software Update or from Apple Downloads.
Krebs writes "The Adobe patch applies to Shockwave Player 11.5.7.609 and earlier on Windows and Mac operating systems. Adobe recommends that users upgrade to Shockwave Player 11.5.8.612, available at this link. But before you do that, you might want to visit this link, which will tell you whether or not you need to update, and indeed whether you currently have Shockwave installed at all. If you visit it and don’t see an animation, then you don’t have Shockwave (and probably aren’t missing it either)."
Apple’s update affects Mac OS X Server 10.5, Mac OS X 10.5.8 , Mac OS X Server 10.6 , Mac OS X 10.6.4 and is available via Software Update or from Apple Downloads.
Krebs writes "The Adobe patch applies to Shockwave Player 11.5.7.609 and earlier on Windows and Mac operating systems. Adobe recommends that users upgrade to Shockwave Player 11.5.8.612, available at this link. But before you do that, you might want to visit this link, which will tell you whether or not you need to update, and indeed whether you currently have Shockwave installed at all. If you visit it and don’t see an animation, then you don’t have Shockwave (and probably aren’t missing it either)."
Friday, August 20, 2010
Was Malware Responsible for Crash of Spanair Flight 5022?
The Registry reports that malware may have been a contributory cause of the crash of Spanair flight JK 5022 crashed in August 2008. The flight crashed moments after taking off from Madrid's Barajas Airport on a scheduled flight to Las Palmas with 172 on board.
According to the Registry, the airline's central computer which registered technical problems on planes was infected by Trojans at the time of the fatal crash and this may have resulted in a failure to raise an alarm over multiple problems with the plane.
According to the Registry, the airline's central computer which registered technical problems on planes was infected by Trojans at the time of the fatal crash and this may have resulted in a failure to raise an alarm over multiple problems with the plane.
Thursday, August 19, 2010
Adobe Issues Acrobat, Reader Security Patches
KrebsOnSecurity.com reports Adobe Systems Inc. today issued software updates to fix at least two security vulnerabilities in its widely-used Acrobat and PDF Reader products. Acrobat and Reader users can update to the latest version, v. 9.3.4, using the built-in updater, by clicking “Help” and then “Check for Updates.”
Krebs writes that "today’s update is an out-of-cycle release for Adobe, which recently moved to a quarterly patch release schedule. ... More information on these patches, such as updating older versions of Acrobat and Reader, is available in the Adobe security advisory."
Krebs writes that "today’s update is an out-of-cycle release for Adobe, which recently moved to a quarterly patch release schedule. ... More information on these patches, such as updating older versions of Acrobat and Reader, is available in the Adobe security advisory."
Wednesday, August 18, 2010
Apple Patches Fix Security Vulnerabilities
KrebsOnSecurity reports Apple has released a series of patches to correct security vulnerabilities in several of its products:
- QuickTime 7.6.7, for Windows 7, Vista and XP
- iTunes 9.2.1, for Mac OS X 10.4.11 or later, and Windows 7, Vista and X
- iOS 3.2.2 Update for iPad, iOS 3.2 and 3.21 for iPad [Addresses the flaw that allowed jailbreaking on 3.21 iPads, iPhones and iTouches.]
- iOS 4.0.2 Update for iPhone and iPod touch (2nd generation or later) [Addresses the flaw that allowed jailbreaking on these devices
- Safari 5.0.1, Update for Mac OS X 10.5.8, 10.6.2 or later, and Windows 7, Vista and XP
- Safari 4, on Mac OS X 10.4.11, OS X Server 10.4.11, et al
Monday, August 16, 2010
Network Solutions Once Again Serves Up Malware
KrebsOnSecurity is reporting that hundreds of thousands of Web sites parked at NetworkSolutions.com have been serving up malicious software thanks to a tainted widget embedded in their pages. The problem has been traced to the “Small Business Success Index” widget, an application that Network Solutions makes available to site owners through its GrowSmartBusiness.com blog. Network Solutions has a history of weak security controls that put visitors to its customers web sites at risk of malware infection. See, e.g., our April 19 blog post.
The report is a reminder to employ defense-in-depth on business and home computer systems, including
The report is a reminder to employ defense-in-depth on business and home computer systems, including
- Keep operating system and all applications patched and up-to-date
- Keep anti-malware software up-to-date with current data files
- Consider switching from less-effective anti-malware solutions to more powerful intrusion detection and prevention systems
- Run Firefox instead of Internet Explorer; Run Firefox with the No-Script add-on if you're technical
Friday, August 13, 2010
Certificate Authorities: A Weak Link in eCommerce and eBanking?
Suppose you call up your banker and ask him to send someone over to pick up a cash deposit. An hour later, a woman who identifies herself as having been sent from the bank arrives at your office. You ask for her credentials and she shows you an ID Card that says she works at the bank. Do you give her the deposit?
Suppose, instead of calling your banker, you go online to your bank. The web page in your browser; it's like Sally. She [the web page] says she's from the bank .. you can even see her "ID card;" the "https:" in the browser window and the "closed lock" in the browser. That lock is something we've learned to trust from the earliest days of the web.
Now comes a story in the New York Times that, perhaps, it's time to adjust our thinking. According to the Times, "those sites which are typically identified by a closed lock displayed somewhere in the Web browser, rely on a third-party organization to issue a certificate that guarantees to a user’s Web browser that the sites are authentic. But as the number of such third-party “certificate authorities” has proliferated into hundreds spread across the world, it has become increasingly difficult to trust that those who issue the certificates are not misusing them to eavesdrop on the activities of Internet users, the security experts say."
The article quotes Peter Eckersley, a senior staff technologist at the Electronic Frontier Foundation, an online civil liberties group, as saying “It is becoming one of the weaker links that we have to worry about.”
According to the Electronic Frontier Foundation, more than 650 organizations can issue certificates that will be accepted by Microsoft’s Internet Explorer and Mozilla’s Firefox, the two most popular Web browsers. Some of these organizations are in countries like Russia and China, which are suspected of engaging in widespread surveillance of their citizens.
The Times reports that Eckersley identified Etisalat, a wireless carrier in the United Arab Emirates, as the weakest link in the "trust chain."
Stephen Schultze, associate director of the Center for Information Technology Policy at Princeton University. is quoted as saying “I think it is a really big deal,” but “is not a reason to panic and stop doing online banking or e-commerce. But it is a bad enough problem that it should be receiving a lot more attention and we should be trying to fix it.”
Suppose, instead of calling your banker, you go online to your bank. The web page in your browser; it's like Sally. She [the web page] says she's from the bank .. you can even see her "ID card;" the "https:" in the browser window and the "closed lock" in the browser. That lock is something we've learned to trust from the earliest days of the web.
Now comes a story in the New York Times that, perhaps, it's time to adjust our thinking. According to the Times, "those sites which are typically identified by a closed lock displayed somewhere in the Web browser, rely on a third-party organization to issue a certificate that guarantees to a user’s Web browser that the sites are authentic. But as the number of such third-party “certificate authorities” has proliferated into hundreds spread across the world, it has become increasingly difficult to trust that those who issue the certificates are not misusing them to eavesdrop on the activities of Internet users, the security experts say."
The article quotes Peter Eckersley, a senior staff technologist at the Electronic Frontier Foundation, an online civil liberties group, as saying “It is becoming one of the weaker links that we have to worry about.”
According to the Electronic Frontier Foundation, more than 650 organizations can issue certificates that will be accepted by Microsoft’s Internet Explorer and Mozilla’s Firefox, the two most popular Web browsers. Some of these organizations are in countries like Russia and China, which are suspected of engaging in widespread surveillance of their citizens.
The Times reports that Eckersley identified Etisalat, a wireless carrier in the United Arab Emirates, as the weakest link in the "trust chain."
Stephen Schultze, associate director of the Center for Information Technology Policy at Princeton University. is quoted as saying “I think it is a really big deal,” but “is not a reason to panic and stop doing online banking or e-commerce. But it is a bad enough problem that it should be receiving a lot more attention and we should be trying to fix it.”
Tuesday, August 10, 2010
Another Survey Tells Same Sad Story of Growing Internet Dangers
McAfee released a report today showing that incidents of malware (malicious software) reached its highest levels ever in the first half of 2010. The company identified 6 million malicious files in the second quarter, making for a total of 10 million malicious files over the first six months of the year. Among the most common attack vectors were attacks targeted to social media users. Password stealing Trojan horses — commonly used used in online bank thefts — were among the most common payloads.
The report reconfirms everything we've been saying since we began our blog 18 months agoThere has been a sea change in cybercrime. Threats are more sophisticated than ever, weaknesses and vulnerabilities abound. Defenses have not kept pace.
The report is a reminder to every organization to take a critical look at its defenses — everything from policies and employee awareness training to modern intrusion prevention systems. It needs to make sure it's employing a cost-effective defense-in-depth strategy covering all three critical information security management domains:
Thanks to Terry Corbell for alerting us to this story.
The report reconfirms everything we've been saying since we began our blog 18 months agoThere has been a sea change in cybercrime. Threats are more sophisticated than ever, weaknesses and vulnerabilities abound. Defenses have not kept pace.
The report is a reminder to every organization to take a critical look at its defenses — everything from policies and employee awareness training to modern intrusion prevention systems. It needs to make sure it's employing a cost-effective defense-in-depth strategy covering all three critical information security management domains:
- Corporate security management
- Security management of the IT infrastructure
- Point-in-Time security of the IT infrastructure
Thanks to Terry Corbell for alerting us to this story.
Critical Updates for Windows, Flash Player
KrebsOnSecurity.com reports Microsoft issued a record number of software updates today, releasing 14 update bundles to plug at least 34 security holes in its Windows operating system, Microsoft Office and other software. More than a third of flaws earned a “critical” severity rating, Microsoft’s most serious.
Krebs also reports Adobe released a patch for its ubiquitous Flash Player that fixes at least six flaws in Flash. The newest version brings Flash to v. 10.1.82.76. If you’d like to know what version of Flash you are currently using, browse to this link.
Krebs also reports Adobe released a patch for its ubiquitous Flash Player that fixes at least six flaws in Flash. The newest version brings Flash to v. 10.1.82.76. If you’d like to know what version of Flash you are currently using, browse to this link.
Sunday, August 8, 2010
Security Flaw Allows Users to Jailbreak their iPhones
When is a security flaw not a security flaw? There are a lot of happy iPhone people this week who have been able to "jailbreak" their iPhones thanks to a security flaw in Apple's iOS4 [through version 4.0.1]. While many iPhone users — myself included — are content to run our iPhones the way Steve Jobs intended, many users are known to chafe at the limits that Jobs [and AT&T] have built into the iPhone. Hence the demand for products that allow these disgruntled users to break their iPhone out of the jail to which they have been sentenced by Jobs and [AT&T].
The Apple flaw manifests in PDF readers, like those of Adobe and Foxit. And while no one knows of any security exploits targeting this vulnerability, as security experts, these kinds of holes are the scary stuff that keeps us up at night.
As Brian Krebs writes in KrebsOnSecurity.com: "I’m left wondering what to call these sorts of vulnerabilities that quite obviously give users the freedom that jailbreaking their device(s) allows (the ability to run applications that are not approved and vetted by Apple) but that necessarily direct the attention of attackers to very potent vulnerabilities that can be used to target jailbreakers and regular users alike."
Perhaps we ought to view these jailbreakers the same way we view the proverbial canaries in the mine: as early-warning systems designed to alert the rest of us to vulnerabilities needing to be corrected. If the jailbreakers can find vulnerabilities before the cybercriminals have found and exploited them, then the community benefits from their efforts.
The Apple flaw manifests in PDF readers, like those of Adobe and Foxit. And while no one knows of any security exploits targeting this vulnerability, as security experts, these kinds of holes are the scary stuff that keeps us up at night.
As Brian Krebs writes in KrebsOnSecurity.com: "I’m left wondering what to call these sorts of vulnerabilities that quite obviously give users the freedom that jailbreaking their device(s) allows (the ability to run applications that are not approved and vetted by Apple) but that necessarily direct the attention of attackers to very potent vulnerabilities that can be used to target jailbreakers and regular users alike."
Perhaps we ought to view these jailbreakers the same way we view the proverbial canaries in the mine: as early-warning systems designed to alert the rest of us to vulnerabilities needing to be corrected. If the jailbreakers can find vulnerabilities before the cybercriminals have found and exploited them, then the community benefits from their efforts.
Subscribe to:
Posts (Atom)