Showing posts with label Business at risk.

Tuesday, November 23, 2010

Bank sued over $440K Cyber Theft

KrebsOnSecurity.com is reporting that Choice Escrow and Land Title, an escrow firm in Missouri, is suing its bank, BancorpSouth Inc., to recover $440,000 that organized cyber thieves stole in an online robbery earlier this year, claiming the bank’s reliance on passwords to secure high-dollar transactions failed to measure up to federal e-banking security guidelines.

The epidemic of online bank fraud succeeds because
  • Security procedures at too many businesses fail to prevent the compromise of workstations. A compromised workstation yields the business's online banking credentials, which the cyber criminal then uses to commit fraud.
  • ACH transfer security procedures at too many banks fail the test of "commercial reasonableness."

In our work assisting clients with cyber security management, we have seen first-hand how too many companies (i) fail to give staff the awareness training needed to meet the cyber crime challenge and (ii) fail to impose rigorous security requirements on the management of their IT infrastructures.

We have also seen first-hand how easily a bank's ACH security procedures can fall short of commercial reasonableness. Article 4A-202 of the Uniform Commercial Code directs a court to weigh exactly these factors, and a bank fails the test by:
  1. Failing to consider the wishes of its customer expressed to the bank.
  2. Failing to consider the circumstances of the customer known to the bank, including the size, type, and frequency of payment orders normally issued by the customer to the bank.
  3. Failing to implement security procedures in general use by customers and receiving banks similarly situated.
We echo Krebs' warning that "The attack is the latest reminder that small businesses should assume that they are completely responsible for the security of their online transactions: Businesses do not enjoy the same legal protections afforded to consumers, and thus are responsible for any losses due to cyber theft or fraud."

Friday, November 12, 2010

Map of Online Bank Fraud Victims — Updated 11/11/10

Here's an updated map of known businesses and other organizations which have been victims of online bank fraud. Among the victims in Southern California:
  1. Genlabs in Chino had $437,000 stolen
  2. Zico USA in La Puente had $150,000 stolen
  3. Village View Escrow in Redondo Beach had $465,000 stolen.
Thanks to KrebsOnSecurity.com for alerting us to this.

    Wednesday, November 10, 2010

    New Mobile Banking Flaws Demonstrate Buyers Must Be Skeptical About Security Claims

    In our latest Weekend Patch and Vulnerability Report, we warned readers that significant vulnerabilities had been discovered in mobile banking applications from USAA, Chase, Wells Fargo, Bank of America, and TD Ameritrade. According to The Wall Street Journal and Yahoo News, the vulnerabilities discovered by viaForensics could potentially allow a hacker to learn your username, password, and financial information. Information could be stolen just by visiting a malicious website.

    The report that critical vulnerabilities had been found in mobile banking applications brought to mind my blog post last September when I discussed the wisdom of mobile online banking with my friend, Biz Coach, Terry Corbell. In my interview with Terry on his blog I had said “I recommend that consumers ignore any and all attempts to induce them to use their phones for online banking.”

    Needless to say, Terry received a scathing comment to that blog post from a marketing representative in the mobile banking industry. The commenter was absolutely positively certain that mobile banking was secure, that the software had been thoroughly tested and vetted, and that I didn't know what I was talking about.

    With this week's story, it turns out that I was the one who knew what he was talking about, not the mobile banking guy. But this blog isn't about who's right and who's wrong. This blog is about learning from experience, particularly that when it comes to cyber security we all need to be a lot more intellectually humble when we talk about how secure something is.

    Right now, the cyber criminals are winning. They are winning in part because too many people have a false sense of their own security. They have this false sense of security because they haven't "been there, done that." I have.

    For me it was a no-brainer that significant security vulnerabilities were going to be found in mobile banking applications. I had worked for several years in the aerospace industry securing critical national security software. Before that I had been a research mathematician studying the logic of computer programs. And, as Yogi Berra said, "You can observe a lot just by watching."

    I can remember the day we found a critical vulnerability in cruise missile software that might have kept us from successfully responding to a nuclear attack. I know the managerial, political and especially intellectual challenges we went through to be in a position to catch that mistake. And that's just one example of how experience has taught me that writing high quality software is incredibly challenging (and expensive).

    We're taught that pride goeth before the fall. That is certainly true in the battle against cyber crime. That's why perhaps the most important thing I learned in trying to prevent, find and fix critical logic errors in complex software is intellectual humility.

    Intellectual humility is the ability to suspend our own belief in something we normally believe in, like the attorney hiring another attorney to find weaknesses in his argument or the doctor seeking a second opinion to look for holes in his diagnosis.

    Most of us develop a normal amount of intellectual humility in those areas of our greatest expertise. We understand and appreciate just how hard it is to do the things that we are accustomed to doing and we learn through experience how to pay detailed attention to the things we need to do to do our job.

    The challenge is that, human nature being what it seems to be, our intellectual humility doesn't easily carry over to domains where we lack firsthand knowledge and experience. We tend to over-simplify in those places we know little about. This isn't usually a problem: any intellectual humility I might lack regarding how dangerous lions are is mitigated by the fact that I am under no threat from a lion. Unfortunately, when it comes to cyber security, because we're all on the Internet it's as if the lion is right next door. And he's hungry.

    We can't expect a marketing representative in the mobile banking industry to have tested communications software controlling our nuclear missiles any more than we can expect the CEO of a bank to have written cyber security software requirements for an advanced military intelligence system. Nor can we expect the people who run our business IT networks to have the same sensitivity to security that we had 25 years ago when we designed a secure network for the Strategic Air Command.

    You can see the danger: these are the same people who influence (and often make) the buying decisions about the software we use to manage money and sensitive information, software that has to be adequately secure to protect the money and information it touches. And, lacking the experience, these otherwise well-meaning men and women don't understand the necessity of being intellectually humble in the presence of complex software.

    That's why people who have to make decisions about cyber security management must maintain their own healthy skepticism, resisting any temptation they may have to believe cyber security claims, whether from marketing people, their banks or their own internal IT staff. Ronald Reagan is famous for saying: "Trust. But verify." Do him one better: drop the trust.

    © Copyright 2010. Citadel Information Group. All Rights Reserved.

    Monday, October 4, 2010

    Hackers Steal $600,000 from Brigantine, NJ

    KrebsOnSecurity.com reports that "organized cyber thieves took roughly $600,000 from the coastal city of Brigantine, New Jersey this week after stealing the city’s online banking credentials. ... Brigantine City officials said the incident began sometime before 6 p.m. on September 28th, when TD Bank notified city finance officers that multiple wire transfers had been made from its accounts. Brigantine Police’s Lt. James Bennett said in a written statement:
    “Unknown person(s) had apparently obtained a user name and password for the city’s main TD Bank account when our finance personnel attempted to login (through either a fake Web page or an undetectable virus). Then several wire transfers were started with amounts ranging from a few thousand to over $300,000, for a total of about $600,000. The last update from TD Bank was that they were able to recall approximately $400,000 in transfers and were working on recalling the remainder. The investigation is being handled by the FBI, New Jersey State Police with the Brigantine Police Department and TD Bank security.”

    Tuesday, September 28, 2010

    Fake LinkedIn Emails Deliver Online Bank Theft Trojan Horse

    KrebsOnSecurity reports that a "major new malware spam campaign mimicking invites sent via business networking site LinkedIn.com leverages user trust and a kitchen sink of browser exploits in a bid to install the password-stealing ZeuS Trojan," a well-known Trojan horse used in online bank thefts.

    Krebs continues: "The spam campaign began Monday morning, according to security experts at networking giant Cisco Systems, and for a while the fake LinkedIn invitations accounted for as much as 24 percent of all spam. Recipients who click links in the message are taken to a Web page that reads, “Please Waiting, 4 seconds,” and then sent on to Google.com. ... On the way to Google, however, the victim’s browser is silently passed through a site equipped with what appears to be the SEO Exploit Pack, a commercial crimeware kit that tries to exploit more than a dozen browser vulnerabilities in an attempt to install ZeuS."

    This spam campaign is another illustration of how cybercriminals use social engineering to get users to take an action (in this case clicking a link in an email) that bypasses normal defenses. As a general rule, don't click links in email you weren't expecting; reach the site by typing its address into the browser instead. Knowing the apparent sender is not enough protection, since this campaign worked precisely because it imitated a sender millions of people recognize. In the end you must develop a new kind of "common sense" that recognizes the dangers associated with the Internet.

    Friday, September 17, 2010

    Interpol Says Cybercrime is "World's Most Dangerous Criminal Threat"

    Concerned with the growing threat from an illegal business estimated at $105 billion, 300 top law enforcement officials from 56 countries met in Hong Kong for the first-ever international police anti-cybercrime conference.

    Ronald K. Noble, secretary general of Interpol, told the assembled law enforcement officials that "considering the anonymity of cyberspace, it may in fact be one of the most dangerous criminal threats we will ever face."

    More on this story is available from Yahoo News.

    Monday, September 13, 2010

    Adobe Issues Security Advisory for Critical 0-Day Flash Player Vulnerability

    Adobe has announced a critical vulnerability exists in Adobe Flash Player 10.1.82.76 and earlier versions for Windows, Macintosh, Linux, Solaris, and Adobe Flash Player 10.1.92.10 for Android. This vulnerability (CVE-2010-2884) could allow an attacker to take control of the affected system. There are reports that this vulnerability is being actively exploited in the wild against Adobe Flash Player on Windows.

    As attacks exploiting this vulnerability are likely to get by anti-virus and anti-malware defenses, users should consider installing advanced intrusion-prevention technology capable of blocking 0-day attacks.

    Wednesday, September 8, 2010

    Cybercriminals Exploit New 0-Day Adobe Acrobat/Reader Vulnerability

    Adobe has announced that a critical vulnerability exists in Adobe Reader 9.3.4 and earlier versions for Windows, Macintosh and UNIX. The vulnerability is also present in Adobe Acrobat 9.3.4 and earlier versions for Windows and Macintosh.

    The vulnerability (CVE-2010-2883) could allow an attacker to take control of the affected system. There are reports that this vulnerability is being actively exploited in the wild.

    Users are advised to take extra precautions in opening Adobe PDF files. As attacks exploiting this vulnerability are likely to get by anti-virus and anti-malware defenses, users should consider installing advanced intrusion-prevention technology capable of blocking 0-day attacks.

    Saturday, September 4, 2010

    What's More Powerful than a Strong Password?

    Keyloggers are programs (or, less commonly, small hardware devices) that capture every keystroke a user types, including the user-ids and passwords that protect sensitive information such as a user's online bank account. When planted by cybercriminals, the captured keystrokes are secretly transmitted back to the criminal for his own dishonest use.

    It was a keylogger that enabled cybercriminals to steal $465,000 from Village View Escrow last March. (See our blog post: e-Banking Bandits Target Title and Escrow Companies.) Most, if not all, of the online bank theft stories we've covered involve a keylogger used to steal online bank credentials.
     
    There are several ways users can get their computers infected by a malicious keylogger. They are often surreptitiously installed as part of a virus or malware attack. Inadequately protected web sites can infect visitors with a keylogger. (See our blog post from April: Visitors to Web Sites Hosted by Network Solutions Again at Risk and August: Network Solutions Once Again Serves Up Malware.) There are even physical keyloggers that can be installed on a user's workstation.

    There are three specific things you need to pay attention to in order to keep a malicious keylogger off your workstation.
    1. Diligently keep your workstation updated with security fixes. This includes your operating system (Windows or Mac OS X), your application programs (like Adobe Reader), and your browser add-ons (like Flash).
    2. Keep your anti-virus and anti-malware software up to date. Consider a modern intrusion prevention system able to counter the attacks that get by your anti-malware defenses.
    3. Be very suspicious of emails, particularly those containing attachments. If the email is not from someone you know and is not something you expect, then treat it the same way you would treat a suspicious package you discover ticking in an airport bathroom.
    Today's New York Times has an up-to-date overview of some new thinking about password security: A Strong Password Isn’t the Strongest Security.

    Friday, September 3, 2010

    Cyberthieves Steal Nearly $1,000,000 from University of Virginia

    KrebsOnSecurity reports that cyberthieves stole nearly $1,000,000 from a satellite campus of The University of Virginia. Krebs writes that sources familiar with the case had told him that thieves stole the funds after compromising a computer belonging to the university’s comptroller. The attackers used a computer virus to steal the online banking credentials for the University’s accounts at BB&T Bank, and initiated a single fraudulent wire transfer in the amount of $996,000 to the Agricultural Bank of China. BB&T declined to comment for this story.

    In an update published by the student newspaper, a University spokesperson said the money was stolen on August 25 but has since been recovered.

    Monday, August 30, 2010

    Cyberthieves Steal $600,000 From Catholic Diocese of Des Moines, Iowa

    KrebsOnSecurity.com reports that "cyber thieves stole more than $600,000 from the Catholic Diocese of Des Moines, Iowa earlier this month. The funds were spirited away with the help of dozens of unwitting co-conspirators hired through work-at-home job scams, at least one of whom was told the money was being distributed to victims of the Catholic Church sex abuse scandals."

    According to Krebs "In a statement released last week, the diocese said the fraud occurred between Aug. 13 and Aug. 16, apparently after criminals had stolen the diocese’s online banking credentials. The Diocese said it was alerted to the fraud on Aug. 17 by its financial institution, Bankers Trust of Des Moines. ... The diocese also said the FBI and U.S. Treasury Department were notified, and that the FBI had taken possession of several diocesan computers. To date, roughly $180,000 has been recovered. ... The diocese added that law enforcement had advised them that the theft seems to have been the work of a highly sophisticated operation based overseas, which moved the stolen money out of the United States by recruiting people who unknowingly act as intermediaries."

    Friday, August 27, 2010

    Cyber-Bank Theft Pits Victim vs Bank. Got Insurance?

    KrebsOnSecurity.com reported recently that "a business telephone equipment company in Texas is trying to force its bank to settle a liability claim over an attack by organized cyber thieves last year that cost the company $50,000."

    This is a common story which we continue to write about. [See many of our postings under the tag: Financial Systems Security.]

    The unfortunate truth [as we wrote in an earlier blog] is that banking laws put the responsibility for cybercrime losses onto the customer. If the customer wants the bank to reimburse it for the fraud losses, it's up to the customer to prove that the bank's security procedures are not commercially reasonable [as that phrase is defined in the Uniform Commercial Code, Article 4A-202]. The result, all too often, is that the customer has little choice but to sue the bank. [See our blog post, for example.]

    The good news: There's a very good chance the bank's procedures fail the test of commercial reasonableness. In an analysis of a bank whose customer lost $600,000 when cyberthieves uploaded fraudulent payroll databases, our firm found significant technical, procedural and managerial weaknesses in the bank's security procedures. These weaknesses were so egregious that they left us no alternative to the conclusion that the bank's security procedures were not commercially reasonable.

    The bad news: The cost of proving the bank's procedures are not commercially reasonable [so that the bank will share in the responsibility for the loss] is huge. I have no idea of the legal fees involved but I do know that fees for expert analysis do not come cheap. Consequently most organizations will not have the deep pockets to sustain a lawsuit, particularly under the cash flow pressures that will inevitably follow a large loss.

    That's why Citadel continues to recommend that every organization discuss cybercrime insurance with their insurance broker. As Brian Krebs wrote in his blog KrebsOnSecurity.com "cyber theft insurance can be a reasonable and effective investment in an era when ultra-sophisticated cyber thieves increasingly are defeating the security that surrounds many commercial online banking accounts."

    Monday, August 16, 2010

    Network Solutions Once Again Serves Up Malware

    KrebsOnSecurity is reporting that hundreds of thousands of Web sites parked at NetworkSolutions.com have been serving up malicious software thanks to a tainted widget embedded in their pages. The problem has been traced to the “Small Business Success Index” widget, an application that Network Solutions makes available to site owners through its GrowSmartBusiness.com blog. Network Solutions has a history of weak security controls that put visitors to its customers web sites at risk of malware infection. See, e.g., our April 19 blog post.

    The report is a reminder to employ defense-in-depth on business and home computer systems, including
    1. Keep operating system and all applications patched and up-to-date
    2. Keep anti-malware software up-to-date with current data files
    3. Consider switching from less-effective anti-malware solutions to more powerful intrusion detection and prevention systems
    4. Run Firefox instead of Internet Explorer; run Firefox with the NoScript add-on if you're technical
    While nothing you do will make you 100% secure, there's a lot you can do to minimize the risk of attack.

    Friday, August 13, 2010

    Certificate Authorities: A Weak Link in eCommerce and eBanking?

    Suppose you call up your banker and ask him to send someone over to pick up a cash deposit. An hour later, a woman (call her Sally) who identifies herself as having been sent from the bank arrives at your office. You ask for her credentials and she shows you an ID card that says she works at the bank. Do you give her the deposit?

    Suppose, instead of calling your banker, you go online to your bank. The web page in your browser is like Sally. It says it's from the bank, and you can even see its "ID card": the "https:" in the address bar and the closed lock in the browser. That lock is something we've learned to trust from the earliest days of the web.

    Now comes a story in the New York Times that, perhaps, it's time to adjust our thinking. According to the Times, "those sites which are typically identified by a closed lock displayed somewhere in the Web browser, rely on a third-party organization to issue a certificate that guarantees to a user’s Web browser that the sites are authentic. But as the number of such third-party “certificate authorities” has proliferated into hundreds spread across the world, it has become increasingly difficult to trust that those who issue the certificates are not misusing them to eavesdrop on the activities of Internet users, the security experts say."

    The article quotes Peter Eckersley, a senior staff technologist at the Electronic Frontier Foundation, an online civil liberties group, as saying “It is becoming one of the weaker links that we have to worry about.”
    According to the Electronic Frontier Foundation, more than 650 organizations can issue certificates that will be accepted by Microsoft’s Internet Explorer and Mozilla’s Firefox, the two most popular Web browsers. Some of these organizations are in countries like Russia and China, which are suspected of engaging in widespread surveillance of their citizens.

    The Times reports that Eckersley identified Etisalat, a wireless carrier in the United Arab Emirates, as the weakest link in the "trust chain."

    Stephen Schultze, associate director of the Center for Information Technology Policy at Princeton University, is quoted as saying “I think it is a really big deal,” but that it “is not a reason to panic and stop doing online banking or e-commerce. But it is a bad enough problem that it should be receiving a lot more attention and we should be trying to fix it.”
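    The trust model the Times describes can be demonstrated on your own machine with nothing but the openssl command-line tool. The script below is an added example, not part of the original post and not code published by the EFF, the Times or anyone quoted above; the two certificate authorities and the hostname www.examplebank.invalid are constructed for the demonstration. It creates two independent CAs, puts both into a trust store the way a browser ships hundreds of roots, and shows that a certificate for the bank's hostname issued by the "rogue" CA verifies exactly as cleanly as the genuine one. It then shows the check that does tell them apart: a pin on the SHA-256 digest of the server's public key, which the impostor certificate cannot satisfy because it carries a different key.

```sh
#!/bin/sh
# Added example, not from the original post: why any one of hundreds of
# trusted CAs can vouch for a bank's web site, and how a public-key pin
# catches a certificate that merely chains to a different root.
# All CA names and the hostname below are constructed for this demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
BANK=www.examplebank.invalid          # hypothetical bank hostname

# make_ca NAME: a self-signed root CA certificate and private key
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# issue_leaf CA LEAF: a server certificate for $BANK, signed by CA
issue_leaf() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$BANK" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$WORK/$2.csr" -CA "$WORK/$1.pem" \
    -CAkey "$WORK/$1.key" -CAcreateserial -out "$WORK/$2.pem" >/dev/null 2>&1
}

# chain_ok STORE CERT: the check a browser performs. Does any root in
# STORE vouch for CERT? Exit 0 when openssl reports "OK".
chain_ok() {
  openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# spki_pin CERT: hex SHA-256 of the certificate's SubjectPublicKeyInfo.
# This identifies the server's own key, independent of who signed the cert.
spki_pin() {
  openssl x509 -in "$1" -pubkey -noout \
    | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 | sed 's/^.*= *//'
}

# pin_ok EXPECTED CERT: the extra check a pinning client performs
pin_ok() {
  [ "$(spki_pin "$2")" = "$1" ]
}

make_ca honest-ca
make_ca rogue-ca
issue_leaf honest-ca genuine     # what the bank actually deploys
issue_leaf rogue-ca  impostor    # same hostname, different key, different CA

# A browser's root store trusts both CAs (in reality, hundreds of them)
cat "$WORK/honest-ca.pem" "$WORK/rogue-ca.pem" > "$WORK/browser-roots.pem"
# A store that trusts only the CA the bank actually uses
cp "$WORK/honest-ca.pem" "$WORK/single-root.pem"

# The pin the bank (or a cautious client) records ahead of time
BANK_PIN=$(spki_pin "$WORK/genuine.pem")

for cert in genuine impostor; do
  chain_ok "$WORK/browser-roots.pem" "$WORK/$cert.pem" && chain=verifies || chain=fails
  chain_ok "$WORK/single-root.pem"   "$WORK/$cert.pem" && single=verifies || single=fails
  pin_ok "$BANK_PIN" "$WORK/$cert.pem" && pin=matches || pin=mismatch
  echo "$cert: browser store $chain, single root $single, pin $pin"
done
```

    Run it with sh; the genuine certificate passes all three checks, while the impostor passes the browser-style check, fails against the single-root store, and fails the pin. A hostname check does not help either, since the impostor certificate carries the bank's own hostname. To see how many roots your own system trusts, count the certificates in its bundle (on Debian and Ubuntu, awk '/BEGIN CERT/{n++} END{print n}' /etc/ssl/certs/ca-certificates.crt; other systems keep the bundle elsewhere).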

    Tuesday, August 10, 2010

    Another Survey Tells Same Sad Story of Growing Internet Dangers

    McAfee released a report today showing that malware (malicious software) reached its highest level ever in the first half of 2010. The company identified 6 million malicious files in the second quarter, making for a total of 10 million malicious files over the first six months of the year. Among the most common attack vectors were attacks targeted at social media users. Password-stealing Trojan horses — commonly used in online bank thefts — were among the most common payloads.

    The report reconfirms everything we've been saying since we began our blog 18 months ago: there has been a sea change in cybercrime. Threats are more sophisticated than ever, and weaknesses and vulnerabilities abound. Defenses have not kept pace.

    The report is a reminder to every organization to take a critical look at its defenses — everything from policies and employee awareness training to modern intrusion prevention systems. It needs to make sure it's employing a cost-effective defense-in-depth strategy covering all three critical information security management domains:
    1. Corporate security management
    2. Security management of the IT infrastructure
    3. Point-in-Time security of the IT infrastructure
    It's also a time to talk to your attorney and your insurance broker. Your attorney can make sure you're aware of your legal responsibilities and can provide counsel on sharing sensitive information with 3rd parties. Your insurance broker can help you mitigate some of your security risk through cyber-insurance policies.

    Thanks to Terry Corbell for alerting us to this story.

    Friday, July 23, 2010

    Spyware Targets Industrial Facilities, including SCADA systems

    Following up our blog post of last week in which we described new malware attacks on industrial control systems, the Christian Science Monitor writes "cyberspies have launched the first publicly known global attack aimed at infiltrating hard-to-penetrate computer control systems used to manage factory robots, refineries, and the electric power grid."

    According to the Monitor, "the spyware had spread for at least a month undetected and has already penetrated thousands of industrial computer systems in Iran, Indonesia, India, Ecuador, the United States, Pakistan, and Taiwan, according to a Microsoft analysis. ... The attack is part of a sophisticated new wave of industrial cyberespionage that can infiltrate corporate systems undetected and capture the "crown jewels" of corporations – proprietary manufacturing techniques that are worth billions, experts say. It's significant, too, because of its potential to infiltrate and commandeer important infrastructure, such as the power grid."

    The Monitor goes on to write "No one knows who's behind it. Cybersecurity analysts aren't even sure yet what the spyware's creators intend it to do to those industrial systems. The intent could be to sell corporate proprietary secrets – or to seek an advantage over the US in some future asymmetric conflict, such as a cyberwar."

    Monday, July 19, 2010

    CyberSecurity Threat Indicator Raised as Critical Windows Zero-Day Vulnerability Discovered

    Computerworld and other sources are reporting a newly-discovered critical bug in all versions of Windows. The bug is so critical that the Internet Storm Center (ISC) has pushed its Infocon threat indicator to "Yellow," a rare move, while Symantec also bumped up the status of its ThreatCon barometer to "Elevated." Users are being warned to expect widespread attacks.

    "The proof-of-concept exploit is publicly available, and the issue is not easy to fix until Microsoft issues a patch," said Lenny Zeltser, an ISC security analyst.

    Last Friday, Microsoft confirmed that attackers can use a malicious shortcut file, identified by the ".lnk" extension, to automatically execute their malware by getting users to view the contents of a folder containing such a shortcut. Malware can also automatically execute on many systems when a USB drive is plugged into the PC.

    All versions of Windows, including the just-released beta of Windows 7 Service Pack 1 (SP1), as well as the recently retired Windows XP SP2 and Windows 2000, contain the bug.

    In a related post, we reported that Siemens is warning customers about attacks on its industrial control software that exploit this bug.

    Friday, July 16, 2010

    New Malware Targets Industrial Control Systems, like SCADA

    PCWorld reports that Siemens is warning customers of new and highly sophisticated malware targeting the computers used to manage large-scale industrial control systems used by manufacturing and utility companies [SCADA]. The malicious software is designed to infiltrate the systems used to run factories and parts of the critical infrastructure. The zero-day malware targets Siemens management software called Simatic WinCC, using a previously undisclosed Windows bug to break into the system.

    Monday, July 5, 2010

    Microsoft Warns of Uptick in Attacks on Unpatched Windows Flaw

    KrebsOnSecurity reports "Microsoft is warning that hackers have ramped up attacks against an unpatched, critical security hole in computers powered by Windows XP and Server 2003 operating systems. The software giant says it is working on an official patch to fix the flaw, but in the meantime it is urging users to apply an interim workaround to disable the vulnerable component." Microsoft issued a statement last week saying the pace of attacks against Windows users had picked up, and that more than 10,000 distinct computers have reported seeing this attack at least one time.

    A graphic on Krebs' blog (not reproduced here) shows both the daily number of attacks and the cumulative number of distinct PCs attacked. It shows that attacks peaked during the six days from June 22 through June 27.

    IT departments running Windows XP or Server 2003 should consider running Microsoft’s stopgap “Fix it” tool to disable the vulnerable Help Center component until the patch ships. Home users running Windows XP should consider doing this as well. To do so, open Microsoft's Fix it page for this issue and click the “Fix it” button in the middle of the page under the “enable this fix” heading.

    Tuesday, June 29, 2010

    New CyberSecurity Study says "Most senior execs unaware of impact from cyberattacks." ISSA-LA Committed to Doing Something About It.

    According to an article in USA Today, a new Ponemon Institute poll of 591 technology managers shows that 83% indicated their organization has been a recent target of advanced threats while 81% felt that senior execs lacked awareness of the seriousness of advanced threats. Our experience confirms the validity of these statistics. The cybercrime problem is only going to get worse as more and more small and medium size businesses fall victim to online bank fraud.

    The biggest challenge we see is helping the men and women who have to dedicate resources (people or money) understand (1) why they need to improve the security of their information systems, (2) the basic steps involved in improving systems security, and (3) the ancillary competitive benefits they can get from improved information systems security management.

    It's to meet this challenge that we in the Los Angeles Chapter of the Information Systems Security Association (ISSA-LA) have embarked on an aggressive Community Outreach Program. Our objective is nothing less than to raise information security awareness throughout the Los Angeles community. This is the most important thing we can do to help our community protect itself from the scourge of cybercrime. Having successfully concluded our 2nd Annual Information Security Summit we know the time is right to bring the community together around this problem and we are dedicated to doing so.