Wednesday, November 12, 2008

Warning: Financial crisis is a goldmine for online criminals

by Marcelle Amelia

Criminals are taking advantage of the confusion over recent bank mergers in the United States to send out fake e-mail messages in an attempt to steal your personal information.

You've probably heard of phishing scams: fraudulent e-mail messages or fake Web sites designed to steal your identity. Scam artists "phish" in an attempt to persuade people to disclose sensitive information.

According to the U.S. Federal Trade Commission, new bank merger scams might say something like this:

“We recently purchased ABC Bank. Due to concerns for the safety and integrity of our new online banking customers, we have issued this warning message... Please follow the link below to renew your account information.”

Or this:

“During our acquisition of XYZ Savings & Loan, we experienced a data breach. We suspect an unauthorized transaction on your account. To ensure that your account is not compromised, please click the link below to confirm your identity.”

If you click these links, you might be taken to a fake Web site designed for the purpose of identity theft.

For more information from the FTC (www.ftc.gov) about this scam, see Consumers Warned to Avoid Fake E-mails Tied to Bank Mergers.

To help avoid phishing scams:

1) If you think you've received a phishing scam, do not respond to it.
2) Approach links in e-mail with caution.
3) Don't trust the sender information in an e-mail message.
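As an added example (not part of the original post, and not code from the FTC or any bank), here is a small Python check that applies tips 2 and 3 to a bank-merger message of the kind quoted above: it compares the From and Reply-To domains against the domain the recipient actually banks with, and flags links whose visible text names one host while the href goes elsewhere or to a bare IP address. The sample message, every host and address in it, and the trusted-domain set are all constructed for this example.

```python
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse
# Constructed sample in the style of the FTC's bank-merger examples. Every address,
# host and IP here is invented; the display name and the visible link text say
# "ABC Bank" while the real sender and the real link target are somewhere else.
SAMPLE_EMAIL = """\
From: "ABC Bank Customer Care" <alerts@abc-bank-secure-login.example>
Reply-To: verify@mail-relay.example
Content-Type: text/html; charset="utf-8"

<html><body>
<p>We recently purchased ABC Bank. Please follow the link below to renew
your account information.</p>
<p><a href="http://203.0.113.10/abcbank/login">https://www.abcbank.example/renew</a></p>
<p>Questions? Visit <a href="https://www.abcbank.example/help">our help page</a>.</p>
</body></html>
"""
TRUSTED_BANK_DOMAINS = {"abcbank.example"}  # assumed: where the recipient really banks

class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registered_domain(host):
    """Last two labels of a hostname: a crude stand-in for the registrable domain."""
    return ".".join(host.lower().strip(".").split(".")[-2:])

def host_of(text):
    """Hostname of a URL, or of bare text such as www.example.org/path."""
    return urlparse(text if "://" in text else "http://" + text).hostname or ""

def header_domain(msg, name):
    """Registrable domain of the first address in an address header, or ''."""
    hdr = msg[name]
    return registered_domain(hdr.addresses[0].domain) if hdr and hdr.addresses else ""

def analyze_message(raw, trusted_domains):
    """Return human-readable findings; an empty list means nothing was flagged."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    # Tip 3: the display name is not the sender. Judge by the address domains.
    from_domain = header_domain(msg, "From")
    if from_domain not in trusted_domains:
        findings.append(f"From domain {from_domain!r} is not a trusted bank domain")
    reply_domain = header_domain(msg, "Reply-To")
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain!r} differs from From domain")
    # Tip 2: judge links by where they go, not by what they say.
    body = msg.get_body(preferencelist=("html",))
    collector = LinkCollector()
    collector.feed(body.get_content() if body else "")
    for href, text in collector.links:
        target = host_of(href)
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", target):
            findings.append(f"link points at a bare IP address {target}")
        shown = host_of(text) if ("." in text and " " not in text) else ""
        if shown and registered_domain(shown) != registered_domain(target):
            findings.append(f"link text shows {shown!r} but goes to {target!r}")
    return findings
```

Run against the sample, the check reports four findings (untrusted From domain, a different Reply-To domain, a link to a bare IP, and link text that does not match its target); the benign help-page link produces none.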


For more guidance see:

Recognize phishing scams and fraudulent e-mail
How to handle suspicious e-mail
What to do if you've responded to a phishing scam

Monday, November 10, 2008

Can Worms and Viruses Be Useful?

While most of the uses of viruses and worms are typically malicious or at least inconvenient in today's environment, this will change over time. Worm technologies are currently being viewed as a potential method to distribute critical security patches to systems on networks. Viruses can be used to distribute applications on some modern operating systems. Some countries have introduced legislation to outlaw all use of viruses and worms in all forms. This is a short-sighted and simplistic application of law to a complex issue, as the same technologies are being looked at, very seriously, for use in good - not evil.

With the conditions for development of viruses and worms remaining as-is, I expect the following situations to develop in the near future:

  • Infestations of "invisible" infrastructures. Most of us don't think about the software inside a cell phone, automotive electronic system, DVD player, radio frequency ID tag systems, parking lot gate attendant systems, toll booths, wireless luggage bag-to-passenger matching systems, point of sale terminals, automatic door openers, letter sorters, printing presses and many others. As these technologies become more sophisticated, so do their connectivity methods and operating environments. Companies that produce such products migrate towards general-use commercial off-the-shelf (COTS) technologies, which allow greater opportunities for attack.
  • Worm, virus and hybrid attacks against communications infrastructures due to lack of security controls in base networking protocols and "building block" protocols such as Abstract Syntax Notation.1 (ASN.1). Much of the communications infrastructure of the world is built on protocol security concepts developed in the 1970s which do not translate well into today's technical security needs.
  • Use of viruses and worms by terrorist organizations as a way to deteriorate, disrupt and disable economic and social support systems in use by countries dedicated to anti-terrorist efforts. As horrible and malicious as the various physical attacks have been by terrorists against the United States, those effects are minimal compared to a debilitating attack by a worm against our financial, transport or utility infrastructures.
  • Accelerated sponsorship by hostile nation-states where the use of cyber attack is a rapid method of furthering a country's political and economic goals (cyber warfare and information operations methodologies).
  • Worms/viruses that "jump" between operating environments and applications. Some have shown this capability already and it's a rapidly growing trend.

While there are many disturbing trends in virus and worm development, there are certain issues which experts are particularly concerned about:

1. Companies that provide critical services, such as utilities, transport and petrochemical entities, are interconnecting historically isolated networks with Internet facilities. This results in such networks being attacked and infested with viruses and worms that disable them, which can critically affect infrastructure.

2. Home consumer PCs are being increasingly targeted by viruses, worms and hybrids harnessed for use as part of world-wide malicious "chains" of attack systems (known as Zombies) to effect Distributed Denial of Service (DDoS) and worm attacks against Internet-connected entities.

3. Research and development into new security encoding and methods in base network protocols needs to be accelerated to help offset the continued development of malicious code used to attack infrastructure.

4. Lack of law enforcement actions, globally, in the prosecution and arrest of virus and worm developers. An extremely low number of persons involved in the development and distribution of malicious code are ever identified or prosecuted due to a lack of technical tools, skills and personnel in most law enforcement organizations.

5. Inclusion of basic system and application protection methodologies by developers of same. Basic technologies such as polymorphic checksums and cryptographic signature methods are well known and available. Such technologies could be used by all manner of developers to stop infestations and propagation of these malicious code segments.

6. Failure of senior corporate management to act properly, responsibly, rationally and quickly in the deployment of security technologies to prevent infestations and propagation of malicious code. Too many companies still do not invest in the basics.

7. Acknowledgement that viruses and worms are truly a multinational problem. While leadership by technologically advanced countries is crucial, introduction of viruses and worms into network infrastructure is easily done by the "weakest link" in connectivity - a small country with no laws on cyber-crime, no assets to protect, and no national will or means to prosecute perpetrators becomes the entry point for the world to be attacked. Remember that access to a small country's infrastructure does not require a physical presence - even a dial-up connection from anywhere on the planet will do just fine.

The "cure" for infestations is a long way off and will require partnership with industry and government to solve. Base research in network security improvements, deployment of security technologies, legislative efforts to prevent criminal use of worms and viruses, improvement in operating systems to stop infestations, application-level security technologies, law enforcement prosecution of cyber criminals involved in the creation and distribution of virus and worm technologies, improvement in base critical infrastructure and education and training through all levels of corporations, government and society will need to be combined to come up with effective eradication solutions.

Perhaps the most ironic aspect of viruses and worms is not the cost to repair or prevent infestation. Unlike biological, chemical or nuclear terrorism, where thousands or millions of dollars are required to make such an attack happen, the entry cost necessary to create and distribute worms and viruses is just this:

A PC with an Internet connection.

Copyright © 2008 - Kevin M Nixon. All Rights Reserved.  This document may be reprinted in part or whole with appropriate citation.


Sunday, November 2, 2008

Un-Common Knowledge

Ok, here is a test for you.
What do the Division of Motor Vehicles Colorado, the University of Utah Hospitals and Clinics in Salt Lake, Monster.com, the University of Miami and Fidelity National Information Services all have in common? (Hint: Think TJ Maxx) Give up?
Answer: Each was the victim of a data security breach that resulted in the exposure of over 2 million computer records which contained confidential, non-public, private information.

In the case of Fidelity the total number of computer records exposed exceeded 8.5 million! You can monitor the events yourself at the Privacy Rights Clearinghouse, where you will find a frightening amount of information. Just yesterday, November 1st, 2008, privacyrights.org reported that the Seattle, Washington School District released 5000 social security numbers to a local union representing some of the district workers. More than half of the district's workers were affected by the leak. No wonder the FBI and the National White Collar Crime Center saw Americans report losses of $239 million as a result of online fraud.

Don't assume that an "identity thief" is a "hacker" in the computer crime underworld. The "identity thief" may simply obtain the information from a source and then sell the information. However, "identity thieves" are now recruiting "hackers" to obtain access to electronic databases which contain the most choice data. The trafficking of stolen data is a quick operation. Your hard-earned reputation, financial & banking records, as well as personal information such as age, marital status, and children's names, can all be sold for a few dollars each. Think about that. If 2 million records are stolen and sold for $2 per record, the "ID Thief" has made a cool $4 million off of what took you years of honest hard work to create. The same technology used to steal your information is often used to sell your information. Your data is often sold through large instant-message groups or via online auctions, both of which may only exist for a few hours or days to avoid detection by authorities.

Here are a few tips that may alert you that your credit information has been compromised.

1) Whenever possible, go "paperless". You simply receive an email stating that your statement is available online for viewing, and you can pay electronically too.

2) If you can't go paperless and you have a mailbox on the curb that anyone can walk by and open, consider getting a PO Box or a lockable mailbox. It is real easy for a thief to simply take a credit card statement containing most of the info they need out of the box on the curb.

3) Monitor your statements. Did you really put $2 worth of gas in the car? One of the ways thieves validate that a stolen card is still active is to charge a very small amount and if the transaction goes through they know that the card is still good.

4) Be alert to creditors calling to verify a telephone number! Creditors performing information verification often call telephone numbers associated with credit applications. The 3 big agencies are not offended when you question why the information is needed. Thieves often take personal information and attempt to open "business accounts" which makes the transaction more difficult to trace.

5) And last but not least, your Social Security Card (and number) should only be used for tax purposes. Says so right on the card. Do not use for ID.

Your social security number is not "required" for anything else under the law. It serves one purpose, to associate your earnings with your taxes. Banks, insurance companies, and others are required by law to use alternative photo ID cards. If the person or company won't do business without your Social Security number, ask to borrow their telephone, and call the local Social Security office and report the company. Then take your business someplace else!
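As an added example (not from the original post, and not any card issuer's fraud logic), here is a small Python rule that implements the pattern tip 3 describes: a tiny charge used to confirm a stolen card is still live, followed within a few days by real spending at an unrelated merchant. The statement lines, card numbers, merchants and thresholds are all constructed for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed statement lines: "YYYY-MM-DD HH:MM,last4,merchant,amount".
# Card 4242 shows the probing pattern; card 1111 has small but ordinary purchases.
SAMPLE_STATEMENT = """\
2008-10-28 08:12,4242,Corner Grocery,54.10
2008-10-30 21:47,4242,Online Fuel Mart,2.00
2008-10-31 03:05,4242,Gadget Outlet,389.99
2008-10-31 09:40,1111,Corner Grocery,23.75
2008-11-01 12:00,1111,Coffee Cart,1.95
2008-11-01 18:30,1111,Coffee Cart,1.95
"""

PROBE_MAX = 2.00         # assumed: charges at or below this could be a "is it live?" test
FOLLOW_MIN = 50.00       # assumed: a later charge this large looks like real exploitation
WINDOW = timedelta(days=3)  # assumed: how soon the real spending tends to follow

def parse_statement(text):
    """Parse statement lines into (timestamp, last4, merchant, amount), oldest first."""
    rows = []
    for line in text.strip().splitlines():
        when, last4, merchant, amount = line.split(",")
        rows.append((datetime.strptime(when, "%Y-%m-%d %H:%M"), last4, merchant, float(amount)))
    return sorted(rows)

def find_test_charges(rows):
    """Return (last4, probe merchant, probe amount, follow merchant, follow amount) alerts."""
    by_card = defaultdict(list)
    for row in rows:
        by_card[row[1]].append(row)
    alerts = []
    for last4, txns in by_card.items():
        for i, (when, _, merchant, amount) in enumerate(txns):
            if amount > PROBE_MAX:
                continue
            # A small charge alone is normal (coffee, parking); it matters only when a
            # different merchant follows soon afterwards with a large charge.
            for later, _, merchant2, amount2 in txns[i + 1:]:
                if later - when > WINDOW:
                    break
                if merchant2 != merchant and amount2 >= FOLLOW_MIN:
                    alerts.append((last4, merchant, amount, merchant2, amount2))
                    break
    return alerts
```

On the sample, only card 4242 is flagged: the $2.00 "fuel" charge followed five hours later by $389.99 at a different merchant; the two $1.95 coffees on card 1111 are not.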
Copyright 2008 - Kevin M Nixon. All Rights Reserved.

Wednesday, October 22, 2008

CSO Online Article

Third-Party Anonymous Proxies? No! No! No!

Two security pros explain why they'd never use an anonymous proxy service from a Web-based third party. Part three in a series


By Bill Brenner, Senior Editor

October 21, 2008 — CSO

This is the third installment of a three-part series on the pros and cons of anonymous proxy services. Read the first installment here and listen to the second installment here.

There are a variety of legitimate reasons for security professionals to use anonymous proxy servers. But would they trust a third-party service that lives on the Web?


Saturday, October 18, 2008

Palin's Privacy Problem: Conducting Confidential State Business On A Web Based Email Account That Can Be Hacked By Anyone Using An Anonymous Web-Based Proxy Server Is As Safe and Useful As A Frontal Lobotomy!

____________________________________________________

by Kevin M. Nixon, MSA, CISSP, CISM

Extended Abstract

Recently Alaskan Governor Sarah Palin's Yahoo! email account was compromised by a hacker.

From Gawker.com:

"Did the Internet just cause Sarah Palin to destroy evidence?  The potential US Vice-President is in a bit of trouble for conducting state business using her personal, unarchived email address (gov.sarah@yahoo.com) instead of her official account (which is, of course, subject to laws requiring the retention of government records).  Emails from that Yahoo account are already being sought in connection with the "Troopergate" investigation.  Now comes word that Anonymous, the fun-loving Internet trouble-makers based loosely around the message board 4Chan, gained access to another Palin email account: gov.palin@yahoo.com.  The offending posts, screenshots, heretofore unseen family photos, and emails have all been deleted from Imageshack and 4Chan. But Gawker.com has them plus her contact list and more."

Open, anonymous web based proxy servers may be honeypots to steal your information, or may be an incorrectly configured server (belonging to someone else, i.e., some big corporation) which has been left open accidentally. This allows the honeypot operator to snag your data on the fly, while appearing to be a legitimate "business".  Do you really want your most confidential information "protected" by a business that "operates solely off money derived from advertising shown during the proxy session"?

____________________________________________________

 

Hello, is anyone in there ?!?

 

Why was the State of Alaska's Information Security Officer allowing private, non-public information, protected data to be transmitted by the State's "Executive Officer" via an uncertified, non-FISMA compliant, non-HIPAA compliant, non-FACTA compliant, non-GLBA compliant, non-NIST compliant, public, anonymous web-based, proxy server?  Not only was the Security and Technology officer taking a big risk that information might be compromised but more importantly the State of Alaska was violating Federal Law!

Need more proof? Just ask the maverick from Alaska, Sarah Palin, who had her Yahoo! email account hacked by a guy using Ctunnel.com to get to her email.

Time Magazine reports that the Alaska governor could face charges for conducting official state business using her personal, unarchived e-mail account (a crime); some critics accuse her of skirting freedom-of-information laws in doing so. (See:  "Sarah Palin's E-Mail Hacked" By M.J. Stephey, TIME.com,   Wednesday, Sep. 17, 2008)

Why would anyone hand over trusted TCP/IP addresses (along with the data being transmitted) to any company that has a policy like Ctunnel's? Here is a portion of Ctunnel.com's disclosure statement (Note: The paragraph below is a direct quote from Ctunnel's website. The misspelled words alone should have given officials in the Alaskan government IT department a reason for pause.):

"To earn your trust I will be as open and honest with you as possible. See below for information about who I am and why I run this service. Open proxies may be honeypots to steal your information, or may be left open accidentally and be down tommorow, or be otherwise unreliable. Ctunnel however, operates soley off money derived from advertising shown during the proxy session, and therefore will not be down tommorow. Because our visitors value their privacy, it is not in our interests to spy on you, lest we lose traffic and advertising revenue. Because government subpenoa could require us to hand over our server access logs, access logs are regularly deleted to protect your privacy."

Most web based proxy server operators are not compliant with the Federal Information Security Management Act (FISMA), the Fair and Accurate Credit Transactions Act of 2003 (FACTA), the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA) or the Sarbanes-Oxley Act of 2002 (SOX). These are the laws and regulations we depend on to protect our privacy, and they require specific steps to be taken to ensure protection.

If State Governments or Federal Agencies use these types of unsafe services, how can we expect Banks, Corporations, Hospitals and the Executives and Senior Managers of those institutions to take the laws, regulations, fines and punishment seriously? A lack of knowledge or understanding of the law does not (repeat, DOES NOT) provide relief from prosecution.

Now, think about the current state of the global economy. If publicly-traded Corporations use these services and do not disclose the risk in their Sarbanes-Oxley (SOX) disclosures to the Securities and Exchange Commission (SEC), they are committing a Crime and deserve the fines and deserve to serve the time in prison as stipulated by law. We hear calls for stiffer regulations, oversight and transparency, but do we really know how much of our private information is "out walkin' around" already?

In short, you get what you pay for. A "protection product" that earns money from web ads or charges $9.95 per month should be a great big red flag.

Companies, executives and security folks need to stop doing things on the cheap. All anyone has to do is view the hacker web sites and read how easy it is to obtain the info off of web based proxy servers. There are even new browser plug-in "toolz" that make hacking a "point and click" operation.

Anyone that considers open, anonymous web based proxy servers totally safe should simply post all of their bank account numbers, passwords and any other highly confidential data on a wide open website for all to see.

____________________________________________________

But wait, the story gets worse!

 

The Huffingtonpost.com on October 10th, in an article written by Associated Press reporter Mark Thiessen, as well as Karl Vick, a reporter for The Washington Post, on October 11th, disclosed that Alaskan Governor Sarah Palin had more than one external account through which she conducted official state business AND, to top things off, she shared confidential state information with her husband Todd by CC'ing him on many of the emails which were exchanged.

An Anchorage judge has ordered Alaskan Governor Sarah Palin to preserve e-mails from private accounts she has used to conduct state business.

Superior Court Judge Craig Stowers on Friday also ordered Alaska's attorney general to recover messages from a Yahoo.com account of Palin's that was breached by hackers last month. That break-in prompted Sen. John McCain's presidential campaign to order closed at least one additional private account Palin maintained.

The judge issued the orders at the request of Andree McLeod, an Anchorage activist whose pursuit of Palin's e-mails revealed that the governor did perform considerable state business from a Yahoo e-mail address -- an arrangement that bypassed the safeguards and accountability of the state's secure e-mail system. Then too, there are all those pesky Federal Data Privacy Laws which require strict protection of non-public private data. The fact that most of the regulations carry a "due diligence" requirement is also a matter of consideration. You see, when an individual is responsible for protecting the privacy of information about other people, then any federal, state, or local agency and its employees must ensure that the creation, transmission, storage and access to the data is only performed by employees of those agencies on a very narrowly defined need-to-know basis. Once the Governor began transmitting information in an unprotected manner via her personal web-based email account, which was outside the State of Alaska's highly secure and well protected network, there was no way to guarantee the safety and integrity of that data floating in cyber-space. In other words, there was no way for the Governor or other state employees to know whether the information being transmitted was being intercepted and read by someone who was not authorized under the State's Data Security Policies and Procedures or the Federal Data Privacy Laws.

Had the hackers only gained access to the Governor's personal email, only the hackers would be under investigation. BUT, because the Governor also exchanged confidential state information (which contained information about other people), she failed to follow the data privacy regulations, which placed the confidentiality of protected data at risk of being intercepted by unauthorized individuals. Which is exactly what happened. Email containing information on DPS employees and the DPS department's budget was intercepted and posted on a website along with lists of potential judicial appointment candidates and their backgrounds, which may also be considered sensitive and protected data. As a result, not only did the hacker come under investigation for "gaining access in excess of authority", so too can the Governor potentially be investigated for failing to adequately ensure the protection of private information entrusted to her, which may be considered "a dereliction of the Governor's duties". A violation of Federal Law.

What happened in Alaska is every Information Security Officer's worst fear as well as their toughest battle. Due to the proliferation of easy and simple Internet access, private information is flying past us every minute. We have become a "shoot me a quick email" society. As a result of time constraints, corporate executives, federal and state employees and all those "good ole Joe Six-Packs and Hockey Moms" are willing to take risks that highly confidential information won't get accidentally intercepted. Now, as long as the information being transmitted only contains the sender's personal information, and they are willing to risk sending something like their bank account number or password on a "virtual postcard", then if compromised, the data breach only affects the sender.

However, when anyone that is granted the trust of another to protect information and is bound by law to do so, and either intentionally or unintentionally takes the same risks as they might with their personal data (regardless whether the information is compromised or not), they have potentially violated privacy laws and are subject to investigation. 

Yes, we all have busy schedules. We are all rushing to get somewhere else. But when, as a result of our actions, someone else is negatively affected, then we are responsible. And we are as guilty as some of those Wall Street executives who, after being "bailed out" with our tax dollars, took expensive "marketing trips". You know, all those guys that everyone is so angry with. Well, take a moment and think about the following: we live in an era where information at times is even more valuable than a few hundred thousand tax dollars. So why aren't we just as angry about all that private data flying past us each day? It is because we have a lack of knowledge about the value of information. The Internet isn't a dark alley we have to walk down afraid that we might be assaulted. Everyone feels safe and secure because we can't equate data bits with dollar bills. I guarantee you, if bits were bills flying through the air, everyone would be attempting to grab them because they are just floating by. Be warned, some people would rather grab those bits instead of the bills, and Governor Palin will more than likely have to answer some really tough questions about the data which she was entrusted to protect.

Here is the perfect example of what I mean by everyone having a lack of knowledge regarding the importance of data protection. Alaska's Lieutenant Governor, Sean Parnell, told the Associated Press: "Until she was hacked, we were communicating just about daily. Now I'm talking with her chief of staff."

Judge Stowers called the effort to recover and preserve Palin e-mails relating to state business "important" and noted that Alaska's public record law was last updated before the rise of the Internet. However, Judge Stowers should also research those pesky Federal Laws, most of which snuck up on us after 9/11.

In closing, remember any federal, state, or local agency and its employees (or anyone in a corporation, hospital, law office, bank, etc.) MUST ensure that the creation, transmission, storage and access to personal, confidential non-public private data is only performed by individuals employed by the entity on a very narrowly defined need-to-know basis.

 

The Washington Post reported that Governor Palin is being requested to release some 1,100 e-mails the governor held back from an earlier public records request, citing executive privilege, presumably because they contained official state business. However, The Washington Post also noted that about 40 of the emails may have been copied to the Governor's husband Todd Palin, who is not a state employee and therefore would not have been allowed privileged access! But that will have to be the topic of another article. Perhaps something along the lines of "data classification, access controls, the law and you"?

 

Copyright © 2008 - Kevin M Nixon - All Rights Reserved.  
This article may be referenced, quoted, reprinted in whole or part provided that the author is credited.
