viaForensics » Hackers steal $6.7 million in bank cyber heist

Hackers steal $6.7 million in bank cyber heist

lhaas — Thu, 19 Jan 2012 15:00:45 +0000

We’ve been preaching for years that organizations needs to take a more proactive approach to their security. Services, such as our liveForensics, add additional layers of security to protect against such breaches.

Unfortunately, the Postbank’s fraud detection system hasn’t performed as it should, and the crime was discovered only after everyone returned to work after the holiday break. Apparently, it should not come as a surprise – according to a banking security expert, “the Postbank network and security systems are shocking and in desperate need of an overhaul.”

The post office and the police have confirmed that the breach happened and that the National Intelligence Agency (NIA) is involved in the investigation. The bank has issued a statement saying that none of its customers’ bank accounts were affected by the heist.

The investigation will hopefully reveal whether the backdoor into the compromised computer was installed by the employee unwittingly or whether the employee was recruited by the gang to allow them access.

via Hackers steal $6.7 million in bank cyber heist.

FBI takes out $14M DNS malware operation

lhaas — Mon, 14 Nov 2011 15:11:46 +0000

Closing out a two-year investigation, U.S. law enforcement has reportedly shut down a huge Internet fraud scheme centered in Estonia that it says “injected malware in more than four million computers in over 100 countries while generating $14 million in illegitimate income.” Infected computers include over 500,000 U.S. computers, including some belonging to NASA.

The damage done goes beyond just collecting illegitimate income:

The FBI went on to note the harm inflicted by the defendants was not merely a matter of reaping illegitimate income. The defendants also inflicted the following:

Unwitting customers of the defendants’ sham publisher networks were paying for Internet traffic from computer users who had not intended to view or click their ads.

Users involuntarily routed to Internet ads may well have harbored discontent with those businesses, even though the businesses were blameless.

And then there is the harm to the users of the hijacked computers. The DNSChanger malware was a virus more akin to an antibiotic-resistant bacterium. It had a built-in defense that blocked anti-virus software updates. And it left infected computers vulnerable to other malware.

via Layer 8: FBI takes out $14M DNS malware operation.

The state of hacked accounts

lhaas — Tue, 11 Oct 2011 14:36:39 +0000

A recent study shows that mobile users are getting hacked at high rates. And as many as 62% aren’t even aware that they are even at risk.

The results of a survey presenting statistics on the theft, abuse and eventual recovery of Gmail, Yahoo, Hotmail and Facebook accounts, shows that:

Less than one-third of users noticed their accounts had been compromised, with over 50% relying on friends to point out their stolen accounts.

15% of users thought their credentials were stolen after they used a public Internet terminal or WiFi network.

One in eight hijacked accounts were used for a phony distress email scam that asks friends to wire funds to a foreign country, and over half of the accounts were used to send spam.

via The state of hacked accounts.

Senate Judiciary Committee Passes Three Data Security Bills

lhaas — Mon, 26 Sep 2011 14:24:09 +0000

Three new bills strengthening data breach security notification regulations bring us a step closer to Federal standards. The bills (1) require businesses to develop data privacy and security plans; (2) set a federal standard for notifying individuals of breaches of sensitive personally identifiable information; and (3) focus the Computer Fraud and Abuse Act statute more narrowly on hackers and identity thieves.

All three bills would replace existing state data breach notification laws – currently in effect in nearly all states – with a uniform federal rule requiring most businesses and government agencies to notify individuals of a breach of SPII that is “reasonably believed to have been accessed or acquired.” The Leahy and Feinstein bills would relieve businesses and agencies from breach notification if they conduct a risk assessment and conclude there is no significant risk of identity theft, economic loss or physical harm to individuals by the breach; the Blumenthalbill has the same formulation but refers simply to harm generally. Under all three bills, if businesses and agencies conclude there is no significant risk of harm arising from the breach, they must share the results of the risk assessment with the Federal Trade Commission (FTC). As we stated previously, CDT believes the “notification as default” or “notify unless there is no harm” contained in these bills is superior to a “notify only if there is harm” model of breach notification. CDT also believes requiring businesses to share risk assessments concluding there is no significant risk of harm with the FTC is a critical safeguard against companies conducting slipshod risk assessments.

via Senate Judiciary Committee Passes Three Data Security Bills

Recent security breach points to problems with 3rd party vendors

lhaas — Mon, 12 Sep 2011 17:24:32 +0000

A medical privacy breach led to the public posting on a commercial Web site of data for 20,000 emergency room patients at Stanford Hospital in Palo Alto, Calif., including names and diagnosis codes, the hospital has confirmed. The information stayed online for nearly a year.

via Patient Data Posted Online in Major Breach of Privacy

What is most notable about the most recent high profile security breach is that it was caused by a 3rd party vendor. While companies may be doing much to secure their data within their own organizations, there is very little being done to protect this data when in use or in possession of an outside vendor. viaForensics has developed tools to deal with this problem. Read our case study describing how liveForensics kept a financial organization’s data secure while working with a 3rd party vendor.

VASCO responds to fraudulently issued certificate incident

lhaas — Thu, 01 Sep 2011 17:38:09 +0000

On July 19th 2011, DigiNotar detected an intrusion into its Certificate Authority (CA) infrastructure, which resulted in the fraudulent issuance of public key certificate requests for a number of domains, including Google.com.

Once it detected the intrusion, DigiNotar has acted in accordance with all relevant rules and procedures.
At that time, an external security audit concluded that all fraudulently issued certificates were revoked. Recently, it was discovered that at least one fraudulent certificate had not been revoked at the time. After being notified by Dutch government organization Govcert, DigiNotar took immediate action and revoked the fraudulent certificate.

via DigiNotar reports security incident

You’re only as secure as your business partners

lhaas — Tue, 30 Aug 2011 17:48:57 +0000

Roger A. Grimes warns: you’re only as strong as your weakest link. Have your partners and vendors undergone a security audit? Have you?

The successful hack attacks on RSA and Sony have served as wake-up calls to the world’s CEOs. Both attacks, aptly dubbed “reputational events,” have resulted in hundreds of millions — potentially billions — of dollars in lost revenue. Restoring a company’s good reputation after these types of incidents is not easy; sometimes it’s impossible.

Almost every company could be owned just as RSA and Sony were, even firms that embrace the security best practices I’ve advocated for the past 20 years, including better end-user education,faster and more inclusive patching, stronger authentication, improved monitoring, and quicker response to incidents. Of course, my regular readers have been taken all these important measures for a long time — but how about your partners? If they haven’t, they might well be putting your organization at risk.

via You’re only as secure as your business partners

Charlie Miller On Hacked Batteries, Cloud Security, And The iPad

lhaas — Thu, 04 Aug 2011 14:41:23 +0000

Charlie Miller of Accuvant Labs responds to a question on the Defenders Dilemma:

I have to say, things are a bit bleak when you put it that way. There will always be vulnerabilities and there will always be criminals, so it’s hard to figure the way out. Especially as end users there is almost nothing you can do; you have to rely on the security of the software you run and have little control over how secure it is. As a society, we cannot eliminate computer attacks. However, what we can do (and this is the approach the industry is sort of taking) is make it so hard and expensive to pull off attacks that it becomes economically infeasible for most attackers. And even for those with the expertise to still pull off the attack, it minimizes the number of attacks they can perform. The way we make it more difficult is to reduce the number of vulnerabilities and ensure users’ software is up to date and “secure by default”. Also, make the OS resilient to attack with things like stack canaries, ASLR, DEP, and sandbox applications so that multiple exploits are needed. We also need to better control the software loaded on our devices (i.e. Apple’s App Store model). So, instead of having to write a single exploit, it takes three or four in order to perform an attack. This means most attackers won’t be able to pull it off, and those who can will have to spend much more time working it out.

via Charlie Miller On Hacked Batteries, Cloud Security, And The iPad

EU considers stricter data breach notification rules

lhaas — Mon, 25 Jul 2011 13:04:59 +0000

The European Commission is examining whether additional rules are needed on personal data breach notification in the European Union.

Telecoms operators and Internet service providers hold a huge amount of data about their customers, including names, addresses and bank account details. The current ePrivacy Directive requires them to keep this data secure and notify individuals if such sensitive information is lost or stolen. Data breaches must also be reported to the relevant national authority.

However Digital Agenda Commissioner Neelie Kroes announced on Thursday that she was opening a public consultation to see if more regulation was needed.

via EU considers stricter data breach notification rules

Internet Bill Could Help Hackers, Experts Warn

lhaas — Fri, 22 Jul 2011 13:30:19 +0000

Legislation cracking down on rogue websites could inadvertently help hackers who have struck major corporate and government targets in recent weeks, a group of computer science experts said on Thursday.

“America is getting hacked,” security consultant Dan Kaminsky said at a Center for Democracy and Technology briefing. “On a deep architectural level, we have to fix this or our economy cannot work.”

Senate Judiciary Chairman Patrick Leahy, D-Vt., introduced the PROTECT IP Act to crack down on websites that sell copyrighted and counterfeited materials, and it passed out of committee in May.

But Kaminsky and other Internet architecture experts object to a section that requires Internet service providers to use a controversial method known as domain name system filtering to direct traffic away from websites selling copyrighted or counterfeit materials.

… Kaminski, Steve Crocker of the security consultancy Shinkuro, David Dagon of the Georgia Institute of Technology, Danny McPherson of security firm Verisign, and Paul Vixie of the Internet Systems Consortium wrote a white paper in May predicting that businesses relying on secure connections will quickly feel the repercussions of the proposal when hacking increases.

via Internet Bill Could Help Hackers, Experts Warn