Sunday, February 11, 2007

Cyberattacks Up 50% By 2010, VeriSign Says

As long as cybercrime continues to grow as an industry, don't count on malicious attacks to abate on their own, the company's CEO says.

VeriSign's unveiling Thursday of Project Titan, which seeks to expand the capacity of its global Internet infrastructure by 10 times by 2010, will be both a blessing and a bane to Internet users, creating a wider freeway for access to revolutionary new multimedia content while at the same time creating a greater number of targets for malicious attackers.

Cyberattacks will increase by 50% between now and Project Titan's completion, VeriSign CEO and chairman Stratton Sclavos said Thursday during his RSA Conference keynote. As long as cybercrime continues to grow as an industry, don't count on malicious attacks to abate on their own. "Where the money goes, so do the threats," he added.

While it's easy, not to mention good business, for security vendors to predict gloom and doom for the IT industry, Sclavos' point was punctuated by Tuesday's massive denial-of-service attack against the 13 root name servers that sit at the top of the Internet's Domain Name System. This was a sophisticated attack consisting of "very, very large packets," Sclavos said. "Every request [made by those packets] was bogus, and every [packet] source was false."

Even worse, it was a sophisticated attack that "was very simple to deploy and scales phenomenally well," Sclavos said. "In fact, we're convinced that the perpetrators didn't even know how well it scales."

But the VeriSign CEO pointed the finger at himself and his colleagues in the security space, rather than dwelling on the attackers.

"Shame on all of us in this room who are security vendors," he said. "If we force our customers to choose between ease of use and better security, they will always choose simplicity. We have the security technology and have had it for years. Yet our consumers feel more vulnerable today than they've ever felt."

Still, it's not impossible for organizations to beat back the bad guys. Sclavos pointed to PayPal, one of the companies most targeted by attackers, as a company that has had some security success because it's taken the threats seriously.

"They are using (Extended Validation SSL Certificates) to be sure users don't make a phishing site for PayPal's site," he added.

Microsoft announced that it has enabled support for these certificates in Internet Explorer 7. When a user visits a site with a valid EV SSL Certificate, IE 7 alerts the user to the available identity information by turning the background of the address bar green and displaying identity information. Twelve certificate authorities, including VeriSign, Cybertrust, and Entrust, issue EV SSL Certificates.

Certificate authorities won't issue EV SSL Certificates without first making the organization go through a stringent sign-up process, says Michael Barrett, PayPal's chief information security officer. In addition, PayPal next week will begin offering certain clients, businesses, and possibly those who've been the victim of past fraud, passcode-generating tokens for securely logging on to their PayPal accounts.

Barrett admits there's no easy way to keep bogus e-mailers (known as phishers) and other bad elements at bay, but that's no excuse for not trying, even if it means forcing cybercriminals to change their tactics. "There's no silver bullet," he says. "It's how much lead can you get in the air from a shotgun."

NSA Employee Steered Cyberdefense Funds To Self

"Schepens ... had access to the account into which the taxpayer funds were deposited."

Dynamic Security could have prevented this.

A Maryland man admits to awarding more than $750,000 in federal funds to a business he and his wife ran from their home.

By K.C. Jones

A former National Security Agency employee pleaded guilty this week to steering federal money for cybercrime defense to a company co-owned by his wife.

Wayne Schepens of Maryland admitted to awarding more than $750,000 in federal funds to a business he and his wife ran from their home. The firm participated in Cyber Defense Exercises at Navy, Marine, and Army schools, including the U.S. Military Academy at West Point.

All branches of the U.S. military engage in cyberdefense activities and training.

It's illegal for government employees to spend taxpayer money on government contracts that benefit them financially. Schepens created the cyberdefense exercises and competitions, awarded the money to support them, and had access to the account into which the taxpayer funds were deposited. In April, he will face sentencing, which could include five years imprisonment, up to $250,000 in fines, and probation.

The former NSA employee's wife, Jennifer Schepens, answered the phone at the business, CDXperts Inc., and said only that she would like to comment on the plea but could not at this time.


T.J. Maxx Security Breach

The Massachusetts attorney general is leading a probe into the security measures parent company TJX took to protect its consumer-related information from data leaks and hacker attacks.

By Sharon Gaudin

The Massachusetts attorney general is heading up a multistate civil investigation into the recently disclosed security breach at TJX.

The Consumer Protection Division of the Attorney General's Office is investigating the breach, which was revealed last month by the Framingham-based company. The state is looking specifically at what security measures the company took to protect consumer information.

"TJX has been very cooperative with the Attorney General's Office, and we are interested in continuing to work closely with the company so that we can protect Massachusetts consumers and the marketplace from credit card and other fraud," Attorney General Martha Coakley said in a written statement.

TJX, whose properties include 826 T.J. Maxx, 751 Marshalls, and 271 HomeGoods stores, was victim to a hacker who accessed the company's computer systems that process and store information related to customer transactions at its stores in the United States and Puerto Rico, as well as for some stores in Canada, and potentially stores in the U.K. and Ireland.

The stolen information may include credit and debit card sales transaction data from 2003 as well as data from mid-May through Dec. 2, 2006.

Since taking office last month, Coakley has said that addressing identity theft and credit card fraud will be one of her administration's top priorities.

"The recent TJX data breach demonstrates that Massachusetts citizens do not have all the necessary tools to protect themselves against identity theft or credit card fraud," Coakley said in her statement. "There are several proposals pending, including those that would require notification of consumers when their data was stolen or released, or that would give consumers the right to place a security freeze on their credit reports, which we are interested in reviewing. I look forward to working with the Legislature to determine the best ways to help consumers protect themselves and their credit."

Tips To Protect Yourself

The Massachusetts AG's office is recommending people who have shopped at any of the TJX stores should take these precautionary steps:

· Call one of the three major credit bureaus and place a one-call fraud alert on your credit report. Call either Equifax at 800-525-6285, Experian at 888-397-3742, or TransUnion at 800-680-7289.

· Order a copy of your credit report, and look for unauthorized activity.

· If there is unexplained activity on your credit report, place an extended fraud alert on your credit report.

· You may want to contact the fraud department of the credit card company or bank that you used when you made purchases at the TJX stores. These financial institutions can monitor your account for suspicious activity.

TJX has established a toll-free customer help line. Callers from the United States can call 866-484-6978. In addition, the company has posted information on its Web site under Important Customer Alert.


Johns Hopkins Loses Data On 130,000 Patients, Employees

Dynamic security integrated with RFID tracking could have prevented this loss.

An outside contractor lost nine backup tapes that held sensitive personal information on 52,000 employees and 83,000 patients. The data is thought to have been destroyed.

Johns Hopkins disclosed this week that it has lost the personal data on roughly 52,000 employees and 83,000 patients.

The Maryland-based organization, which comprises Johns Hopkins University and Johns Hopkins Hospital, has reported that nine backup computer tapes were not returned from a contractor, which routinely takes them and makes microfiche backups of them. Eight of the tapes, according to a notice on Johns Hopkins Web site, contain "sensitive" personal information on employees, and a ninth tape contains "less sensitive" personal information on the hospital's patients.

All nine tapes had been sent to the contractor's Baltimore-area facility on Dec. 21, according to the organization's release. Both the contractor and Johns Hopkins investigated the incident and reportedly determined that the tapes never reached the facility. "It also concluded that it is highly likely that the tapes were mistakenly left by a courier company hired by the contractor at another stop. They were thought to be trash, collected and later incinerated," reads the statement on the Web Site.

Johns Hopkins says it has no evidence that the tapes were stolen or that the information on them has been misused. The statement also calls the risk of identity theft "very, very low."

"Our best information is that the tapes have been destroyed," said William R. Brody, president of Johns Hopkins University, in a written statement. "Nevertheless, we are concerned that there was ever even a possibility that the information on them was out of authorized hands. On behalf of Johns Hopkins, I apologize to all affected employees and patients. We will review our processes and procedures and make any appropriate changes in an effort to ensure that this does not happen again."

University payroll information, including Social Security numbers, and, in some cases, bank account information for present and former employees was on the lost tapes, according to Johns Hopkins. That includes retirees and students who held campus jobs. Employees with information on the lost tapes worked in every university unit, except the Applied Physics Laboratory.

The tape with hospital information held personal information on all new Johns Hopkins Hospital patients first seen between July 4 and Dec. 18, 2006. However, it also has data on any patients who had changed their demographic information in that same time period. The patient information included names and dates of birth. It did not include addresses, Social Security numbers, or financial or medical information, according to Johns Hopkins.

Letters are being sent to all affected Johns Hopkins University employees, current and former, and to all affected Johns Hopkins Hospital patients with available addresses.

Patients may obtain more information at this Web site, and employees may get information at this site.


Hacker Defaces Nuclear Site With Exploding Bomb Photos

Dynamic Security could have stopped this hacker!

The security breach hit the Canadian Nuclear Safety Commission Wednesday afternoon. No critical information was reportedly affected.

Hackers penetrated the Web site for the Canadian Nuclear Safety Commission this week, replacing text and graphics with photos of a nuclear explosion.

The organization, which acts as a nuclear safety watchdog in Canada, reports that there was a security breach on Wednesday, Feb. 7 during the afternoon. Aurele Gervais, a spokesman for the commission, says they had the Web site down within five minutes of being alerted to the attack. He adds they are not sure when the hacker broke into the site or how long he or she was there.

Gervais would only say that the news release section of the site was replaced with graphic images, but would not describe them. It was widely reported in the Canadian press that the images were of a nuclear explosion. The Ottawa Citizen newspaper published a color photo of one of the pages that had been tampered with, but the photo is not shown online.

The Web site is not linked to the commission's internal computer network so no critical information was in danger of being tampered with or stolen, according to Gervais, who adds that this is the first time their Web site has been hacked into.

The Web site is back online. Gervais says the Royal Canadian Mounted Police are investigating.


A Walk Through Cybercrime's Underworld

"...any price paid for proper security policy and execution on that policy is worth it." How much is Dynamic Security Policy enforcement worth to you?

By Larry Greenemeier,
05:55 PM ET, Feb 2, 2007

What's a piece of data worth? It's not too hard to find out. Just go to one of the dozens of online marketplaces where stolen credit card numbers, PINs, and Social Security numbers can be purchased--individually or in bundles--starting at just a few dollars. A few dollars is all that's needed to ruin someone's credit rating, drive up their debt, and make them question whether to trust you with their information next time.

Anyone in management at TJX Companies would tell you that any price paid for proper security policy and execution on that policy is worth it, as that company faces the consequences of Payment Card Industry Data Security Standard violations and class-action lawsuits from banks and consumers. In just a few months, a number of fraudulent transactions have resulted from an intrusion into TJX's IT systems. InformationWeek will soon publish a story that delves deeply into the seedy underground of the cybercrime economy, describing how stealing information begets identity theft and fraud.

Here's just a little of what we've learned so far.

How stolen bits and bytes of data can be monetized by cybercriminals is an interesting process. It starts with data theft, which can take the form of an intrusion into a company's systems through a network hack, a phishing scam where victims are duped into actually volunteering their personal information, an inside job where a disgruntled employee steals an employer's records, or a smash and grab, where a corporate laptop is stolen from an employee or contractor's car.

From there, the data can be advertised on online marketplaces that let thieves sell stolen data to fraudsters. It's always a good idea to be on the lookout for a bargain, so the fraudsters try to buy their information in bundles. According to security vendor Trend Micro, a credit card number with PIN can fetch about $500 on the open market, while billing data, including account number, address, Social Security number, home address, and birth date, goes for between $80 and $300. Not surprisingly, credit cards with a low balance and high spending limit (such as a platinum or gold card) are the most valuable types of cards.

Thieves and fraudsters do business much the same way you and I would use eBay to buy and sell a cocktail napkin signed by a celebrity. A price is negotiated, and then payment arrangements are made through a peer-to-peer payment system like PayPal or E-gold, which lets people exchange electronic currency backed by the value of gold bullion rather than a particular national currency.

Once the fraudsters take possession of the stolen data, they can use it to make online purchases or even sign up for more credit cards, assuming they've purchased all of the different types of information required to fill out a purchase order or card application. The more industrious fraudsters will program the data into counterfeit credit and debit cards, sometimes using discarded gift cards from the holidays. They can then take these cards to stores and attempt to make purchases by signing a bogus name, as long as the cashier doesn't check the signature (and how many do?).

In the early 1990s, the same person took on multiple roles, which included stealing the information and using the stolen information to commit fraud, Uriel Maimon, an RSA Consumer Solutions researcher, told me the other day. Today, one person writes the malware used to steal information, while another person plants and collects the stolen information, and a third person uses that stolen information to steal money. Another new trend is the tendency for attackers to target high-worth accounts rather than stealing smaller amounts of money from a larger number of accounts, Maimon added.

There's plenty more insight into the cybercriminal economy to come, so keep a lookout for our upcoming story in the pages of InformationWeek and on


Down To Business: The End Of Security As We Know It?

"Integrated security" is an illusion - you need many different solutions, and a system that ties them together.

The big, acquisitive infrastructure vendors insist that security inevitably will be built into their architectures, but critics rightly warn of the pitfalls of a fully integrated approach.

Since the dawn of time, IT customers and vendors alike have debated "best of breed" vs. "integrated solution." Preaching lower total costs, simpler management, and ease of use, the biggest software vendors have pushed ahead with their integrated "platforms," sometimes to the chagrin of the competition authorities.

Windows is now crammed with Web browsing, media playing, and other adjunct features. Enterprise application suites pack supply chain and CRM modules. Databases are integrated with analytics tools, and management systems are taking on software distribution, compliance, and other capabilities. Best-of-breed software vendors still compete at the edges, but the platform purveyors are taking charge.

Security is a different beast, however. Although the industry is consolidating, it's still populated by hundreds of small to midsize companies that sell intrusion detection, event management, vulnerability assessment, authentication, identity management, network forensic, anti-spam, antivirus, access control, and other point products. The acquisitive infrastructure vendors now insist that security, too, inevitably will be built into their architectures, but critics warn of the pitfalls of a fully integrated approach.

Art Coviello, president of RSA Security, acquired by EMC last year, told the audience at his RSA Conference in San Francisco last week that security must be built "more and more" into infrastructure to assure active, manageable defenses. He predicted the demise of the standalone security industry within three years. "If I'm proven wrong about the timing," Coviello said, "I won't be proven wrong in the need for this."

Not so fast, said John Thompson, CEO of Symantec, the largest of the "independent" security vendors. Security products and services must continue to be offered by specialist companies, he said in a separate conference address. "Who would entrust one company to do this?" Thompson said. "You wouldn't want the company that creates your company's operating system to be the one to secure that operating system. It's a conflict of interest."

Not that Microsoft or its infrastructure brethren Cisco, EMC, and IBM are conflicted about building the best security they can into their software, networking, storage, and management platforms. But what about interoperability with other products? Independent security vendors will remain critical as long as every last customer isn't a card-carrying Microsoft, Cisco, EMC, IBM, or some other shop. Before his Internet Security Systems was acquired by IBM last year, CEO Tom Noonan argued that big infrastructure vendors such as Microsoft and Cisco have no incentive to work with competitors on security. Doesn't that reasoning also extend to IBM Tivoli, which is now building ISS security into its management infrastructure?

But customers also can't manage 32 separate security vendors and their products--a number cited by Noonan last week as the average these days for a large enterprise. IT security spending continues to grow at three times the rate of other tech investments, he said, "a pretty unsustainable business problem."

Customers are conflicted. When asked to rate their most important criteria in selecting a security vendor, the 966 U.S. respondents to last year's InformationWeek Global Security Survey picked "integration considerations" fifth, behind the technical strength of the product, total cost of ownership, vendor service and support, and pricing. More than half of those companies said the most compelling reason to build their security around a single vendor would be to reduce the complexity of managing the technology, not so much to improve their security. However, in Europe, China, and India, where a total of 1,227 companies were surveyed, superior protection was cited as the most compelling reason to go with an integrated solution.

Built-in security may prevail by the sheer force of the biggest vendors' will, but the independents will remain a force for the foreseeable future.


How Does The Hacker Economy Work?

Just because you are paranoid, doesn't mean everyone is not out to get you. A whole industry is out to get you in fact.

It's a murky world of chat rooms, malware factories, and sophisticated phishing schemes. Here's a look inside.

By Larry Greenemeier, J. Nicholas Hoover, InformationWeek
Feb. 10, 2007

When retailer TJX disclosed Jan. 17 that the computer systems that store data related to credit card, debit card, check, and merchandise return transactions had been broken into, it said it had discovered the hack in December. But security officials at Visa had been seeing an increase in fraudulent activity on credit and debit cards related to TJX properties, such as T.J. Maxx, Marshalls, and HomeGoods stores, since mid-November. That means it's possible the purloined consumer data has been floating around the Internet, available for purchase on black market Web sites and chat rooms, for at least two months, maybe longer.

Hacking isn't a kid's game anymore. It's big business. Online black markets are flush with stolen credit card data, driver's license numbers, and malware, the programs that let hackers exploit the security weaknesses of commercial software. Cybercriminals have become an organized bunch; they use peer-to-peer payment systems just like they're buying and selling on eBay, and they're not afraid to work together.

While the independent hacker still exists (pardon us, but in this story, we'll refer to "hacker" in the layman's sense), the FBI sees true organized crime in parts of the hacking community, particularly in Eastern Europe, says special agent Chris Stangl, who works in the bureau's cybercrime division, the agency's third largest behind counter-terrorism and intelligence. "You'll have hackers cracking the machines, individuals collecting the data, and individuals selling for profit," Stangl says.

Getting a clear picture of the hacker economy isn't easy. It's a murky underground about which few people are willing to talk on the record. But the general outlines can be gleaned from inside and outside sources.

It's not a crime to point out vulnerabilities on the Net, making malware hard to prosecute, says eEye's Maiffret.

Direct Approach
Some hackers take the direct approach. Ransom scams--in which a criminal infects a company's systems with malware that encrypts data and then demands money to provide the decryption key--are common in Russia. Uriel Maimon, a researcher with the consumer division of RSA, a security vendor now owned by EMC, says he's seen a half-dozen of these scams over the past five months.

But in the scheme of things, those kinds of scams aren't all that common because they're risky--they require "a direct financial connection between the victim and the author or proprietor of the malware," says David Dagon, a researcher with the Georgia Tech Information Security Center. More omnipresent is the thriving black market in data. Online sites abound where credit and debit card numbers, cardholder names, and the card verification value, a three- or four-digit code that's used to verify a card's authenticity, can be bought and sold. Jeff Moss, who goes by the handle "The Dark Tangent" and is the founder of Black Hat, a security research and training firm (owned by InformationWeek parent CMP), says he knows of one European cyberattacker who makes nearly a half-million dollars annually buying and selling databases and customer lists.

The Black Market

Goods catalogued for sale on underground markets:

· Trojan program to steal online account information

· Credit card number with PIN

· Billing data, including account number, address, Social Security number, home address, and birth date

· Driver's license

· Birth certificate

· Social Security card

· Credit card number with security code and expiration date

· PayPal account logon and password

Data: Trend Micro

Credit card information is mostly sold in bulk. "You don't just buy one Amex card with no limit; you typically buy a set because any one could be canceled or entered into fraud claims," Dagon says. Though some sites have list prices, basic card information can go for as low as $1 a card, and prices often depend on the quality of the data, says Johannes Ullrich, CTO of the SANS Internet Storm Center.

Credit card thieves, who call themselves "carders," often ply their wares through IRC chat rooms, private and public forums with names like CardersMarket and, and even conventional-looking e-commerce sites. The experienced hackers and carders stick to private, encrypted, password-protected IRCs, Ullrich says.

One forum,, has more than 100,000 posts from 13,000 registered members, most of whom write in Russian. The site's English section includes offers for Bank of America, Fidelity Bank, and PayPal logons; credit card information from around the world; valid gift cards; and services for the safe transfer of large amounts of money. Most sellers and buyers on the forum request that purchases or offers be taken to private messages on the bulletin board system or to ICQ instant messaging.

A site called Dumps International appears to provide credit cards and equipment for reading and encoding credit cards, as well as Social Security numbers, dates of birth, mothers' maiden names, PINs, and batches of credit card "dumps" that contain card numbers, cardholder names, and expiration dates. The cost for U.S. credit card numbers on the site ranges from $40 for a standard credit card up to $120 for a "signature" card, one step above platinum and corporate cards. There are even specials--buy 100 cards in a mixed batch and the price drops to $30 a card.

The average life expectancy for such sites is about six months before they're rerouted through a new proxy server to throw off law enforcement., which functioned until last summer, even offered a list of "rippers," those who'd used the marketplace but were unreliable, and "verified vendors," those who had proved that they could deliver on their promised goods.

Cybercriminals close their deals using peer-to-peer payment systems like PayPal and e-gold, which lets people exchange electronic currency backed by the value of gold bullion rather than a particular national currency. Some use Western Union wire transfers to make payment. E-gold says it "in no manner condones" the use of its service for criminal acts, and PayPal chief information security officer Michael Barrett says the company regularly works with law enforcement when it identifies usage patterns that indicate criminal activity.

Moving money around can be dangerous for hackers, since transactions over $10,000 must be reported by banks and wire transactions can be easy to track. Georgia Tech's Dagon says large transactions can be split up, with some in the hacker gang taking payment in plasma TVs, large numbers of compromised iTunes accounts, World of Warcraft credentials, and even access to compromised routers.
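Splitting a large payment into pieces that each stay under a reporting threshold is exactly the pattern a payment provider's fraud team looks for. The following is an added example, not code from InformationWeek or any company named above, of a windowed structuring detector run over a constructed ledger. The $10,000 figure is the threshold cited in the paragraph; the seven-day window and the sample transactions are assumptions made for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

REPORT_THRESHOLD = 10_000          # reporting threshold cited in the article (dollars)
WINDOW = timedelta(days=7)         # assumed aggregation window for this example

# Constructed sample ledger: (timestamp, payer account, payee account, amount).
# acct-X receives four sub-threshold payments in a week that add up past
# the threshold; acct-Y gets one payment just under it; acct-Z gets one
# payment over it, which the bank would report on its own.
SAMPLE_LEDGER = [
    ("2007-01-03 09:12", "acct-A", "acct-X", 4_800),
    ("2007-01-03 15:40", "acct-A", "acct-X", 4_900),
    ("2007-01-05 11:05", "acct-B", "acct-X", 3_200),
    ("2007-01-06 08:30", "acct-A", "acct-X", 2_500),
    ("2007-01-20 10:00", "acct-C", "acct-Y", 9_950),
    ("2007-02-10 12:00", "acct-A", "acct-Z", 12_500),
]


def find_structuring(rows, threshold=REPORT_THRESHOLD, window=WINDOW):
    """Return {payee: (total, [payers])} for payees that receive two or more
    payments, each below `threshold`, whose sum within any `window` reaches
    it. Payments at or above the threshold are excluded: they are reported
    individually anyway, so they are not evidence of structuring."""
    by_payee = defaultdict(list)
    for ts, payer, payee, amount in rows:
        if amount < threshold:
            when = datetime.strptime(ts, "%Y-%m-%d %H:%M")
            by_payee[payee].append((when, payer, amount))

    flagged = {}
    for payee, txns in by_payee.items():
        txns.sort()                      # sliding window needs time order
        start = 0
        for end in range(len(txns)):
            # Shrink the window from the left until it spans <= `window`.
            while txns[end][0] - txns[start][0] > window:
                start += 1
            group = txns[start:end + 1]
            total = sum(amount for _, _, amount in group)
            if len(group) > 1 and total >= threshold:
                payers = sorted({payer for _, payer, _ in group})
                # Keep the largest qualifying window seen for this payee.
                if payee not in flagged or total > flagged[payee][0]:
                    flagged[payee] = (total, payers)
    return flagged


if __name__ == "__main__":
    for payee, (total, payers) in find_structuring(SAMPLE_LEDGER).items():
        print(f"{payee}: ${total:,} across payers {payers}")
```

Grouping by payee rather than payer matters here: the article describes one recipient being paid by several members of a gang, so a per-payer view would see only sub-threshold activity. In a real deployment the same logic would also key on shared devices or e-mail addresses, which is how the linked accounts are usually tied back together.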

Malware For Sale
Another valuable commodity in the hacker economy is malware such as viruses, worms, and Trojan horse programs. These so-called exploits provide hackers entrée into corporate systems.

A recent report by Internet Security Systems (acquired last year by IBM) warns of the emergence of an "exploits-as-a-service" industry, with sophisticated manufacturing and distribution networks similar to the computer industry's legitimate production channels. "Managed exploit providers are purchasing exploit code from the underground, encrypting it so that it cannot be pirated, and selling it for top dollar to spam distributors," the report says.

As with any market economy, the most valuable commodities command the highest prices. In December, a flaw in Microsoft's new Windows Vista operating system was found for sale on a Romanian Web forum for $50,000, says Raimund Genes, CTO of security vendor Trend Micro, who contends that the malware industry commands more revenue than the $26 billion that legit security vendors generated in 2005.

Serious money like that has attracted an equally serious criminal element. Zero-day exploits--which take advantage of security vulnerabilities as soon as they're discovered, before vendors can patch their products--were selling late last year for as much as $20,000 to $30,000 each, Genes says.

However, despite the danger zero-day and other security vulnerabilities pose to companies and their customers, there's little law enforcement can do to prevent someone from writing a program that exploits one of these vulnerabilities. It's not a crime "to point out an unpatched vulnerability on the Internet," says Marc Maiffret, founder and chief hacking officer of eEye Digital Security.

Phishing Pays Off
Phishing scams are also a thriving underground business, often employing groups of people who bring different skills to the table, says a Web application security consultant who goes by the name RSnake. The "spammer" scours the Web for e-mail addresses that can be sold to "hackers," who look for security vulnerabilities to exploit, create phishing sites, and tell the spammers where to send the phishing e-mails on their behalf. Meantime, "carders" buy the information stolen by hackers to create the fraudulent credit and debit cards they use to steal money or sell to other criminals. Of course, the same cybercriminal can multitask, RSnake adds.

The Anti-Phishing Working Group, a cooperative of public and private organizations, says the tools used by phishing fraudsters are getting a lot more sophisticated. The group's report for December cites 340 new variants in the keyloggers and Trojan horses used by phishers that month alone--a record high. That increase is mostly because of "better use of software tools to automate the creation and testing of new variants," the report says.

Hackers hope businesses hold onto their data, Kaminsky says.

Chances are, those tools were spawned by tech-savvy Eastern Europeans known for creating automated phishing programs and spam engines, RSnake says. "The people I've spoken to in Eastern Europe are actually pretty young guys, in their 20s," he says. "Some have formal educations, but some don't. Some live in countries like Romania, where houses have more Internet throughput than some businesses in the U.S. They've grown up on the Internet for the past 10 years, and the laws in their countries are less stringent than in other places, like the U.S."

Sophisticated technology isn't the only tool of the phishing trade. It seems unbelievable, but Nigerian "419" scammers continue to fleece gullible e-mail users. These are the e-mails that usually begin, "I need your help," and describe a situation where a large amount of money needs to be rescued or transferred from one country to another. They're known as "advance fee" solicitations because they ask the victim to send money to help free up the funds, with the promise of a lucrative payoff. The 419 designation refers to the section on fraud in the Nigerian criminal code.

Last month, the former treasurer for Michigan's Alcona County was arrested and charged with embezzling $1.2 million in public funds, at least some of which he sent to a notorious Nigerian e-mail scammer. The Federal Trade Commission posts this warning on its Web site: "If you receive an offer via e-mail from someone claiming to need your help getting money out of Nigeria--or any other country, for that matter--forward it to the FTC at"

Pump And Dump
On Jan. 25, the Securities and Exchange Commission charged a 21-year-old Florida man with breaking into numerous online brokerage accounts, then liquidating their portfolios. Investigators say Aleksey Kamardin of Tampa, during a five-week span last summer, made more than $82,000 by using funds in multiple compromised accounts at Charles Schwab, E-Trade, JPMorgan Chase, TD Ameritrade, and other online brokers to buy shares in lightly traded companies. Those purchases gave the illusion of increased legitimate trading, which raised the stocks' price. Kamardin then sold the shares he had purchased earlier, and other legit investors saw the stock price fall sharply, investigators say.

It's a variation on the old "pump-and-dump" stock scam. In these scenarios, the thief will have invested in cheap, or penny, stocks using accounts based in the Cayman Islands or elsewhere offshore, where the accounts can be established anonymously. Once the thief buys or steals identity information, he can set up fraudulent accounts--or break into other people's accounts, as in the case of Kamardin--and buy large quantities of those penny stocks, driving up the price.

This presents a tricky situation for financial services firms. "They don't want to prohibit people from trading, so the creation of these fraudulent accounts becomes part of the financial services firms' risk of doing business," asserts Marc Gaffan, director of marketing for RSA's consumer solutions division. Also, it's difficult to scrutinize trade orders because they're time-sensitive, Gaffan says. Delays cost investors money and discourage them from doing business with a given company. E-Trade experienced this dilemma last year when a compromised computer opened the door for cyberattackers to run pump-and-dump scams on E-Trade clients, resulting in fraudulent activity that contributed to the $18 million in fraud losses the company reported for its third quarter.

What's To Be Done?
The Secret Service's New York Electronic Crimes Task Force made one of its biggest busts in 2002 when it charged former Prudential Insurance database administrator Donald McNeese with identity theft, credit card fraud, and money laundering. McNeese stole records from a Prudential database that contained information on about 60,000 employees. When he tried to sell the stolen info over the Web, Bill Moylan, a 25-year veteran of Long Island's Nassau County Police Department who was working undercover for the task force, spotted it and contacted him. McNeese sent Moylan about 20 of the employees' identities and encouraged him to use the stolen records to create fraudulent credit cards, with a portion of the proceeds to be sent to McNeese's home in Florida. McNeese was ultimately sentenced to three years' probation and ordered to pay $3,000 in restitution.

The Secret Service is the federal agency primarily responsible for investigating cybercrime, and it continues to make progress against the hacker economy. In 2004, agents arrested a group of hackers running a site called, and the following year six of those men pleaded guilty in federal court to trafficking in stolen credit and bank card numbers and identity information. Last March the Secret Service announced the arrests of seven suspects, for a total of 21 in three months, as part of Operation Rolling Stone, an investigation of identity theft and online fraud "through criminal Web forums."

Despite these successes, the hacker economy continues to flourish. At the RSA Security Conference in San Francisco last week, RSA president Art Coviello told the audience that the market for stolen identities has reached $1 billion, according to IDC research, and that malware has risen by a factor of 10 in the last five years, according to the Yankee Group.

"The fundamental issue is that we have a law enforcement model that's geographically based, but there's no geography on the Internet," says Dan Kaminsky, a security researcher with DoxPara Research. Says RSnake: "They can't do wiretaps overseas or raid someone's house in Romania without local cooperation. There just isn't enough talent in our federal agencies to keep on top of this efficiently."

As a result, law enforcement has come to rely heavily on cooperation from the private sector, such as financial institutions, Internet service providers, and telcos. Also, there are about a dozen electronic crime task forces operating in local law enforcement agencies around the country, many of which have access to FBI InfraGard, an information sharing system between the FBI and the private sector. InfraGard began in the FBI's Cleveland field office in 1996 as a local effort to gain support from IT pros and academia for the FBI's cyber-related investigations.

Vendors must take some responsibility for opening the door to the mercenary market for malicious code and stolen data by shipping software with security flaws. IBM's ISS reported that last year a total of 7,247 software security vulnerabilities were reported, up nearly 40% from 2005, with Microsoft, Oracle, and Apple the biggest offenders.

Businesses and end users must shoulder some of the responsibility as well for lax security measures and for simply storing too much data. In the case of TJX, it turned out the retailer was storing credit-card data contrary to Visa's rules. "It just feels wrong to people to throw away data," says DoxPara's Kaminsky.

Companies need to give careful thought to the data they're managing and realistically assess their ability to protect it. If they don't, they just might see it show up on a black market site.
