Wednesday, March 28, 2007

The coming IDentiWall era will protect us from phishers and ID thieves

Web attacks get personal

Matt Hines


March 27, 2007 (InfoWorld) Malware purveyors are increasingly tailoring their virus distribution and attack techniques to take advantage of different classes of end-users, according to researchers with the Internet Security Systems' X-Force team at IBM.

Top experts with the Atlanta-based research operation said that malware writers, phishing scheme operators, and botnet herders are more frequently employing so-called personalization tools to make their attacks more effective.

Much like the online marketing companies that gather bits of information to target advertising at individual Web users, cyber-criminals are building malware-hosting sites and exploit code that scan readily available details about users' computing habits and traits to find the most suitable recipients for their work.

The approach uses whatever information is found to select the right attack to deliver, based on factors such as the particular Web browser or operating system that the targeted individual is using.

By combining the more intelligent threat delivery approach with hard-to-detect Trojan, botnet, and cross-site scripting attacks, cutting-edge criminals are finding plenty of ways to take advantage of end users, said Gunter Ollman, director of security strategy for IBM ISS.

"With every Web page request, people send out a header that describes their browser and also tells you what language the request is being made in and sometimes even the cache level of the host it is running on; there's a lot of information in there, including the IP address of the person making the request," Ollman said.

According to X-Force's 2006 annual report on security trends, 30 percent of malicious Web sites were already using personalization techniques by the end of last year. The company said it is expecting that number to grow rapidly in 2007.

"By combining the IP address and all the host details in the browser, we're seeing that attackers build sites that ensure they only use exploits that will work against a specific host," the expert said.

In addition to determining which version of browser or OS software someone is using, many of the attacks can assess what level of security patch a particular program has in place, according to the researcher.

Cyber-criminals are also loading malicious Web pages with numerous exploits, so that a single URL can serve up dozens of pieces of code, each aimed at a different subset of users.

Many of the threats are hidden in individual elements of Web pages, including Flash files, PDFs and images, each of which may contain multiple attacks meant to take advantage of different vulnerabilities.

Ollman said that ISS has also observed these more advanced malware operations collecting IP address information from end users to ensure that they don't repeatedly send the same threats to the same computers. The smartest groups are also trading information about IP addresses known to be used by security researchers to keep their latest work from being discovered.

"If you browse that type of malware site, it will serve exploit code, but only try it once; they know that people might start to get suspicious if the same part of a site crashes twice or acts abnormally," said Ollman. "These attackers don't want people to get copies of their new code or to know what sites they have hosting the content; they know that sites get closed down or added to black lists very quickly these days if they're not careful."

Ollman said that most of the exploits do not deliver spyware directly, but instead pass along smaller files known as droppers, which are less likely to be identified by anti-virus systems. The droppers sit quietly, then call out across the Internet and pull in the real malware programs.

Many of the eventual spyware programs that are downloaded are themselves stealthy, the researcher said. The attacks frequently wait until a user opens a specific site or application before springing to life and beginning to intercept users' details, according to ISS's research.


IDentiWall case

ID theft threats have surged 200% since Jan. 1

Gregg Keizer


March 28, 2007 Identity theft threats jumped 200% in the first two months of 2007, a security company said today, noting that fraudsters have shifted to simpler, more effective tactics.

Cyveillance Inc. of Arlington, Va., compiled data from its Internet sweeps to report that the average daily count of URLs hosting malicious downloads climbed to 60,000 in February, 200% over the December 2006 figure. A single-day spike in midmonth came close to 140,000 such sites.

"The traditional phishing technique is being replaced by putting a URL in the e-mail," said Manoj Srivastava, Cyveillance's CTO. "The trend now is to use the browser as the attack vector."

Phishing attacks have shifted from the usual e-mails that try to con users into visiting reproductions of legitimate pages, then duping them into entering their personal information. Instead, thieves simply stick a link in an e-mail message and count on users' gullibility.

"It works," Todd Bransford, vice president of marketing for Cyveillance, said when asked what might be behind the rise. "It's proved to be a highly effective way of taking control of someone's PC."

Malicious sites typically exploit browser vulnerabilities to conduct "drive-by" downloads, installing bot Trojans that let a hacker control the machine or password-stealing keyloggers on compromised systems.

Srivastava speculated that another reason for the rapid rise in malicious sites is, ironically, the effectiveness of antiphishing software. "The phishing detection business has gotten good -- ours included -- and [so] it's far easier to detect conventional phishing techniques" than to gauge the potential for harm from a Web site.

The quick climb might also be a result of the increasing ease with which identity thefts are crafted. "[Phishing] kits have become common. It's so simple to launch attacks now that there's something of a geometric progression going on with the numbers," said Srivastava. "The economics and risks involved being what they are, more people are learning about identity theft and how to make money from it. This looks like an inflection point."

Cyveillance also uncovered hundreds of thousands of credit and debit card account numbers in its sweeps of IRC channels and server logs of botnet operators. In the first two months of the year, the company's monitoring technology found more than 320,000 credit and debit card numbers, more than 1.4 million potential Social Security numbers and approximately 1.3 million account log-on credentials.

"We're pretty solid on those numbers," said Srivastava. Although the Social Security numbers were not actually verified, he said, they match the nine-digit criteria and the algorithm used to construct the numerical strings.


You can hide your information, or you can also use IDentiWall.

Calif. official ends online access to public records with Social Security numbers

Jaikumar Vijayan


March 27, 2007 (Computerworld) Three years after it first made available certain documents containing Social Security numbers and other sensitive data on its Web site, the California secretary of state's office last week finally shut down online access to the records because of identity theft concerns.

In a statement, Secretary of State Debra Bowen said her office was also freezing bulk electronic sales of its Uniform Commercial Code (UCC) database until all but the last four digits of Social Security numbers were removed from documents. There are approximately 2 million UCC filings on record with the secretary of state's office; about a third contain Social Security numbers.

Bowen said her office is considering using redaction technology to block out the first five digits of the Social Security numbers from UCC documents. And it has posted a warning online urging UCC filers not to include the numbers in their documents. Bowen also announced support for legislation sponsored by state Assembly member Dave Jones (D-Sacramento) that would require no more than four digits from an individual's Social Security number on public records -- both at the state and county levels.

Officials in Bowen's office could not be reached for comment.

UCC documents are financial statements filed with the state by banks and other creditors when an individual takes out certain types of loans. The documents are considered public records and are available for purchase by the public. Over the past few years, several states have been posting images of such records on their Web sites without redacting any of the sensitive information -- much to the outrage of privacy advocates.

"This is yet another place where our laws haven't kept pace with advances in technology," Bowen said in the statement. "To make the agency more business-friendly, previous Secretaries of State have made these records available on the Internet. However, until we find a way to remove all but the last four digits of people's Social Security numbers from the records in the electronic database, I've decided to pull the plug on the system."

Bowen's decision came just weeks after her office was notified by Jones about the easy availability of Social Security numbers on its Web site, and the danger that poses for potential identity theft.

An aide to Jones today described how he purchased about 20 UCC records from the site at $6 per record and discovered that 14 of them contained Social Security numbers, full names, addresses and even images of signatures. "It was totally easy to get those records," said the aide, who asked his name not be used. All it involved was clicking through as a nonsubscriber, entering some basic contact information and credit card details and searching for records using common last names, he said. One record contained Social Security numbers for seven people.

"Californians like to fancy ourselves about being so good on privacy," the aide said. "But what we saw on the site was mind-boggling." Because state laws prohibit the posting of such information in public records at the county level, "it was surprising to see this happening at the state level."

But California is not the only state to post UCC documents on the Web, nor is it the first one to take the postings down, said B.J. Ostergren, a privacy advocate in Richmond, Va., who has been pressing state and county governments to remove such data from their Web sites.

Ostergren runs The Virginia Watchdog, which has for the past several years documented cases where county governments and secretary of state offices around the country have routinely posted sensitive data online. Many are moving to block online access to the information because of heightened privacy concerns, she said. Some, such as the Ohio secretary of state's office, did so only after being threatened with a class action lawsuit. Even then, that state has not been entirely successful in removing the sensitive information.

Among the states that have pulled down images of UCC documents with Social Security numbers are Oregon, Missouri, New Mexico, Vermont, New York and North Carolina, Ostergren said. But several other states continue to make UCC documents containing sensitive data either available for free or for purchase, she said. The list includes Florida, Georgia, Iowa, Maryland and Massachusetts, Ostergren said.
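The two checks mentioned in the articles above, Cyveillance's filter for strings that "match the nine-digit criteria and the algorithm used to construct" Social Security numbers and the California office's plan to block out all but the last four digits, can be combined in one scanner. The following is an added example, not code from Cyveillance or the secretary of state's office; the structural rules are the ones the Social Security Administration publishes (area never 000, 666 or 900-999; group never 00; serial never 0000), and the sample filing text and numbers in it are constructed.

```python
"""Added example: find SSN-like strings in text, keep only those that satisfy
the SSA's structural rules, and redact all but the last four digits."""
import re

# Candidate pattern: three-two-four digits, optionally separated by '-' or ' '.
SSN_CANDIDATE = re.compile(r"\b(\d{3})[- ]?(\d{2})[- ]?(\d{4})\b")


def is_structurally_valid_ssn(area: str, group: str, serial: str) -> bool:
    """Structural rules published by the Social Security Administration:
    the area number is never 000, 666 or 900-999; the group number is never
    00; the serial number is never 0000. This filters out many random
    nine-digit strings but does not prove a number was ever issued."""
    a, g, s = int(area), int(group), int(serial)
    if a == 0 or a == 666 or a >= 900:
        return False
    if g == 0 or s == 0:
        return False
    return True


def find_ssns(text: str) -> list:
    """Return the structurally valid SSN candidates found in text (unredacted)."""
    found = []
    for m in SSN_CANDIDATE.finditer(text):
        if is_structurally_valid_ssn(*m.groups()):
            found.append(m.group(0))
    return found


def redact_ssns(text: str) -> str:
    """Replace every structurally valid SSN with XXX-XX-<last four digits>."""
    def _mask(m):
        area, group, serial = m.groups()
        if not is_structurally_valid_ssn(area, group, serial):
            return m.group(0)  # leave other nine-digit runs (reference numbers) alone
        return "XXX-XX-" + serial
    return SSN_CANDIDATE.sub(_mask, text)


# Constructed sample of a UCC-style filing; every number below is invented.
SAMPLE_FILING = (
    "Debtor: J. Example, SSN 123-45-6789, co-debtor SSN 234 56 7890. "
    "Reference no. 000-12-3456 and invoice 666-00-1234 are not SSNs."
)

if __name__ == "__main__":
    print(find_ssns(SAMPLE_FILING))
    print(redact_ssns(SAMPLE_FILING))
```

The structural filter is what keeps reference numbers and other nine-digit strings out of the match count; it does not distinguish an issued number from an unissued one, which is the same caveat Srivastava gave.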


IDentiWall, IDentiWall, IDentiWall.......

UK e-crime chief: Cyber criminals are undeterred

Jeremy Kirk


March 27, 2007 (IDG News Service) Last year, the United Kingdom dissolved the National High-Tech Crime Unit (NHTCU), the agency responsible for investigating computer crime. The unit was folded into the Serious Organized Crime Agency (SOCA), a new organization that investigates fraud, drug trafficking and immigration-related crime. Critics charged that online crime would become a lower priority.

Nearly a year later, SOCA is "not achieving the kind of long-term impact on serious and organized crime ... that's needed," said William Hughes, SOCA's director general, at the International e-Crime Congress in London on Tuesday.

The agency has a 94 percent conviction rate and made 684 arrests from April 2006 through February, mostly for drug trafficking but also including some e-crime, Hughes said. However, online banking fraud in the U.K. continues unabated. Online banking fraud losses in the U.K. rose to $44.5 million in 2006, up from $30.8 million in 2005 and $16.2 million in 2004, according to the Association for Payment Clearing Services, a payments trade group.

Sharon Lemon, a 30-year police veteran who headed the NHTCU, is now in charge of the e-crime unit within SOCA. She spoke on the sidelines of the e-crime conference on how the new unit has been running since becoming part of SOCA last year. What follows is an edited transcript of the interview:

IDG News Service: Given the growth in online crime, how do you prioritize cases?

Sharon Lemon: It's such a big area that we've had to really regroup and consider what our priorities are. To enable that, we need to be informed, so we've got a comprehensive knowledge base. We're not just randomly chasing people who happen to attract our attention. We've got a quite significant assessments team who assess the crime on the Internet and assess the threat, look at the new approaches. As a result, we'll consider the best operation. So it's much more focused and thought through.

IDGNS: How significant is the amount of money lost as part of an incident?

Lemon: If you have a look at the combined effect of many, many low-level amount frauds, that's organized crime. By attacking some 300,000 people for a small amount, it's the same as one person losing £300,000. We look at emerging trends, what's happening on the criminal forums and then decide what's the best approach. It's not always traditional prosecution. We've got to look at different approaches. Traditional prosecutions always have a place, but they are very long and complex, and by the time we get to court, the cyber criminals have come up with something new. So we need to be as flexible and responsive as they are.

IDGNS: What types of online crimes has the unit focused its energy on?

Lemon: Most of our investigations have been around fraud, which I summarize as lying to get your money. A lot of traditional investigation techniques apply but just online. I think we get a bit intoxicated by the IT element of it. It's just normal crime. That's why we need our international partners, because with this type of crime it's not the person next door, it could be the person on the other end of the world.

IDGNS: Can you describe the backgrounds of investigators in the unit?

Lemon: We've got a really good mix. We've got traditional law enforcement and we have experienced technical people. We have people interested in the subject matter, a really diverse group. That's changed. Previously in the NHTCU, it was mostly law enforcement. We found that having people from different sectors has proved really effective, and we're hoping perhaps to do some industry exchanges and perhaps get some people from academia. That's our approach.

IDGNS: The U.K. recently amended its computer crime law and increased the penalties for some offenses. Do you think that will have some deterrent effect?

Lemon: No, I don't think that really at the moment cyber criminals have got any real threat from law enforcement. I'm not proud to say that, but that's the way I feel.


Rest assured that the soon-coming IDentiWall will solve the phishing problem.

PayPal asking e-mail services to block messages

Jeremy Kirk


March 27, 2007 (IDG News Service) PayPal, the Internet-based money transfer system owned by eBay Inc., is trying to persuade e-mail providers to block messages from PayPal that lack digital signatures, a move aimed at cutting down on phishing scams, a company attorney said Tuesday.

So far, no agreements have been reached, but the idea is one that PayPal would like to see from other e-commerce businesses, said Joseph E. Sullivan, PayPal's associate general counsel, at the International E-Crime Congress in London.

An agreement with, for example, Google Inc. for its Gmail service could potentially stop spam messages that look legitimate and bypass spam filters.

PayPal is using several technologies to digitally sign its e-mails now, including DomainKeys, Sullivan said. DomainKeys, a technology developed by Yahoo Inc., enables verification of the sender and integrity of the message that's sent.

PayPal is one of the most heavily spoofed brands, with fraudsters sending out spam to lure vulnerable users to look-alike Web sites where their log-in details and passwords are collected and abused for profit.

Once a hacker has gained control of a PayPal account, it's possible to send money to other PayPal accounts or purchase goods. PayPal has introduced rules to counter fraud, such as limits on how much money can be transferred. PayPal also compensates users who've had their accounts hijacked, Sullivan said.

But the phishing problem is getting worse than when he started working for eBay five years ago, Sullivan said.

Last week, Sullivan said, he got a call from his father, who said he'd fallen prey to a phishing scam. While spam filtering technologies have improved and awareness of phishing is rising, users tend to be the weakest point, falling for sometimes very convincing social engineering tricks.

"I think one lesson we've learned is that education isn't going to stop this," Sullivan said. "Phishing attacks are too good now. Every company that does business on the Internet is being targeted by phishing scams now."

The number of phishing sites is also rising. A report released last week by the Anti-Phishing Working Group, a consortium of vendors and government agencies, said the number of fraudulent Web sites in January reached an all-time high of 29,930.
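The receiving-side rule PayPal is asking providers for, as an added example that is not PayPal's or any e-mail provider's code: for a domain that has said it signs all of its mail, a message is refused unless it carries a DKIM-Signature or DomainKey-Signature header whose signing domain (the d= tag) matches the From domain. The policy table, the domain paypal.example and the three messages are constructed placeholders, and the cryptographic check of the signature is assumed to have been done by the mail server already and is passed in as the verified flag.

```python
"""Added example: enforce a 'signed mail only' policy for listed sender domains."""
from email import message_from_string
from email.utils import parseaddr

# Constructed policy table (placeholder domain): senders that asked providers
# to block any of their mail that arrives without a valid signature.
REQUIRE_SIGNATURE = {"paypal.example": "reject"}


def signing_domain(header_value: str) -> str:
    """Extract the d= tag from a DKIM-Signature or DomainKey-Signature header."""
    for tag in header_value.replace("\n", "").split(";"):
        name, _, value = tag.strip().partition("=")
        if name.strip().lower() == "d":
            return value.strip().lower()
    return ""


def policy_decision(raw_message: str, verified: bool) -> str:
    """Return 'accept: ...' or 'reject: ...' for one raw RFC 822 message.

    `verified` is the assumed result of the MTA's cryptographic signature
    check; this function only applies the policy and the alignment test."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if REQUIRE_SIGNATURE.get(from_domain) != "reject":
        return "accept: domain has no signing policy"
    sig = msg.get("DKIM-Signature") or msg.get("DomainKey-Signature")
    if sig is None:
        return "reject: unsigned mail from a domain that signs everything"
    # A valid signature from some other domain must not satisfy the policy,
    # otherwise anyone could sign a spoofed From with their own key.
    if signing_domain(sig) != from_domain:
        return "reject: signature domain does not match From domain"
    if not verified:
        return "reject: signature failed verification"
    return "accept: aligned, verified signature"


# Constructed messages; none is real PayPal mail and the b= values are dummies.
UNSIGNED = "From: service@paypal.example\nSubject: Verify your account\n\nbody"
MISALIGNED = ("DKIM-Signature: v=1; a=rsa-sha256; d=other.example; s=sel; b=AAAA\n"
              "From: service@paypal.example\nSubject: hi\n\nbody")
SIGNED = ("DKIM-Signature: v=1; a=rsa-sha256; d=paypal.example; s=sel; b=AAAA\n"
          "From: service@paypal.example\nSubject: hi\n\nbody")

if __name__ == "__main__":
    for name, raw in (("unsigned", UNSIGNED), ("misaligned", MISALIGNED), ("signed", SIGNED)):
        print(name, "->", policy_decision(raw, verified=True))
```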


Made4biz Security: translating real-world security know-how into state-of-the-art security systems.