[SecurityRatty] tag: colin

Fraud Detection in Financial Services Reloaded

Sat, 20 Sep 2008 18:36:27 +0000

I read an interesting post by the former CTO of out-of-business Kaskad Technology, where event processing colleague Colin Clark respectfully disagrees with my assesement of the (lack of) capabilites in current-generation “CEP engines” for detecting complex fraud in financial services. I’ll respond with a quote from my September 2007 post, End Users Should Define the CEP Market.

“Experienced end users are very intelligent.

These end users know the complex event processing problems they need to solve; and they know the limitations of the current COTS approaches marketed by the CEP community. Even in Thailand, a country many of you might mistakenly think is not very advanced technologically, there are experts in telecommunications (who run large networks) who are working on very difficult fraud detection applications, and they use neural networks and say the results are very good.   However, there is not one CEP vendor, that I know of, who offers true CEP capability in the form of neural nets.

Almost every major bank, telco, etc. has the same opinion, and the same problem. They need much more capability than streaming joins, selects and rules to solve their complex event processing problems that Dr. Luckham outlined in his book.   The software vendors are attempting to define the CEP market to match their capability; unfortunately, their capabilities do not meet the requirements of the vast majority of end users who have CEP problems to solve.

If the current CEP platforms were truely solving complex event processing problems, annual sales would be orders of magnitudes higher. Hence, the users have already voted.   The problem is that the CEP community is not listening.”

Not to be overly repetitive, but the last part of this quote from a year ago is worth highlighting:

“If the current CEP platforms were truely solving complex event processing problems, annual sales would be orders of magnitudes higher. Hence, the users have already voted. The problem is that the CEP community is not listening.”

Frankly speaking, nothing in the “CEP world” has changed, technologically speaking, since this September 2007 post was written. From a sales perspective, we have seen less CEP-related sales in 2008 than in prior years. If these so called CEP products were actually capability of detecting “real” complex network-centric situations (threats) in real-time, they would be selling faster than a cup of ice water in the blazing hot Sahara desert.

Don’t shoot the messenger. Build better detection engines!

On the other hand, maybe complex detection is too hard for most of these companies and that is why they focus on routing, mediation and relatively simple rule-based scenarios, versus complex event processing?

Doctoring Photographs without Photoshop

Wed, 27 Aug 2008 03:27:27 +0000

It's all about the captions:

...doctored photographs are the least of our worries. If you want to trick someone with a photograph, there are lots of easy ways to do it. You don't need Photoshop. You don't need sophisticated digital photo-manipulation. You don't need a computer. All you need to do is change the caption.
The photographs presented by Colin Powell at the United Nations in 2003 provide several examples. Photographs that were used to justify a war. And yet, the actual photographs are low-res, muddy aerial surveillance photographs of buildings and vehicles on the ground in Iraq. I'm not an aerial intelligence expert. I could be looking at anything. It is the labels, the captions, and the surrounding text that turn the images from one thing into another. Photographs presented by Colin Powell at the United Nations in 2003.

Powell was arguing that the Iraqis were doing something wrong, knew they were doing something wrong, and were trying to cover their tracks. Later, it was revealed that the captions were wrong. There was no evidence of chemical weapons and no evidence of concealment. Morris's mockery of the sweeping interpretations made in Powell's photographs.

There is a larger point. I don't know what these buildings were really used for. I don't know whether they were used for chemical weapons at one time, and then transformed into something relatively innocuous, in order to hide the reality of what was going on from weapons inspectors. But I do know that the yellow captions influence how we see the pictures. "Chemical Munitions Bunker" is different from "Empty Warehouse" which is different from "International House of Pancakes." The image remains the same but we see it differently.

Change the yellow labels, change the caption and you change the meaning of the photographs. You don't need Photoshop. That's the disturbing part. Captions do the heavy lifting as far as deception is concerned. The pictures merely provide the window-dressing. The unending series of errors engendered by falsely captioned photographs are rarely remarked on.

BlackHat Picks, Day 1

Mon, 28 Jul 2008 16:35:32 +0000

Well, it’s almost BlackHat time. Here are my picks so far for Day 1. As you can see, I still haven’t narrowed it down completely.

11:15-12:30 Option 1: Dan Kaminsky, “DNS Goodness”. On one hand, the DNS vulnerability is already public; on the other hand, the talk will probably still be interesting even if the 0day hype is missing. Option 2: Nate Lawson, “Highway to Hell: Hacking Toll Systems”. My formal education and early work was in Electrical Engineering, so I’m always interested in hardware talks. I haven’t touched a soldering iron in years so I have to live vicariously through people like Nate.

13:45-15:00 Option 1: Chris Hoff, “The Four Horsemen of the Virtualization Security Apocalypse”. I haven’t been paying enough attention to virtualization security and I think this talk will be quite informative. Option 2: Danny Quist and Colin Ames, “Temporal Reverse Engineering”. Sounds like an interesting approach.

15:15-16:30 Option 1: Hovav Shacham, “Return-Oriented Programming: Exploits Without Code Injection”. The topic sounds pretty straightforward conceptually but it will be interesting to see the implementation. Option 2: Tom Stracener and Robert Hansen, “Xploiting Google Gadgets: Gmalware and Beyond”. Not expecting any huge revelations on this one but it’s likely to be entertaining.

18:00-19:00 The Pwnie Awards. Turnout last year was kind of slim, but I bet the room will be full this year as it’s been publicized more.

Day 2 picks coming soon!

BlackHat Picks, Day 1

Mon, 28 Jul 2008 16:35:32 +0000

Well, it’s almost BlackHat time. Here are my picks so far for Day 1. As you can see, I still haven’t narrowed it down completely.

18:00-19:00 The Pwnie Awards. Turnout last year was kind of slim, but I bet the room will be full this year as it’s been publicized more.

Day 2 picks coming soon!

Links for 2008-06-06 [del.icio.us]

Fri, 06 Jun 2008 20:00:00 +0000

Business Creativity & Innovation - How Promote an Innovative Culture
Content Discovery vs. E-Discovery vs. Content Classification | securosis.com
Enroll For: The Art of Evangelism
Event Logging (Windows)
IFTF's Future Now: Post-scientific society
So I was especially struck by Gregg Zachary's latest column in the New York Times, which asks, "might cheap science from low-wage countries help keep American innovators humming?" At least a few policy analysts and scholars studying global trends in scien
Inside Innovation with Colin Stewart » Blog Archive » 11 innovation lessons from creators of World of Warcraft - OCRegister.com
Intel Open Port: IT@Intel Blog: How do you measure something that doesn't happen?
Marissa Mayer's 9 Principles of Innovation | Fast Company

Speaking of Security Podcast #103

Sun, 04 May 2008 20:00:00 +0000

EMC PowerPath Encryption with RSA

Happy Cinco de Mayo and welcome to the latest Speaking of Security video podcast. Today Host Paul Joyal speaks with Colin Bailey of EMC and Katie Curtin-Maestre of RSA, The Security Division of EMC, about this new scalable solution that leverages RSA Key Manager for the Datacenter.

Skipton Financial Services personal customer data on stolen laptop

Fri, 04 Jan 2008 19:21:58 +0000

Technorati Tag: Security Breach

Date Reported:
12/21/07 (backdated from writing of 1/4/08)

Organization:
Skipton Building Society

Contractor/Consultant/Branch:
Skipton Financial Services (SFS)
Moore Stephens Consulting

Victims:
Skipton clients with money invested in the Fidelity FundsNetwork

Number Affected:
Up to 14,000

Types of Data:
Names, addresses, dates of birth, National Insurance numbers*, and fund investment details including how much was invested.

*~equivalent to Social Security numbers in US

Breach Description:
A laptop computer was stolen from a locker being used by a Moore Stevens Consulting employee that contained sensitive personal information belonging to as many as 14,000 Skipton Financial Services (SFS) clients who had invested money in the Fidelity FundsNetwork. Moore Stevens Consulting was on contract with SFS at the time of the theft.

Reference URL:
Yorkshire Post Story
The Register
Attrition.org Data Loss Archive

Report Credit:
Rowena Mason, Yorkshire Post via Attrition.org

Response:
From the online sources cited above:

Up to 14,000 customers of the financial giant Skipton have been left open to identity fraud, after the company admitted that a laptop containing customers' personal details was stolen

Investors with money in the Fidelity FundsNetwork were told yesterday that the stolen information includes names, addresses, date of birth, National Insurance numbers, fund investment details – and even how much each person had invested.

the laptop was taken from a locker being used by a staff member of an information technology (IT) consultancy employed by Skipton Financial Services.

Moore Stephens Consulting was carrying out work on an IT system for the Yorkshire-based investment company when the theft took place
[Evan] An IT consultant should know better than to store confidential information on a laptop without encryption.

Last night a Skipton spokesman stressed that the laptop was password-protected and all affected accounts with Skipton Financial Services had been immediately suspended.
[Evan] Password protection is NOT adequate protection, and suspending the account does nothing to protect victims against identity theft. Does suspending the account provide any protection?

Managing director Simon Holt wrote to all 14,000 customers apologising for the breach of security and assuring them that an investigation had been launched.

Mr Holt yesterday denied that his company had any responsibility for the loss of the laptop and said every possible step had been taken to reduce risk to clients.
[Evan] I respectfully disagree with Mr. Holt. Organizations must hold their vendors, consultants, and contractors to the same security standards as those used within the organization. Customers (data owners) gave Skipton the information and Skipton is responsible for it until it is destroyed. No passing the buck allowed.

Skipton Financial Services told their customers about the missing data after advice from the Information Commissioner's Office

The managing partner of Moore Stephens, Colin Moore, said his firm was doing everything it could to protect data and review security procedures.
[Evan] Moore Stephens did not do "everything it could to protect data".

A helpline for people whose details might have been taken is open from 8am to 8pm Monday to Friday on 0800 137832.

Commentary:
More stolen laptops with confidential information without protection equals more victims. What torques me more about this breach is the fact that an IT consultant was partly to blame. An organization pays a consultant because they believe that the consultant is an expert and knows how to do work at a high-level.

I am a consultant and look, my laptop is encrypted...

Organizations that employ consultants which access confidential information resources MUST ensure that the consultants follow proper information security policies and procedures. This is accomplished through the creation of a Vendor/Third-Party Security Policy, thorough evaluation before a contract is signed, adding information security language to the contract, and regular reviews of the consultant's information security practices throughout the life of the contract.

Past Breaches:
Unknown

Social Security numbers widely available online, reports the Washington Post

Fri, 04 Jan 2008 05:00:00 +0000

Post reporter finds numbers for Colin Powell and Troy Aikman, among others

Thwarting a large-scale phishing attack

Mon, 11 Jun 2007 07:35:00 +0000

Posted by Colin Whittaker, Anti-Phishing Team

In addition to targeting malware, we're interested in combating phishing, a social engineering attack where criminals attempt to lure unsuspecting web surfers into logging into a fake website that looks like a real website, such as eBay, E-gold or an online bank. Following a successful attack, phishers can steal money out of the victims' accounts or take their identities. To protect our users against phishing, we publish a blacklist of known phishing sites. This blacklist is the basis for the anti-phishing features in the latest versions of Firefox and Google Desktop. Although blacklists are necessarily a step behind as phishers move their phishing pages around, blacklists have proved to be reasonably effective.

Not all phishing attacks target sites with obvious financial value. Beginning in mid-March, we detected a five-fold increase in overall phishing page views. It turned out that the phishing pages generating 95% of the new phishing traffic targeted MySpace, the popular social networking site. While a MySpace account does not have any intrinsic monetary value, phishers had come up with ways to monetize this attack. We observed hijacked accounts being used to spread bulletin board spam for some advertising revenue. According to this interview with a phisher, phishers also logged in to the email accounts of the profile owners to harvest financial account information. In any case, phishing MySpace became profitable enough (more than phishing more traditional targets) that many of the active phishers began targeting it.

Interestingly, the attack vector for this new attack appeared to be MySpace itself, rather than the usual email spam. To observe the phishers' actions, we fed them the login information for a dummy MySpace account. We saw that when phishers compromised a MySpace account, they added links to their phishing page on the stolen profile, which would in turn result in additional users getting compromised. Using a quirk of the CSS supported in MySpace profiles, the phishers injected these links invisibly as see-through images covering compromised profiles. Clicking anywhere on an infected profile, including on links that appeared normal, redirected the user to a phishing page. Here's a sample of some CSS code injected into the "About Me" section of an affected profile:

style="border-width:0px;width:1200px; height:650px;"
src="http://x.myspace.com/images/clear.gif">

In addition to contributing to the viral growth of the phishing attack, linking directly off of real MySpace content added to the appearance of legitimacy of these phishing pages. In fact, we received thousands of complaints from confused users along the lines of "Why won't it let any of my friends look at my pictures?" regarding our warnings on these phishing pages, suggesting that even an explicit warning was not enough to protect many users. The effectiveness of the attack and the increasing sophistication of the phishing pages, some of which were hosted on botnets and were near perfect duplications of MySpace's login page, meant that we needed to switch tactics to combat this new threat.

In late March, we reached out to MySpace to see what we could do to help. We provided lists of the top phishing sites and our anti-phishing blacklist to MySpace so that they could disable compromised accounts with links to those sites. Unfortunately, many of the blocked users did not remove the phishing links when they reactivated their accounts, so the attacks continued to spread. On April 19, MySpace updated their server software so that they could disable bad links in users' profiles without requiring any user action or altering any other profile content. Overnight, overall phishing traffic dropped by a factor of five back to the levels observed in early March. While MySpace phishing continues at much lower volumes, phishers are beginning to move on to new targets.

Things you can do to help end phishing and Internet fraud

Learn to recognize and avoid phishing. The Anti-Phishing Working Group has a good list of recommendations.

Update your software regularly and run an anti-virus program. If a cyber-criminal gains control of your computer through a virus or a software security flaw, he doesn't need to resort to phishing to steal your information.

Use different passwords on different sites and change them periodically. Phishers routinely try to log in to high-value targets, like online banking sites, with the passwords they steal for lower-value sites, like webmail and social networking services.