[SecurityRatty] tag: criminals

Senator Obama's security concerns

Fri, 29 Aug 2008 14:42:00 +0000

It appears as if the authorities in Colorado are trying to down play the reported assassination plot of Senator Obama. Question is; how real was it?

It would certainly appear that the suspects were preparing for something out of the ordinary as they were reported as having a bullet proof vest and a high powered rifle with telescopic scope in their possession when apprehended. The fact that one of the them was described by his cohort as a "white supremist" who did not believe that a man of color could be the President of the U.S.A. is surely telling.

These three criminals were caught in much the same manner as the domestic terrorist, Timothy McVeigh. A dilgent policeman was doing his duty and pulled over the first suspect on a traffic stop. Some may call that luck, but having been a former Law Enforcement officer, I look upon it as good Police work. Many others might have not noticed the one little sign that made that officer suspicious and prompted him to check out the driver of the van.

That is why security can never rest. Whether it is foiling a potential terrorist plot or finding a child who has been abducted, we must always remain vigilant. It is a shame that there are those who believe a man is inferior based upon the color of his skin. It is even more terrible to realize that such a person would be willing to kill another based on racial hatred.

Unfortunately, this is a sad fact of life and steps need to be taken to thwart those disturbed individuals. Was this latest episode a non-event or by dismissing it are we attempting to sweep the shame of racism under the carpet? I for one, don't think that we should take these warnings lightly. Afterall, it has been 45 years and people still debate the assassination of JFK. We still hear it being said that Lee Harvey Oswald was incapable of carrying out the killing himself.

I recently watched a documentary on the assassination of Robert Kennedy, produced on the 40th anniversary of his death. When interviewed, the brother of the asssassin claims that his brother was too nice a guy to do something so awful. The fact of the matter however, is that both Kennedys were brutally gunned down. I am sure it is something that nobody ever wants to see repeated.

Let us hope that whomever succeeds as President in November has a long and healthy Presidency and helps to allevitae the problems that have been piling up.

If there were gold medals for Data Leakage...

Wed, 27 Aug 2008 20:00:00 +0000

I've just returned from my summer vacation, somewhat foolishly deciding to spend it under canvas in the south-west of the UK and expecting to get good weather. If my tent had leaked as badly in the last couple of weeks as data seems to have been leaking in the UK during the same period, I'd be in need of an aqualung by now! If it were an Olympic sport, Britain would have beaten China for pole position in the medals table!

It all started with the loss of a memory stick by a UK Government contractor which contained somewhere around 120,000 records, including the details of 10,000 of our nation's most serious criminals. We then heard about a compromise at global hotel chain Best Western...

Erase Your Hard Drives Before Selling Them

Wed, 27 Aug 2008 06:48:00 +0000

Sounds like a no-brainer, but it’s a lesson that some large companies still have to learn.

IT manager Andrew Chapman purchased a used drive on eBay, for just 77 British pounds, only to find that it contained the financial history and information for several million people, customers of the Royal Bank of Scotland (RBS) and its subsidiary, Natwest. Luckily for them, Chapman had their best interests at heart and reported the problem, rather than selling or using the information.

According to Evan at the Breach Blog:

The University of Glamorgan conducted research about hard drives bought on eBay that contained sensitive information and published their findings in September 2007. If people don’t think that criminals are buying hard drives on eBay, searching for sensitive information (personal information, health information, corporate secrets, intellectual property, etc.), then they are deluded

Click here to read the full article.

And the attacks keep coming...

Thu, 21 Aug 2008 16:29:00 +0000

Seems like the intensity and frequency breaches have just started to warm up! Even as we pat ourselves about the recent indictment of criminals we see reports of increased activity. Millions of cards stolen and more loss...

Brings us back to a hard question we have to ask ourselves - are we ready to tackle this seriously? Vendors, retailers, banks, government and consumers all have a huge stake in this (and don't forget, so does organized crime). However, it seems like organized crime is living up to its name - they seem a bit more organized about this. Not having looked at the numbers, but is feels like we are being pushed back and they currently have the upper hand...

Not a very PC thing to say, I know. However, we have to wake up to the reality and get more serious about this.

Compromised Cpanel Accounts For Sale

Mon, 18 Aug 2008 06:42:50 +0000

Is the once popular in the second quarter of 2007, embedded malware tactic on the verge of irrelevance, and if so, what has contributed to its decline? Have SQL injections executed through botnets turned into the most efficient way to infect hundreds of thousands of legitimate web sites? Depends on who you're dealing with.

A cyber criminal's position in the "underground food chain" can be easily tracked down on the basis of tools and tactics that he's taking advantage of, in fact, some would on purposely misinform on what their actual capabilities are in order not to attract too much attention to their real ones, consisting of high-profile compromises at hundreds of high-profile web sites.

Embedded malware may not be as hot as it used to be in the last quarter of 2007, but thanks to the oversupply of stolen accounting data, certain individuals within the underground ecosystem seem to be abusing entire portfolios of domains on the basis of purchasing access to the compromised accounts. In fact, the oversupply of compromised Cpanel accounts is logically resulting in their decreasing price, with the sellers differentiating their propositions, and charging premium prices based on the site's page ranks and traffic, measured through publicly available services, or through the internal statistics.

SQL injections may be the tactic of choice for the time being, but as long as stolen accounting data consisting of Cpanel logins, and web shells access to misconfigured web servers remain desired underground goods, goold old fashioned embedded malware will continue taking place.

Interestingly, from an economic perspective, the way the seller markets his goods, can greatly influence the way they get abused given he continues offering after-sale services and support. It's blackhat search engine optimization I have in mind, sometimes the tactic of choice especially given its high liquidity in respect to monetizing the compromised access.

The bottom line - for the time being, there's a higher probability that your web properties will get SQL injected, than IFRAME-ed, as it used to be half a year ago, and that's because what used to be a situation where malicious parties would aim at launching a targeted attack at high profile site and abuse the huge traffic it receives, is today's pragmatic reality where a couple of hundred low profile web sites can in fact return more traffic to the cyber criminals, and greatly extend the lifecycle of their campaign taking advantage of the fact the the low profile site owners would remain infected and vulnerable for months to come.

Related posts:
Embedding Malicious IFRAMEs Through Stolen FTP Accounts
Injecting IFRAMEs by Abusing Input Validation
Money Mule Recruiters use ASProx's Fast-flux Services
Malware Domains Used in the SQL Injection Attacks
Obfuscating Fast-fluxed SQL Injected Domains
SQL Injecting Malicious Doorways to Serve Malware
Yet Another Massive SQL Injection Spotted in the Wild
Malware Domains Used in the SQL Injection Attacks
SQL Injection Through Search Engines Reconnaissance
Google Hacking for Vulnerabilities
Fast-Fluxing SQL injection attacks executed from the Asprox botnet
Sony PlayStation's site SQL injected, redirecting to rogue security software
Redmond Magazine Successfully SQL Injected by Chinese Hacktivists

Great Trend Micro article on Understanding Malware

Sat, 09 Aug 2008 11:33:56 +0000

Reading this article will be worth your time.
Cyber criminals are constantly coming up with new angles to get you to become infected with their Malware.

clipped from newsletters.trendmicro.com

Malicious URLs: Ticket to Malware

To better understand malicious URLs, it helps to divide them into two broad categories: 1) URLs that use social engineering to initially entice users to click on them, and 2) techniques that do not involve social engineering, but instead employ various technological means.

Indictments Against Largest ID Theft Ring Ever

Thu, 07 Aug 2008 08:45:29 +0000

It was really big news yesterday, but I don't think it's that much of a big deal. These crimes are still easy to commit and it's still too hard to catch the criminals. Catching one gang, even a large one, isn't going to make us any safer.

If we want to mitigate identity theft, we have to make it harder for people to get credit, make transactions, and generally do financial business remotely:

The crime involves two very separate issues. The first is the privacy of personal data. Personal privacy is important for many reasons, one of which is impersonation and fraud. As more information about us is collected, correlated, and sold, it becomes easier for criminals to get their hands on the data they need to commit fraud. This is what's been in the news recently: ChoicePoint, LexisNexis, Bank of America, and so on. But data privacy is more than just fraud. Whether it is the books we take out of the library, the websites we visit, or the contents of our text messages, most of us have personal data on third-party computers that we don't want made public. The posting of Paris Hilton's phone book on the Internet is a celebrity example of this.
The second issue is the ease with which a criminal can use personal data to commit fraud. It doesn't take much personal information to apply for a credit card in someone else's name. It doesn't take much to submit fraudulent bank transactions in someone else's name. It's surprisingly easy to get an identification card in someone else's name. Our current culture, where identity is verified simply and sloppily, makes it easier for a criminal to impersonate his victim.

Proposed fixes tend to concentrate on the first issue -- making personal data harder to steal -- whereas the real problem is the second. If we're ever going to manage the risks and effects of electronic impersonation, we must concentrate on preventing and detecting fraudulent transactions.

I am, however, impressed that we managed to pull together the police forces from several countries to prosecute this case.

Eight Steps to Responsible Surfing

Wed, 06 Aug 2008 20:30:41 +0000

Web threats and attacks will continue to evolve, but surfers can protect themselves against the majority of malicious code by following eight different steps. To provide the greatest degree of security, surfers cannot rely entirely on technology, and should also address the behavioral issues that are most likely to create risky situations.

Changing Behavior

The safest way to deal with a danger is avoidance. By surfing safely and adapting offline sensibilities online, surfers can greatly reduce their danger of exposure to malware.

1. Educate yourself.
At least every 6 to 12 months, surfers should browse the educational information provided by their operating system and security vendors and subscribe to any security-related newsletters they might offer. According to David Perry, familiarity with the latest threats, dangers, and recommended safety tips will allow surfers to make safe choices. “Until you know what’s out there, you’re just flying blind. Without an education, you’re wide open”.
2. Avoid suspect sites.
While criminals can infect even mainstream Web sites, sites such as gambling sites, adult Internet sites, and illegal file-sharing sites are far more likely to carry malicious code. Web sites that offer “something for nothing” frequently recoup their losses by infecting visitors’ PCs.
3. Lose Your Comfort Zone.

Web surfers should migrate their offline precautions to their online experience. By beginning with an attitude of healthy skepticism and only doing business with trusted Web sites, surfers can bypass a good deal of risk.

Recommended Technology

Despite the best precautions, every user will encounter Web-based malware. While no technology can guarantee protection against all attacks, a combination of preventive technologies provides the most comprehensive protection possible.

4. Use an updated virus scanning suite.
The most important component of any threat mitigation system is a virus scanning suite. In addition to detecting and removing known viruses and malware, modern virus scanning suites provide additional protections against new attacks by disabling their known protocols. For example, Trend Micro™ Internet Security encrypts keyboard traffic, protecting personal data from keyboard logging programs that might go unnoticed. Users should update their scanner and virus definitions as frequently as possible to ensure the best possible coverage.
5. Upgrade your OS and browser.
In addition to offering more features, Microsoft’s Internet Explorer version 7 and the latest Mozilla Firefox are both substantially more secure than previous-generation browsers. Users of older browsers should upgrade immediately to take advantage of increased security. Similarly, Windows Vista and Mac OS X are more secure than their predecessors, and users of older operating systems should consider upgrading, as well.
6. Disable scripting and “widgets.”
Many Web-based attacks use various scripting languages to run infectious programs in a browser or use downloadable “widgets” to execute infections locally. By disabling scripting and avoiding downloadable widgets wherever possible, surfers disable these common attack vectors.
7. Rate your Web pages.
Some available services rate the risk of Web pages in search results, allowing surfers to avoid unwanted content and hidden threats before viewing the pages. Rating applications (e.g., Trend Micro TrendProtect™) consume few system resources and run unobtrusively, so they are suitable for any Web-enabled personal computer.
8. Ask your provider.
Commerce companies, banks, and credit card associations are all interested in computer security, and many offer additional features. For example, Visa’s Verified By Visa program requires cardholders to enter a second password to identify themselves during a transaction, while businesses in Poland require cell-phone confirmation of credit card purchases. While nothing will be 100 percent effective, any additional security measure provided by a trusted source will increase protection, and surfers should adopt as many as possible.

This article provided for your reading pleasure by Trend Micro.

Smackdown on data criminals

Tue, 05 Aug 2008 17:05:00 +0000

The long arm of the law finally flexed in a major indictment of criminals who were charged with hacking and stealing credit cards from major retailers.

Eleven folks were charged with the crimes ranging from conspiracy, computer intrusion, fraud and identity theft.

Interesting nuggets from the report:

They hacked nine major U.S. retailers, stole and sold more than 40 million credit and debit card numbers...
Apparently this is the single largest and most complex identity theft case ever charged in this country

"While technology has made our lives much easier it has also created new vulnerabilities. This case clearly shows how strokes on a keyboard with a criminal purpose can have costly results. Consumers, companies and governments from around the world must further develop ways to protect our sensitive personal and business information and detect those, whether here or abroad, that conspire to exploit technology for criminal gain," said U.S. Attorney Michael J. Sullivan.

I agree with the US Attorney - we need better ways to prevent such hacking. But one point is clear again in this case - those who hack work for increasingly sophisticated criminal enterprises and will deploy significant resources to steal as long as the returns are worth it.

Italians Use Soldiers to Prevent Crime

Tue, 05 Aug 2008 02:36:44 +0000

Interesting:

Soldiers were deployed throughout Italy on Monday to embassies, subway and railway stations, as part of broader government measures to fight violent crime here for which illegal immigrants are broadly blamed.
[...]

The conservative government of Silvio Berlusconi won elections in April while promising to crack down on petty crime and illegal immigrants. The new patrols of soldiers, who are not empowered to make arrests, do not seem aimed only at illegal immigrants, though the patrols were deployed to centers where illegal immigrants are housed.

“Security is something concrete,” Mr. La Russa said on Monday. The troops, he said, will be a “deterrent to criminals.”

That reminds me of one of my favorite logical fallacies: "We must do something. This is something. Therefore, we must do it." It does seem largely to be a demonstration of "doing something" by the Berlusconi government. The legitimate police, of course, think it's a terrible idea.

“You need to be specially trained to carry out some kinds of controls,” Nicola Tanzi, the secretary of a trade union that represents Italian police officers. “Soldiers just aren’t qualified.”
He also questioned whether the $93.6 million that will be spent for the extra deployment, called Operation Safe Streets, might not have been better used to increase the budgets for Italy’s police and military.