[SecurityRatty] tag: duped

Yahoo, Hotmail, Gmail all vulnerable to password reset hack

Fri, 19 Sep 2008 20:00:00 +0000

Yahoo Mail isn't the only Web-based mail service that could be duped into giving up someone else's account password, the tactic that some have argued was used to break into Gov. Sarah Palin's e-mail earlier this week.

Olympic ticket scams just the start, says researcher

Sun, 03 Aug 2008 20:00:00 +0000

Scammers have duped hundreds of people out of thousands of dollars each using bogus Olympic ticket-selling sites, reports said today. A security expert warned that more will follow.

Criminals phish for CEOs via fake subpoenas

Tue, 15 Apr 2008 09:00:00 +0000

A mighty spearphishing attack appears to have duped at least 1,800 C-level execs who clicked on a plausible-looking notice that they were being sued in federal court.

S&K Menswear two-phased attack

Thu, 03 Jan 2008 07:40:36 +0000

Technorati Tag: Security Breach

Date Reported:
12/10/07 (backdated from 1/3/08)

Organization:
S&K Famous Brands (S&K)

Contractor/Consultant/Branch:
None

Victims:
Online customers of www.skmenswear.com

Number Affected:
Unknown*

*25 reported New Hampshire residents

Types of Data:
Names, addresses, email addresses, credit card numbers, and expiration dates.

Breach Description:
According to the breach notification letter sent to the New Hampshire Attorney General, on or about October 24th, 2007 personal information belonging to S&K online customers was accessed without proper authorization. S&K became aware of the unauthorized access after reports of fictitious spear phishing emails began circulating in which the attacker requested the CVV2 codes to match the credit card numbers. It is unknown how many customers were duped by the second phase of the attack.

Reference URL:
New Hampshire Attorney General Breach Notification

Report Credit:
New Hampshire State Attorney General

Response:
From the official breach notification and letter to customers:

This letter is to inform you that S&K Menswear has discovered that you personal information--including your name, address, credit card number, and expiration date--may have been accessed on or about October 24, 2007 without proper authorization.

stored in one of our databases has been retrieved by external sources

S&K was notified of a suspicious e-mail addressed to its customers on Wednesday, October 24th at approximately 3:00 p.m. The e-mail was sent from a fictitious S&K e-mail address. The body of the e-mail appeared to contain an S&K order number and the last four digits of the credit card number used by the customer to whom it was addressed. The e-mail requested that the customer provide a credit card identification number.
[Evan] The "suspicious e-mail" is the second phase of the attack. The credit card number, cardholder name, and expiration date were already obtained in the first phase. This spear phishing attack now aims to get the CVV2 code, which makes this much more valuable to the attacker. I am curious about how many people actually fell for this second phase.

Once notified, S&K immediately assembled a response team to assess the situation.

a decision was made at 3:30 p.m. the same day to disconnect the online store and disable remote access to S&K's network. Further to these actions, S&K:

Notified credit card issuers
Purged or masked credit card data on its servers
Changed all user names and passwords on the system
Hired a leading provider of information security to conduct a full forensic security audit as required by the major credit card issuers
Notified various law enforcement agencies including the FBI and Secret Service

[Evan] These all seem like prudent steps in response to an incident. Timing is critical and the response took ~30 minutes, which is good. The response to customers however was not quite as good. Judging from the date on the sample customer letter, it took 47 days to send notification to customers.

S&K's investigation of this incident is ongoing.

We want to stress, however, that no social security number, CVV2 data or track 2 magnetic stripe data was compromised at all.
[Evan] This isn't true, unless S&K can say with certainty that NONE of the customers fell victim to the second phase of this attack.

We sincerely apologize to you for this situation and want to assure you that protecting the security and privacy of your information remains a top priority. We have made and will continue to make significant investments in security software, systems and procedures, and will remain vigilant about protecting you.

We want to answer any questions and address any concerns that you may have about this matter. For more information, including a list of Frequently Asked Question (FAQs), please go to www.skmenswear.com\security\faq.htm or contact us at 1 (800) 690-4996
[Evan] I think the "\" in the URL is supposed to be "/". The first FAQ in the list of FAQs bugged me a little; "Q: Is this a major breach? A: No, our credit card security manager classifies this as minor."

Commentary:
At the top of the customer letter it states:
You do not need to make any changes to your S&K menswear accounts or to change the way you do business with us.

I am going to guess that S&K would be classified as a VISA Level 3 Merchant. Is it safe to assume that S&K is PCI DSS compliant? It sounds like they don't store prohibited data (CVV2, Full Magnetic Stripe, or PIN / PIN Block), but only 55% of Level 3 Merchants are PCI DSS validated as of 9/30/07. It should be easier for customers to find the status of an organization's compliance and information security practices rather than having to guess. Although now that I think about it, compliance doesn't really ensure security does it?

Anyway, I get the feeling that S&K would have liked to keep this breach quiet and minimize it as much as possible.

Past Breaches:
Unknown

Oak Ridge National Laboratory visitor information exposed

Tue, 11 Dec 2007 10:45:21 +0000

Technorati Tag: Security Breach

Date Reported:
12/3/07

Organization:
UT-Battelle, LLC

Contractor/Consultant/Branch:
Oak Ridge National Laboratory (ORNL)*

*Oak Ridge National Laboratory (ORNL) is the Department of Energy's largest science and energy laboratory. ORNL was established in 1943 as a part of the secret Manhattan Project to pioneer a method for producing and separating plutonium. Today, ORNL is home to the world's largest civilian science project, the $1.4 billion Spallation Neutron Source, and has been selected to build the fastest unclassified scientific computer in the world. - Source State Science and Technology Institute

Victims:
"visitors to the lab between 1990 and 2004"

Number Affected:
"about 12,000"

Types of Data:
Personal information including names, addresses, Social Security numbers and dates of birth.

Breach Description:
More than a dozen Oak Ridge National Laboratory employees were duped into installing unauthorized software consisting of keyloggers and other malicious software through a targeted phishing attack ("spear phishing"). The targeted phishing attack consisted of roughly 1,100 emails and resulted in the compromise of personal information pertaining to lab visitors over a 14 year period.

Reference URL:
eWeek.com Story
SecurityFocus.com Story
MyEyeWitnessNews.com Story
Oak Ridge National Laboratory Potential Identity Theft Page

Report Credit:
Oak Ridge National Laboratory

Response:
From the official breach notification site and sources cited above:

Oak Ridge National Laboratory has been bombarded by a coordinated phishing attack aimed at multiple national labs and may have unwittingly handed over to attackers the personal information of anybody who visited the lab over a 14-year span, including Social Security numbers.

"Oak Ridge National Laboratory (ORNL) recently experienced a sophisticated cyber attack that appears to be part of a coordinated attempt to gain access to computer networks at numerous laboratories and other institutions across the country." - Laboratory Director Thom Mason on December 3rd.

"When the employees opened the attachment or accessed an embedded link, the hacker planted a program on the employees' computers that enabled the hacker to copy and retrieve information. The original e-mail and first potential corruption occurred on October 29, 2007. We have reason to believe that data was stolen from a database used for visitors to the Laboratory." - Laboratory Director Thom Mason

The attack comprised approximately 1,100 targeted phishing attempts.

The attackers cooked up seven phishing variations, one of which purportedly advertised a scientific conference, another of which posed as a notification about a complaint on behalf of the Federal Trade Commission.

"No classified information was lost"

"If you visited ORNL between the years 1990 and 2004 your name and other personal information such as your social security number or date of birth may have been part of the stolen information. While there is no evidence that the stolen information has been used, the Laboratory deeply regrets the inconvenience caused by this event."

Mason said reconstructing the crime is tedious and time-consuming and will likely take weeks, if not longer. ORNL is attempting to send letters to every visitor potentially affected but may have difficulties due to out-of-date addresses, management said in its advisory.
[Comfyllama] If the reports about this attack originating (or proxying through) China are true, then it is unlikely that a full "reconstructing" will ever be complete.

"every security system at ORNL was in place and in compliance."
[Comfyllama] Compliant DOES NOT MEAN Secure! Although we all need to be compliant, this doesn't mean that efforts should stop at that. Do you want to trust the security of your information to a Senator or other lawmaker?

"If you think you're going to prevent all phishing attempts from [succeeding] in an enterprise, that's probably false. And if you think that with training, not a single employee will [click on phishing attempts and let an attacker] get through, that's probably false," - Application Security Vice President of Marketing and Strategy Ted Julian

"There's a million [conduits to data theft], and now that the attackers have gotten much more professional and focused, they only need one to get at the information. You only need one unsecured avenue and they're off and running."

it's likely that employee training about phishing attempts will be given renewed emphasis in the future in order to attempt to close down this particular avenue of data theft.

"While our hope is that no one would fall for these kinds of tricks from hackers, we believe there is an ongoing benefit to re-emphasizing staff awareness about cyber-security issues," "We must not click on e-mail attachments if we are not absolutely sure who the e-mail is from and we must not click on [URLs] embedded in e-mails unless we are certain of the source." - Laboratory Director Thom Mason

The lab has sent letters to about 12,000 potential victims.

"We continue to put in place new and more sophisticated security systems in an attempt to stop thieves who are equally determined to break into the cyber network." - Laboratory Director Thom Mason

Commentary:
Scary! Supposedly, there is evidence that points to these attacks originating from servers in China and thus these attacks were sponsored by the Chinese government. I like a conspiracy theory as much as anyone else, but I don't subscribe to this theory. IF the Chinese government were attacking ORNL, I think the attacks would be much more covert.

Think about this for a minute. If I were going to attack a system in the United States without getting caught. Why wouldn't I use (proxy through) an insecure server located in a country that will not cooperate with U.S. authorities? In order to find my true location, investigators will need some level of access to the (proxy) server to look through the evidence. Do you think China (or Iran, North Korea, Russia, etc.) will allow investigators the access they need? Highly unlikely. If I were to guess, I would say that this is a sophisticated attack aimed at gathering information for money and probably orginated by one of the more educated "phishing gangs".

I certainly agree with ORNL Application Security Vice President of Marketing and Strategy Ted Julian in the fact that there is likely no way to prevent all avenues of attack, but the risk of this type of attack can be significantly reduced through regular information security training and awareness. People will be people, no matter what.

Final note, I am curious why ORNL needs to store Social Security numbers in the first place.

Past Breaches:
Unknown