[SecurityRatty] tag: gift

Should Banks Believe Their Customers Who Claim Online Fraud?

Mon, 25 Aug 2008 16:54:41 +0000

Should banks believe their customers when they claim someone hacked their accounts and committed online fraud? Apparently in one recent case, WaMu first reversed the charges when one customer claimed a hacker charged up debt in her itunes account — but later, the bank took back the credit, saying the customer was just plain lying. What great customer service.

The Consumerist has the story:

WaMu’s crack fraud department is at it again, according to reader Kristin. Someone broke into her iTunes account and bought a couple hundred dollars worth of iTunes gift cards with her debit card information. She disputed the charge and WaMu told her not to worry — they’d take care of it. Two months later, while on a trip to Chicago, WaMu reversed the credits, causing Kristin to become severely overdrawn. No amount of protesting will convince WaMu that she wasn’t lying about the iTunes break-in. Why? Because she never responded to some mail they sent to her old address.

Yuck. Read the customer’s full account, and more information about the credit card fraud laws, in the full article.

Employee fraud hits Baptist Health in Arkansas

Thu, 10 Jul 2008 20:00:20 +0000

Technorati Tag: Security Breach

Date Reported:
7/2/08

Organization:
Baptist Health*

*Baptist Health is the largest not-for-profit healthcare organization in Arkansas

Contractor/Consultant/Branch:
None

Victims:
Patients

Number Affected:
~1,800

Types of Data:
"name, address, date of birth, Social Security number, and reason for coming to Baptist Health"

Breach Description:
"LITTLE ROCK (AP) - A North Little Rock woman has been arrested for using financial information from patients at Baptist Health to illegally obtain Wal-Mart gift cards for her own use. The hospital has notified about 1,800 patrons of the ID theft."

Reference URL:
Associated Press via WXVT Channel 15 News
KARK Channel 4 News
Arkansas Democrat-Gazette

Report Credit:
Toby Manthey, Arkansas Democrat-Gazette

Response:
From the online sources cited above:

Baptist Health has sent letters warning about 1,800 patients that the hospital system’s records may have been breached
[Evan] Uh, "may have been breached"?!

The notification came after the arrest of a Baptist Health employee at a Wal-Mart store on 25 counts of financial identity fraud.
[Evan] Wouldn't life be grand if we could trust our employees? Maybe, I suppose.

The letters, mailed last week, follow the firing of the woman in early June

North Little Rock police say Tamara Hill, 30, of that city worked at Baptist Health Medical Center-North Little Rock in the emergency department.

Hill, an admissions clerk, was arrested May 30 at the Wal-Mart

Ebony Flowers, 25, also of North Little Rock, was arrested at the store the same day on three counts of identity fraud

Flowers was listed in a police report as a janitor for the North Little Rock School District
[Evan] Key word is "was".

Baptist Health recorded more than 950,000 patient visits systemwide in 2007, a number that includes repeat visits.

Mark Lowman, spokesman for the Little Rock-based Baptist Health system, confirmed that the system fired the employee after notification of the arrest.

Police reports say the women used a victim’s personal information to obtain temporary Wal-Mart "account authorization numbers" - credit cards, essentially - used to buy Wal-Mart gift cards.

The victim reported to police that he had not authorized the transactions

the same victim confirmed he was a Baptist Health patient

He expressed appreciation of the handling of the case by the system and by the North Little Rock police.

Among the items found during a search connected with the arrest of Hill was personal information for 24 other people, including "screen shots" - printouts showing the exact appearance of the images on a computer screen - that showed victims’ personal information.
[Evan] This seems like confirmation that "may have been breached" is not all that accurate.

Also found were four Wal-Mart gift cards and $ 1,490 in cash

Police found a small bag of marijuana on Flowers, according to the reports. In a search connected with her arrest, they also discovered a. 25-caliber magazine with six bullets, as well as a receipt for four of the gift cards and information on three-identity theft victims.
[Evan] A thug.

The U. S. Secret Service is helping with the investigation.

"Due to a breach of our information systems security policies, there is a possibility that some personal information, such as your name, address, date of birth, Social Security number, and reason for coming to Baptist Health, was accessed by an unauthorized person."
[Evan] This is from the letter to the victims.

No information in the patient’s "medical records" and no information about the patient’s diagnosis or prognosis was accessed

while no "medical record" information was accessed, the letter mentioned the patient’s "reason for coming" to the system possibly was accessed

Lowman said a reason stated by a patient using the system isn’t considered medical information because the reason is a layman’s explanation, not one from a medical professional.
[Evan] This is Mark Lowman, spokesman for the Little Rock-based Baptist Health system

He said the breach wouldn’t violate the Health Insurance Portability and Accountability Act, or HIPAA.

But Pam Dixon, executive director of the San Diego-based World Privacy Forum, a privacy advocacy group, thinks all the information mentioned in the letter falls under HIPAA.

"It doesn’t matter that [it’s not ] a prognosis or diagnosis," she said.
[Evan] Splitting hairs. The bottom line is that confidential personal information was stolen and there are victims. Whether or not it is a HIPAA violation seems somewhat irrelevant.

Dixon found the system’s letter lacking in several respects, such as clarifying the exact meaning of a "reason for coming to Baptist Health." The letter also should have mentioned when and for how long the breach occurred, she said.

"Almost all breach letters have that," Dixon added.
[Evan] Almost all breach letters have what? A mention about for how long the breach occurred? I must be reading some of the wrong breach letters because it seems to me that this information is 50/50 at best. Also missing is the "we have no reason to believe that the information will be misused", but this one doesn't fit does it?

Dixon said Baptist Health should have offered in the letter to set up free credit monitoring for victims.
[Evan] Why? One year (or two) of credit monitoring is almost useless. Credit monitoring alerts a victim after fraud has already occurred and one year (or two) of monitoring is too limited for information that has a much longer lifespan. I guess credit monitoring would be better than nothing, but not by much.

Lowman said the health system continually conducts audits to know which staff members are accessing what information, and whether or not the access is appropriate.
[Evan] Good!

"We’re always looking to provide better audits and better oversight of private, confidential and protected information," Lowman said.
[Evan] And Good!

Commentary:
Preventing and detecting employee fraud has always been a challenge. This doesn't mean we give up though. We have some tools at our disposal such as employee background checks, role-based access control, segregation of duties, and job rotation to name a few.

I don't think that these two crooks are anything more than common criminals. The fact of the matter is that identity theft and fraud are very easy crimes to commit and require very little skill.

Past Breaches:
Unknown

New Jersey's Gift to Music

Wed, 25 Jun 2008 17:41:17 +0000

Wow. Just wow. So the Feelies are playing together again after 18 years or so! I have really enjoyed some of the offshoots like Wake Ooloo, but I really never thought I would get to hear the real Feelies again. Amazing. If you know them you are excited as me that they are playing in Hoboken next month. If not, then everything good that REM did in the early 80s was taken from "Crazy Rhythms", and I will put "The Good Earth" with any other record.

Security Through Obscurity

Wed, 18 Jun 2008 09:13:26 +0000

Sometimes security through obscurity works:

Yes, the New York Police Department provided an escort, but during more than eight hours on Saturday, one of the great hoards of coins and currency on the planet, worth hundreds of millions of dollars, was utterly unalarmed as it was bumped through potholes, squeezed by double-parked cars and slowed by tunnel-bound traffic during the trip to its fortresslike new vault a mile to the north.
In the end, the move did not become a caper movie.

“The idea was to make this as inconspicuous as possible,” said Ute Wartenberg Kagan, executive director of the American Numismatic Society. “It had to resemble a totally ordinary office move.”

[...]

Society staff members were pledged to secrecy about the timing of the move, and “we didn’t tell our movers what the cargo was until the morning of,” said James McVeigh, operations manager of Time Moving and Storage Inc. of Manhattan, referring to the crew of 20 workers.

From my book Beyond Fear, pp. 211-12:

At 3,106 carats, a little under a pound and a half, the Cullinan Diamond was the largest uncut diamond ever discovered. It was extracted from the earth at the Premier Mine, near Pretoria, South Africa, in 1905. Appreciating the literal enormity of the find, the Transvaal government bought the diamond as a gift for King Edward VII. Transporting the stone to England was a huge security problem, of course, and there was much debate on how best to do it. Detectives were sent from London to guard it on its journey. News leaked that a certain steamer was carrying it, and the presence of the detectives confirmed this. But the diamond on that steamer was a fake. Only a few people knew of the real plan; they packed the Cullinan in a small box, stuck a three-shilling stamp on it, and sent it to England anonymously by unregistered parcel post.
This is a favorite story of mine. Not only can we analyze the complex security system intended to transport the diamond from continent to continentthe huge number of trusted people involved, making secrecy impossible; the involved series of steps with their associated seams, giving almost any organized gang numerous opportunities to pull off a theftbut we can contrast it with the sheer beautiful simplicity of the actual transportation plan. Whoever came up with it was really thinkingand thinking originally, boldly, and audaciously.

This kind of counterintuitive security is common in the world of gemstones. On 47th Street in New York, in Antwerp, in London: People walk around all the time with millions of dollars’ worth of gems in their pockets. The gemstone industry has formal guidelines: If the value of the package is under a specific amount, use the U.S. Mail. If it is over that amount but under another amount, use Federal Express. The Cullinan was again transported incognito; the British Royal Navy escorted an empty box across the North Sea to Amsterdam -- where the diamond would be cut -- while famed diamond cutter Abraham Asscher actually carried it in his pocket from London via train and night ferry to Amsterdam.

Picture of Camera Thieves Uploaded by Eye-Fi

Thu, 05 Jun 2008 11:09:06 +0000

This story is a bit cute, but it's true: Alison DeLauzon, Reuters reports, had her camera stolen when left an equipment bag in a restaurant in Florida. The folks who allegedly took the bag also took pictures of themselves, which isn't unusual. But DeLauzon had an Eye-Fi wireless Secure Digital (SD) card in her camera, received as a gift. The thieves apparently wandered by an open access point with the same SSID as one that DeLauzon had configured for use, and pictures of her baby and the thieves were uploaded to her picture-sharing account. Nifty.

This is reminiscent of another recent story in which an Apple Store employee was able to use Mac OS X 10.5 Leopard's Back to My Mac remote access software to connect to a laptop that was stolen from her apartment to grab images and screenshots of the two men alleged to have taken the laptop and other gear.

E-Mail After the Rapture

Mon, 02 Jun 2008 09:09:47 +0000

It's easy to laugh at the You've Been Left Behind site, which purports to send automatic e-mails to your friends after the Rapture:

The unsaved will be 'left behind' on earth to go through the "tribulation period" after the "Rapture".... We have made it possible for you to send them a letter of love and a plea to receive Christ one last time. You will also be able to give them some help in living out their remaining time. In the encrypted portion of your account you can give them access to your banking, brokerage, hidden valuables, and powers of attorneys' (you won't be needing them any more, and the gift will drive home the message of love). There won't be any bodies, so probate court will take 7 years to clear your assets to your next of Kin. 7 years of course is all the time that will be left. So, basically the Government of the AntiChrist gets your stuff, unless you make it available in another way.

But what if the creator of this site isn't as scrupulous as he implies he is? What if he uses all of that account information, passwords, safe combinations, and whatever before any rapture? And even if he is an honest true believer, this seems like a mighty juicy target for any would-be identity thief.

And -- if you're curious -- this is how the triggering mechanism works:

We have set up a system to send documents by the email, to the addresses you provide, 6 days after the "Rapture" of the Church. This occurs when 3 of our 5 team members scattered around the U.S fail to log in over a 3 day period. Another 3 days are given to fail safe any false triggering of the system.

The site claims that the data can be encrypted, but it looks like the encryption key is stored on the server with the data.

Airlines Profiting from TSA Rules

Tue, 20 May 2008 02:51:32 +0000

From CNN:

Before 9/11, airlines and security personnel -- and I use the term "security personnel" loosely -- might have let a nickname or even a maiden name on a ticket slide. No longer. If you have the wrong name on your ticket, you're probably grounded. And there are two reasons for this: security and greed.
The Transportation Security Administration wants to be sure the same person who bought the ticket, and who was screened, is boarding the plane. But when there's an inexact match, the airline can either charge a $100 "change" fee or force you to buy a new ticket. In an industry where every dollar counts, the exact-name rule is the government's gift to cash-starved air carriers.

That's the situation Gordon was confronted with, even when it was obvious that "Jan" and "Janet" were one and the same. There were suggestions that a new ticket might need to be purchased. "We didn't let it get to that," he recalls. Instead, he asked to speak with a supervisor who could finally fix the codes so that the ticket and passport matched up. How did all of this happen in the first place? Turns out Jan Gordon had signed up for a frequent flier account under her informal name, so when she booked an award ticket, it also used her informal -- and inaccurate -- name.

There are two things to get pissed off about here. One, the airlines profiting off a TSA rule. And two, a TSA rule that requires them to ignore what is obvious.

Metro Round-Up: OpenAirBOston

Mon, 14 Apr 2008 07:12:29 +0000

Dubiousness on future of Long Island project: Long Island network builder E-Path has lost out in Trenton, where it asked for a mere $250,000 in contracted services to build a 7.5 sq mi network; Delay Beach, Flor., hasn't progressed, either. Trenton's business administrator states the problem clearly: "You can't expect a company to come in and expend millions of dollars on build out costs without having some level of guarantee that they're going to recover their costs." But there's more problems with E-Path in Long Island, where the utility that needs to grant pole access for two pilot projects says they gave access months ago. We'll see what shakes out. I was dubious from the start about the scale of the project with no anchor tenant, and with a firm that had no comparable projects of scale even underway. It's not a lack of confidence in E-Path (I have no opinion on their abilities); rather, the state of financing for projects of this sort.

Extremely fair article on Sebastopol Wi-Fi networking health debate: The local paper manages to push the camel through the eye of the needle in presenting various aspects of the vote by the local council to rescind the gift of a local ISP to provide city-wide Wi-Fi. It neither ridicules the symptoms of people who describe themselves as electrosensitive, nor ignores the clinical research that shows such sensitivity to be unprovable, even as the symptoms are clearly manifest (just not correlated with EMF). The article notes that one radio host who speaks on health has his words carried by a station that is bumping more signal out across Sebastopol than any Wi-Fi network would. In a true Sonoma moment, however, the leading opponent to the city-wide network and the owner of the ISP cross paths in front of Whole Foods where high school students in favor of the network were gather signatures for a petition--and hugged. That kind of behavior is more of what we need: civility, understanding, and mutual working forward to improve everyone's health. More research? Sure. And more kindness, too.

Wired's Wi-Fi map: now, useful! My friend and colleague Cyrus Farivar spent weeks researching what municipal projects were proceeding, on hold, or dead across the U.S., and I wasn't very impressed by the way in which Wired presented this material in their print issue. But never fear! Online, paired with Google Maps, his research is tremendously accessible. It's now a few weeks out of date, but still useful for the scope and locations of projects. It makes me want to build an ongoing effort of the same kind!

Complimentary essay on Boston's pace: By not building fast, OpenAirBoston avoids the mistakes of other municipal networks. True. But in the end, they need to build something; they are only "behind" in the sense of not having put their neck out too far.

Massive IFRAME SEO Poisoning Attack Continuing

Thu, 27 Mar 2008 18:12:29 +0000

Last week's massive IFRAME injection attack is slowly turning into a what looks like a large scale web application vulnerabilities audit of high profile sites. Following the timely news coverage, Symantec's rating for the attack as medium risk, StopBadware commenting on XP Antivirus 2008, and US-CERT issuing a warning about the incident, after another week of monitoring the campaign and the type of latest malware and sites targeted, the campaign is still up and running, poisoning what looks like over a million search queries with loadable IFRAMES, whose loading state entirely relies on the site's web application security practices - or the lack of.

What has changed since the last time? The number and importance of the sites has increased, Google is to what looks like filtering the search results despite that the malicious parties may have successfully injected the IFRAMEs already, thus trying to undermine the campaign, new malware and fake codecs are introduced under new domain names, and a couple of newly introduced domains within the IFRAMES themselves.

Keep it Simple Stupid for the sake efficiency is what makes the campaign relatively easy to track once you understand the importance of hot leads, and real-time assessments for the purpose of setting the foundation for someone else's upcoming piece of the puzzle in an OSINT manner. The main IPs within the IFRAMES acting as redirection points to the newly introduced rogue software and malware, remain the same, and are still active. The very latest high profile sites successfully injected with IFRAMES forwarding to the rogue security software and Zlob malware variants :

USAToday.com, ABCNews.com, News.com, Target.com, Packard Bell.com, Walmart.com, Rediff.com, MiamiHerald.com, Bloomingdales.com, PatentStorm.us, WebShots.com, Sears.com, Forbes.com, Ugo.com, Bartleby.com, Linkedwords.com, Circuitcity.com, Allwords.com, Blogdigger.com, Epinions.com, Buyersindex.com, Jcpenney.com, Nakido.com, Uvm.edu, hobbes.nmsu.edu, jurist.law.pitt.edu, boisestate.edu.

Which are the main IPs injected as IFRAME redirection points?

72.232.39.252

NetRange: 72.232.0.0 - 72.233.127.255

CIDR: 72.232.0.0/16, 72.233.0.0/17

NetName: LAYERED-TECH-

NetHandle: NET-72-232-0-0-1

Parent: NET-72-0-0-0-0
NetType: Direct Allocation

NameServer: NS1.LAYEREDTECH.COM

NameServer: NS2.LAYEREDTECH.COM

Comment: abuse@layeredtech.com

195.225.178.21
route: 195.225.176.0/22

descr: NETCATHOST (full block)

mnt-routes: WZNET-MNT

mnt-routes: NETCATHOST-MNT

origin: AS31159

notify: vs@netcathost.com

remarks: Abuse contacts: abuse@netcathost.com

89.149.243.201

inetnum: 89.149.241.0 - 89.149.244.255

netname: NETDIRECT-NET
remarks: INFRA-AW

admin-c: WW200-RIPE

tech-c: SR614-RIPE
changed: technik@netdirekt.de 20070619

89.149.220.85

inetnum: 89.149.220.0 - 89.149.221.255

netname: NETDIRECT-NET

remarks: INFRA-AW

admin-c: WW200-RIPE

tech-c: SR614-RIPE

changed: technik@netdirekt.de 20070619

Newly introduced malware serving domains upon loading the IFRAMES :

mynudedirect.com/3/5144 (216.255.186.107) loads mynudenetwork.com/flash2/?aff=5144 (85.255.120.203) which attempts to load mynudenetwork.com/load.php?aff=5144&saff=0&sid=3 where the malware is attempting to load upon accepting the ActiveX object :

Scanners Result: Result: 12/32 (37.5%)

Suspicious:W32/Malware!Gemini; W32/BHO.BVW

File size: 107536 bytes

MD5: e50f2c9874a128d4c15e72d26c78352c

SHA1: 91f8a0e2531ea63ce22d0c7f90e7366a78ebeb8a

Moreover gift-vip.net/images/index1.php (195.225.178.19) is still loading from the previous campaign, this time pointing to webmovies-b.com/movie/black/0/21/411/0/ (58.65.234.25), and of course, e.pepato.org/e/ads.php?b=3029 (58.65.238.59) :

Scanners Result: 2/32 (6.25%)

JS.Feebs.rv; JS/Feebs.gen2 @ MM

File size: 16098 bytes

MD5: 64bbd8ba8a0c9ce009d19f5b8c9d426e

SHA1: 1b313198ef140d2c74f36aa84c13afe9497865b6

We also have vipasotka.com/in.php?adv=5032&val=43c46ed2 (119.42.149.22) loading and redirecting to golnanosat.com/in.php?adv=5058&val=e32a412f (119.42.149.22)

Scanners Result : Result: 11/32 (34.38%)

Trojan.Crypt.AN; FraudTool.Win32.UltimateDefender.cm

File size: 61440 bytes

MD5: 5d83515199803e1fbcd3d2d8e0cd4ce5

SHA1: 4c1f0eba4be895cf3b018e41fa7f13523424874d

Last but not least is d08r.cn (203.174.83.55) a new domain introduced within the IFRAMES, which is also responding to, another scammy ecosystem :

07search.com
5m9h41.com
a666hosting.info

gzoe7w.com
l6q7x6.com
nashepivo.com
nbb3g1.com
sraly.com
uvilo.com
vmksxo.com
credits-counselor.com
hx0k21.com
mob-shop.net
smart-search.net

For the time being, Google is actively filtering the results, in fact removing the cached pages on number of domains when I last checked, the practice makes it both difficult to assess how many and which sites are actually affected, and of course, undermining the SEO poisoning, as without it the input validation and injecting the IFRAMEs would have never been able to attract traffic at the first place.

The attack is now continuing, starting two weeks ago, the main IPs behind the IFRAMES are still active, new pieces of malware and rogue software is introduced hosting for which is still courtesy of the RBN, and we're definitely going to see many other sites with high page ranks targeted by a single massive SEO poisoning in a combination with IFRAME injections. Which site is next? Let's hope not yours, as if you don't take care of your web application vulnerabilities, someone else will.

Related posts:
More High Profile Sites IFRAME Injected
More CNET Sites Under IFRAME Attack
ZDNet Asia and TorrentReactor IFRAME-ed
Rogue RBN Software Pushed Through Blackhat SEO
Massive RealPlayer Exploit Embedded Attack
Another Massive Embedded Malware Attack
Yet Another Massive Embedded Malware Attack
Massive Blackhat SEO Targeting Blogspot
Massive Online Games Malware Attack

Do yourself a favor and subscribe to this blog

Sun, 23 Mar 2008 13:31:35 +0000

Peters Blog is a must for those who want to stay informed on the baddies out there who want to destroy your comfy fuzziness while online.

clipped from peterhgregory.wordpress.com

Securitas Operandi™

“Reach the widest possible worldwide audience with information on data security, business security, and information assurance. Achieve this mission through published books, magazine articles, online forums, public speaking, expert court testimony, and teaching.”

Make a New Year’s resolution: safer computing

Give the gift of safe Internet usage