<?xml version="1.0" encoding="utf-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" version="2.0">
  <channel>
    <title><![CDATA[[SecurityRatty] tag: perpetrators]]></title>
    <link>http://securityratty.com/tag/perpetrators</link>
    <description></description>
    <pubDate>Mon, 03 Dec 2007 12:51:00 +0000</pubDate>
    <generator>iRatty Engine</generator>
    <docs>http://blogs.law.harvard.edu/tech/rss</docs>
    <item>
      <title><![CDATA[Update on Cybercrime law by Congress]]></title>
      <link>http://securityratty.com/article/ca3f6d70b153df19737cbb787979943a</link>
      <guid>http://securityratty.com/article/ca3f6d70b153df19737cbb787979943a</guid>
      <description><![CDATA[Adding Keyloggers to punishable offenses makes it a whole new playing field for all


clipped from www.informationweek.com

Congress Extends Cybercrime Laws



The amendment criminalizes the use of...]]></description>
      <content:encoded><![CDATA[<div > Adding Keyloggers to punishable offenses makes it a whole new playing field for all. </div>
<table cellpadding="0" cellspacing="0" width="100%" style="margin: 12px 0px; font-family: arial; color: #333333; background: #ffffff; border: solid 4px #e5e5e5; width: 100%; clear: left;">
<tr>
<td valign="top">
<table cellpadding="0" cellspacing="0" width="100%" class="CM_CTB_Content_Wrap" style="margin: 0px; padding: 0px;background-color: #ffffff;">
<tr>
<td valign="top">
<table cellpadding="0" cellspacing="0" width="100%" style="border-bottom: solid 1px #dcdcdc; white-space: nowrap; margin-bottom: 8px; background-color: #eeeeee ;background-image: url(http://clipmarks.com/images/source-bg.gif); background-repeat: repeat-x; height: 24px; line-height: 24px; vertical-align: middle; padding-bottom: 4px; color: #666666; font-size: 10px;">
<tr>
<td valign="top"><a href="http://clipmarks.com/clipmark/A292722A-C96A-4D67-A2DA-9BD42FB6EA88/" title="go to this clipmark"><img src="http://content.clipmarks.com/blog_icon/0cc2f612-d596-4310-a7c7-bdc926c90945/A292722A-C96A-4D67-A2DA-9BD42FB6EA88/" alt="" width="19" height="19" border="0" style="vertical-align: middle; margin: 0px 4px; display: inline; border: none; float:none;" /></a>clipped from <a title="http://www.informationweek.com/news/security/cybercrime/showArticle.jhtml?articleID=210602182" href="http://www.informationweek.com/news/security/cybercrime/showArticle.jhtml?articleID=210602182" style="font-size: 11px;">www.informationweek.com</a></td>
</tr>
</table>
<table cellpadding="0" cellspacing="0" width="100%" style="text-align: left; padding: 0px 8px; margin: 4px 0px 8px 0px; background: transparent; border: none;">
<tr>
<td valign="top"><!-- CLIPPED FROM: http://www.informationweek.com/news/security/cybercrime/showArticle.jhtml?articleID=210602182 -->
<div style="margin: 4px 0px; color: #000000; font-size: 20px;">
Congress Extends Cybercrime Laws
</div>
</td>
</tr>
</table>
<div style="height: 2px; font-size: 2px; background: #dcdcdc; border-bottom: solid 1px #f5f5f5; margin: 2px 4px;"></div>
<table cellpadding="0" cellspacing="0" width="100%" style="text-align: left; padding: 0px 8px; margin: 4px 0px 8px 0px; background: transparent; border: none;">
<tr>
<td valign="top"><!-- CLIPPED FROM: http://www.informationweek.com/news/security/cybercrime/showArticle.jhtml?articleID=210602182 --><P><br />
The amendment criminalizes the use of malicious spyware and keystroke loggers to damage a computer, by eliminating a requirement that the loss exceed $5,000 and making it a misdemeanor to send <A href="http://www.techweb.com/encyclopedia/defineterm.jhtml?term=spyware&#038;x=&#038;y=">spyware</A> that causes any loss. Perpetrators would face fines and up to one year in prison.<br />
</P></td>
</tr>
</table>
</td>
</tr>
</table>
</td>
</tr>
</table>
]]></content:encoded>
      <pubDate>Wed, 17 Sep 2008 19:31:15 +0000</pubDate>
      <category domain="http://securityratty.com/tag/spyware">spyware</category>
      <category domain="http://securityratty.com/tag/malicious spyware">malicious spyware</category>
      <category domain="http://securityratty.com/tag/keystroke loggers">keystroke loggers</category>
      <category domain="http://securityratty.com/tag/loss">loss</category>
      <category domain="http://securityratty.com/tag/punishable offenses">punishable offenses</category>
      <category domain="http://securityratty.com/tag/damage">damage</category>
      <category domain="http://securityratty.com/tag/amendment">amendment</category>
      <category domain="http://securityratty.com/tag/keyloggers">keyloggers</category>
      <category domain="http://securityratty.com/tag/perpetrators">perpetrators</category>
      <source url="http://spywarebiz.com/spywarebizblog/?p=617">Update on Cybercrime law by Congress</source>
    </item>
    <item>
      <title><![CDATA[Corporate Identity Theft]]></title>
      <link>http://securityratty.com/article/57c21b4d57a8ae63a7ec8f43043877e8</link>
      <guid>http://securityratty.com/article/57c21b4d57a8ae63a7ec8f43043877e8</guid>
      <description><![CDATA[I remember a talk by the value investor Mason Hawkins (Longleaf Funds) where someone asked him about investing overseas. He answered that he does, but mainly in places where the British flag flew at...]]></description>
      <content:encoded><![CDATA[<p>I remember a <a href="http://www.bengrahaminvesting.ca/Resources/videos.htm#hawkins">talk</a>&#160;by the value investor&#160;<a href="http://en.wikipedia.org/wiki/Mason_Hawkins">Mason Hawkins</a>&#160;(Longleaf Funds) where someone asked him about investing overseas. He answered that he does, but mainly in places where the British flag flew at some point, where there is a rule of law. Here is one example of what he is worried about and why investing in places where your assets have no legal protection does not give the investor a margin of safety.</p><div>Hermitage Fund was until recently the largest fund in Russia. From the Business Week story<a href="http://hermitagefund.com/index.pl/news/article.html?id=895"> &quot;Hijacking the Hermitage Fund&quot;</a></div><br /><blockquote class="webkit-indent-blockquote" style="margin: 0 0 0 40px; border: none; padding: 0px;"><p>Corruption, intimidation, robbery, violent assault, forgery, large-scale fraud. No, not the subject of the latest John Grisham novel, but sensational allegations, made public Apr. 4 by Hermitage Capital Management -- until recently the largest foreign portfolio investor in Russia. In a detailed and damning report, titled Criminal Justice -- Russian-Style, Hermitage alleges the fund&#39;s Russian subsidiaries have fallen victim to an elaborate con designed to defraud the fund of hundreds of millions of dollars.&#160;<br />&#160;&#160;<br />The most sensational part of Hermitage&#39;s allegations is that the attempted larceny was carried out with the direct connivance of officials in the Russian police. Hermitage alleges the police seized documents and equipment that were instrumental to the attempted fraud, which involved bogus court cases based on forged documents, the aim of which was to sue Hermitage subsidiaries for hundreds of millions of dollars. 
&quot;The most shocking thing is not that there are corporate raiders in Russia who attempt to steal your shares,&quot; says Jamison Firestone, managing partner of Firestone Duncan, Hermitage&#39;s law firm. &quot;The shocking thing is that the police worked hand-in-hand with them, and actually performed the theft of the documents so that the corporate raiders could then do their work.&quot;</p></blockquote><div><br /><div>From the most recent Hermitage Fund letter, here is the current state:</div><br /><br /></div><blockquote class="webkit-indent-blockquote" style="margin: 0 0 0 40px; border: none; padding: 0px;"><p>So the two-pronged scam worked in one area and failed in another. The perpetrators weren’t able to steal the assets from us based on the fake court claims, but they were able to steal $230 million from the Russian government by filing amended tax returns on behalf of our stolen companies. What makes this story even more shocking is that we filed six 255-page criminal complaints with the Russian authorities in December last year, one month before the tax fraud took place, and they did nothing to stop it. Two complaints were sent to the Russian General Prosecutor, two to the Russian State Investigative Committee and two to the Internal Affairs Department of the Interior Ministry. There was enough information to prevent the fraud and indict a number of people behind it if the government had acted.&#160;</p><p>Instead of doing anything to save the Russian state from this highly sophisticated and organized looting, two of our complaints were thrown out immediately; two were returned to the same Interior Ministry official we were complaining about (essentially, he was being asked to “investigate himself”); and one was thrown out for “lack of any crime committed.” Only one complaint was taken seriously. 
It was taken up by the Russian State Investigative Committee in early February, but before it could get any traction, the case was lowered to the South region of the Moscow district of the State Investigative Committee (the lowest level of the Committee) and by June, another senior Interior Ministry official whom we had named in our complaint had joined the “investigation” team (again, to “investigate himself”). To this day there has been no serious response by the Russian authorities to this massive fraud against the Russian state.&#160;</p><p>As we described in our April letter, the problem of corporate “raiding” is now so endemic in Russia that President Medvedev speaks about it as one of the biggest problems faced by Russian businesses. In this case, raiders have taken this problem to a new and absurd extreme by “raiding” the Russian state itself and so far getting away with it. Together with HSBC, we will shortly be filing new criminal complaints with the Russian General Prosecutor and Russian State Investigative Committee as well as with many law enforcement authorities outside of Russia. It is hard to predict what will happen next in this unfolding and unbelievable saga, but as always we will keep you updated on any further developments as they arise.</p></blockquote><blockquote class="webkit-indent-blockquote" style="margin: 0 0 0 40px; border: none; padding: 0px;"><br /></blockquote><p>Of course we see individual identity theft on a regular basis (actually as Ross Anderson points out it&#39;s not really identity theft but poor controls on the bank&#39;s parts using SSNs as secrets and so on), but you don&#39;t see a major corporation stolen every day.</p>]]></content:encoded>
      <pubDate>Sat, 16 Aug 2008 05:58:30 +0000</pubDate>
      <category domain="http://securityratty.com/tag/russian police">russian police</category>
      <category domain="http://securityratty.com/tag/police">police</category>
      <category domain="http://securityratty.com/tag/russian">russian</category>
      <category domain="http://securityratty.com/tag/russian government">russian government</category>
      <category domain="http://securityratty.com/tag/government">government</category>
      <category domain="http://securityratty.com/tag/identity theft">identity theft</category>
      <category domain="http://securityratty.com/tag/russian-style">russian-style</category>
      <category domain="http://securityratty.com/tag/hermitage">hermitage</category>
      <category domain="http://securityratty.com/tag/fund">fund</category>
      <source url="http://1raindrop.typepad.com/1_raindrop/2008/08/corporate-identity-theft.html">Corporate Identity Theft</source>
    </item>
    <item>
      <title><![CDATA[Bust-out schemes are a fraud to make you go bust]]></title>
      <link>http://securityratty.com/article/275b74d12454e0fb2722e7b6bd27479a</link>
      <guid>http://securityratty.com/article/275b74d12454e0fb2722e7b6bd27479a</guid>
      <description><![CDATA[Increasing globalization is proving to be a boon for perpetrators of a type of fraud known as a &quot;bust-out scheme.&quot; This kind of fraud, commonplace in the computer and electronics industry, victimizes...]]></description>
      <content:encoded><![CDATA[Increasing globalization is proving to be a boon for perpetrators of a type of fraud known as a "bust-out scheme." This kind of fraud, commonplace in the computer and electronics industry, victimizes legitimate manufacturers and retailers. People in the industry should be aware of the particulars of such schemes so they can guard against them.]]></content:encoded>
      <pubDate>Sun, 08 Jun 2008 20:00:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/fraud">fraud</category>
      <category domain="http://securityratty.com/tag/industry">industry</category>
      <category domain="http://securityratty.com/tag/electronics industry">electronics industry</category>
      <category domain="http://securityratty.com/tag/schemes">schemes</category>
      <category domain="http://securityratty.com/tag/bust-out scheme">bust-out scheme</category>
      <category domain="http://securityratty.com/tag/retailers">retailers</category>
      <category domain="http://securityratty.com/tag/manufacturers">manufacturers</category>
      <category domain="http://securityratty.com/tag/perpetrators">perpetrators</category>
      <category domain="http://securityratty.com/tag/commonplace">commonplace</category>
      <source url="http://www.networkworld.com/news/2008/060608-bust-out-schemes-are-a-fraud.html?fsrc=rss-security">Bust-out schemes are a fraud to make you go bust</source>
    </item>
    <item>
      <title><![CDATA[UltimateBet cheating goes undetected for almost 21 months]]></title>
      <link>http://securityratty.com/article/ab86750c9ca2ca89b4459be51f0a8dee</link>
      <guid>http://securityratty.com/article/ab86750c9ca2ca89b4459be51f0a8dee</guid>
      <description><![CDATA[Technorati Tag: Security Breach

Date Reported
5/29/08

Organization
Tokwiro Enterprises ENRG

Tokwiro Enterprises Enrg&quot; is a recognized Mohawk owned and controlled, gaming sole proprietorship,...]]></description>
      <content:encoded><![CDATA[Technorati Tag: <a href="http://technorati.com/tag/security+breach" rel="tag">Security Breach</a><br><br>
<img src="http://breachblog.com/images/95781-88451/ultimatebet.jpg" align="right" height="102" width="120"><font size="2"><span style="font-weight: bold;">Date Reported: </span><br>5/29/08 <br><br><span style="font-weight: bold;">Organization: </span><br>Tokwiro Enterprises ENRG*<br><br><font size="1">*"Tokwiro Enterprises Enrg" is a recognized Mohawk owned and controlled, gaming sole proprietorship, presently undergoing a licencing process with the "Kahnawake Gaming Commission" ("KGC"), which was itself established on the 10th day of June, 1996. (Source: <a href="http://www.ultimatebet.com/about-us">www.ultimatebet.com/about-us</a>)</font><br><br><span style="font-weight: bold;">Contractor/Consultant/Branch:</span><br><a href="http://www.ultimatebet.com/">UltimateBet</a> <br><br><span style="font-weight: bold;">Victims:</span><br>Customers<br><br><span style="font-weight: bold;">Number Affected:</span><br>Unknown<br><br><span style="font-weight: bold;">Types of Data:</span><br>"hole card information during live play" resulting in financial loss<br><br><span style="font-weight: bold;">Breach Description:</span><br>"MONTREAL, CANADA (MAY 29, 2008) --- Tokwiro Enterprises ENRG ("Tokwiro"), proprietors of UltimateBet.com ("UltimateBet"), one of the world's largest online card rooms, today announced the results of its lengthy investigation into allegations of unfair play, which was triggered by concerns about an account named 'NioNio'."<br><br><span style="font-weight: bold;">Reference URL:</span><br><a href="http://www.ultimatebet.com/poker-news/2008/may/NioNio-Findings">UltimateBet Statement</a> (full statement text below)<br><a href="http://www.cjad.com/news/565/729153">CJAD NewsTalk Radio</a> <br><a href="http://www.cardplayer.com/poker-news/article/4279/owner-of-ultimatebet-confirms-security-breach">Card Player</a> <br><a href="http://www.pokerlistings.com/ultimatebet-wraps-investigation-of-unfair-play-27499">PokerListings</a> <br><br><span 
style="font-weight: bold;">Report Credit:</span><br>Tokwiro Enterprises ENRG and Bob Pajich at Card Player<br><br><span style="font-weight: bold;">Response:</span><br>From the online sources cited above:<br><br>Tokwiro Enterprises, the company that owns both Absolute Poker and UltimateBet, today released a statement confirming that cheating had gone on at UltimateBet by people who, according to the release, "worked for the previous ownership of UltimateBet prior to the sale of the business to Tokwiro in October 2006."<br><span style="font-style: italic;">[Evan] Shouldn't an information security and risk assessment be conducted as part of the acquisition and integration?&nbsp; If so, then wouldn't a code review of the proprietary software that came with the acquisition be included?&nbsp; This is the proprietary software that really drives the purpose of the site.</span><br><br>The player or players behind the 18 screen names that were identified as being corrupted have not been named.<br><br>Tokwiro will refund players their losses once the investigation is complete.<br><span style="font-style: italic;">[Evan] I wonder how expensive this will be.</span><br><br>The usernames that were used to cheat are: NioNio, Sleepless, NoPaddles, nvtease, flatbroke33, ilike2win, UtakeIt2, FlipFlop2, erick456, WhackMe44, RockStarLA, stoned2nite, monizzle, FireNTexas, HeadKase01, LetsPatttty, NYMobser, and WhoWhereWhen.<br><br>The cheating was able to take place because the perpetrators had access to what Tokwiro is calling an "unauthorized software code" that allowed the cheaters to see their opponents’ holecards.<br><span style="font-style: italic;">[Evan] This "unauthorized software code" use went undetected for almost 21 months!</span><br><br>The cheating took place from March 7, 2006 to Dec. 
3, 2007, and it’s not known how much money the cheater(s) illicitly won.<br><br>The company refused to disclose the amount of fraudulent winnings, but poker observers have said it runs into the millions.<br><br>As soon as the cheating was suspected, Tokwiro said it contacted the Kahnawake Gaming Commission (KGC), the most used online poker regulatory commission, to start the investigation.<br><br>Tokwiro is mandated to contact KGC if any suspicious activity might be taking place.<br><br>This is the second cheating incident to hit the company since it purchased Absolute Poker and UltimateBet.<br><br>The first occurred when it was discovered that several players at Absolute Poker also had access to software that allowed them to see opponents’ holecards.<br><span style="font-style: italic;">[Evan] A link is included below</span><br><br><center>ULTIMATEBET ISSUES STATEMENT REGARDING UNFAIR PLAY</center><br><br><span style="font-weight: bold;">MONTREAL, CANADA (MAY 29, 2008)</span> --- Tokwiro Enterprises ENRG ("Tokwiro"), proprietors of UltimateBet.com ("UltimateBet"), one of the world's largest online card rooms, today announced the results of its lengthy investigation into allegations of unfair play, which was triggered by concerns about an account named 'NioNio'. Tokwiro has worked diligently in cooperation with its regulatory body, the Kahnawake Gaming Commission ("KGC"), and with independent third-party experts to conduct a thorough investigation that included a comprehensive review of hand histories and game data, thorough analyses of software and network security, and audits of its security practices and procedures.<br>&nbsp;<br>The investigation has concluded that certain player accounts did in fact have an unfair advantage, and that these accounts targeted the highest limit games on the site. The individuals responsible were found to have worked for the previous ownership of UltimateBet prior to the sale of the business to Tokwiro in October 2006. 
Tokwiro is taking full responsibility for this situation and will immediately begin refunding UltimateBet customers for any losses that were incurred as a result of unfair play. <br><br>The fraudulent activity was enabled by unauthorized software code that allowed the perpetrators to obtain hole card information during live play. The existence of this vulnerability was unknown to Tokwiro until February 2008 and existed prior to UltimateBet's acquisition by Tokwiro in October 2006. Our investigation has confirmed that the code was part of a legacy auditing system that was manipulated by the perpetrators. Gaming Associates, independent auditors hired by the KGC, have confirmed that the software code that provided the unfair advantage has been permanently removed.<br>&nbsp;<br>Throughout the investigation of this incident, Tokwiro's consistent priorities have been: <br></font><ol><li><font size="2">To permanently remove the ability to engage in unfair play;</font></li><li>To complete its investigation and come to a full understanding of what occurred;</li><li>To refund the affected customers; and</li><li>To implement measures that prevent future incidents. <br></li></ol><font size="2">The Company said, "We would like to thank our customers for their patience, loyalty and support, as well as for their understanding that we are doing everything we can to correct this situation. The staff and management of UltimateBet are fully committed to providing a safe and secure environment for our players, and we want to assure customers of our unwavering resolve to monitor site security with every resource at our disposal." <br><br><span style="font-weight: bold;">Investigation Timeline </span><br>These are the key events in the course of the incident. <br></font><ul><li><font size="2">January 2008: UltimateBet is alerted to suspicions of unfair play on the part of the account "NioNio". 
Within 24 hours, UltimateBet contacts the KGC to provide formal notice that UltimateBet has initiated an investigation of the incident. UltimateBet subsequently forwarded a copy of all related data to the KGC.</font></li><li>January 2008: The "NioNio" account and related accounts are suspended pending further investigation.</li><li>February 2008: Preliminary findings indicate abnormally high winning statistics for the suspect accounts. After discussions with the KGC, UltimateBet engages third-party gaming experts to assist with the analysis.</li><li>February 2008: Investigators confirm that the suspect accounts are associated with individuals who had worked for UltimateBet under the previous ownership.</li><li>February 2008: UltimateBet discovers the unauthorized code that allowed the perpetrators to obtain hole card information during live play. The code was part of a legacy auditing system that was manipulated by the perpetrators of the fraud.</li><li>February 2008: UltimateBet immediately removes the unauthorized code and works with the KGC and with third-party auditors to verify that the security hole has been eliminated.</li><li>March 2008: Six player accounts are confirmed to have participated in this scheme. No accounts were deleted at any point, although some account names were changed multiple times. 
The following account names are known to have been used in the fraudulent activity: NioNio, Sleepless, NoPaddles, nvtease, flatbroke33, ilike2win, UtakeIt2, FlipFlop2, erick456, WhackMe44, RockStarLA, stoned2nite, monizzle, FireNTexas, HeadKase01, LetsPatttty, NYMobser, and WhoWhereWhen.</li><li>May 2008: The investigation confirms that the fraudulent activity took place from March 7, 2006 to December 3, 2007.</li><li>May 2008: Gaming Associates certifies that the software code that enabled unfair play was removed from UltimateBet servers in February of 2008.</li><li>May 2008: Customers affected by this incident are identified, and plans for corrective action are reviewed with the KGC. <br></li></ul><font size="2"><span style="font-weight: bold;">Corrective Actions Taken </span><br>The following actions have been taken or are currently underway as a direct result of this investigation. <br></font><ul><li><font size="2">The security hole identified in UltimateBet's investigation has been permanently eliminated.</font></li><li>UltimateBet is establishing a state-of-the-art software Security Center that consolidates and greatly enhances existing security capabilities. The first release of the new Security Center focuses solely on the immediate detection of abnormal winnings. Gaming mathematicians, poker professionals, and security software developers have all contributed to the specifications for the new Security Center.</li><li>UltimateBet customers are no longer permitted to change account names unless they have suffered abuse in chat rooms. Requests for changes must be supported by proof of abuse and must be approved by the Chief Compliance Officer.</li><li>In addition to its existing security department, UltimateBet has established a new specialized Poker Security team of professionals dedicated to fraud prevention.</li><li>The refund process will begin immediately. 
The accounts associated with fraudulent activity did not use an unfair advantage in all play sessions. Regardless, UltimateBet is refunding all losses to these accounts.</li><li>Accounts related to the fraudulent activity have been disabled, and the individuals associated with those accounts permanently banned from the site.</li><li>UltimateBet has worked closely and transparently with its governing body, the KGC and its designated expert auditors, to determine exactly what happened, how it happened, and who was involved, and has taken action to prevent any possibility of this situation recurring.</li><li>Tokwiro is pursuing its legal options in regard to this incident. <br></li></ul><font size="2">For further inquiries please contact press@ultimatebet.com <br><br><span style="font-weight: bold;">Commentary:</span><br>This is potentially a multi-million dollar loss for Tokwiro Enterprises ENRG and it's very troubling that this breach went undetected for so long. The software used by the site is proprietary and should really be subject to a significant amount of information security scrutiny.<br><br>If I were a player, I think I would be beyond angry.&nbsp; Not just angry about the loss of money, but angry about the loss of confidence and being cheated in general.&nbsp; I personally know people that refuse to play online poker because of the risk posed by poorly secured sites.<br><br>Information security of online gaming sites must be a #1 priority for the companies that run them.&nbsp; Seems obvious, but many statements in the information security business seem obvious.&nbsp; Personally, I like the response from Tokwiro.&nbsp; If they follow through (which I assume they would), Tokwiro's actions should go a long ways towards reducing risk and restoring customer confidence.<br><br>Check out the comments at <a href="http://www.cardplayer.com/poker-news/article/4279/owner-of-ultimatebet-confirms-security-breach">Card Player</a> to get some insight into what some 
players are thinking. <br><br><span style="font-weight: bold;">Past Breaches:</span><br>Tokwiro Enterprises ENRG/Absolute Poker:<br>October, 2007 - <a href="http://www.msnbc.msn.com/id/21381022/">Online poker cheating blamed on employee</a></font><br><br>
]]></content:encoded>
      <pubDate>Wed, 04 Jun 2008 06:55:17 +0000</pubDate>
      <category domain="http://securityratty.com/tag/ultimatebet">ultimatebet</category>
      <category domain="http://securityratty.com/tag/tokwiro enterprises enrg">tokwiro enterprises enrg</category>
      <category domain="http://securityratty.com/tag/tokwiro enterprises">tokwiro enterprises</category>
      <category domain="http://securityratty.com/tag/ultimatebet issues statement">ultimatebet issues statement</category>
      <category domain="http://securityratty.com/tag/ultimatebet prior">ultimatebet prior</category>
      <category domain="http://securityratty.com/tag/ultimatebet subsequently">ultimatebet subsequently</category>
      <category domain="http://securityratty.com/tag/ultimatebet immediately removes">ultimatebet immediately removes</category>
      <category domain="http://securityratty.com/tag/ultimatebet servers">ultimatebet servers</category>
      <category domain="http://securityratty.com/tag/ultimatebet statement">ultimatebet statement</category>
      <source url="http://breachblog.com/2008/06/04/ultimatebet.aspx">UltimateBet cheating goes undetected for almost 21 months</source>
    </item>
    <item>
      <title><![CDATA[The Cybercrime Arms Race]]></title>
      <link>http://securityratty.com/article/ec6ba32b6856b213a9441213fb5860fd</link>
      <guid>http://securityratty.com/article/ec6ba32b6856b213a9441213fb5860fd</guid>
      <description><![CDATA[(Source: Kaspersky Labs) Sophisticated groups are leading underworld efforts into cybercrime, creating viruses, spyware, Trojans, worms and other malware. These groups now even provide complementary...]]></description>
      <content:encoded><![CDATA[<b>(Source: Kaspersky Labs)</b>  Sophisticated groups are leading underworld efforts into cybercrime, creating viruses, spyware, Trojans, worms and other malware. These groups now even provide complementary criminal services to their clients helping them to outsmart Internet security providers and users. With little or no investment, there's plenty of payback for cybercrime perpetrators at every level of this ecosystem.  Download this whitepaper to learn more.
]]></content:encoded>
      <pubDate>Tue, 19 Feb 2008 11:00:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/cybercrime">cybercrime</category>
      <category domain="http://securityratty.com/tag/cybercrime perpetrators">cybercrime perpetrators</category>
      <category domain="http://securityratty.com/tag/underworld efforts">underworld efforts</category>
      <category domain="http://securityratty.com/tag/kaspersky labs">kaspersky labs</category>
      <category domain="http://securityratty.com/tag/plenty">plenty</category>
      <category domain="http://securityratty.com/tag/source">source</category>
      <category domain="http://securityratty.com/tag/spyware">spyware</category>
      <category domain="http://securityratty.com/tag/users">users</category>
      <category domain="http://securityratty.com/tag/whitepaper">whitepaper</category>
      <source url="http://feeds.computerworld.com/~r/Computerworld/Security/News/~3/237638994/whitepapers.do">The Cybercrime Arms Race</source>
    </item>
    <item>
      <title><![CDATA[Thieves steal four Diocese of Providence computers]]></title>
      <link>http://securityratty.com/article/8ad9d757579cc857b045427c5732a698</link>
      <guid>http://securityratty.com/article/8ad9d757579cc857b045427c5732a698</guid>
      <description><![CDATA[Technorati Tag: Security Breach

Date Reported
2/1/08

Organization
Roman Catholic Diocese of Providence

Contractor/Consultant/Branch
None

Victims
Current and former Catholic school employees
...]]></description>
      <content:encoded><![CDATA[Technorati Tag: <a href="http://technorati.com/tag/security+breach" rel="tag">Security Breach</a><br><br>
<img src="http://breachblog.com/images/95781-88451/dop.jpg" align="right" height="69" width="198"><font size="2"><span style="font-weight: bold;">Date Reported: </span><br>2/1/08<br><br><span style="font-weight: bold;">Organization: </span><br><a href="http://www.dioceseofprovidence.org/index.php" target="_blank"> Roman Catholic Diocese of Providence</a><br><br><span style="font-weight: bold;">Contractor/Consultant/Branch:</span><br>None<br><br><span style="font-weight: bold;">Victims:</span><br>Current and former Catholic school employees<br><br><span style="font-weight: bold;">Number Affected:</span><br>about 5,000<br><br><span style="font-weight: bold;">Types of Data:</span><br>Names, addresses and Social Security numbers<br><br><span style="font-weight: bold;">Breach Description:</span><br>Sometime during the weekend of January 27th, 2008 thieves broke into the Chancery of the Roman Catholic Diocese of Providence and stole four desktop computers, one of which contained sensitive personal information belonging to current and former Catholic school employees.<br><br><span style="font-weight: bold;">Reference URL:</span><br><a href="http://www.dioceseofprovidence.org/?id=212" target="_blank"> The Diocese of Providence online announcement</a> <br><a href="http://www.projo.com/news/content/catholic_identity_theft_02-02-08_BK8S2PA_v13.363690c.html" target="_blank"> The Providence Journal online story</a><br><br><span style="font-weight: bold;">Report Credit:</span><br>The Diocese of Providence<br><br><span style="font-weight: bold;">Response:</span><br>From the online sources cited above:<br><br>An individual or individuals broke into the Diocesan Office Building (also known as the Chancery) located at One Cathedral Square in Providence.&nbsp; The perpetrator(s) gained access by breaking through an office window in the Catholic School Office suite.<br><br>Once in the building, the perpetrators forcibly entered through two locked office doors where they stole desktop 
computers and other equipment.<br><br>The office suite that was burglarized did not have an alarm system<br><span style="font-style: italic;">[Evan] It was reported that the Diocese does employ a security guard, but it is not known where he/she was at the time of the break-in.&nbsp; The fact that the timeframe in question is 8 hours (10 PM Friday - 6 AM Saturday) is interesting.&nbsp; Typically security guards are expected to make regular rounds (~ once every hour or two) throughout the area being guarded.&nbsp; Eight hours is a long time for a break-in to go undetected, so an alarm system would have been very beneficial as an alert if not a deterrent.</span><br><br>One of the stolen computers (a desktop computer, not a laptop) contained a substantial amount of data that included personnel information on present and former Catholic school employees throughout the Diocese of Providence. <br><br>The Rhode Island State Police have been notified of this incident.&nbsp; Additionally, the Providence Police Department has assumed responsibility for the investigation.<br><br>Thus far, the stolen equipment has not been recovered however, the Catholic Schools Office is fully cooperating with law enforcement who are investigating the situation.<br><br>Present and former employees of Rhode Island Catholic schools may be affected.<br><br>A number of safeguards are in place such as: locked offices, password protected computers, local administrator account password protected, guest accounts disabled.<br><span style="font-style: italic;">[Evan] These are all good security practices.</span><br><br>Employees have unique passwords that they are required to change every few weeks<br><span style="font-style: italic;">[Evan] Another good security practice, but every few weeks might be a little too often.&nbsp; If we make people change their passwords too often we increase the chances that they will write them down.</span><br><br>Additionally, personal information of students, teachers, 
parents and others associated with the Catholic Schools Office are prohibited from storage on lap top computers.<br><span style="font-style: italic;">[Evan] Yet another good security practice.</span><br><br>Personal information of students and their parents and or guardians was not stored on the stolen equipment.<br><br>In addition to notifying current and former employees by letters sent to last known addresses, the Catholic Schools Office has created this page on&nbsp; the web site and established a special phone number, 401/278-4678 to answer inquiries from those who feel they may have been affected<br><br>Another diocese office was broken into about a year ago and a computer stolen<br><br>“The Catholic schools office sincerely apologizes for any inconvenience this incident may cause its current and former employees,”<br><br><span style="font-weight: bold;">Commentary:</span><br>Judging from what the Diocese has told us about their security practices it is easy to see that they have made a conscious effort to secure confidential information.&nbsp; They put some sound information security practices to use, but now we understand that it wasn't enough.&nbsp; At least two vital information security controls were missed: data at rest encryption and adequate physical security (alarm system missing).&nbsp; There is no mention as to whether or not the Diocese or Chancery are surveilled. <br><br><span style="font-weight: bold;">Past Breaches:</span><br>Unknown</font><br>
]]></content:encoded>
      <pubDate>Mon, 04 Feb 2008 05:48:02 +0000</pubDate>
      <category domain="http://securityratty.com/tag/diocese">diocese</category>
      <category domain="http://securityratty.com/tag/providence">providence</category>
      <category domain="http://securityratty.com/tag/computers">computers</category>
      <category domain="http://securityratty.com/tag/roman catholic diocese">roman catholic diocese</category>
      <category domain="http://securityratty.com/tag/catholic school employees">catholic school employees</category>
      <category domain="http://securityratty.com/tag/employees">employees</category>
      <category domain="http://securityratty.com/tag/providence police department">providence police department</category>
      <category domain="http://securityratty.com/tag/police">police</category>
      <category domain="http://securityratty.com/tag/catholic schools office">catholic schools office</category>
      <source url="http://breachblog.com/2008/02/04/dop.aspx">Thieves steal four Diocese of Providence computers</source>
    </item>
    <item>
      <title><![CDATA[Stolen Wendy's laptop affects 1,092 employees]]></title>
      <link>http://securityratty.com/article/4842a985c79853d999c877db69363506</link>
      <guid>http://securityratty.com/article/4842a985c79853d999c877db69363506</guid>
      <description><![CDATA[Technorati Tag: Security Breach

Date Reported
12/21/07

Organization
Wendy's International, Inc

Contractor/Consultant/Branch
None

Victims
Wendy's employees

Number Affected
1,092

Types of Data...]]></description>
      <content:encoded><![CDATA[Technorati Tag: <a href="http://technorati.com/tag/security+breach" rel="tag">Security Breach</a><br><br>
<img src="http://breachblog.com/images/95781-88451/wendys.jpg" align="right" height="129" width="110"><font size="2"><span style="font-weight: bold;">Date Reported: </span><br>12/21/07<br><br><span style="font-weight: bold;">Organization: </span><br><a href="http://www.wendys.com/" target="_blank"> Wendy's International, Inc.</a><br><br><span style="font-weight: bold;">Contractor/Consultant/Branch:</span><br>None<br><br><span style="font-weight: bold;">Victims:</span><br>Wendy's employees<br><br><span style="font-weight: bold;">Number Affected:</span><br>1,092<br><br><span style="font-weight: bold;">Types of Data:</span><br>Name, email address, Social Security number, employee identification number, and salary information.<br><br><span style="font-weight: bold;">Breach Description:</span><br>A Wendy's laptop was stolen during a car burglary at a company employee's home on December 1, 2007.&nbsp; The laptop contained sensitive personal information belonging to 1,092 Wendy's employees including Social Security numbers and salary information.&nbsp; The employee reported the theft to Wendy's on December 3rd, and Wendy's reported the breach on December 21st.<br><br><span style="font-weight: bold;">Reference URL:</span><br><a href="http://doj.nh.gov/consumer/pdf/wendys.pdf" target="_blank"> New Hampshire Attorney General breach notification</a><br><br><span style="font-weight: bold;">Report Credit:</span><br>New Hampshire State Attorney General<br><br><span style="font-weight: bold;">Response:</span><br>From the official New Hampshire breach notification:<br><br>We are writing to advise you of a recent incident involving the theft of a company-issued laptop containing certain personal information belonging to Wendy's employees.<br><br>On December 3, 2007, we were notified by an employee of a car burglary at an employee's residence on December 1, 2007, which resulted in the theft of a company-issued laptop.<br><br>Several cars in the neighborhood were the subject of 
break-ins that evening.&nbsp; Accordingly, it may well be that the computer data was not the target of the burglary, that the perpetrators are not aware that personal information is on the laptop, or that they are not sophisticated enough to access the data (the employee's log-in and password are required for traditional access methods, and the information was in a subfolder with an uninformative title).<br><span style="font-style: italic;">[Evan] I can see the logic in this statement, but it doesn't excuse the fact that the information was not well protected.&nbsp; Little (or no) sophistication is required for someone to gain access to the data on the laptop (circumvent the employee log-in) if someone wanted to, and there is little (or no) security in the fact that the information wasn't labeled "identitythiefopenme.xls".</span><br><br>The information included the name, email address, social security number, employee identification number, and salary information<br><br>The total number of affected individuals was around 1092 (U.S.)<br><br>In order to ensure that affected individuals could take immediate steps to protect themselves from possible identity theft or other monetary damage, Wendy's will be sending a communication by first class mail on December 21, 2007<br><span style="font-style: italic;">[Evan] Not really so "immediate", unless 20+ days is immediate.</span><br><br>at this time Wendy's has no specific knowledge that any information contained on the laptop has been accessed or misused<br><br>We are also determining internally whether having that data on the laptop was consistent with Wendy's data security policies and exceptions.<br><span style="font-style: italic;">[Evan] This is the one statement that is the most troubling to me.&nbsp; The letter was written by the Wendy's Chief Information Officer (CIO) and you would think that a person in this position would know without too much investigation.&nbsp; Information security policies must be clear and 
concise so that all people completely understand them.&nbsp; Avoid gray areas whenever possible and create a policy waiver request and approval process for exceptional circumstances.&nbsp; Policy waivers that are approved (granted) are logged and archived.</span><br><br>If you have questions, please contact your local HR staff member or contact Wendy's International, Inc. Corporate Office at 1-800-443-7266 and when prompted by the automated attendant, dial ext. 8052.<br><br>Please also accept my personal apology for any concern that this situation might create for you.<br><br><span style="font-weight: bold;">Commentary:</span><br>What can you say other than what was already written above.&nbsp; This is another instance of confidential data that was not adequately secured.&nbsp; It baffles me that there is a question as to whether or not the actions that led to this breach are against company policy.&nbsp; If the storage of confidential information on mobile media (thumb drives, CDs, DVDs, laptops, etc.) without encryption (and other controls) is not in policy, it certainly should be!&nbsp; Information security training and awareness also appear to be lacking. <br><br><span style="font-weight: bold;">Past Breaches:</span><br>Unknown</font><br><br>
]]></content:encoded>
      <pubDate>Thu, 03 Jan 2008 11:08:27 +0000</pubDate>
      <category domain="http://securityratty.com/tag/sensitive personal information">sensitive personal information</category>
      <category domain="http://securityratty.com/tag/personal information">personal information</category>
      <category domain="http://securityratty.com/tag/information">information</category>
      <category domain="http://securityratty.com/tag/information security">information security</category>
      <category domain="http://securityratty.com/tag/confidential information">confidential information</category>
      <category domain="http://securityratty.com/tag/information security policies">information security policies</category>
      <category domain="http://securityratty.com/tag/wendy">wendy</category>
      <category domain="http://securityratty.com/tag/breach description">breach description</category>
      <category domain="http://securityratty.com/tag/breach">breach</category>
      <source url="http://breachblog.com/2008/01/03/wendys.aspx">Stolen Wendy's laptop affects 1,092 employees</source>
    </item>
    <item>
      <title><![CDATA[A downside to being a Billionaire]]></title>
      <link>http://securityratty.com/article/d4b02ee119f372cc4722b1e0f50eb642</link>
      <guid>http://securityratty.com/article/d4b02ee119f372cc4722b1e0f50eb642</guid>
      <description><![CDATA[I guess the grass isn't always greener on the other side. Even if the other side is you having a couple billion dollars. I dug into the archives for this post by Ed Dickson, which described how NYC...]]></description>
      <content:encoded><![CDATA[<a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp2.blogger.com/_jCJICLQ1WVs/RuMWgzaiV9I/AAAAAAAAARM/s1WbfS3cqEA/s320/michael_bloomberg.jpg"><img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer; width: 200px;" src="http://bp2.blogger.com/_jCJICLQ1WVs/RuMWgzaiV9I/AAAAAAAAARM/s1WbfS3cqEA/s320/michael_bloomberg.jpg" alt="" border="0" /></a><br />I guess the grass isn't always greener on the other side. Even if the other side is you having a couple billion dollars. I dug into the archives for this post by Ed Dickson, which described how <a href="http://fraudwar.blogspot.com/2007/10/how-was-mayor-bloombergs-bofa-account.html">NYC Mayor Bloomberg was victimized twice</a>, almost simultaneously, by thieves trying to get at his multi-billion dollar wallet.<br /><br />Check out Ed's post for the details, but let's take a quick look at what we can learn from these attacks. The first was a pretty standard check counterfeiting attack. Not much you can do about that. If someone gets a copy of your check, with the routing number and account number, then they can produce a likeness that could be accepted by any number of merchants out there.<br /><br />The banks invest a lot in anti-counterfeiting marks on the checks, but in the end it's up to the merchant and your bank as to whether they will accept the fake. Most of the time they won't, but other times they may. That's why it's so important for you to keep on top of your finances and check your balances daily. Then you'll know if unauthorized charges are showing up. This is discussed in detail in Step 6 of <a href="http://www.securitymike.com/">Security Mike's Guide to Internet Security</a>.<br /><br />The second attack involved the criminal logging into Mr. Mayor's bank account and transferring money to a 3rd party financial institution. How did someone get his login and password? Who knows? It could have been anything. 
This is another example where staying on top of your account balances would have shown a weird transfer and you could have investigated it.<br /><br />I'm sure Bloomberg has people to look into this. That's how they found the issues and with a high profile victim like the Mayor, the banks and law enforcement will work hard to bring the perpetrators to justice.  It makes for good PR. I'm sure the bank also returned the money right where they found it, and no one but the criminals are any worse for wear.<br /><br />So I guess the grass is greener after all for the Billionaires out there. If it's not, you certainly can afford a lot of spray paint, sod or whatever else you want to use to make your grass seem greener.
]]></content:encoded>
      <pubDate>Mon, 03 Dec 2007 12:51:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/account">account</category>
      <category domain="http://securityratty.com/tag/bank account">bank account</category>
      <category domain="http://securityratty.com/tag/pretty standard check">pretty standard check</category>
      <category domain="http://securityratty.com/tag/check">check</category>
      <category domain="http://securityratty.com/tag/nyc mayor bloomberg">nyc mayor bloomberg</category>
      <category domain="http://securityratty.com/tag/bloomberg">bloomberg</category>
      <category domain="http://securityratty.com/tag/mayor">mayor</category>
      <category domain="http://securityratty.com/tag/bank">bank</category>
      <category domain="http://securityratty.com/tag/greener">greener</category>
      <source url="http://feeds.feedburner.com/~r/SecurityMike/~3/194579717/downside-to-being-billionaire.html">A downside to being a Billionaire</source>
    </item>
  </channel>
</rss>
