<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>BlogInfoSec.com &#187; Information Security News</title>
	<atom:link href="http://www.bloginfosec.com/category/information-security-news/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.bloginfosec.com</link>
	<description>An Information Security Magazine in a Blog Format</description>
	<lastBuildDate>Mon, 06 Feb 2012 11:00:17 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>Pump and Dump and Pump Again</title>
		<link>http://www.bloginfosec.com/2012/02/06/pump-and-dump-and-pump-again/</link>
		<comments>http://www.bloginfosec.com/2012/02/06/pump-and-dump-and-pump-again/#comments</comments>
		<pubDate>Mon, 06 Feb 2012 11:00:17 +0000</pubDate>
		<dc:creator>C. Warren Axelrod</dc:creator>
				<category><![CDATA[Cybercrime]]></category>
		<category><![CDATA[Information Security News]]></category>
		<category><![CDATA[hacking]]></category>
		<category><![CDATA[information security incidents]]></category>
		<category><![CDATA[pump-and-dump]]></category>
		<category><![CDATA[spotlight]]></category>

		<guid isPermaLink="false">http://www.bloginfosec.com/?p=2009</guid>
		<description><![CDATA[In the January 27, 2012 issue of The Wall Street Journal, Jean Eaglesham and Andrew Ackerman wrote an article with the title “SEC Says Latvian Hacked Accounts: Commission Alleges Four Firms Helped Trader Make Unauthorized Online Stock Purchases and Sales.” The article describes the apparent unwitting complicity by four U.S.-based electronic trading firms in a [...]<br /><!-- Begin Adify tag for "bloginfosec.com rss" Ad Space (728x90) ID #5674307 -->
<script type="text/javascript">
	sr_adspace_id = 5674307;
	sr_adspace_width = 728;
	sr_adspace_height = 90;
	sr_adspace_type = "graphic";
	sr_ad_new_window = true;
	
</script>
<script type="text/javascript" src="http://ad.afy11.net/srad.js?azId=5674307">
</script>
<!-- End Adify tag for "bloginfosec.com rss" Ad Space (728x90) ID #5674307 --><br />]]></description>
			<content:encoded><![CDATA[<!-- sphereit start --><p>In the January 27, 2012 issue of <strong><em>The Wall Street Journal</em></strong>, Jean Eaglesham and Andrew Ackerman wrote an article with the title “SEC Says Latvian Hacked Accounts: Commission Alleges Four Firms Helped Trader Make Unauthorized Online Stock Purchases and Sales.” The article describes the apparent unwitting complicity by four U.S.-based electronic trading firms in a pump-and-dump fraud scheme supposedly perpetrated by a Latvian hacker. According to the article, the alleged perpetrator hacked into the online brokerage accounts at large broker-dealers from mid-2009 until August 2010 resulting in $2 million in losses at those firms. The fraudster is believed to have used the hijacked accounts to affect the prices of more than 100 stocks and the hacker traded those stocks through electronic trading firms, which are the targets of an SEC enforcement action. The hacker is reported to have netted $850,000 in “illegal profits.”</p>
<p>What is interesting to me is the similarity of this operation to one that occurred more than five years ago. In a major 2006 fraud, detailed in an October 24, 2006 <strong><em>Computerworld</em></strong> article by Eric Lai with the title “Identity thieves hit customers at TD Ameritrade, E-Trade: Stock fraud scheme involving overseas hackers cost $22M in losses,” the perpetrators opened online brokerage accounts and bought substantial quantities of penny stocks. The article is available at <a href="http://www.computerworld.com/s/article/9004416/Identity_thieves_hit_customers_at_TD_Ameritrade_E_Trade">http://www.computerworld.com/s/article/9004416/Identity_thieves_hit_customers_at_TD_Ameritrade_E_Trade</a>. The thieves also obtained account access information and logged into existing accounts (or created false accounts) in order to buy large amounts of the same penny stocks. When the prices rose due to their purchases into the hijacked accounts, they sold their holdings of those stocks from their previously-established accounts and pocketed the profits to the tune of at least $22 million. TD Ameritrade compensated legitimate customers, whose accounts had been hijacked, for $4 million in losses, and E-Trade paid out $18 million.</p>
<!-- sphereit end --><img src="http://www.bloginfosec.com/?ak_action=api_record_view&id=2009&type=feed" alt="" />(...)<br/>Read the rest of <a href="http://www.bloginfosec.com/2012/02/06/pump-and-dump-and-pump-again/">Pump and Dump and Pump Again</a> (124 words)<hr />
<p><small>© <a href="http://www.bloginfosec.com">BlogInfoSec.com</a>, 2012. |
<a href="http://www.bloginfosec.com/2012/02/06/pump-and-dump-and-pump-again/">Permalink</a> |
<a href="http://www.bloginfosec.com/2012/02/06/pump-and-dump-and-pump-again/#comments">No comment</a> |
Add to
<a href="http://del.icio.us/post?url=http://www.bloginfosec.com/2012/02/06/pump-and-dump-and-pump-again/&title=Pump and Dump and Pump Again">del.icio.us</a>
<br/>
Post tags: <a href="http://www.bloginfosec.com/tag/hacking/" rel="tag">hacking</a>, <a href="http://www.bloginfosec.com/tag/information-security-incidents/" rel="tag">information security incidents</a>, <a href="http://www.bloginfosec.com/tag/pump-and-dump/" rel="tag">pump-and-dump</a>, <a href="http://www.bloginfosec.com/tag/spotlight/" rel="tag">spotlight</a><br/>
</small></p>]]></content:encoded>
			<wfw:commentRss>http://www.bloginfosec.com/2012/02/06/pump-and-dump-and-pump-again/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>China Chamber Hack</title>
		<link>http://www.bloginfosec.com/2012/01/23/china-chamber-hack/</link>
		<comments>http://www.bloginfosec.com/2012/01/23/china-chamber-hack/#comments</comments>
		<pubDate>Mon, 23 Jan 2012 11:00:33 +0000</pubDate>
		<dc:creator>C. Warren Axelrod</dc:creator>
				<category><![CDATA[Cybercrime]]></category>
		<category><![CDATA[Information Security News]]></category>
		<category><![CDATA[software engineering]]></category>
		<category><![CDATA[china]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[FBI]]></category>
		<category><![CDATA[forensics]]></category>
		<category><![CDATA[functional security testing]]></category>
		<category><![CDATA[hackers]]></category>
		<category><![CDATA[Siobhan Gorman]]></category>
		<category><![CDATA[spotlight]]></category>
		<category><![CDATA[U.S. Chamber of Commerce]]></category>

		<guid isPermaLink="false">http://www.bloginfosec.com/?p=1996</guid>
		<description><![CDATA[Siobhan Gorman is back in strong form on the front page of the December 21, 2011 Wall Street Journal with her article “China Hackers Hit U.S. Chamber,” which suggests at first glance that  hackers made from porcelain were successfully thrown into some U.S. person’s bedroom. However, the subtitle, “Attacks Breach Computer System of Business Lobbying [...]<br /><!-- Begin Adify tag for "bloginfosec.com rss" Ad Space (728x90) ID #5674307 -->
<script type="text/javascript">
	sr_adspace_id = 5674307;
	sr_adspace_width = 728;
	sr_adspace_height = 90;
	sr_adspace_type = "graphic";
	sr_ad_new_window = true;
	
</script>
<script type="text/javascript" src="http://ad.afy11.net/srad.js?azId=5674307">
</script>
<!-- End Adify tag for "bloginfosec.com rss" Ad Space (728x90) ID #5674307 --><br />]]></description>
			<content:encoded><![CDATA[<!-- sphereit start --><p>Siobhan Gorman is back in strong form on the front page of the December 21, 2011 <strong><em>Wall Street Journal</em></strong> with her article “China Hackers Hit U.S. Chamber,” which suggests at first glance that  hackers made from porcelain were successfully thrown into some U.S. person’s bedroom. However, the subtitle, “Attacks Breach Computer System of Business Lobbying Group; Emails Stolen,” makes things a little clearer. And when we begin to read the text we see that “a group of hackers in China” broke (electronically) into the U.S. Chamber of Commerce, possibly stealing some “six weeks of their email.”</p>
<p>While this type of breach can be extremely damaging, not only to those who have had their personal data hijacked, but also to political relations between involved countries, as well as destroying any trust members may have had in the Chamber’s computer systems and networks, such incidents are neither unusual nor unexpected. And it is more than likely that this event is only a very small tip of a very large iceberg.</p>
<p>Two all-too-common characteristics of this breach jump out: One is that the Chamber did not discover the breach itself but supposedly was informed by the FBI, which spotted the transfer of the stolen data to servers in China (Nota Bene: This alone does not prove unequivocally that a Chinese group did it). A second common characteristic is that the breach was apparently discovered only in May 2010 after it had been active since “November 2009 or earlier,” which is seven or more months after apparent inception.</p>
<!-- sphereit end --><img src="http://www.bloginfosec.com/?ak_action=api_record_view&id=1996&type=feed" alt="" />(...)<br/>Read the rest of <a href="http://www.bloginfosec.com/2012/01/23/china-chamber-hack/">China Chamber Hack</a> (411 words)<hr />
<p><small>© <a href="http://www.bloginfosec.com">BlogInfoSec.com</a>, 2012. |
<a href="http://www.bloginfosec.com/2012/01/23/china-chamber-hack/">Permalink</a> |
<a href="http://www.bloginfosec.com/2012/01/23/china-chamber-hack/#comments">No comment</a> |
Add to
<a href="http://del.icio.us/post?url=http://www.bloginfosec.com/2012/01/23/china-chamber-hack/&title=China Chamber Hack">del.icio.us</a>
<br/>
Post tags: <a href="http://www.bloginfosec.com/tag/china/" rel="tag">china</a>, <a href="http://www.bloginfosec.com/tag/data-breach/" rel="tag">data breach</a>, <a href="http://www.bloginfosec.com/tag/fbi/" rel="tag">FBI</a>, <a href="http://www.bloginfosec.com/tag/forensics/" rel="tag">forensics</a>, <a href="http://www.bloginfosec.com/tag/functional-security-testing/" rel="tag">functional security testing</a>, <a href="http://www.bloginfosec.com/tag/hackers/" rel="tag">hackers</a>, <a href="http://www.bloginfosec.com/tag/siobhan-gorman/" rel="tag">Siobhan Gorman</a>, <a href="http://www.bloginfosec.com/tag/spotlight/" rel="tag">spotlight</a>, <a href="http://www.bloginfosec.com/tag/u-s-chamber-of-commerce/" rel="tag">U.S. Chamber of Commerce</a><br/>
</small></p>]]></content:encoded>
			<wfw:commentRss>http://www.bloginfosec.com/2012/01/23/china-chamber-hack/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Normative Cyber Security</title>
		<link>http://www.bloginfosec.com/2011/10/24/normative-cyber-security/</link>
		<comments>http://www.bloginfosec.com/2011/10/24/normative-cyber-security/#comments</comments>
		<pubDate>Mon, 24 Oct 2011 10:00:31 +0000</pubDate>
		<dc:creator>C. Warren Axelrod</dc:creator>
				<category><![CDATA[Cybercrime]]></category>
		<category><![CDATA[General]]></category>
		<category><![CDATA[Information Security News]]></category>
		<category><![CDATA[America the Vulnerable]]></category>
		<category><![CDATA[cyber attack]]></category>
		<category><![CDATA[Joel Brenner]]></category>
		<category><![CDATA[Michael McConnell]]></category>
		<category><![CDATA[National Security Agency]]></category>
		<category><![CDATA[NSA]]></category>
		<category><![CDATA[spotlight]]></category>

		<guid isPermaLink="false">http://www.bloginfosec.com/?p=1951</guid>
		<description><![CDATA[Joel Brenner’s new book, America the Vulnerable – Inside the New Threat Matrix of Digital Espionage, Crime, and Warfare (The Penguin Press, 2011), is another book of the genre of Richard Clarke’s several volumes of non-fiction, such as his most recent book, published with Robert Knake, Cyber War: The Next Threat to National Security and [...]<br /><!-- Begin Adify tag for "bloginfosec.com rss" Ad Space (728x90) ID #5674307 -->
<script type="text/javascript">
	sr_adspace_id = 5674307;
	sr_adspace_width = 728;
	sr_adspace_height = 90;
	sr_adspace_type = "graphic";
	sr_ad_new_window = true;
	
</script>
<script type="text/javascript" src="http://ad.afy11.net/srad.js?azId=5674307">
</script>
<!-- End Adify tag for "bloginfosec.com rss" Ad Space (728x90) ID #5674307 --><br />]]></description>
			<content:encoded><![CDATA[<!-- sphereit start --><p>Joel Brenner’s new book, <strong><em>America the Vulnerable – Inside the New Threat Matrix of Digital Espionage, Crime, and Warfare</em></strong> (The Penguin Press, 2011), is another book of the genre of Richard Clarke’s several volumes of non-fiction, such as his most recent book, published with Robert Knake, <strong><em>Cyber War: The Next Threat to National Security and What to Do About It</em></strong> (Ecco, 2010) and a couple of novels, including <strong><em>Breakpoint</em></strong> (Putnam, 2007).</p>
<p>In these works, we get the real inside scoop about the frightening threats to, and vulnerability of, our critical agencies and sectors and about terrifying cyber events that have taken place within government. This is not the speculative hearsay often seen elsewhere. Among other influential positions, Brenner was senior counsel at the National Security Agency. So he really knows what was going on.</p>
<p>Brenner’s book describes the horrific state of affairs in the cyber world at great length and then prescribes, in a final chapter, a set of mitigation strategies. The recommended approaches depend on the responsiveness of government, collaboration between the public and private sectors, and the like, which are neither forthcoming in the current economic environment nor likely to gain much traction even in more prosperous times. In all such appeals for action, the problem is that those who get it don’t have the power to fix it; and those with the power don’t get it.</p>
<p>Unfortunately, those, such as Brenner, who raise issues regarding the Nation’s cyber vulnerability and the need to do something about it, are mild-mannered, well-meaning intellectual types, who are highly respected by those of us who care about protecting the U.S. against cyber attacks from within or from abroad. However, they generally have difficulty generating an appropriate level of concern, enthusiasm and action. The go-get-’em tough guys are mostly into kinetic attacks and responses and many of them seem to have little understanding of the cyber world. As described in my March 29, 2010 column “Cybergeddon &#8230; Ho Hum” (see &#8230; <a href="http://www.bloginfosec.com/2010/03/29/cybergeddon-%e2%80%a6-ho-hum/">http://www.bloginfosec.com/2010/03/29/cybergeddon-%e2%80%a6-ho-hum/</a>), I was particularly affected by Vice Admiral Michael McConnell’s testimony that nothing substantive will be done by the government until we experience a “catastrophic event.”  This is not a happy situation,</p>
<!-- sphereit end --><img src="http://www.bloginfosec.com/?ak_action=api_record_view&id=1951&type=feed" alt="" />(...)<br/>Read the rest of <a href="http://www.bloginfosec.com/2011/10/24/normative-cyber-security/">Normative Cyber Security</a> (864 words)<hr />
<p><small>© <a href="http://www.bloginfosec.com">BlogInfoSec.com</a>, 2011. |
<a href="http://www.bloginfosec.com/2011/10/24/normative-cyber-security/">Permalink</a> |
<a href="http://www.bloginfosec.com/2011/10/24/normative-cyber-security/#comments">2 comments</a> |
Add to
<a href="http://del.icio.us/post?url=http://www.bloginfosec.com/2011/10/24/normative-cyber-security/&title=Normative Cyber Security">del.icio.us</a>
<br/>
Post tags: <a href="http://www.bloginfosec.com/tag/america-the-vulnerable/" rel="tag">America the Vulnerable</a>, <a href="http://www.bloginfosec.com/tag/cyber-attack/" rel="tag">cyber attack</a>, <a href="http://www.bloginfosec.com/tag/joel-brenner/" rel="tag">Joel Brenner</a>, <a href="http://www.bloginfosec.com/tag/michael-mcconnell/" rel="tag">Michael McConnell</a>, <a href="http://www.bloginfosec.com/tag/national-security-agency/" rel="tag">National Security Agency</a>, <a href="http://www.bloginfosec.com/tag/nsa/" rel="tag">NSA</a>, <a href="http://www.bloginfosec.com/tag/spotlight/" rel="tag">spotlight</a><br/>
</small></p>]]></content:encoded>
			<wfw:commentRss>http://www.bloginfosec.com/2011/10/24/normative-cyber-security/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>The FFIEC and Password-Generating Tokens</title>
		<link>http://www.bloginfosec.com/2011/08/29/the-ffiec-and-password-generating-tokens/</link>
		<comments>http://www.bloginfosec.com/2011/08/29/the-ffiec-and-password-generating-tokens/#comments</comments>
		<pubDate>Mon, 29 Aug 2011 10:00:46 +0000</pubDate>
		<dc:creator>C. Warren Axelrod</dc:creator>
				<category><![CDATA[Compliance and Laws]]></category>
		<category><![CDATA[Cybercrime]]></category>
		<category><![CDATA[Information Security News]]></category>
		<category><![CDATA[authentication]]></category>
		<category><![CDATA[FFIEC]]></category>
		<category><![CDATA[hacking]]></category>
		<category><![CDATA[Internet banking]]></category>
		<category><![CDATA[RSA]]></category>
		<category><![CDATA[SecurID]]></category>
		<category><![CDATA[spotlight]]></category>

		<guid isPermaLink="false">http://www.bloginfosec.com/?p=1930</guid>
		<description><![CDATA[In June 2011, the FFIEC (Federal Financial Institutions Examination Council) issued a “Supplement to Authentication in an Internet Banking Environment,” available at http://www.ffiec.gov/pdf/Auth-ITS-Final%206-22-11%20(FFIEC%20Formated).pdf
The FFIEC comprises five financial regulatory agencies, namely, the Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, National Credit Union Administration, Office of the Comptroller of the Currency, and [...]<br /><!-- Begin Adify tag for "bloginfosec.com rss" Ad Space (728x90) ID #5674307 -->
<script type="text/javascript">
	sr_adspace_id = 5674307;
	sr_adspace_width = 728;
	sr_adspace_height = 90;
	sr_adspace_type = "graphic";
	sr_ad_new_window = true;
	
</script>
<script type="text/javascript" src="http://ad.afy11.net/srad.js?azId=5674307">
</script>
<!-- End Adify tag for "bloginfosec.com rss" Ad Space (728x90) ID #5674307 --><br />]]></description>
			<content:encoded><![CDATA[<!-- sphereit start --><p>In June 2011, the FFIEC (Federal Financial Institutions Examination Council) issued a “Supplement to Authentication in an Internet Banking Environment,” available at <a href="http://www.ffiec.gov/pdf/Auth-ITS-Final%206-22-11%20(FFIEC%20Formated).pdf">http://www.ffiec.gov/pdf/Auth-ITS-Final%206-22-11%20(FFIEC%20Formated).pdf</a></p>
<p>The FFIEC comprises five financial regulatory agencies, namely, the Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, National Credit Union Administration, Office of the Comptroller of the Currency, and the Office of Thrift Supervision. These are the regulatory agencies that oversee U.S. banks, but not the securities industry, which is under the purview of the SEC (Securities and Exchange Commission).</p>
<p>The original guidance entitled “Authentication in an Internet Banking Environment” was issued in October 2005, more than five years ago, and was itself based on the August 2001 guidance “Authentication in an Electronic Banking Environment.” The former is available at <a href="http://www.ffiec.gov/pdf/authentication_guidance.pdf">http://www.ffiec.gov/pdf/authentication_guidance.pdf</a>. The 2011 supplement is justified, according to the Guidance document, because “[s]ince 2005, there have been significant changes in the threat landscape.” To see an extensive list of recent hacks, go to the August 6, 2011 CNET post by Elinor Mills “Keeping up with the hackers (chart)” at <a href="http://news.cnet.com/8301-27080_3-20071830-245/keeping-up-with-the-hackers-chart/?tag=mncol;title">http://news.cnet.com/8301-27080_3-20071830-245/keeping-up-with-the-hackers-chart/?tag=mncol;title</a> and click on the link to the chart.</p>
<p>The bottom line is that the FFIEC has been advising banks about managing the risks of online banking for at least a full decade. And yet, because of the changing threat environment, there seems to be an increasing number of ever-more damaging hacks against online banking and payment card accounts as the above-mentioned chart depicts.</p>
<p>Between the 2005 and 2011 FFIEC Guidance reports, there have been a number of significant events, not least of which was the attack on RSA, which was reported in March 2011, and the consequent compromise of SecurID tokens. So, just as an exercise, I decided to see how the guidance might have changed in this area.</p>
<!-- sphereit end --><img src="http://www.bloginfosec.com/?ak_action=api_record_view&id=1930&type=feed" alt="" />(...)<br/>Read the rest of <a href="http://www.bloginfosec.com/2011/08/29/the-ffiec-and-password-generating-tokens/">The FFIEC and Password-Generating Tokens</a> (322 words)<hr />
<p><small>© <a href="http://www.bloginfosec.com">BlogInfoSec.com</a>, 2011. |
<a href="http://www.bloginfosec.com/2011/08/29/the-ffiec-and-password-generating-tokens/">Permalink</a> |
<a href="http://www.bloginfosec.com/2011/08/29/the-ffiec-and-password-generating-tokens/#comments">No comment</a> |
Add to
<a href="http://del.icio.us/post?url=http://www.bloginfosec.com/2011/08/29/the-ffiec-and-password-generating-tokens/&title=The FFIEC and Password-Generating Tokens">del.icio.us</a>
<br/>
Post tags: <a href="http://www.bloginfosec.com/tag/authentication/" rel="tag">authentication</a>, <a href="http://www.bloginfosec.com/tag/ffiec/" rel="tag">FFIEC</a>, <a href="http://www.bloginfosec.com/tag/hacking/" rel="tag">hacking</a>, <a href="http://www.bloginfosec.com/tag/internet-banking/" rel="tag">Internet banking</a>, <a href="http://www.bloginfosec.com/tag/rsa/" rel="tag">RSA</a>, <a href="http://www.bloginfosec.com/tag/securid/" rel="tag">SecurID</a>, <a href="http://www.bloginfosec.com/tag/spotlight/" rel="tag">spotlight</a><br/>
</small></p>]]></content:encoded>
			<wfw:commentRss>http://www.bloginfosec.com/2011/08/29/the-ffiec-and-password-generating-tokens/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Google Plus – Disk Space Minus, Spam Double Minus</title>
		<link>http://www.bloginfosec.com/2011/07/25/google-plus-%e2%80%93-disk-space-minus-spam-double-minus/</link>
		<comments>http://www.bloginfosec.com/2011/07/25/google-plus-%e2%80%93-disk-space-minus-spam-double-minus/#comments</comments>
		<pubDate>Mon, 25 Jul 2011 10:00:19 +0000</pubDate>
		<dc:creator>C. Warren Axelrod</dc:creator>
				<category><![CDATA[Contingency Planning]]></category>
		<category><![CDATA[General]]></category>
		<category><![CDATA[Information Security News]]></category>
		<category><![CDATA[software engineering]]></category>
		<category><![CDATA[Ben Edelman]]></category>
		<category><![CDATA[cloud computing]]></category>
		<category><![CDATA[FST]]></category>
		<category><![CDATA[functional security testing]]></category>
		<category><![CDATA[Google]]></category>
		<category><![CDATA[Google Plus]]></category>
		<category><![CDATA[spotlight]]></category>

		<guid isPermaLink="false">http://www.bloginfosec.com/?p=1912</guid>
		<description><![CDATA[Google’s foray into Facebook’s space hit an unfortunate glitch during its “field trial” &#8230; the system ran out of disk space and was down for more than an hour and those users, who were affected, received a deluge of emails &#8230; see Graham Cluley’s post “Google+ runs out of disk space, spams users with notifications” [...]<br /><!-- Begin Adify tag for "bloginfosec.com rss" Ad Space (728x90) ID #5674307 -->
<script type="text/javascript">
	sr_adspace_id = 5674307;
	sr_adspace_width = 728;
	sr_adspace_height = 90;
	sr_adspace_type = "graphic";
	sr_ad_new_window = true;
	
</script>
<script type="text/javascript" src="http://ad.afy11.net/srad.js?azId=5674307">
</script>
<!-- End Adify tag for "bloginfosec.com rss" Ad Space (728x90) ID #5674307 --><br />]]></description>
			<content:encoded><![CDATA[<!-- sphereit start --><p>Google’s foray into Facebook’s space hit an unfortunate glitch during its “field trial” &#8230; the system ran out of disk space and was down for more than an hour and those users, who were affected, received a deluge of emails &#8230; see Graham Cluley’s post “Google+ runs out of disk space, spams users with notifications” at <a href="http://nakedsecurity.sophos.com/2011/07/10/google-runs-out-of-disk-space-spams-users-with-notifications">http://nakedsecurity.sophos.com/2011/07/10/google-runs-out-of-disk-space-spams-users-with-notifications</a></p>
<p>This event was particularly troublesome. First, it doesn’t help user acceptance to have a new service fail during its initial tryout period, even though everyone is given to understand that the purpose of a trial is to flush out such problems. Secondly, for the many who see cloud computing, with its “infinite” processing power and storage, as the model of future systems, it was particularly disturbing to see that the Google+ notification system failed because it ran out of storage. Add to that the spamming of users and you have a double whammy against user confidence in the abilities of a premier company, such as Google, to manage its systems resources and the functioning of its applications under error conditions.</p>
<p>While it is true that the Web has substantial resiliency and that most issues, though not all, affect only a minority of customers and have relatively short durations, it is more a matter of recognizing how easily the integrity of systems can waver and fail. And that is just the human-error component. You can be sure that potential attackers are taking notes. If major systems can fail badly without outside interference, just imagine what a concerted effort might do. Google may have more or less dodged the bullet this time, but systems are only getting more complicated and interrelated, raising concern that future glitches might have much greater consequences.</p>
<!-- sphereit end --><img src="http://www.bloginfosec.com/?ak_action=api_record_view&id=1912&type=feed" alt="" />(...)<br/>Read the rest of <a href="http://www.bloginfosec.com/2011/07/25/google-plus-%e2%80%93-disk-space-minus-spam-double-minus/">Google Plus – Disk Space Minus, Spam Double Minus</a> (278 words)<hr />
<p><small>© <a href="http://www.bloginfosec.com">BlogInfoSec.com</a>, 2011. |
<a href="http://www.bloginfosec.com/2011/07/25/google-plus-%e2%80%93-disk-space-minus-spam-double-minus/">Permalink</a> |
<a href="http://www.bloginfosec.com/2011/07/25/google-plus-%e2%80%93-disk-space-minus-spam-double-minus/#comments">No comment</a> |
Add to
<a href="http://del.icio.us/post?url=http://www.bloginfosec.com/2011/07/25/google-plus-%e2%80%93-disk-space-minus-spam-double-minus/&title=Google Plus – Disk Space Minus, Spam Double Minus">del.icio.us</a>
<br/>
Post tags: <a href="http://www.bloginfosec.com/tag/ben-edelman/" rel="tag">Ben Edelman</a>, <a href="http://www.bloginfosec.com/tag/cloud-computing/" rel="tag">cloud computing</a>, <a href="http://www.bloginfosec.com/tag/fst/" rel="tag">FST</a>, <a href="http://www.bloginfosec.com/tag/functional-security-testing/" rel="tag">functional security testing</a>, <a href="http://www.bloginfosec.com/tag/google/" rel="tag">Google</a>, <a href="http://www.bloginfosec.com/tag/google-plus/" rel="tag">Google Plus</a>, <a href="http://www.bloginfosec.com/tag/software-engineering/" rel="tag">software engineering</a>, <a href="http://www.bloginfosec.com/tag/spotlight/" rel="tag">spotlight</a><br/>
</small></p>]]></content:encoded>
			<wfw:commentRss>http://www.bloginfosec.com/2011/07/25/google-plus-%e2%80%93-disk-space-minus-spam-double-minus/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The Hackers Became Too Smart</title>
		<link>http://www.bloginfosec.com/2011/07/11/the-hackers-became-too-smart/</link>
		<comments>http://www.bloginfosec.com/2011/07/11/the-hackers-became-too-smart/#comments</comments>
		<pubDate>Mon, 11 Jul 2011 10:00:10 +0000</pubDate>
		<dc:creator>C. Warren Axelrod</dc:creator>
				<category><![CDATA[Cybercrime]]></category>
		<category><![CDATA[Information Security News]]></category>
		<category><![CDATA[Risk Analysis]]></category>
		<category><![CDATA[Anton Troianovski]]></category>
		<category><![CDATA[Ben Worthen]]></category>
		<category><![CDATA[hackers]]></category>
		<category><![CDATA[Heartland Payment Systems]]></category>
		<category><![CDATA[Michael Fox]]></category>
		<category><![CDATA[Security Breaches]]></category>
		<category><![CDATA[spotlight]]></category>

		<guid isPermaLink="false">http://www.bloginfosec.com/?p=1907</guid>
		<description><![CDATA[Is that what the epitaph for modern economies will be if the rapidly rising trend in breaches gets completely out of hand?
The first time I noticed the excuse given for the success of a breach a being that the hackers were very sophisticated was when Heartland Payments was hacked some three years ago. The company [...]<br /><!-- Begin Adify tag for "bloginfosec.com rss" Ad Space (728x90) ID #5674307 -->
<script type="text/javascript">
	sr_adspace_id = 5674307;
	sr_adspace_width = 728;
	sr_adspace_height = 90;
	sr_adspace_type = "graphic";
	sr_ad_new_window = true;
	
</script>
<script type="text/javascript" src="http://ad.afy11.net/srad.js?azId=5674307">
</script>
<!-- End Adify tag for "bloginfosec.com rss" Ad Space (728x90) ID #5674307 --><br />]]></description>
			<content:encoded><![CDATA[<!-- sphereit start --><p>Is that what the epitaph for modern economies will be if the rapidly rising trend in breaches gets completely out of hand?</p>
<p>The first time I noticed the excuse given for the success of a breach as being that the hackers were very sophisticated was when Heartland Payments was hacked some three years ago. The company took pains to emphasize that this was no ordinary attack, but one by some really smart and capable criminals. Now such an excuse appears to have become commonplace, and even accepted, that the bad guys run ahead of the defenders in capabilities. In fact, it was formalized in an article by Ben Worthen and Anton Troianovski in the June 17, 2011 <strong><em>Wall Street Journal</em></strong> with the title “Firms Come Clean on Hacks,” in a quote by Michael Fox of ICR Inc. to the effect that “Breaches are increasingly viewed less as a weakness on the part of the company and more as the sophistication and relentlessness on the part of the hackers.”</p>
<p>If that is the case, then why bother about cyber security at all? If there is no chance of winning, why even play the game? We somehow hope that we can change the game but, as I wrote in my May 10, 2011 column, “Security Innovation – Trying to Change the Game,” the hackers don’t play by the rules, so changing the rules won’t likely do much good.</p>
<p>In any event, the tone of resignation in Worthen and Troianovski’s <strong><em>WSJ</em></strong> article is most distressing. It smacks of giving up. The resolution to a hack is to “come clean” and admit that it happened, and that you cannot be expected to have avoided or protected against the attack because the hackers are so much smarter than the defenders. What kind of nonsense is that? The answer is to take a realistic view of the assets at risk and protect them as effectively as is reasonable, avoid giving access to sensitive and valuable assets to those who have no need-to-know, monitor access and use by those who do need to know, and strictly enforce laws, regulations, policies, and standards with severe negative consequences for those not adhering to the rules as a strong deterrent.</p>
<!-- sphereit end --><img src="http://www.bloginfosec.com/?ak_action=api_record_view&id=1907&type=feed" alt="" />(...)<br/>Read the rest of <a href="http://www.bloginfosec.com/2011/07/11/the-hackers-became-too-smart/">The Hackers Became Too Smart</a> (74 words)<hr />
<p><small>© <a href="http://www.bloginfosec.com">BlogInfoSec.com</a>, 2011. |
<a href="http://www.bloginfosec.com/2011/07/11/the-hackers-became-too-smart/">Permalink</a> |
<a href="http://www.bloginfosec.com/2011/07/11/the-hackers-became-too-smart/#comments">One comment</a> |
Add to
<a href="http://del.icio.us/post?url=http://www.bloginfosec.com/2011/07/11/the-hackers-became-too-smart/&title=The Hackers Became Too Smart">del.icio.us</a>
<br/>
Post tags: <a href="http://www.bloginfosec.com/tag/anton-troianovski/" rel="tag">Anton Troianovski</a>, <a href="http://www.bloginfosec.com/tag/ben-worthen/" rel="tag">Ben Worthen</a>, <a href="http://www.bloginfosec.com/tag/hackers/" rel="tag">hackers</a>, <a href="http://www.bloginfosec.com/tag/heartland-payment-systems/" rel="tag">Heartland Payment Systems</a>, <a href="http://www.bloginfosec.com/tag/michael-fox/" rel="tag">Michael Fox</a>, <a href="http://www.bloginfosec.com/tag/security-breaches/" rel="tag">Security Breaches</a>, <a href="http://www.bloginfosec.com/tag/spotlight/" rel="tag">spotlight</a><br/>
</small></p>]]></content:encoded>
			<wfw:commentRss>http://www.bloginfosec.com/2011/07/11/the-hackers-became-too-smart/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Is Your ID Secur[e]? What’s Your Perceived Risk?</title>
		<link>http://www.bloginfosec.com/2011/06/27/is-your-id-secure-what%e2%80%99s-your-perceived-risk/</link>
		<comments>http://www.bloginfosec.com/2011/06/27/is-your-id-secure-what%e2%80%99s-your-perceived-risk/#comments</comments>
		<pubDate>Mon, 27 Jun 2011 10:00:13 +0000</pubDate>
		<dc:creator>C. Warren Axelrod</dc:creator>
				<category><![CDATA[Cybercrime]]></category>
		<category><![CDATA[Information Security News]]></category>
		<category><![CDATA[Art Caviello]]></category>
		<category><![CDATA[Donn Parker]]></category>
		<category><![CDATA[Lockheed Martin]]></category>
		<category><![CDATA[real v. perceived risk]]></category>
		<category><![CDATA[RSA breach]]></category>
		<category><![CDATA[spotlight]]></category>

		<guid isPermaLink="false">http://www.bloginfosec.com/?p=1901</guid>
		<description><![CDATA[There has been much publicity surrounding the reporting of a breach of RSA’s systems in March 2011. However, what is more amazing about the breach is that the subsequent attack on Lockheed Martin appeared to come as a complete surprise to so many. But why else would anyone steal information about RSA SecurID tags if [...]<br /><!-- Begin Adify tag for "bloginfosec.com rss" Ad Space (728x90) ID #5674307 -->
<script type="text/javascript">
	sr_adspace_id = 5674307;
	sr_adspace_width = 728;
	sr_adspace_height = 90;
	sr_adspace_type = "graphic";
	sr_ad_new_window = true;
	
</script>
<script type="text/javascript" src="http://ad.afy11.net/srad.js?azId=5674307">
</script>
<!-- End Adify tag for "bloginfosec.com rss" Ad Space (728x90) ID #5674307 --><br />]]></description>
			<content:encoded><![CDATA[<!-- sphereit start --><p>There has been much publicity surrounding the reporting of a breach of RSA’s systems in March 2011. However, what is more amazing about the breach is that the subsequent attack on Lockheed Martin appeared to come as a complete surprise to so many. But why else would anyone steal information about RSA SecurID tags if not to break into highly secret systems? The attack on RSA was purportedly planned carefully, likely using insider assistance, and had clear motivation, namely, to access high value systems and abscond with the goods.</p>
<p>OK, so I agree that it’s easy to say that we all should have known in 20/20 hindsight. And one could have taken RSA’s chairman Art Coviello’s letter as reassuring. But now that it has been demonstrated that RSA’s pronouncements as to the likelihood of further compromise were overly optimistic, it’s harder to take the subsequent note from Mr. Coviello to the effect that customers are overreacting. As he put it in Siobhan Gorman and Shara Tibken’s article “SecurIDs Come Under Siege” in the June 7, 2011 <strong><em>Wall Street Journal</em></strong>, “The whole thing has reached a crescendo where customers don’t want to tolerate any level of risk, whether it’s real or perceived.” Real or perceived? Is there still a question as to the reality of the risk?</p>
<p>And now we learn that it could take six to eight months to replace up to 30 to 40 million active tokens in the hands of employees, contractors, and others at some 25,000 customers, according to a June 17, 2011 <strong><em>Wall Street Journal</em></strong> article, “Long Wait for RSA Security Tokens,” by Spenser E. Ante and Shara Tibken. That leaves plenty of time for attackers to “make hay.” I agree with Chris Wysopal, who is quoted in the article, when he wonders what level of risk might apply during this lengthy replacement period &#8230; and what customers should do in the meantime.</p>
<!-- sphereit end --><img src="http://www.bloginfosec.com/?ak_action=api_record_view&id=1901&type=feed" alt="" />(...)<br/>Read the rest of <a href="http://www.bloginfosec.com/2011/06/27/is-your-id-secure-what%e2%80%99s-your-perceived-risk/">Is Your ID Secur[e]? What’s Your Perceived Risk?</a> (227 words)<hr />
<p><small>© <a href="http://www.bloginfosec.com">BlogInfoSec.com</a>, 2011. |
<a href="http://www.bloginfosec.com/2011/06/27/is-your-id-secure-what%e2%80%99s-your-perceived-risk/">Permalink</a> |
<a href="http://www.bloginfosec.com/2011/06/27/is-your-id-secure-what%e2%80%99s-your-perceived-risk/#comments">No comment</a> |
Add to
<a href="http://del.icio.us/post?url=http://www.bloginfosec.com/2011/06/27/is-your-id-secure-what%e2%80%99s-your-perceived-risk/&title=Is Your ID Secur[e]? What’s Your Perceived Risk?">del.icio.us</a>
<br/>
Post tags: <a href="http://www.bloginfosec.com/tag/art-caviello/" rel="tag">Art Caviello</a>, <a href="http://www.bloginfosec.com/tag/donn-parker/" rel="tag">Donn Parker</a>, <a href="http://www.bloginfosec.com/tag/lockheed-martin/" rel="tag">Lockheed Martin</a>, <a href="http://www.bloginfosec.com/tag/real-v-perceived-risk/" rel="tag">real v. perceived risk</a>, <a href="http://www.bloginfosec.com/tag/rsa-breach/" rel="tag">RSA breach</a>, <a href="http://www.bloginfosec.com/tag/spotlight/" rel="tag">spotlight</a><br/>
</small></p>]]></content:encoded>
			<wfw:commentRss>http://www.bloginfosec.com/2011/06/27/is-your-id-secure-what%e2%80%99s-your-perceived-risk/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Data Leak! Data Leak! … Copy</title>
		<link>http://www.bloginfosec.com/2010/08/09/data-leak-data-leak-%e2%80%a6-copy/</link>
		<comments>http://www.bloginfosec.com/2010/08/09/data-leak-data-leak-%e2%80%a6-copy/#comments</comments>
		<pubDate>Mon, 09 Aug 2010 10:00:47 +0000</pubDate>
		<dc:creator>C. Warren Axelrod</dc:creator>
				<category><![CDATA[Cybercrime]]></category>
		<category><![CDATA[General]]></category>
		<category><![CDATA[Information Security News]]></category>
		<category><![CDATA[data breaches]]></category>
		<category><![CDATA[data leak]]></category>
		<category><![CDATA[MFD]]></category>
		<category><![CDATA[multi-function devices]]></category>
		<category><![CDATA[photocopiers]]></category>
		<category><![CDATA[spotlight]]></category>

		<guid isPermaLink="false">http://www.bloginfosec.com/?p=1539</guid>
		<description><![CDATA[There was an interesting May 18, 2010 article by the CBS Interactive staff with the title “Photocopier fallout: Congress, FTC ‘concerned’” available at http://news.cnet.com/8301-1009_3-20005277-83.html?tag=mncol;title  The article describes how electronic versions of all documents copied on certain copier machines are stored on internal disk storage devices and that, when the machines are scrapped, someone could access [...]<br /><!-- Begin Adify tag for "bloginfosec.com rss" Ad Space (728x90) ID #5674307 -->
]]></description>
			<content:encoded><![CDATA[<!-- sphereit start --><p>There was an interesting May 18, 2010 article by the CBS Interactive staff with the title “Photocopier fallout: Congress, FTC ‘concerned’” available at <a href="http://news.cnet.com/8301-1009_3-20005277-83.html?tag=mncol;title">http://news.cnet.com/8301-1009_3-20005277-83.html?tag=mncol;title</a>  The article describes how electronic versions of all documents copied on certain copier machines are stored on internal disk storage devices and that, when the machines are scrapped, someone could access the disks and read their contents. Who knew?</p>
<p>Apparently, from the comments on the article, there are many (IT folks) who have been aware of this phenomenon for years. I am not one of those. Sure, I realized that modern copiers scan original documents and print from an electronic image on to the paper, since copies are printed well after the last page has been scanned. I just assumed that the pages were stored in memory and discarded once the pages had been printed. But saving the images to disk! Why would anyone even want to do that?  I can only imagine that the same folks who delight in scanning telephone logs so that they can charge employees for “personal calls” might be scanning the contents of the disks for “personal copies” so that they can charge back the cost to the employees. I have always believed that the cost of monitoring personal use of phone calls, copies, and the like often exceeds any monies retrieved and that the lowering of morale of such oversight only adds to the cost of such surveillance.</p>
<p>On the other hand, a high security establishment, such as a government research institute, might want to check that no copies were made of highly secret documents. But by the time such unauthorized copying were caught, the copies would probably have been sent on their way to their designated recipients, although nowadays electronic copies are more likely to be shared, as with WikiLeaks, say.</p>
<p>And of course, there have been privacy and security issues relating to the newer network-attached scanner-copier-printer devices, where one can scan and send documents without having to print them. These are really of greater concern, since scanned documents can be sent off-site in a heartbeat.</p>
<p>I have to believe that for many, the fact that images are being stored on copier storage devices came as a revelation. Seemingly Congress and the FTC were not aware. This falls into a category of unknown-unknowns similar to those that I covered in my May 10, 2010 column “Insider Threat – Not Knowing That You Don’t Know What You Don’t Know.” Clearly it is in the interest of those bent on theft and fraud (as well as perhaps blackmail and other crimes) not to have the knowledge of such data-leak mechanisms made public. So much data are regularly discarded on electromagnetic media residing in discarded PCs, cell phones, and the like. Increasingly, electronic copies of data flow uncontrolled throughout the cloud.</p>
<p>Making the public aware that copies of personal information and intellectual property might be so compromised could have some deterrent effect and make people more circumspect. However, it is unlikely that such awareness will have much impact. If the need or reward is great enough, and the chances of getting caught are thought to be small, then the convenience of making those unpermitted copies will most likely prevail, whether or not the person doing the copying is aware that the content is being stored within the machine.</p>
<!-- sphereit end --><img src="http://www.bloginfosec.com/?ak_action=api_record_view&id=1539&type=feed" alt="" /><hr />
<p><small>© <a href="http://www.bloginfosec.com">BlogInfoSec.com</a>, 2010. |
<a href="http://www.bloginfosec.com/2010/08/09/data-leak-data-leak-%e2%80%a6-copy/">Permalink</a> |
<a href="http://www.bloginfosec.com/2010/08/09/data-leak-data-leak-%e2%80%a6-copy/#comments">No comment</a> |
Add to
<a href="http://del.icio.us/post?url=http://www.bloginfosec.com/2010/08/09/data-leak-data-leak-%e2%80%a6-copy/&title=Data Leak! Data Leak! … Copy">del.icio.us</a>
<br/>
Post tags: <a href="http://www.bloginfosec.com/tag/data-breaches/" rel="tag">data breaches</a>, <a href="http://www.bloginfosec.com/tag/data-leak/" rel="tag">data leak</a>, <a href="http://www.bloginfosec.com/tag/mfd/" rel="tag">MFD</a>, <a href="http://www.bloginfosec.com/tag/multi-function-devices/" rel="tag">multi-function devices</a>, <a href="http://www.bloginfosec.com/tag/photocopiers/" rel="tag">photocopiers</a>, <a href="http://www.bloginfosec.com/tag/spotlight/" rel="tag">spotlight</a><br/>
</small></p>]]></content:encoded>
			<wfw:commentRss>http://www.bloginfosec.com/2010/08/09/data-leak-data-leak-%e2%80%a6-copy/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>What Richard Told Rachel</title>
		<link>http://www.bloginfosec.com/2010/05/18/what-richard-told-rachel/</link>
		<comments>http://www.bloginfosec.com/2010/05/18/what-richard-told-rachel/#comments</comments>
		<pubDate>Tue, 18 May 2010 10:00:38 +0000</pubDate>
		<dc:creator>C. Warren Axelrod</dc:creator>
				<category><![CDATA[Contingency Planning]]></category>
		<category><![CDATA[Cybercrime]]></category>
		<category><![CDATA[Information Security News]]></category>
		<category><![CDATA[cyber terrorism]]></category>
		<category><![CDATA[cyber war]]></category>
		<category><![CDATA[cyber warfare]]></category>
		<category><![CDATA[Rachel Maddow]]></category>
		<category><![CDATA[Richard A. Clarke]]></category>
		<category><![CDATA[spotlight]]></category>

		<guid isPermaLink="false">http://www.bloginfosec.com/?p=1463</guid>
		<description><![CDATA[It was, in my opinion, another lost opportunity and a disappointment, I’m afraid.
On her April 21, 2010 show on MSNBC, Rachel Maddow interviewed former special adviser for cybersecurity to the White House, Richard A. Clarke, about his new book Cyber War: The Next Threat to National Security and What to Do About It, which he [...]
]]></description>
			<content:encoded><![CDATA[<!-- sphereit start --><p>It was, in my opinion, another lost opportunity and a disappointment, I’m afraid.</p>
<p>On her April 21, 2010 show on MSNBC, Rachel Maddow interviewed former special adviser for cybersecurity to the White House, Richard A. Clarke, about his new book <em>Cyber War: The Next Threat to National Security and What to Do About It</em>, which he co-authored with Robert Knake, and related topics. You can read some comments about the book in Ronald Redling’s April 27, 2010 <strong>Bloginfosec</strong> column, “Cyber War,” on this website. I will reserve comments on the book at this time and discuss the Maddow interview.</p>
<!-- sphereit end --><img src="http://www.bloginfosec.com/?ak_action=api_record_view&id=1463&type=feed" alt="" />(...)<br/>Read the rest of <a href="http://www.bloginfosec.com/2010/05/18/what-richard-told-rachel/">What Richard Told Rachel</a> (520 words)<hr />
<p><small>© <a href="http://www.bloginfosec.com">BlogInfoSec.com</a>, 2010. |
<a href="http://www.bloginfosec.com/2010/05/18/what-richard-told-rachel/">Permalink</a> |
<a href="http://www.bloginfosec.com/2010/05/18/what-richard-told-rachel/#comments">No comment</a> |
Add to
<a href="http://del.icio.us/post?url=http://www.bloginfosec.com/2010/05/18/what-richard-told-rachel/&title=What Richard Told Rachel">del.icio.us</a>
<br/>
Post tags: <a href="http://www.bloginfosec.com/tag/cyber-terrorism/" rel="tag">cyber terrorism</a>, <a href="http://www.bloginfosec.com/tag/cyber-war/" rel="tag">cyber war</a>, <a href="http://www.bloginfosec.com/tag/cyber-warfare/" rel="tag">cyber warfare</a>, <a href="http://www.bloginfosec.com/tag/rachel-maddow/" rel="tag">Rachel Maddow</a>, <a href="http://www.bloginfosec.com/tag/richard-a-clarke/" rel="tag">Richard A. Clarke</a>, <a href="http://www.bloginfosec.com/tag/spotlight/" rel="tag">spotlight</a><br/>
</small></p>]]></content:encoded>
			<wfw:commentRss>http://www.bloginfosec.com/2010/05/18/what-richard-told-rachel/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>All the Way from RSA</title>
		<link>http://www.bloginfosec.com/2010/04/05/all-the-way-from-rsa/</link>
		<comments>http://www.bloginfosec.com/2010/04/05/all-the-way-from-rsa/#comments</comments>
		<pubDate>Mon, 05 Apr 2010 10:00:31 +0000</pubDate>
		<dc:creator>C. Warren Axelrod</dc:creator>
				<category><![CDATA[Cybercrime]]></category>
		<category><![CDATA[General]]></category>
		<category><![CDATA[Information Security News]]></category>
		<category><![CDATA[ChoicePoint]]></category>
		<category><![CDATA[data breaches]]></category>
		<category><![CDATA[DHS]]></category>
		<category><![CDATA[Donn Parker]]></category>
		<category><![CDATA[FBI]]></category>
		<category><![CDATA[HSBC]]></category>
		<category><![CDATA[RSA]]></category>
		<category><![CDATA[RSA Conference]]></category>
		<category><![CDATA[spotlight]]></category>

		<guid isPermaLink="false">http://www.bloginfosec.com/?p=1424</guid>
		<description><![CDATA[Yes, I know, I know … There I was, just one year ago, roundly criticizing the RSA Conference for its pretentiousness, and this year not only did I attend RSA 2010, but also gave a presentation, conducted a book-signing and did a couple of video interviews and a podcast. So what is going on here? [...]<br /><!-- Begin Adify tag for "bloginfosec.com rss" Ad Space (728x90) ID #5674307 -->
<script type="text/javascript">
	sr_adspace_id = 5674307;
	sr_adspace_width = 728;
	sr_adspace_height = 90;
	sr_adspace_type = "graphic";
	sr_ad_new_window = true;
	
</script>
<script type="text/javascript" src="http://ad.afy11.net/srad.js?azId=5674307">
</script>
<!-- End Adify tag for "bloginfosec.com rss" Ad Space (728x90) ID #5674307 --><br />]]></description>
			<content:encoded><![CDATA[<!-- sphereit start --><p>Yes, I know, I know … There I was, just one year ago, roundly criticizing the RSA Conference for its pretentiousness, and this year not only did I attend RSA 2010, but also gave a presentation, conducted a book-signing and did a couple of video interviews and a podcast. So what is going on here? Was this a sellout?</p>
<!-- sphereit end --><img src="http://www.bloginfosec.com/?ak_action=api_record_view&id=1424&type=feed" alt="" />(...)<br/>Read the rest of <a href="http://www.bloginfosec.com/2010/04/05/all-the-way-from-rsa/">All the Way from RSA</a> (1,052 words)<hr />
<p><small>© <a href="http://www.bloginfosec.com">BlogInfoSec.com</a>, 2010. |
<a href="http://www.bloginfosec.com/2010/04/05/all-the-way-from-rsa/">Permalink</a> |
<a href="http://www.bloginfosec.com/2010/04/05/all-the-way-from-rsa/#comments">No comment</a> |
Add to
<a href="http://del.icio.us/post?url=http://www.bloginfosec.com/2010/04/05/all-the-way-from-rsa/&title=All the Way from RSA">del.icio.us</a>
<br/>
Post tags: <a href="http://www.bloginfosec.com/tag/choicepoint/" rel="tag">ChoicePoint</a>, <a href="http://www.bloginfosec.com/tag/data-breaches/" rel="tag">data breaches</a>, <a href="http://www.bloginfosec.com/tag/dhs/" rel="tag">DHS</a>, <a href="http://www.bloginfosec.com/tag/donn-parker/" rel="tag">Donn Parker</a>, <a href="http://www.bloginfosec.com/tag/fbi/" rel="tag">FBI</a>, <a href="http://www.bloginfosec.com/tag/hsbc/" rel="tag">HSBC</a>, <a href="http://www.bloginfosec.com/tag/rsa/" rel="tag">RSA</a>, <a href="http://www.bloginfosec.com/tag/rsa-conference/" rel="tag">RSA Conference</a>, <a href="http://www.bloginfosec.com/tag/spotlight/" rel="tag">spotlight</a><br/>
</small></p>]]></content:encoded>
			<wfw:commentRss>http://www.bloginfosec.com/2010/04/05/all-the-way-from-rsa/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

