Sunday, December 21, 2008

Who Hacked the Halls of Congress?

Came across an interesting story about the halls of Congress being hacked in October 2006. Although no one knows or is saying, some speculate that the attack can be traced to the Chinese, who seem to get accused of hacking into a lot of government systems (worldwide). Of course, the Chinese officially deny these allegations.

Shane Harris of the National Journal reported that the attack was initially discovered in one office, but cyber-investigators eventually traced it to eight members' offices, where one or more computers were infected. Beyond this, seven committee offices, including the Commission on China, Ways and Means and the International Relations Committee, were found to contain compromised computers. The International Relations Committee (now the Foreign Affairs Committee) alone had 25 infected computers and an infected server.

The virus discovered was a trojan designed to allow malware (malicious software) to invade government machines and steal information. The investigation revealed that the trojan was probably downloaded by an employee who clicked on a link in a spam e-mail. This method of dropping a virus on a computer is usually referred to as phishing.

Phishing attacks are normally designed to steal personal and financial information, which is later used to commit financial crimes and identity theft. While most phishing attacks (from a historical perspective) have been financially motivated, we are now seeing more person/position-targeted attacks. This type of phishing is referred to as spear phishing or whaling. In April, there were reports of spear phishing attacks against corporate executives all over the country.

The unidentified hackers used a wide array of attack methods, and the malware was downloaded from random Internet addresses. It's suspected they were using other infected machines to launch the attacks, which makes the activity even harder to trace. In this latest instance, the intent makes sense: it was to steal confidential and sensitive information.

The article points out that there is a lot of evidence that the Chinese have "penetrated deeply" into both government and corporate systems.

Just hours before the Olympics, Joel Brenner, the top U.S. counterintelligence official, warned Americans to leave their smart phones and other wireless computer devices at home. He told CBS News that the public security services in China can turn on a cell phone and activate its microphone when the owner thinks it's off. In July, Senator Sam Brownback also warned that China was planning to mount a massive espionage operation on guests staying at major hotels during the Olympics.

Last year there was speculation in the press that Commerce Secretary Carlos Gutierrez's laptop was hacked during a visit to China and the information was used to hack into government computers. Even scarier, rumors abound that Chinese hackers have already attacked power grids and that they are developing a cyber-warfare capability.

The article's conclusion points to a just-released Report of the CSIS Commission on Cybersecurity for the 44th Presidency. The study recommends that President-elect Obama establish a Cyber-Security Directorate in the NSC, which would direct a National Office for Cyberspace.

As a mere observer of all of this, I think President-elect Obama needs to take this report seriously. We need to remember (especially while a financial crisis is going on) that besides being a threat to national security, hacking also threatens our financial stability. Although this post points to the Chinese, they certainly aren't the only players in the international hacking game, and the problem it presents isn't going away. Sadly, some believe the problem is getting worse.

There is little doubt that change is needed in the way we address this problem and hopefully this is what will occur.

Sunday, December 14, 2008

Keeping an ID Theft Victim's Information Private is Catching On

Tom Fragala, CEO of Truston Identity Theft Services, started his MyTruston identity theft protection and recovery product on the principle that an identity theft victim should not have to hand their information over to a third party in order to protect themselves. After all, most of this information gets stored in a database, which is one of the main places (besides trash cans) identity thieves go to steal information.

Information stored in databases is legitimately bought and sold by information brokers all the time. Criminals sometimes pose as parties with a legitimate interest in order to access the information. Of course, there have also been cases of dishonest employees selling it without any so-called legitimate purpose. This makes it extremely difficult to determine exactly where any stolen information originally came from. At this point, so much information has been stolen that we routinely hear about it being sold in chat rooms right over the Internet.

It didn't make sense to Tom to put all this information in another place, where it could potentially be compromised again. Databases have created an ability to store more information than ever before and transfer it with a click of a mouse.

Having been an identity theft victim himself, Tom had some rather personal feelings on the subject. It should also be mentioned that Tom has spent thousands of hours being a personal advocate for victims of this crime.

Since launching the do-it-yourself tool — where you don't have to be an expert to protect yourself or recover from identity theft — it has received numerous awards and become a hot topic within the technology industry itself. Besides not having to be an ID theft expert — you don't have to expose any of your personal information to a third party and the protection aspect is and always has been free. There is a charge for using the recovery tool, which can be cancelled anytime. I'll tell you a secret about that last statement, further down.

I discovered the latest news that the Truston concept is catching on when reading Tom's blog, which is well worth a read if you are interested in identity theft or privacy issues. "Today we announced that our MyTruston product has been included in the portfolio of the Affinion Security Center, the largest provider of identity protection and privacy services. Affinion has nearly 35 years of industry experience and over 65 million members of their many products. Clients of their identity protection and privacy products include Wells Fargo, Bank of America and The Hartford Insurance. Truston's Software-as-a-Service technology is deeply integrated within the Affinion Security Center’s core solution platform, IdentitySecure," according to Tom himself.

Just the day before, Truston also announced a partnership with CreditFYI, a one-stop shop for the best credit card rates and loan rates, as well as information on how to protect your good name and credit rating.

Besides Affinion Group and CreditFYI, Truston is a private label partner with Identity Force, which provides identity theft protection services to the U.S. Government. Truston has been given a Four-Star rating by PC Magazine and has received several awards. "Truston's awards include a 2008 Product Innovation Award, a Hot Company 2008 Award, being selected for 10 Companies to Watch in 2008 by the Pacific Coast Business Times, the 2008 Tomorrow's Technology Today award, and it was identified as a leader by Javelin Strategy & Research in their December 2007 identity theft market report," according to the press releases.

If you are interested in just how user-friendly the tool is, the Truston site has a tour you can take.

I've also had the pleasure of speaking with Tom on several occasions and beta tested the tool myself before it rolled out. I've covered this in several blog posts on Tom and the MyTruston identity theft tool.

Now for the secret I promised earlier in the post. I mentioned that using the tool always has been and always will be free, but there is a nominal charge for using the recovery services. The secret is that if you go directly to the Truston site, you can use everything free for 45 days. Last, but not least, this free trial doesn't require you to give them a credit card (which will get charged if you forget to cancel) until after the trial expires.

Most Internet Scams Start with Spam

I'm sure we've all noticed spam levels are slightly down, or that our spam filters seem to be working a little better. Nevertheless, spam continues to get through filters and for the next few weeks, a lot of it will have a holiday theme. Due to the sour economic situation, it's also likely going to take advantage of financial fears or the promise of a rescue from an already bad situation.

Since most unfortunate situations involving fraud, phishing, and financial misdeeds on the Internet start with a spam e-mail, it pays to use a little common sense and caution before falling for a too-good-to-be-true, or sometimes scary, e-mail from an unknown source.

Last week, Symantec issued its December 2008 State of Spam Report. It predicts that although spam volumes are down after a lot of providers blocked access to sites hosted by McColo.com, we will likely see them rise again. Spam levels dropped a reported 65 percent after this happened. "McColo.com was allegedly hosting a significant number of botnet command-and-control systems," according to the report. The bad news is that the report indicates the bad guys are moving elsewhere and that a number of them are hosting their efforts from IP addresses in (where else) China.

Getting back to the holiday season, the report notes that spammers are mimicking marketing come-ons from legitimate retailers offering holiday shopping deals. This makes it hard to distinguish exactly who is behind the e-mail. Sometimes the line between legitimate and illegitimate becomes a little blurry, which is something spammers have always taken advantage of.

The report also reveals a lot of links leading to malware infected sites in spam e-mails are using political themes to draw in their victims. Items related to Barack Obama are especially popular with spammers and scammers. In another twist to using Obama's good name, one spam campaign offered a Barack Obama coin, "a piece of history for only $9.95 plus shipping." This was an attempt to steal debit and credit card information.

Hot news stories were also used as lures to download malicious software. In particular, spam referencing the recent Mumbai terrorist attacks pointed to links designed to infect machines. Ironically, a lot of this malware is designed to turn a computer into what is referred to as a "zombie," which, when used in a botnet, sends out even more spam.

While the holiday season hasn't even passed yet, spammers of the scammer type are already using the IRS name to steal personal and financial information. The pre-tax-season phishing scheme mentioned in the Symantec report involved a come-on designed to snare people by telling them they had a tax refund or economic stimulus payment due. The link in these e-mails went to fake IRS site(s) — complete with official logos — designed to steal personal and financial information.

The IRS isn't alone when it comes to having their good name spoofed. Just this week the FBI reported that their name was being used (yet again) in a campaign involving a typical Nigerian 419 scam. If an intended victim got leery after initially responding — they were threatened with "official consequences" should they fail to turn over the required personal and financial information.

Scaring a victim into submitting to a scam is nothing new. In fact, some of it is now being referred to as scareware. Scareware most frequently surfaces as a fake message claiming your computer is infected. It then offers to fix the problem for a nominal amount of money. My guess is that malware might actually be downloaded onto a system by clicking on one of these come-ons.

Since it's hard to pay in cash over the Internet, anyone who pays up to this form of extortion might have their method of payment stolen, too. Symantec recently released another report showing how many personal and financial details are for sale (super-cheap) on the Internet.

Alex Eckelberry of Sunbelt Software and the popular Sunbelt Blog just posted a visual presentation of scareware examples on his Flickr account.

There is little doubt that spam and its intended purposes have made the electronic world somewhat of a "virtual minefield" at times. It pays to make your computer bullet-proof by using good, state-of-the-art security software from a legitimate vendor, but even if you are protected in this manner, you also need to protect yourself from social engineering schemes designed to lure a person into doing something they are going to regret later.

The Anti-Phishing Working Group offers sage advice (from a variety of reputable sources) to the average person on how to avoid becoming a victim. Interestingly enough, they also recently released a rather ominous report stating that the number of crimeware-spreading URLs is at an all-time high. Crimeware is another name for malware with a purely criminal intent.

To close this post, I'll point to an amusing video Symantec did on the 12 Days of Christmas Spam. It's probably best to end on a lighter note on what has become a serious problem.

Saturday, December 06, 2008

Is the CheckFree Hack a New Information Theft Trend?

It was revealed earlier in the week that hackers had taken command and control of a free e-bill Web site called CheckFree.com. CheckFree offers their customers the ability to collect all their bills and pay them with a few clicks of a mouse.

CheckFree is one of the larger companies in the e-payment business and serves about 24.7 million customers. Given this, there is little doubt they have a large amount of personal and financial data passing through their site.

The hacking method appeared to be a little less than sophisticated. Someone stole the username and password to the site's domain account and changed the address in CheckFree.com's domain name system (DNS) records, redirecting visitors to an Internet address in the Ukraine, where a page installed malware on the user's machine. Although CheckFree is still analyzing the malware, Brian Krebs at the Washington Post was able to quote Trend Micro as saying the malware was designed to steal user credentials.
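The article doesn't describe how anyone noticed the redirect; as an added example (not code from CheckFree, Network Solutions or the article), here is a Python check of the kind a site owner could run to catch this sort of hijack: it compares a domain's observed A and NS records against a recorded known-good baseline and raises an alert when a record points outside the expected netblocks or the nameservers change. The domain names, addresses and baseline below are constructed; the live resolver helper uses only the standard library.

```python
"""Detect DNS drift of the kind in the CheckFree hijack: records changed
to point at an unexpected address. Added example; names and IPs constructed."""
import ipaddress
import socket
from dataclasses import dataclass


@dataclass(frozen=True)
class Baseline:
    """Expected state of a domain, recorded while it is known to be good."""
    a_records: frozenset              # exact IPv4 addresses expected
    allowed_nets: tuple = ()          # CIDR blocks any legitimate A record must fall in
    nameservers: frozenset = frozenset()  # expected NS hosts (lowercase, no trailing dot)


def _norm(name: str) -> str:
    return name.lower().rstrip(".")


def check_domain(domain, baseline, observed_a, observed_ns):
    """Compare observed A/NS records with the baseline.

    Returns a list of findings (empty means no drift). An A record that is
    neither in the baseline nor inside any allowed netblock is the strongest
    signal of a redirect to attacker infrastructure and is marked ALERT.
    """
    findings = []
    seen_a = {str(ipaddress.ip_address(ip)) for ip in observed_a}
    for ip in sorted(seen_a - baseline.a_records):
        in_allowed = any(ipaddress.ip_address(ip) in ipaddress.ip_network(n)
                         for n in baseline.allowed_nets)
        if in_allowed:
            findings.append(f"INFO: {domain} A {ip} not in baseline")
        else:
            findings.append(f"ALERT: {domain} A {ip} not in baseline "
                            "and outside all allowed netblocks")
    for ip in sorted(baseline.a_records - seen_a):
        findings.append(f"WARN: {domain} expected A {ip} missing")
    seen_ns = {_norm(n) for n in observed_ns}
    if baseline.nameservers and seen_ns != baseline.nameservers:
        findings.append(f"ALERT: {domain} NS changed: expected "
                        f"{sorted(baseline.nameservers)}, got {sorted(seen_ns)}")
    return findings


def resolve_a(domain):
    """Live A lookup through the system resolver (not used by the offline demo).
    NS lookups need a DNS library such as dnspython; the stdlib cannot query them."""
    return sorted({info[4][0] for info in socket.getaddrinfo(domain, None, socket.AF_INET)})


# Constructed demo data: a known-good baseline and two observed snapshots.
DEMO_BASELINE = Baseline(
    a_records=frozenset({"192.0.2.10", "192.0.2.11"}),
    allowed_nets=("192.0.2.0/24",),
    nameservers=frozenset({"ns1.example-registrar.test", "ns2.example-registrar.test"}),
)
GOOD_SNAPSHOT = (["192.0.2.10", "192.0.2.11"],
                 ["NS1.example-registrar.test.", "ns2.example-registrar.test"])
HIJACKED_SNAPSHOT = (["198.51.100.77"], ["ns1.attacker-dns.test"])

if __name__ == "__main__":
    for label, (a, ns) in (("good", GOOD_SNAPSHOT), ("hijacked", HIJACKED_SNAPSHOT)):
        print(label, check_domain("billpay.example.test", DEMO_BASELINE, a, ns) or ["no drift"])
```

Run on a schedule against `resolve_a()` output (plus an NS query from a DNS library), the first ALERT line is the signal to contact the registrar immediately.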

The registrar, Network Solutions, was quick to claim there had been no breach of its system. At this point in the game — since no one knows or is saying — my guess is that this statement probably means there was one that they don't know of at this time. Network Solutions did warn its customers about a phishing attack targeting them about a month ago. This has led to speculation that the credentials were stolen by information-stealing malware, or by social engineering (someone being tricked into giving them up).

The Washington Post story also mentions that U.S. Bank might have been affected by this attack, but isn't commenting. In a subsequent post in Security Fix (Washington Post), Brian Krebs noted that the Internet security firm Internet Identity reported that 71 other domains were pointed at the Ukrainian domain in question during the attack.

Thus far, about 5,000 victims have been identified. As in past incidents, those whose identities were compromised are being offered free identity theft protection for their unfortunate circumstance.

I decided to look at the CheckFree site itself. The reason I did this is because whenever I see the word "free," especially in cyberspace, I've learned to be wary.

According to CheckFree.com, everything is free on their site except for fees charged for the use of credit cards and emergency (rush payments). On the site, they publish in bold phrases like "one easy," "secure location," "no charge," and "100% guarantee."

They even run an ad for FreeCreditReport.com on the main page of their site. Although I have to admit that the guitar dude FreeCreditReport.com uses on their ad is pleasing to the eye, the catch is that you automatically sign up for a service that charges you $14.95 a month. You can get around this by cancelling within the first seven days. If you read the fine print disclaimer on FreeCreditReport.com, it says, "ConsumerInfo.com, Inc. and FreeCreditReport.com are not affiliated with the annual free credit report program. Under a new Federal law, you have the right to receive a free copy of your credit report once every 12 months from each of the three nationwide consumer reporting companies. To request your free annual report under that law, you must go to http://www.annualcreditreport.com/." Most experts agree that a person can do the same thing these services offer for free and that most of them do not protect from all forms of identity theft.

I got a little off-track with the FreeCreditReport.com ad, but it amazes me how few people read the small print on guarantees. Because of this, I decided to check out some of the small print on the CheckFree site.

As far as the fraud guarantee goes — if you read the disclaimer — you have to notify them within two days of the transactions to limit your liability to $50.00. It's pretty unlikely that anyone falling for a fraud on a financial transaction is going to figure it out in two days.

It also guarantees payments will make it on time, as long as you send them within the time period specified in the service agreement. In looking at the service agreement, this is two days before the bill is due. Of course, they do offer rush payments for a fee.

As for the "secure location" statement, if hackers were able to get the admin username and password to their site, this assertion is, at the very best, questionable.

A second post about this story in Security Fix (Washington Post) brings up evidence that registrars have been identified by the cyber-criminal community as lucrative targets. This assertion is backed up by recent studies on the security of domain registrars. It makes sense, because sites like CheckFree are a window to hundreds of financial institutions, protected by a single username and password.

I'm surprised no one has raised the question of whether or not the financial information — which presumably has to be stored for record keeping purposes — might have been compromised.

In my limited experience with domain registrars, I've run into some frustrating experiences when trying to report sites (sometimes laden with malware) that were set up for no other reason than to steal personal and financial information. I've found that if you want to get a quick response with some of them, you need to be persistent to the point of being a pest. Given that most fake sites are designed to only stay in operation for a short period of time before they move on, it's like playing a game of whack-a-mole. Because of these experiences, I'm not confident they will be quick to react to this new security challenge. Let's hope I'm wrong.

In a world where outsourcing and contracting have become the norm, it isn't surprising that financial institutions are using third-party platforms to perform financial transactions. Every time information is given to a third party, it becomes harder to protect. The reasons are differing standards for protecting information (especially when international borders are crossed) and the fact that back-door access is being given to more and more people. In the end, it is human beings who come up with the schemes to steal, not computers.

Whether this becomes a trend probably depends on how financially lucrative this method of attack becomes for the hackers who did the dirty deed. Of course, if we learn from it and take immediate action, perhaps we can limit some of the damage that could occur. I guess time will be the best judge of that.

Wednesday, December 03, 2008

How to Legally Buy Hot Merchandise

(Courtesy of PropertyRoom.com)

Auction sites like eBay and Craigslist are frequently criticized for the amount of stolen and counterfeit items being sold on their sites. Even worse, stories about their customers being scammed have become Internet folklore.

Now there is a site that openly advertises that it is selling stolen merchandise. Even better, when you buy hot merchandise off this site, you need not worry about the authorities showing up at your door in the wee hours of the morning with a search warrant. The reason for this is that the site is stocked by over 1500 Police Departments and is run by former law enforcement types.

The site, PropertyRoom.com, is an e-version of the more traditional auctions held by police departments to get rid of unclaimed stolen property. "With distribution and service centers nationwide, PropertyRoom.com specializes in the auction of stolen, seized, found and surplus goods and vehicles. Serving over 1,100 law enforcement agencies nationwide, we offer a fraud-free marketplace with superior customer support," according to the "about us" page on the site.

I decided to surf the site and it contains a wide array of goodies at cheaper prices than what I've seen being fenced (speculative) on other Internet auction sites. For instance, desktop computers being auctioned were being bid at well under $100, laptops were showing bids of $100 to $400 and iPods were being bid anywhere from about $16 to $150. Of course computers aren't the only items available on the site, which hawks all kinds of electronics, watches, jewelry, tools, cameras, cars and a host of other high theft items.

It is well known that criminals like to steal high value items that are easy to transport. They also tend to go after items that are popular and easy to sell (fence). If you are looking for popular items, this site is a good place to buy them at an almost too good to be true price, legally.

PropertyRoom.com also is in the fund raising business and will help charitable organizations raise money. All the costs of putting on the event are covered by PropertyRoom.com. I should also mention that some of the proceeds of the sales on the site help fund law enforcement agencies, who like the rest of us, are dealing with ever-dwindling financial resources.

They also maintain the only nationwide registry available to the general public for recovering lost or stolen goods. This service is completely free. You can register items that were stolen already, or your high value items that might be stolen at a later date. If they receive an item that matches what you have registered — your property will be returned to you. Try doing this at any of the other auction sites!

The Internet has opened new avenues for criminals to fence stolen merchandise. This has made it easier to sell stolen merchandise, and there are many who believe that it contributes to the problem. The most recent survey by the National Retail Federation estimates that organized retail crime is a $30 billion a year issue. Their most recent Organized Crime Survey showed that e-fencing on traditional auction sites has grown by six percent. In response to this, they are even pushing bills in Congress to force the auction sites to allow more access to law enforcement and retailers, who are attempting to shut down this activity.

Even the government has found some of their stolen merchandise available for sale on eBay and Craigslist.

Please remember this doesn't even take into account the billions of dollars of property stolen from ordinary people. It also doesn't take into account the ordinary people who are scammed on auction sites, either. I wouldn't worry about getting scammed on PropertyRoom.com — I'm pretty sure they cooperate with law enforcement to the fullest extent.

We all know money is tight this Christmas season and there are a lot of people trying to stretch their limited resources. PropertyRoom.com is a place where you can do it and be certain that you are not contributing to a growing problem.