Wednesday, May 07, 2008

Stolen information from 40 financial and medical institutions discovered on rogue server

Once in a while, I speculate that stolen information is a lot more valuable to the criminal element before it becomes apparent that it's been stolen. I've also speculated aloud that there is probably a lot more stolen information out there than we are aware of. The good folks at Finjan are well on their way to substantiating this speculation.

Yesterday, they announced the following on their malicious page of the month:

While we were examining malicious code, we came across a domain which was being used as a command and control for the Crimeware that was executed on attacked machines. The domain was also used as the “drop site” for private information being harvested by that Crimeware.

When we further examined this server, we found the stolen data left unprotected and available for anyone on the web (i.e. no access restrictions, no encryption whatsoever).

The server that we analyzed contained more than 1.4Gb of data (both business and personal related) collected from infected PCs, which consisted of 5,388 unique log files, that were traced back to 5,878 distinct IP addresses. Both email communications and web related data were found.
The information discovered was from 40 unnamed financial and medical institutions from several different continents. The server used to store this information was being moved frequently, but if found, anyone could access it.

They made the observation that last year, according to what statistics are available, 8.5 million records were compromised. One of these statistics, obtained from IC3 states that 20 percent of the 206,884 cases (roughly 40,000) were due to computer hacking. Finjan points out that on this one server, they discovered approximately 5,000 records.

I’ll let the reader do their own math, but if this is true there is probably a lot of unknown hacking activity happening in the wild.

Please note that all the kind people compiling statistics only know what is reported to them, and some of them have been very vocal in pointing this out. My personal guess is that there is so much stolen information out there that when any individual case is investigated, it's almost impossible to do more than speculate about exactly where the point of compromise occurred.

Besides that, hackers are unlikely to want to reveal where they are stealing all their information from. Once revealed, it’s harder to use and not worth as much money.

The information on the server included compromised medical information, online banking information (including passwords) and complete logs of payment card (debit/credit) transactions, including CVV2 information and the miscellaneous "extras." This all occurred on "supposedly" secure sites.

I found this interesting because the merchants have been under fire to become compliant with PCI data security standards in light of a few highly publicized data breaches. Of course in the recent Hannaford case, they were compromised and had been certified as being PCI compliant. PCI data security procedures are the payment card industry's own standards for protecting information.


Based on these findings, hackers don’t have to compromise a merchant to steal everything they need to commit financial crimes and it’s pretty obvious that financial institutions are being compromised, also.

Also found on the server was a lot of business proprietary information harvested from a lot of internal e-mail accounts. In the past year or so there seem to have been a lot of campaigns to obtain information other than financial information from businesses. The clear intent in this activity is corporate espionage (my speculation).

Finjan reports that this particular theft campaign was made possible with a do-it-yourself (DIY) crimeware kit called the AdPack Toolkit. They also reported that this kit gives the user command and control functions, enabling them to execute admin functions with the illicit software.

Finjan is not revealing (they never do) exactly which institutions were compromised. Even though they are not revealing names, they did report the activity to law enforcement and the institutions involved.

Saturday, May 03, 2008

Truston ID Theft protection and recovery platform rakes in another award!

It appears that Tom Fragala and the MyTruston team have raked in (yet) another award. This time from the Pacific Coast Business Times as one of the hot start-up companies coming from California's Central Coast.

Tom Fragala, Truston's CEO wrote on his blog, "This recognition comes on the heels of being named a 2008 Hot Company and receiving a technology award from the Info Security Products Guide."

Here is the reason why they were chosen:


Truston's MyTruston® service is the only fully online identity theft recovery system. It is web-based software that can help millions of people easily recover from and prevent identity fraud by supporting virtually any type of ID theft. MyTruston walks consumers step-by-step through the entire prevention or recovery process—dramatically reducing the time, financial cost, and emotional impact. And it can easily be embedded into a partner's own website on a private-label basis.


The press release also contains a comment from Tom Fragala, CEO of Truston:


“The Pacific Coast Business Times recognition of Truston as one of the hottest startups in Central California further validates our innovative products and strategy of offering our services to large partners in the identity theft, direct marketing and financial services markets,” said Tom Fragala, CEO and founder at Truston. “Superior technology and support for partners differentiates Truston from other companies in the identity theft protection market.”


Tom developed Truston based on his own personal experience as an identity theft victim and has spent thousands of hours assisting other victims of identity theft.

Because of this experience, and even though he is selling this technology to large partners, he still takes care of us "little people" by offering a free 45-day trial (no credit card needed) of the Truston platform.

Saying that, I should mention that the platform has always protected people free of cost and only charges for using it to recover after a person is a confirmed identity theft victim. Most companies charge you right from the beginning and will only help you if you were paying at the time of the crime (pardon the pun). Many of them also require that you surrender all your personal details, which they maintain on a database. Information in databases is a favorite resource for identity thieves looking for what they need to commit their crimes.

There are some who believe one of the root causes of identity theft is the multi-billion dollar business of buying and selling information, which is normally maintained in databases.

If you are interested in checking out the Truston platform while it is still free, I've provided a link, here.

Does the proposed class action settlement in the Certegy data breach case lack teeth?

I happened to notice I was getting a lot of hits on some posts about the Certegy data breach and discovered that there is a proposed settlement in the class action lawsuit against them.

Tim Wilson at Dark Reading pointed out that this settlement amounts to Certegy paying less than $1 per victim and wrote:

Certegy Check Services is proposing to settle a class action lawsuit of last year's security breach on behalf of 8.4 million victims for about $4 million.

According to a report in the St. Petersburg (Fla.) Times, Certegy will also offer free credit monitoring services to some victims and reimbursement of credit monitoring expenses totaling $1 million on a first-come-first-served basis.

He also surmised in his article that:

While plaintiffs' lawyers hailed the offer as a victory, critics said the relatively small settlement will not help the cause of identity protection. The massive TJX breach also resulted in a relatively small settlement for the victims, netting about $6.5 million for customers.

Of note, I would imagine the plaintiffs' lawyers made A LOT more than $1 each for orchestrating this event. In all fairness, the precedent set by similar actions might mean there isn't a very "deep pocket" on this type of action.

At $1 million for monitoring divided by 8.4 million potential victims, if any of them want the free monitoring, they had better move quickly.

So far as the $4 million being set aside to make victims whole, I wonder how hard it is going to be for them to prove (as required by this settlement) that Certegy was the point-of-compromise in their case? The general rule of thumb is that identity thieves, even if they are caught (rare), probably aren't 100 percent sure themselves where the information came from. There is so much stolen information out there, and it's being traded over the Internet.

The sad truth is that with all the data breaches out there, it might be hard to prove exactly where an identity theft victim's information was compromised.

So far as the criminal prosecution of the employee, one William Sullivan, who sold off 8.5 million people's records, I did a post in November about how he was able to make a plea bargain and get a reduced sentence in this case. There was a mention of a data broker being a co-conspirator, but they never seemed to be named (at least in public).

Personally, I've always had mixed feelings about lawsuits that result when data breaches occur. There is an argument that at least some (my opinion) of the organizations being breached are victims in the overall equation, also.

Saying that, if this class action and the one for TJX have set the legal precedent on this type of action, they are unlikely to serve as much of a deterrent against data breaches, or all the identity theft that results from them. Furthermore, the criminal prosecution of William Sullivan in his case is unlikely to be much of a deterrent, either.

In fact these results are probably going to do little to inspire organizations to protect their information better and for some, will probably be viewed as a cost of doing business.

I guess it's time to go back to the drawing board to figure out a way to effectively address information/identity theft and data breaches?

Here are the original posts I did on this matter, which contain some angry commentary from more than one victim:

Not to worry, check processing company (Certegy) believes the 2.3 million stolen records will not be used for fraud!

Certegy reveals their data breach is a lot larger than originally reported

Class action law suit filed against Certegy for data breach

Friday, May 02, 2008

Federal Reserve backs proposing reforms on credit card rules

Credit card fees, which a lot of consumer groups have called out as unfair and abusive, are in the news again. Today, the Federal Reserve Board proposed changes, which some believe have been a long time coming.

From the Federal Reserve's press release:

The Federal Reserve Board on Friday proposed rules to prohibit unfair practices regarding credit cards and overdraft services that would, among other provisions, protect consumers from unexpected increases in the rate charged on pre-existing credit card balances.

Without going into the regulations governing this, here is what is being proposed:

Banks would be prohibited from increasing the rate on a pre-existing credit card balance (except under limited circumstances) and must allow the consumer to pay off that balance over a reasonable period of time.

Banks would be prohibited from applying payments in excess of the minimum in a manner that maximizes interest charges.

Banks would be required to give consumers the full benefit of discounted promotional rates on credit cards by applying payments in excess of the minimum to any higher-rate balances first, and by providing a grace period for purchases where the consumer is otherwise eligible.

Banks would be prohibited from imposing interest charges using the "two-cycle" method, which computes interest on balances on days in billing cycles preceding the most recent billing cycle.

Banks would be required to provide consumers a reasonable amount of time to make payments.

Subprime credit card products are also being addressed by limiting fees that can be automatically applied to a balance. Greater transparency on interest rates and credit limits is being proposed, also.

ConsumersUnion.org issued a press release the day before the Federal Reserve did offering a mixed reaction to the proposal:

"It’s about time federal regulators offered consumers some relief from unfair bank practices," said Consumers Union Financial Services Campaign manager Gail Hillebrand. "This proposed rule finally acknowledges that some practices just aren’t fair. All the disclosure in the world can’t make it fair to send the bill too close to the due date; to raise the interest rate on money already borrowed: or to charge a fee for a problem caused by the bank’s practice to allow a credit hold or a debit hold.”

The proposed rules respond to a sustained outcry from consumers and strong interest in Congress in credit card reform and in reform of bank account practices such as overdraft loans.

Consumers Union praised the approach of the proposed rule to ban, not just require more disclosure about, some of the worst credit card practices.

They also issued a press release on April 30th commending Senator Dodd, who is the Senate Banking Committee Chairman, for introducing the Credit Card Accountability, Responsibility and Disclosure Act.

ConsumersUnion.org has long been critical of the credit card industry and has an ongoing campaign to bring about reforms to the industry.

Federal Reserve press release, here.

Thursday, May 01, 2008

Internet Gangstas don't appreciate software piracy, either!

Crimeware salesmen, like most e-commerce types, take a dim view when their creations are knocked off (pirated). To protect themselves, they warn their customers (Internet criminal types) that if their products are counterfeited, they can and will be reported to the anti-virus companies.

Specifically, the verbiage used as reported on the Symantec blog is, "the binary code of your bot will be immediately sent to antivirus companies."

The reason reporting the binary code of a bot defeats the crimeware kit in question (Zeus) was explained in a previous post on this blog:

Known as the "Zeus kit," in honor of the Zeus Trojan, the kit is pretty resistant to computer security programs and has the ability to mask itself using a binary generator. The binary generator sends out a unique set of numbers every time it is used, making it hard for security programs to detect since they rely on spotting what is known as a "signature." Even if a security program recognizes one signature, the binary generator changes it the next time, and the security program will probably fail to recognize it.
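An added illustration (my own example, not from this post, Finjan or Symantec) of why the per-build regeneration described above defeats an exact-match signature while a pattern written over the bytes the generator does not touch still holds. The two "builds", their invariant core and tail, and the junk region are all constructed for the example; none of it is taken from a real sample.

```python
import hashlib
import re

# Constructed stand-in for two builds of the same bot: an invariant core and
# tail, with a per-build junk region in between that a binary generator
# would vary. These bytes are made up for illustration, not real malware.
INVARIANT_CORE = b"\x55\x89\xe5\x83\xec\x10"
INVARIANT_TAIL = b"CONTROL PANEL CHECK-IN"
JUNK_LEN = 8


def constructed_build(seed: int) -> bytes:
    """Return a fake build whose junk region depends on the seed."""
    junk = bytes((seed * 31 + i * 7) % 256 for i in range(JUNK_LEN))
    return INVARIANT_CORE + junk + INVARIANT_TAIL


def file_hash(blob: bytes) -> str:
    """Whole-file SHA-256, the simplest kind of exact signature."""
    return hashlib.sha256(blob).hexdigest()


def hash_signature_match(blob: bytes, known_hashes: set) -> bool:
    """Exact signature: only matches the very build it was taken from."""
    return file_hash(blob) in known_hashes


# Wildcard signature over the invariant parts only, as a bytes regex:
# the junk bytes between core and tail are matched by `.{JUNK_LEN}`.
WILDCARD_SIGNATURE = re.compile(
    re.escape(INVARIANT_CORE) + b".{%d}" % JUNK_LEN + re.escape(INVARIANT_TAIL),
    re.DOTALL,
)


def wildcard_signature_match(blob: bytes) -> bool:
    """Pattern signature that ignores the regenerated region."""
    return WILDCARD_SIGNATURE.search(blob) is not None


def demo() -> dict:
    """Compare both signature styles against a first and a regenerated build."""
    first, second = constructed_build(1), constructed_build(2)
    known = {file_hash(first)}  # what a vendor would record after seeing build 1
    return {
        "hash_catches_first": hash_signature_match(first, known),
        "hash_catches_second": hash_signature_match(second, known),
        "wildcard_catches_second": wildcard_signature_match(second),
    }


if __name__ == "__main__":
    print(demo())
```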

Here are the details, as reported on the Symantec blog by Liam OMurchu:

Here is a perfect example. The screen shot below is taken from a typical underground software package. Shown in the screen shot are the terms and conditions of the sale—the “licensing agreement.” Yes, that’s right; some underground packages come with a licensing agreement. The document is written in Russian, but a translation is provided below.



2. The Client:
1. Does not have the right to distribute the product in any business or commercial purposes not connected with this sale.
2. May not disassemble / study the binary code of the bot builder.
3. Has no right to use the control panel as a means to control other bot nets or use it for any other purpose.
4. Does not have the right to deliberately send any portion of the product to anti-virus companies and other such institutions.
5. Commits to give the seller a fee for any update to the product that is not connected with errors in the work, as well as for adding additional functionality.

In cases of violations of the agreement and being detected, the client loses any technical support. Moreover, the binary code of your bot will be immediately sent to antivirus companies.


It should be noted that these crimeware kits, as I've written frequently, make it fairly easy for not very technical criminals to commit technical crimes. As noted in their licensing agreement, the criminals selling these kits in underground forums even provide technical support.

Interestingly enough, Liam noted:

Despite the clear licensing agreement and the associated warnings, this package still ended up being traded freely in underground forums shortly after it was released. It just goes to show you just can’t trust anyone in the underground these days.

Of course, in most instances, there is no honor among thieves.

Liam notes that this licensing agreement is for the much-talked-about Zeus kit, which has "drive-by" capabilities. If you are unfamiliar with what "drive by" means on the Internet, it means that your computer only needs to visit a site to become infected.

Here is a previous post I recently did about the "drive by" problem, which is making the Internet a more dangerous place all the time:

Nowadays, all you need to do is visit the wrong site to have your personal information stolen!

Liam's post on the Symantec blog, here.