Yesterday, the U.S. Department of Justice announced that eleven people alleged to be behind the largest known identity theft ring in history have been charged with conspiracy, computer intrusion and identity theft.
Allegedly, the group is responsible for stealing and selling more than 40 million credit and debit card numbers. The numbers were intercepted electronically at nine retailers that transmitted cardholder data unprotected over wireless networks. Once the group had broken into a retailer's wireless network, they installed sniffer software to capture card numbers and PINs from the traffic.
TJX, which was severely criticized for its breach of approximately 8.5 million records, wasn't the only retailer compromised. BJ's Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever 21 and DSW were also hit. The restaurant chain Dave and Busters was compromised by having sniffer software installed on its point-of-sale terminals by the group.
Merchants have been under fire for not meeting the PCI Data Security Standard (PCI DSS), which the payment card industry developed to protect cardholder data systems against compromise. The National Retail Federation has fired back at the payment card industry for forcing merchants to store sensitive card data, which can then be stolen. In a recent data breach involving the theft of 4.2 million card numbers, Hannaford Brothers had been certified as PCI compliant, which led a lot of people to speculate that the PCI standard itself might be outdated. Worth keeping in mind: a compliance certificate is a point-in-time assessment, not a guarantee that the controls held up afterwards.
A sniffer captures the packets passing over a network and can harvest a lot of sensitive information from them; on an unencrypted network, whatever an application sends in the clear is there to be read. Detecting a passive sniffer on a wireless network is extremely difficult, since it never has to transmit anything. "Wardriving" is the practice of driving around and picking up wireless signals from unprotected networks; software to assist wardrivers is freely available on the Internet. Computer security experts strongly recommend securing wireless networks, home networks included, by enabling encryption with a strong passphrase (WPA2 rather than the older and broken WEP) instead of running them open.
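As an added example (not code from the indictment, the retailers or this blog), here is a small Python scanner that plays the sniffer's role over a handful of constructed payloads: it picks out anything that looks like a primary account number, confirms it with the Luhn check every card brand uses, and reports it masked. The payloads are made up, the card numbers are published test numbers, and the `tok_...` value standing in for a tokenized PAN is an assumed format. The same check, pointed at a capture from your own store network, tells you whether card data is crossing it in the clear.

```python
"""Spot cleartext card numbers in captured payloads (added example)."""
import re

# Constructed sample payloads standing in for frames a sniffer on an
# unprotected store network would capture. None of these are real
# transactions; the card numbers are the public test numbers that
# payment processors publish for integration testing.
CAPTURED_PAYLOADS = [
    # Cleartext authorization request: the whole PAN is readable.
    b"AUTH|4111111111111111|2512|041|$42.17|POS-07",
    # Raw magnetic-stripe Track 2: ;PAN=YYMM<service code><discretionary>?
    b";5500000000000004=25121010000000000000?",
    # Same kind of request, but the PAN was replaced by a processor-issued
    # token (assumed format) before it went on the wire: nothing to steal.
    b"AUTH|tok_7f3a9c1d2e4b|2512|$18.00|POS-03",
    # A 16-digit number that fails the Luhn check (not a card number).
    b"ORDER|4111111111111112|qty=3",
]

# A run of 13 to 19 digits with no digit on either side.
_PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")
# Track 2: ';' start sentinel, PAN, '=' separator, YYMM expiry, rest, '?' end.
_TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})\d*\?")


def luhn_ok(number: str) -> bool:
    """Luhn mod-10 check used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits, as PCI DSS permits for display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(payload: bytes):
    """Return (kind, pan, expiry) for each Luhn-valid PAN in one payload."""
    text = payload.decode("ascii", errors="replace")
    found, seen = [], set()
    for m in _TRACK2_RE.finditer(text):
        pan, expiry = m.group(1), m.group(2)
        if luhn_ok(pan):
            found.append(("track2", pan, expiry))
            seen.add(pan)
    for m in _PAN_RE.finditer(text):
        pan = m.group(0)
        if pan not in seen and luhn_ok(pan):
            found.append(("cleartext", pan, None))
            seen.add(pan)
    return found


def scan(payloads):
    """Scan every payload; the report carries masked PANs only."""
    report = []
    for idx, payload in enumerate(payloads):
        for kind, pan, expiry in find_pans(payload):
            report.append({"payload": idx, "kind": kind,
                           "pan": mask_pan(pan), "expiry": expiry})
    return report


if __name__ == "__main__":
    for finding in scan(CAPTURED_PAYLOADS):
        print(finding)
```

Two of the four payloads yield a finding: the cleartext authorization and the raw Track 2 data. The tokenized request yields nothing, which is the whole point of not putting the PAN on the wire, and the Luhn check keeps an arbitrary 16-digit order number out of the report.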
After the information was stolen it was stored on encrypted servers in Eastern Europe and the United States. Some of the stolen data was sold to other criminals via the Internet. The group also encoded stolen numbers onto counterfeit cards and used them to withdraw cash from ATMs.
Recently, Finjan, a computer security company, announced finding servers loaded with stolen information on the Internet. At least one of the crimeservers Finjan found wasn't even password protected; Finjan reported locating these crimeservers using simple Google searches.
The money was laundered using Internet-based currencies and by moving funds through banks in Eastern Europe.
Three executives at E-Gold, an Internet-based currency, recently pleaded guilty to allowing criminal activity of this nature (money laundering) through their service.
The criminal activity started in 2003 and continued right up until the arrests. Albert "Segvec" Gonzalez, of Miami, one of the main players in the group, had previously been arrested for similar activity in 2003. During the current investigation, the Secret Service discovered that Gonzalez was working as a government informant and taking part in the criminal activity at the same time.
Also charged in the indictments yesterday were Maksym "Maksik" Yastremskiy, of Kharkov, Ukraine, and Aleksandr "Jonny Hell" Suvorov, of Sillamae, Estonia. Hung-Ming Chiu and Zhi Zhi Wang, of the People's Republic of China, were also charged, as were Sergey Pavolvich, of Belarus, and Ukrainians Dzmitry Burak and Sergey Storchak. Two U.S. citizens, Christopher Scott and Damon Patrick Toey, rounded out the long list of names from all over the world involved in this organized criminal enterprise.
The activity spanned numerous countries, including the United States, Ukraine, Belarus, Estonia, the People's Republic of China, the Philippines and Thailand.
These indictments are the result of a three-year investigation conducted by the Secret Service. As the case progresses, it is being reported that the Secret Service will work closely with the IRS on the money laundering aspect of the case.
Wednesday, August 06, 2008
Wednesday, May 28, 2008
We are a long way from full disclosure in data breaches, even if we wanted to be!
I saw an article on PCWorld, written by Robert McMillan (IDG News), reporting that, according to the research firm Gartner, not all data breaches are being reported by retailers.
I thought to myself ... here we go again ... burying our heads in the sand by assuming that all stolen personal and financial information is hacked from retailers. Of course, that isn't to say that none of it comes from retailers, either.
The conclusion was based on 50 retailers being interviewed, 21 of whom said they had been breached. Of these 21, allegedly only 3 had reported a data breach.
This led me to wonder whether any of these retailers do business in a jurisdiction where disclosing data breaches is a matter of law.
My humble guess is that in the litigation-happy society we live in today, no one is going to report anything unless they have to. As long as no one is certain (or can get away with saying they aren't), the information is probably buried, or someone comes up with a rationalization that it really didn't happen.
Going a little further, there has to be a lot of information being stolen that no one is even aware has been compromised. The fact that no one knows it was compromised makes it that much easier for the criminal element to use it effectively.
The sad truth is that even if you could make computer systems bulletproof, human beings will continue to compromise information, whether through social engineering or for financial gain. We've made some of this information worth a lot of money.
Of course, information thieves often combine technology and social engineering, too. In the murky world of information crime, one size rarely fits all.
Right after reading the PCWorld article, I happened upon more research from Finjan, which provides some evidence that there are a lot of computer systems out there that are NOT very "bulletproof."
As stated on Finjan's MCRC blog:

In our recent MPOM report, we reported on a Crimeserver hosting 1.4G of unprotected stolen data, including passwords, medical data, emails etc.

Additionally, Finjan reported:

Many people asked us how we found the data. Was the data secure or not?
Although we cannot disclose all information to the public (for obvious reasons), I can say that the data on that Crimeserver was unprotected, meaning anyone could access it.
Today we came across another Crimeserver - it seems that we are finding one every other day...
As we disclosed in our Q3/2006 Trend report, malicious code is hosted on caching servers of leading Search Engine Providers. This time we reported in our recent MPOM that stolen end-user data is also stored on these caching servers. Yes, your passwords, Social Security numbers, Online banking information .... no data is safe, as the examples below illustrate.
Even more alarming, it didn't take a lot of know-how to access all this information: the people at Finjan were able to do it using simple Google searches.
I highly recommend taking a look at the entire blog post from Finjan (link provided at the bottom of this page); there are some alarming visual presentations indicating how much information is out there.
I'll include one, which shows a compromised SSN (actual digits blocked out):
[Screenshot from the Finjan post: a Social Security number exposed on a crimeserver, with the digits blocked out. Image not reproduced here.]
The blog post also has screenshots of user names and passwords to internal company sites, porn sites and online banking sites.
Now let me see ... if stolen information is being hosted on unprotected (anyone can access) crimeservers, and it is being indexed (cached) by search engines, it's probably safe to assume we don't have any real idea how much stolen information there is out there.
Also, please note that it's safe to say not all of this information came from retailers.
Last, but not least, I've seen commentary that we should blame Google for all this. First of all, I doubt that Google is the only place this information can be found. Beyond that, thinking like this is as narrowly focused as thinking that retailers are to blame for most of the stolen information out there.
Unless we stop blaming each other, we are going to be a long way from achieving transparency in data breaches. Exposing problems is often the first step in correcting them.
Until we embrace transparency, the people actually to blame (the criminals) are going to be laughing all the way to the bank.
Finjan post from their MCRC blog, here.