Navy Vice Admiral Discusses The Use of Approved Secure Removable Storage Devices at the Department of Defense

February 19th, 2010

In November 2008, the US Department of Defense banned the use of USB flash drives and other removable media on all Defense Department networks, after a DoD network was infected by a USB flash drive carrying autorun malware.

Today, Navy Vice Admiral Carl Mauney, deputy commander of the United States Strategic Command said: “After extensive testing of mitigation measures, DoD decided to make this technology available again on a strictly controlled basis on DoD computers. Since the order restricting use of removable media, DoD developed capabilities and processes that allow safe use of these devices. Removable media use will be limited to mission-essential operations, and only after strict compliance requirements are met.”

An article at Government Info Security lists the requirements for using removable storage devices in the Department of Defense:

  • Employing approved procedures and hardware that prevent unauthorized use, and that scan, clean and wipe the devices to remove malicious software.
  • Restricting use to operational mission requirements.
  • Allowing only properly inventoried, government-procured and -owned devices for use in Defense Department information systems.
  • Prohibiting personally owned devices on all military networks and computers.
  • Banning use of DoD-procured and -owned devices on non-government networks or computers without authorization from an approval authority.
  • Using flash media only as a last resort to transfer data from one location to another, and only when other authorized network resources are not available.
  • Subjecting randomly selected users and drives to periodic audits.
  • Requiring combatant commands, services, and agencies to establish their own approval authorities for determining whether selected flash media may be used within their individual organizations.

In an interview published by the Armed Forces Press Service today, Navy Vice Admiral Mauney said active operations in Afghanistan, Iraq and elsewhere will get priority in implementation of the new guidelines. “In terms of the mechanics, we’ve put together several small kits of the equipment that’s needed and we’ll be transitioning those to people out in the theater – in Afghanistan in particular – to help certain groups facilitate their use,” he said. The kits will contain hardware and software to ensure the safe use of removable media, including the required anti-malware scanning capabilities.

Pentagon Lifts Removable Media Flash Drive Ban

February 18th, 2010

InsideDefense.com and Wired.com today reported that U.S. Strategic Command (STRATCOM) has lifted last year’s ban on the use of removable storage devices inside the Department of Defense.

USB flash drives and other removable storage devices were banned by the DoD in November 2008 after a military network was infected by the Agent.btz worm, which was introduced into the network from a USB flash drive.

The Wired.com article is incorrect in its assertion that STRATCOM has not addressed the problem of spreading viruses from removable media devices. IronKey and other vendors of hardware encrypted secure storage have been working with Joint Task Force – Global Network Operations (JTF-GNO) at STRATCOM to develop technical and operational requirements for preventing malware from infecting removable storage devices, and from migrating from devices onto networks.

IronKey partnered with Tresys, which offers a File Sanitization Tool designed to clean devices of malware when they are moved between different government networks.

IronKey Enterprise devices also feature an anti-malware scanner, to ensure that files stored on IronKeys are free of malware. IronKey devices also have active anti-malware capabilities that prevent tampering with the autorun.inf on the device, which stops malware from spreading from devices onto host computers.
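As an added illustration (not IronKey's or Tresys's code), here is the kind of autorun.inf inspection a media-sanitization step can perform before a device is allowed onto a host: it flags any directive that would launch a program when the device is inserted. The sample autorun.inf below is constructed for the example.

```python
# Constructed sample autorun.inf, written the way autorun malware of the
# Agent.btz era typically did it: a launch directive plus a cosmetic icon/label.
SAMPLE_AUTORUN = """[autorun]
open=setup.exe
icon=setup.exe,0
shellexecute=launch.exe
shell\\Open\\command=cmd.exe /c start
label=USB Drive
"""

# Directives under [autorun] that cause Windows AutoRun/AutoPlay to execute code.
LAUNCH_DIRECTIVES = ("open", "shellexecute")


def parse_autorun(text: str) -> dict:
    """Parse autorun.inf text into {section: {key: value}}.

    Sections and keys are lowercased because Windows treats them
    case-insensitively; a later duplicate key overrides an earlier one.
    """
    sections: dict = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def find_launch_directives(text: str) -> list:
    """Return (key, value) pairs under [autorun] that would run a program."""
    autorun = parse_autorun(text).get("autorun", {})
    hits = []
    for key, value in autorun.items():
        # shell\<verb>\command=... registers a program behind a context-menu verb
        if key in LAUNCH_DIRECTIVES or (key.startswith("shell\\") and key.endswith("\\command")):
            hits.append((key, value))
    return hits


def classify(text: str) -> str:
    """Sanitization verdict: block media whose autorun.inf launches anything."""
    return "BLOCK" if find_launch_directives(text) else "ALLOW"
```

Newer Windows releases no longer honor autorun.inf on USB storage, so on current hosts this check mainly catches devices that have been tampered with rather than an immediate execution path; on the legacy hosts this ban was written for, it is the difference between a clean insert and an infection.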

Identity Fraud Continues To Rise According To New Study

February 17th, 2010

Banking analyst firm Javelin Strategy & Research has released its 2010 Identity Fraud Survey Report. The firm surveyed a nationally representative sample of 5,000 US adults, including 703 fraud victims. Respondents completed a 50-question phone interview designed to gain insight into the crime and its effects on victims.

The report found that there were more victims than in any period since Javelin began performing these surveys in 2003. Much of the increase was in so-called “new account fraud”, which showed longer periods of misuse before detection, and therefore higher dollar losses than any other type of fraud. An example of this fraud would be a criminal applying for a credit card or personal loan using someone else’s identity information.

More information about the report can be found on Javelin’s website.

Should We Ban Anonymity On The Internet: Schneier vs Ranum

February 16th, 2010

Bruce Schneier and Marcus Ranum had an interesting debate this week regarding anonymity on the Internet. Bruce asserts that anonymity will always be there (and I agree that the TOR project basically proves it), whereas Marcus argues that limited anonymity for whistleblowers is good, but should eventually be compromised.

What do you think?

Company Sues Comerica Bank After Losing $550,000 In Phishing Attack Online

February 12th, 2010

Experi-Metal Inc. (EMI) in Sterling Heights, MI is suing Comerica Bank to recover $550,000 that was stolen from the company’s online banking account. EMI alleges that Dallas-based Comerica opened its customers to phishing attacks by sending emails asking customers to click on a link to update the bank’s security software. EMI says even though the bank had two-factor authentication using One Time Password devices for its online banking portal, the scam was able to circumvent these measures.

EMI is complaining that the bank’s historical practice of sending out emails to corporate customers, asking them to update security tools (in this case, digital certificates), effectively “trained” customers to fall for phishing scams. In 2008 Comerica switched from digital certificates to One Time Password devices for authenticating customers. OTPs offer a lower level of security than digital certificates, as they can be vulnerable to man-in-the-middle and quick replay phishing attacks.

In early 2009 an EMI employee opened a fake email purporting to be from Comerica Bank, instructing them to click on a link and update their security software. The user did so and was taken to a phishing site, which requested the username, password and One Time Password number from the token. The user entered this information, and the phishers used it to quickly log into the actual account and begin making funds transfers. Over a period of a few hours, 47 wire transfers totalling $550,000 were made from EMI’s account to the bank accounts of criminals in other countries and in the US.
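To make the "quick replay" weakness concrete, here is an added example (not Comerica's system or any vendor's code) that models both designs with a constructed demo secret: a time-based OTP that only proves "a valid code was typed somewhere in the last minute", beside a transaction-signing code that commits to the amount and destination the user is approving. The account identifiers, the timestamp and the secret are all assumed values.

```python
import hashlib
import hmac
import struct

# Constructed demo seed shared between a customer's token and the bank (not a real key).
TOKEN_SECRET = b"demo-seed-not-a-real-key"
STEP_SECONDS = 60   # validity window of a time-based OTP
DIGITS = 6


def _truncate(mac: bytes) -> str:
    """Dynamic truncation as in RFC 4226, reduced to DIGITS decimal digits."""
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def time_otp(secret: bytes, now: int) -> str:
    """Time-based OTP: depends only on the secret and the time step, not on what is approved."""
    counter = struct.pack(">Q", now // STEP_SECONDS)
    return _truncate(hmac.new(secret, counter, hashlib.sha1).digest())


def bank_accepts_otp(secret: bytes, code: str, now: int) -> bool:
    """Login check: the bank can only ask 'is this a valid code right now?'"""
    return hmac.compare_digest(code, time_otp(secret, now))


def transaction_code(secret: bytes, amount_cents: int, dest_account: str) -> str:
    """Transaction signing: the code commits to the transfer details shown on the token."""
    msg = f"{amount_cents}:{dest_account}".encode()
    return _truncate(hmac.new(secret, msg, hashlib.sha256).digest())


def bank_accepts_transfer(secret: bytes, code: str, amount_cents: int, dest_account: str) -> bool:
    """Transfer check: the same details must produce the same code."""
    return hmac.compare_digest(code, transaction_code(secret, amount_cents, dest_account))


def compare_relay_resistance(now: int) -> tuple:
    """Model the scenario above: a code typed into a fake site is forwarded to the bank
    seconds later. Returns (login_otp_accepted, relayed_transaction_code_accepted)."""
    phished_otp = time_otp(TOKEN_SECRET, now)                       # typed into the fake site
    relayed_login_ok = bank_accepts_otp(TOKEN_SECRET, phished_otp, now + 5)
    # With transaction signing, the user computed a code for a $1.00 transfer to their own account...
    phished_txn_code = transaction_code(TOKEN_SECRET, 100, "ACCT-OWN")
    # ...so the same code submitted for a different amount and destination is rejected.
    relayed_transfer_ok = bank_accepts_transfer(TOKEN_SECRET, phished_txn_code, 5_000_000, "ACCT-MULE")
    return relayed_login_ok, relayed_transfer_ok
```

The transaction-bound code only helps if the token displays the amount and destination for the user to read before generating it; a device that shows just a number gives the user nothing to compare against the transfer the bank will actually execute.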

New Banking Trojan Attacking Users of Corporate Banking Services

February 10th, 2010

Security researchers at SecureWorks have discovered a new trojan malware family designed to infect the computers of business finance professionals, and steal money from corporate bank accounts when they log into those accounts over the Internet.

They have dubbed the new malicious software “Bugat”.

This appears to be a different strain than the Zeus banking trojan that has been used by cyber criminals to steal tens of millions of dollars from corporate bank accounts over the last several months.

Bugat uses an SSL encrypted communication link to send stolen passwords and cookies over the Internet to command & control servers operated by cyber criminals.

The malware uses a list of “websites of interest”, and when a user logs into one of those websites, it starts collecting information. Many of the targeted websites are business banking and wire transfer sites.

City Supervisor in New York Slams TD Bank after Cyber-Heist of $378,000

February 9th, 2010

A town supervisor in Poughkeepsie, New York has criticized TD Bank after online criminals transferred $379,000 from the city’s bank account to the Ukraine.

It seems that malware infected the computer that the comptroller of the town uses to access the bank’s corporate banking system. Cyber criminals were then able to steal the bank account login and password, and access the bank’s online banking system. They initiated numerous small funds transfers on January 11 and 12, 2010, taking a total of $378,000.

This is yet another of the increasingly visible attacks against users of corporate online banking systems with sophisticated malware, such as the Zeus, silentbanker, zbot or clampi trojans.

Company Loses $200,000 From Corporate Banking Malware – Bank Sues Company!?!

January 27th, 2010

In a very strange turn of events, PlainsCapital bank is suing its customer, Hillary Machinery Inc, in a case regarding cyber-theft.

It seems that in November 2009, Romanian fraudsters gained access to the usernames and passwords of Hillary Machinery’s online corporate bank account with PlainsCapital. They transferred $800,000 out of the account. The bank was eventually able to recover $600,000, leaving Hillary Machinery, Inc. with a loss of $200,000.

Hillary Machinery complained to the bank and demanded that they cover the losses, and alleged that the bank’s security systems were not adequate.

Strangely, PlainsCapital has responded with a lawsuit, demanding that the courts find that their systems were in fact secure, and that it was a breach of authentication credentials that happened on Hillary Machinery’s computers (likely through Zeus malware infections).

Hillary Machinery has posted an alert about the issue on their website. “Small Business Alert – PlainsCapital Bank Target of Cyber Robbery. Is Your Bank Watching Your Back?”.

APWG 2009 Q3 Report Shows Highest Level of Phishing Attacks Ever

January 26th, 2010

The Anti-Phishing Working Group released their fraud report for Q3 2009. They found a record number of phishing reports, unique phishing websites, brand-domain pairs, and hijacked brands.

Customers of financial services companies were the most targeted.

The full report can be found here.

Social Networks Were Used To Target Employees and Spread Malware in Google Malware Case

January 26th, 2010

The Financial Times in the UK today reported that social networks were used by attackers to target employees at Google, Adobe, and possibly other companies, in last month’s targeted malware attacks. In the incident, attackers got targeted malware onto the computers of Google employees, and used it to break into the company’s networks and steal sensitive corporate data. The attackers, allegedly from a group in China suspected of working with the Chinese government, used social networks to gain information about the friends of targeted employees. They then sent spoofed emails and initiated Instant Messaging conversations with the targeted employees, and sent malicious software to those targets. The malware exploited vulnerabilities in Microsoft’s IE 6 web browser, and installed itself on the employees’ computers.

The use of social networks to perform advanced reconnaissance by hostile attackers isn’t new, but it’s becoming more and more clear that cyber-criminals are getting much more sophisticated in their targeting and pre-planning of attacks.

These recent events are causing concern in the financial services industry, where malware such as the Zeus trojan is getting onto the computers of finance and accounting professionals at companies, allowing cyber-thieves to hijack online banking sessions and transfer hundreds of thousands, and in some cases millions, of dollars from corporate coffers.