Privacy and Identity Theft

I’ve been hearing recent chatter about new malware variants that are attempting to get Facebook users to give up Ukash vouchers. It is a variant of the encryption extortion scheme. In this scheme, the malware gets onto a Facebook user’s computer, and blocks access to their Facebook account. It demands a Ukash payment in order to unlock the Facebook account.

In separate news, I’ve been looking at the money laundering uses of Ukash. It looks ripe for such abuse.

I was reading an article about Ocean Bank being fined $10.9M for not being in compliance with anti-money laundering guidelines by the Bank Secrecy Act.

The bank had anti-money laundering (AML) software that tracked suspicious funds transfers, however the bank’s staff was not using the software properly.

Cyber criminals have been attacking the online accounts of small businesses, government agencies, municipalities, non-profit organizations, property escrow companies and high net work individuals. They install secret malicious software on a user’s computer, and then use that to break into their corporate online bank account and fraudulently wire money from the account.

In June 2011, the FFIEC has issued new guidance for banks to protect against online account takeovers of corporate bank accounts.

The Federal Financial Institutions Examination Council (FFIEC) is a formal interagency body empowered to prescribe uniform principles, standards, and report forms for the federal examination of financial institutions by the Board of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), and the Consumer Financial Protection Bureau* (CFPB).

Many online account takeovers are used in money laundering. For example, many accounts are used as intermediary accounts for money mules, where stolen money is sent between bank accounts before being moved outside of the country to offshore cyber crooks.

I think there is a serious risk that banks could get fined under anti-money laundering regulations if their customer’s online bank accounts are taken over, and the bank has not implemented sufficient controls to be in compliance with the FFIEC security guidelines.

Earlier this year RSA Security was hacked. Attackers used a combination of spear-phishing social engineering and targeted crimeware to infiltrate internal desktop computers of employees, and then explore their way through RSA’s networks. They eventually found the database of symmentric RSA SecurID keys, and stole these. This allowed criminals to create virtual duplicates of tens of millions of RSA SecurID tokens.

Brian Krebs today posted an article that looks at the IP addresses of networks that contacted the command & control servers that controlled the malware inside of the RSA network. It turns out that over 760 other enterprises have been contacting those C&C servers, indicating that those companies were also infected, and are potentially the victims of the same type of Advanced Persistent Threat.

Some of the interesting names on the list include:

Abbott Labs, the Alabama Supercomputer Network, Charles Schwabb & Co., Cisco Systems, eBay, the European Space Agency, Facebook, Freddie Mac, Google, the General Services Administration, the Inter-American Development Bank, IBM, Intel Corp., the Internal Revenue Service (IRS), the Massachusetts Institute of Technology, McAfee, Motorola Inc., Northrop Grumman, Novell, Perot Systems, PriceWaterhouseCoopers LLP, Research in Motion (RIM) Ltd., Seagate Technology, SurfControl, Thomson Financial, Unisys Corp., USAA, Verisign, VMWare, Wachovia Corp., and Wells Fargo & Co.

You can see the entire list on Brian Krebs’ blog.

This week IronKey and Imation announced a pretty major partnership.

Essentially, Imation will be acquiring the security hardware business of IronKey, and the two companies will be partnering to sell IronKey’s online security services to enterprises, government and consumers.

IronKey has over 3,000 enterprise and government agency customers that use our multifunction security devices and online security services to protect their employees and customers. In fact, most of the users of IronKey security devices use our online security services for remote management, password security, transaction security and secure web surfing.

At IronKey, we have experienced fantastic growth, and are very grateful to all our customers, partners and employees.

We have decided to partner with Imation in order to allow us to focus on the security services part of our business, and to ensure that our hardware business can grow to its fullest potential.

Imation is an ideal partner for us. They sell over $1 Billion a year of storage hardware, and have a strategic focus on growing their security business. Imation already sells several lines of hardware encrypted USB drives and hard drives, as well as remote management software for encryption. They sell products in over 100 countries. Imation’s CEO, Mark Lucas, has a vision to grow their security business into many aspects of their current storage business. He is a great guy, and is really driving this strategy from the top of the company. I am pleased to have him and the whole Imation team as partners to grow our security hardware business. I am confident that they will be able to provide you, our customers and partners, with an ever-expanding line of security devices that exceed your expectations in terms of quality and performance.

This is also great for IronKey’s security services business line. It will allow us to focus on the many areas of innovation that will be needed as cyber crime gets ever more sophisticated and intense. As you know, I have been fighting cyber crime for over a decade, and have seen it evolve to become a professional enterprise with global reach. The risks have never been greater than they are today.

We are facing sophisticated financial criminals, hostile governments, hacktivist collectives, and all new kinds of social and technical attacks. IronKey will continue to build out our security services, in partnership with Imation and all our global partners and customers, to protect people, data and transactions on the Internet.

Please drop me a note, comment or tweet with questions that you might have.

Sincerely,
Dave Jevans
Chairman and Founder

The Coastal Bank is now offering IronKey Trusted Access to protect their online customers from malware and crimeware that can compromise their online banking security. Check it out at: https://www.thecoastalbank.com/#/home

In their August report, Kaspersky Labs has detected 35 unique malicious trojans that target the Bitcoin virtual currency.

These fall into two types:
1. Wallet stealers. These scan your disk for a bitcoin wallet, where your coins are stored, and then copies this. Criminals can then “spend” those coins, or trade them in on a trading exchange for one of a multitude of global currencies.

2. Mining trojans. These form a botnet of infected computers, and use your CPU and GPUs to mine for new bitcoins. Those are sent to a set of receiving addresses controlled by criminals.

There are also phishing attacks ongoing against users of bitcoin trading sites. I recommend that users of those sites use strong authentication (two factor) if offered by the site.

I met Coweta Sheriff’s Investigator Casey Mullis when I was speaking at the Atlanta Infragard security conference. Casey is very experienced in cyber forensics. We were talking, and he was interested in taking a focused security review on the IronKey.

Investigator Mullis used a series of advanced tools to try to break into his IronKey device.

I am pleased to say that the IronKey survived a prolonged period of intensive forensic analysis and password attacking, including the use of large rainbow tables.

You can read a nice detailed article about the security tests that helped prove that the IronKey is the most secure USB storage device available.

The FS-ISAC has released a study of 77 banks, and attempts at online account takeover of their customer’s commercial bank accounts. From 2009 to 2010, the incidents of commercial bank account takeover on the Internet almost tripled! Banks are deploying systems to better detect online fraud, and endpoint security software and hardware to enable secure web surfing and user authentication for end users. This is a wise investment, when attempts at account takeover are growing so quickly.

Here’s a little video blog I put together.

RSA security reported that an email containing these 13 words was responsible for infecting machines inside their internal networks with one-off malware, allowing cyber criminals access to their internal networks. Cyber criminals then spread throughout RSA’s internal systems, eventually finding the database of all RSA SecurID One Time Password Token secret seeds. They stole that data, and then used it to clone RSA hardware devices, and successfully attacked defense contractors including Lockheed Martin and Level 3.

It is amazing how a simple email, sent to only 4 employees, was responsible for compromising a security infrastructure used by hundreds of millions of people and tens of thousands of companies and government agencies to authenticate users on the Internet.

This proves a few things:
1. current anti-spam filters than clean out 99% of spam are still not sufficient
2. cyber criminals are executing highly targeted attacks against companies that go largely undetected
3. isolation of browsing environments and email from such attacks is crucial.

Security researchers have published data today that a fraudulent certificate for *.google.com domains is circulating on the Internet. The certificate was issued by Certificate Authority (CA) Diginotar in the Netherlands. Most likely the CA was hacked, and someone used their root key to issue the fraudulent certificate. This certificate is trusted by most Web browsers in the world.

This would allow ISPs and governments to intercept encrypted communications to any Google online service, including Gmail, and decrypt it in a man-in-the-middle attack.

Interestingly the certificate was issued on July 10, 2011, and was not detected and revoked until August 29, 2011. Previous attacks using fraudulently obtained certificates, though revoked, can be continued if the attacker controls the ISP or upstream networks, as the attacker blocks revocation lists. Therefore whoever started this attack could potentially still intercept and decrypt communications to Google and Gmail for a long time to come.

The attack was detected yesterday by a user in Iran. It is thought that the Iranian government is using this to intercept and decrypt email traffic to the Gmail service.

This is another example of how the threat environment on the Internet is increasing in sophistication, and how nation states are potentially being involved in very focused, targeted, sophisticated advanced persistent threats. Trying to undermine huge utilities such as the Gmail service require some serious focus and dedication.

I’m still somewhat skeptical that alternate SSL trust mechanisms, such as Convergence can realistically be adopted, but I’ve got an open mind. Certainly the current system of hundreds of “trusted” CAs inside of browsers is not working. What is interesting about Convergence is that it uses a pseudo-crowd sourced methodology for invoking or revoking trust from certificate issuers. This is not dissimilar to the way that Bitcoin works to validate transactions across a distributed open source network.

UPDATE 8/30/2010

Interview with Diginotar (owned by security firm VASCO) reveals that several other companies were affected by fraudulently issued digital certificates. They claim that they still do not know how the breach occurred. Apparently fake digital certificates were being issued since July 2011.