Privacy and Identity Theft

In a very strange turn of events, PlainsCapital bank is suing its customer, Hillary Machinery Inc, in a case regarding cyber-theft.

It seems that in November 2009, Romanian fraudsters gained access to the usernames and passwords of Hillary Machine’s online corporate bank account with PlainsCapital. They transfered $800,000 out of the account. The bank was eventually able to recover $600,000, leaving Hillary Machinery, Inc. with a loss of $200,000.

Hillary Machinery complained to the bank and demanded that they cover the losses, and alleged that the bank’s security systems were not adequate.

Strangely, PlainsCapital has responded with a lawsuit, demanding that the courts find that their systems were in fact secure, and that it was a breach of authentication credentials that happened on Hillary Machinery’s computers (likely through Zeus malware infections).

Hillary Machinery has posted an alert about the issue on their website. “Small Business Alert – PlainsCapital Bank Target of Cyber Robbery. Is Your Bank Watching Your Back?”.

The Anti-Phishing Working Group released their fraud report for Q3 2009. They found a record number of phishing reports, unique phishing websites, brand-domain pairs, and hijacked brands.

Customers of financial services companies were the most targeted.

The full report can be found here.

The Financial Times in the UK today reported that social networks were used by attackers to target employees at Google, Adobe, and possibly other companies, in last month’s targeted malware attacks. In the incident, attackers got targeted malware onto the computers of Google employees, and used it to break into the company’s networks and steal sensitive corporate data. The attackers, allegedly from a group in China suspected of working with the Chinese government, used social networks to gain information about the friends of targeted employees. They then sent spoofed emails and initiated Instant Messaging conversations with the targeted employees, and sent malicious software to those targets. The malware exploited vulnerabilities in Microsoft’s IE 6 web browser, and installed itself on the employees’ computers.

The use of social networks to perform advanced reconnaissance by hostile attackers isn’t new, but it’s becoming more and more clear that cyber-criminals are getting much more sophisticated in their targeting and pre-planning of attacks.

These recent events are causing concern in the financial services industry, where malware such as the Zeus trojan, is getting onto the computers of finance and accounting professionals at companies, and is allowing cyber-thieves to hijack online banking sessions and transfer hundreds of thousands, and in some cases, millions of dollars from corporate coffers.

I’ve written about massively parallel systems and how they could be used to crack passwords for software encryption. In fact, we designed the IronKey hardware to withstand brute-force password guessing attacks by implementing all password checking and brute force counters in silicon on the CryptoChip itself.

Well, there’s a new cloud-based service on the Internet that can crack software encrypted ZIP files, and even Wi-Fi passwords. It’s called WPA Cracker. It runs brute force password guessing attacks using a network of 400 computers (I wonder if it’s EC2???). There’s a 135 million word dictionary for cracking WPA passwords, and the service costs $17. The dictionary for cracking ZIP files is 284 million words, in addition to random raw brute force of passwords of various lengths. They now have a German dictionary too!

Lockheed Martin Corporation has announced their partnership with IronKey to develop a secure, portable “PC on a stick”, using the IronKey Enterprise devices and remote systems management server.

The product, named “IronClad”, puts the entire operating system onto the IronKey device. The result is a highly secure “PC on a stick”.

IronClad technology runs the operating system directly off of the flash drive, meaning the user’s files never touch the hard drive of the borrowed computer, and the device leaves no trace that it was ever there. Each IronClad device is fully encrypted and delivers hardware-level protection against today’s most insidious malware threats, including nearly undetectable rootkits. The product allows the operating system to boot from the IronKey device, thereby avoiding malware that may be infecting the host computer. There is also additional protection in the form of BIOS verification, on-board anti-malware, and sandboxing of applications inside the booted OS.

More information can be found here.

Connecticut Attorney General Richard Blumenthal announced last week that he is suing Health Net of Connecticut for failing to secure private patient medical records and financial information involving 446,000 Connecticut enrollees. A further portion of the complaint is that Health Net failed to promptly notify consumers that their data was breached.

“Protected private medical records and financial information on almost a half million Health Net enrollees in Connecticut were exposed for at least six months—most likely by thieves—before Health Net notified appropriate authorities and consumers,” said Blumenthal. “The staggering scope of the data loss, and deliberate delay in disclosure, are legally actionable and ethically unacceptable. Even more alarming than the breach, Health Net downplayed and dismissed the danger to patients and consumers.”

This is the first legal action by a state attorney general involving violations of the Health Insurance Portability and Accountability Act (HIPAA).

First Tech credit union has issued a security alert regarding a fraudulent Android smartphone app posted on Google’s Android Marketplace. The app purports to be mobile banking tool. Naturally it is actually a phishing scam, that will steal your banking username and password if you actually use it to log into your online bank account.

The app was posted by a user with the alias “Droid09″.

SCMagazineUS.com wrote today that several applications that were fraudulently using the names of banks, without their permission, have been removed from the Google Android Market.

This week there were widespread reports that hardware-encrypted USB thumb drives from SanDisk, Kingston and Verbatim suffer a serious security design flaw, allowing them to be unlocked without knowing a user’s password.

Security guru Bruce Schneier posted an article about this, and dicussed in particular how the FIPS 140-2 Level 2 security validation that the SanDisk device had received from NIST would allow such a fatal security flaw.

Today there are been discussion that the affected device has undergone Common Criteria EAL2 certification. Common Criteria is thought to ensure a higher level of security than the FIPS 140-2 Level 2 validation.

However, blog posters were quick to point out that there is no government approved “protection profile” for hardware encrypted USB removable storage devices (though I am told that NSA is working on developing one). This means that the vendor, in this case SanDisk, is simply verifying that the device works as THEY specify, and is not actually validating their product against industry standard security requirements.

Here is the link to the Common Criteria Security Target and Evaluation at the Australian Government Department of Defense.

Effectively the security target document excludes the password authentication and trusted communication path between host PC and the device. This means that even though the product has “Common Criteria EAL2″ certification, the critically vulnerable component, password authentication, was not in fact part of that certification.

All this commotion is bringing to light that security certifications are important, but do not by themselves make a product secure. Buyers, and vendors themselves, need to understand exactly what components have been validated, and whether they are being validated against a standard set of security requirements, or are simply being “validated” to do what the vendor says they do, even if that implies security vulnerabilities.

The Computer Security Division of the National Institute of Standards and Time (NIST), sets security standards for security and encryption for the US Government. Products that protect data with encryption must meet the rigorous NIST FIPS 140-2 security standard.

This week there have been widespread reports of FIPS 140-2 Level 2 validated hardware-encrypted USB flash drives having serious security vulnerabilities that allow an attacker to unlock any of these devices without knowing the user’s password.

IronKey devices are NOT vulnerable to these attacks.

NIST today said that they will be investigating the affected products and companies.

“From our initial analysis, it appears that the software authorizing decryption, rather than the cryptographic module certified by NIST, is the source of this vulnerability,” according to a NIST statement in ComputerWorld. “Nevertheless, we are actively investigating whether any changes in the NIST certification process should be made in light of this issue.”

Customers, partners, security researchers and government employees are invited to join IronKey Chief Executive Officer, David Jevans, for a question and answer session and brief webinar to discuss the recent spate of serious security vulnerabilities with “secure” USB flash drives.

In this webinar I will discuss:
1) What is the vulnerability to FIPS validated “secure” USB flash drives, and how dangerous is it?
2) Are IronKey’s customers safe?
3) Which vendors are affected by this vulnerability?
4) How was the vulnerability discovered?
5) How could security devices, validated to FIPS 140-2 Level 2 by NIST, have such a critical vulnerability?
6) What are the next steps to keep yourself protected?

I will welcome your questions during the session.

The webinar will be on Wednesday January 13, 2010 at 10am Pacific Standard Time.

You can sign up for the webinar here.