Archive for May, 2010

Internet Privacy Gains The Attention of Washington

Friday, May 28th, 2010

The chairman of the House Judiciary Committee on Friday asked Google Inc. and Facebook Inc. to cooperate with inquiries into their privacy practices.

Rep. John Conyers Jr. (D-Mich.) said he wants Facebook CEO Mark Zuckerberg to explain Facebook’s privacy practices amid recent changes and the consumer and media uproar. Conyers also said that he wants Google to retain the data and records related to the Wi-Fi data that the company’s Street View cars collected in recent years.

Conyers said “I want to ensure that privacy concerns are as paramount as creativity to these and all Internet companies, and I look forward to hearing about ways they can ensure this is the case.”

IBM Hands Out Malware Infected USB Drives at AUSCERT Security Conference

Friday, May 21st, 2010

IronKey’s Chief Technology Officer, Gil Spencer, was at the AUSCERT security conference in Australia this week. He was the lucky recipient of a promotional USB flash drive from IBM at the conference.

Today IBM sent out an apology. It seems that the USB flash drives that they handed out were infected with autorun malware. Nice one, IBM.

They should have given out IronKey secure devices. IronKey Enterprise devices have anti-malware software and hardware and firmware protection against autorun USB malware.

USB Worms Top The List of Malware in Q1 2010

Wednesday, May 19th, 2010

According to McAfee’s Q1 Threat Report, malware designed to spread via USB removable storage devices was the most prevalent malware threat in Q1 2010. The most frequently detected malware variant by McAfee researchers was “Generic!atr”, followed by a number of password-stealing Trojans and the Autorun Conficker worm.

This should come as no surprise. The ability to infect USB drives, and then spread onto computers on which those drives are used, has become a widely exploited technique in many malware packages. Perhaps the most famous case of such an infection was in late 2008 when such a worm, “Agent.btz”, infected sensitive Department of Defense computers. This led to a lockdown by the DoD of all removable storage devices until they could define a set of technical operating requirements to ensure that malware cannot spread onto and from removable storage devices.
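The spreading mechanism described above, and in the IBM USB drive item earlier on this page, comes down to a small text file: a worm drops an autorun.inf at the root of the drive whose directives Windows reads when the drive is inserted. The following is an added example, not code from the original post or from IronKey, that reads such a file the lenient way Windows does and flags the directives that launch code or disguise the drive. The two sample files are constructed for illustration; the file names and DLL export in them are made up, not indicators from any real worm.

```python
# Added example: triage an autorun.inf the way Windows' AutoRun would read it,
# and flag directives that launch code when the drive is inserted.
# Sample files below are constructed for illustration, not taken from a real worm.
import re
from typing import Dict, List

# Directives in the [autorun] section that cause code to run (open/shellexecute) or
# bind a launch command to an Explorer verb (shell\<verb>\command).
LAUNCH_KEYS = {"open", "shellexecute"}
SHELL_COMMAND_RE = re.compile(r"^shell\\[^\\]+\\command$")
SECTION_RE = re.compile(r"^\[(.+)\]$")


def parse_autorun(text: str) -> Dict[str, str]:
    """Leniently parse the [autorun] section.

    Mirrors Windows' behaviour closely enough for triage: section and key names are
    case-insensitive, lines without '=' are ignored (worms pad the file with junk
    lines to defeat naive signature matching), and a repeated key keeps the last value.
    """
    directives: Dict[str, str] = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        section = SECTION_RE.match(line)
        if section:
            in_autorun = section.group(1).strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, _, value = line.partition("=")
        directives[key.strip().lower()] = value.strip()
    return directives


def autorun_findings(text: str) -> List[str]:
    """Return human-readable reasons this autorun.inf deserves attention."""
    d = parse_autorun(text)
    findings = []
    for key, value in d.items():
        if key in LAUNCH_KEYS:
            findings.append(f"{key}= runs '{value}' when the drive is inserted")
        elif SHELL_COMMAND_RE.match(key):
            findings.append(f"{key}= makes an Explorer menu entry run '{value}'")
    # Disguise directives: a system-DLL icon makes the drive look like a plain folder,
    # and an action label copying Windows' own AutoPlay text invites the click.
    if "shell32.dll" in d.get("icon", "").lower():
        findings.append("icon= borrows a Windows system icon (folder look-alike)")
    if "open folder" in d.get("action", "").lower():
        findings.append("action= mimics the built-in 'Open folder to view files' entry")
    return findings


def launches_code(text: str) -> bool:
    """True if inserting a drive with this autorun.inf would execute or expose a launcher."""
    d = parse_autorun(text)
    return any(k in LAUNCH_KEYS or SHELL_COMMAND_RE.match(k) for k in d)


# Constructed worm-style file: junk padding, folder disguise, rundll32 launcher.
WORM_INF = r"""[AutoRun]
xQ9!lkasjd 2lkj 0x7f garbage padding that Windows ignores
Action=Open folder to view files
Icon=%SystemRoot%\system32\shell32.dll,4
ShellExecute=RUNDLL32.EXE .\RECYCLER\payload.dll,Install
shell\open\Command=RUNDLL32.EXE .\RECYCLER\payload.dll,Install
"""

# Constructed benign file: only a volume label and icon, nothing executes.
BENIGN_INF = r"""[autorun]
label=Vendor Tools
icon=tools.ico
"""

if __name__ == "__main__":
    for name, inf in (("worm", WORM_INF), ("benign", BENIGN_INF)):
        print(name, launches_code(inf), autorun_findings(inf))
```

A scanner like this is a triage aid for drives that have already been written to; it does not stop the write in the first place, which is why the post's own remedies (read-only mode, on-device scanning, hardware blocking of autorun tampering) sit on the device rather than on the host.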

IronKey worked with the Department of Defense, the National Security Agency, and other agencies to help define these technical requirements. These capabilities are now available to Enterprise customers of IronKey devices. They include built-in anti-malware scanning, hardware-based prevention of autorun tampering, a read-only mode, etc.

EFF Panopticlick Profiles Your Browser and Finds Unique Ways to Identify You

Tuesday, May 18th, 2010

I just tried the Electronic Frontier Foundation (EFF.org)’s new browser fingerprinting website, Panopticlick.eff.org. It is a webpage that collects data from your web browser, and creates a new type of device fingerprint. It compares it to a database of all other devices that have visited the web page, and then tells you how unique your browser fingerprint is. Almost 1 million people have visited the website.

Concerningly, I visited with my Safari browser on a Mac. The web page says that my browser is uniquely identified out of 909,639 tested so far. My browser has a fingerprint that conveys at least 19.79 bits of identifying information.

It appears that the fingerprint includes the list of plug-ins installed in your browser, the fonts installed on your system, your time zone, screen size, etc. This is new information for fingerprinting a device; typical fingerprinting has relied on IP addresses, browser type, language, computer platform, cookies, etc.

What this means is that device fingerprinting can be used to identify individual users across websites, independent of traditional tracking such as web browser cookies and flash cookies.

The EFF gives some recommendations for avoiding browser-profiling-based tracking. The main way to do this is to make your browser look similar to everyone else’s browser.
1. Use a “standard”, widely used browser with “standard” computer settings.
2. Disable JavaScript, and consider using a JavaScript-blocking tool like NoScript.
3. Use Torbutton to spoof your browser’s identification string to websites.
4. Use the “private browsing” features of your web browser.
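To make the “19.79 bits” figure concrete: a browser whose fingerprint is shared by k out of N tested browsers conveys log2(N/k) bits, so a fingerprint that is unique among 909,639 browsers conveys log2(909,639) ≈ 19.79 bits. The following is an added example, not code from the original post or from the EFF, that assembles a fingerprint from the kind of attributes Panopticlick reads and computes that figure both per attribute and for the combined fingerprint. The visitor population is constructed for illustration; the attribute names and values are assumptions, not Panopticlick’s data.

```python
# Added example: how a Panopticlick-style fingerprint is assembled and how its
# "bits of identifying information" are computed. The visitor database below is
# constructed for illustration; Panopticlick's own code and data are not used.
import hashlib
import math
from typing import Dict, List

Attrs = Dict[str, str]


def fingerprint(attrs: Attrs) -> str:
    """Canonicalise the attributes a site can read without cookies (user agent,
    plug-in list, fonts, time zone, screen geometry) and hash them into one ID."""
    canonical = "|".join(f"{key}={attrs[key]}" for key in sorted(attrs))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def surprisal_bits(total: int, matching: int) -> float:
    """Identifying information of a value shared by `matching` of `total` browsers:
    log2(total / matching). A value nobody else has yields log2(total)."""
    return math.log2(total / matching)


def attribute_bits(name: str, visitor: Attrs, others: List[Attrs]) -> float:
    """Bits conveyed by one attribute alone, as in Panopticlick's per-row table."""
    everyone = others + [visitor]
    matching = sum(1 for v in everyone if v[name] == visitor[name])
    return surprisal_bits(len(everyone), matching)


def fingerprint_bits(visitor: Attrs, others: List[Attrs]) -> float:
    """Bits conveyed by the combined fingerprint; never less than any single attribute."""
    everyone = [fingerprint(v) for v in others] + [fingerprint(visitor)]
    matching = everyone.count(fingerprint(visitor))
    return surprisal_bits(len(everyone), matching)


# Constructed visitor population: a common Windows configuration and a rarer Mac one.
COMMON: Attrs = {"ua": "MSIE 8.0 / Windows XP", "timezone": "-300",
                 "screen": "1024x768x32", "plugins": "Flash;Java;WMP",
                 "fonts": "Arial;Times New Roman;Verdana"}
RARE: Attrs = {"ua": "Safari 4 / Mac OS X", "timezone": "-420",
               "screen": "1440x900x24", "plugins": "QuickTime;Flash;Java;Silverlight",
               "fonts": "Arial;Helvetica;Monaco;Optima"}
PREVIOUS_VISITORS: List[Attrs] = [
    COMMON, COMMON, COMMON,
    {**COMMON, "screen": "1280x800x32"},
    {**COMMON, "timezone": "-480"},
    {**RARE, "fonts": "Arial"},          # same Mac browser, different font set
    {**COMMON, "plugins": "Flash"},
]

if __name__ == "__main__":
    for label, visitor in (("common", COMMON), ("rare", RARE)):
        per_attr = {k: round(attribute_bits(k, visitor, PREVIOUS_VISITORS), 2) for k in visitor}
        print(label, per_attr, round(fingerprint_bits(visitor, PREVIOUS_VISITORS), 2))
    # The page's own figure: one browser unique among 909,639 tested.
    print(round(surprisal_bits(909_639, 1), 2))
```

Two things fall out of the arithmetic. The combined fingerprint always carries at least as many bits as its most distinctive attribute, so adding one unusual plug-in or font can make an otherwise common browser unique. And since the identifier is a hash of attributes the user did not choose to send, clearing cookies does nothing to it; only changing the attributes so that more browsers share them (the EFF’s advice above) lowers the figure.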

“Avalanche” Cyber Crime Gang Abuses Domain Name Registrations for Phishing and Malware Attacks

Saturday, May 15th, 2010

A new report was released by the Anti-Phishing Working Group at the “Counter eCrime Operations Summit” in São Paulo, Brazil.

The report is titled “Global Phishing Survey: Trends and Domain Name Use 2H2009”. It is focused on an analysis of domain name registrar abuse, and on how fraudulently registered domain names are used to operate phishing scams as well as malware and crimeware distribution.

In the second half of 2009, the “Avalanche” cyber crime gang appears to have been responsible for two-thirds of all phishing attacks launched, and for the overall increase in phishing attacks recorded across the Internet.

The Avalanche gang appears to be a group, perhaps largely of the same people, that has taken over from the notorious “Rock” phishing gang. The Rock phishers were the most prevalent online crime gang in the 2007-2008 period. They invented technology to automate phishing, spam and malware attacks by coordinating the compromise, operation and cleanup of thousands of servers across the Internet. The Rock phishing gang invented the “fast flux” technique: a single domain name is kept constant while the phishing or malware site behind it is rotated rapidly across hundreds of compromised servers, so that taking down the individual hosts is extremely difficult, and only having a domain registrar or registry suspend the domain could guarantee a takedown. This approach effectively defeated blacklisting techniques for protecting users from visiting known phishing and malware distribution sites.

The Avalanche gang appears to have taken the approach to a new level. They continue to use large numbers of domains, and they use subdomain hosting services. But they are now using botnets, running on the computers of consumers who do not realize that their machines are infected and are being used, often overnight, by cyber criminals to carry out their work.

The Avalanche gang is not only using this massive infrastructure for phishing; they have also been using it to distribute malware and crimeware, notably the Zeus banking trojan.
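The fast-flux behaviour described above leaves a recognisable trace in DNS: repeated lookups of one name return a short TTL and a constantly changing set of addresses spread across unrelated networks, and an IP blacklist built from earlier answers misses most of the next ones while the domain itself never changes. The following is an added example, not code from the original post, the APWG report or IronKey, that scores a series of lookups with that heuristic. All host addresses, the two lookup sequences and the thresholds are constructed assumptions; /16 prefixes stand in for the ASN lookups you would use with real data.

```python
# Added example: a fast-flux heuristic run over a sequence of DNS lookups for one
# host name, showing why an IP blacklist lags behind while the domain stays constant.
# All addresses and thresholds below are constructed assumptions, not real indicators.
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Dict, List, Set


@dataclass
class Lookup:
    """One DNS response observed for the name: the TTL and the A records returned."""
    ttl: int
    answers: List[str]


def flux_metrics(lookups: List[Lookup]) -> Dict[str, float]:
    """Summarise how the answer set behaves across repeated lookups."""
    seen: Set[str] = set()
    prefixes: Set[str] = set()
    new_fraction = []
    for lookup in lookups:
        fresh = set(lookup.answers) - seen
        new_fraction.append(len(fresh) / len(lookup.answers))
        seen.update(lookup.answers)
        # /16 as an offline stand-in for "different network / hosting provider";
        # with ASN data available, count distinct ASNs here instead.
        prefixes.update(str(ip_network(f"{ip}/16", strict=False)) for ip in lookup.answers)
    return {
        "distinct_ips": len(seen),
        "distinct_prefixes": len(prefixes),
        "min_ttl": min(lookup.ttl for lookup in lookups),
        # churn: share of never-seen addresses per lookup, ignoring the first lookup
        "mean_new_fraction": sum(new_fraction[1:]) / max(1, len(new_fraction) - 1),
    }


def is_fast_flux(lookups: List[Lookup], max_ttl: int = 300, min_ips: int = 6,
                 min_prefixes: int = 4, min_churn: float = 0.5) -> bool:
    """Assumed thresholds: short TTL, many addresses spread over many networks, and
    mostly new addresses on each lookup. Tune them against your own resolver logs."""
    m = flux_metrics(lookups)
    return (m["min_ttl"] <= max_ttl and m["distinct_ips"] >= min_ips
            and m["distinct_prefixes"] >= min_prefixes
            and m["mean_new_fraction"] >= min_churn)


def blacklist_coverage(lookups: List[Lookup]) -> float:
    """Share of the latest answers that an IP blacklist built from earlier lookups catches."""
    known: Set[str] = set()
    for lookup in lookups[:-1]:
        known.update(lookup.answers)
    latest = lookups[-1].answers
    return sum(1 for ip in latest if ip in known) / len(latest)


# Constructed: a phishing host fronted by compromised consumer PCs, rotated every few minutes.
FLUX_LOOKUPS = [
    Lookup(180, ["83.12.44.201", "201.77.9.15", "122.160.3.88", "77.250.19.6"]),
    Lookup(180, ["201.77.9.15", "95.31.140.22", "189.4.77.30", "218.102.5.91"]),
    Lookup(180, ["62.101.3.7", "189.4.77.30", "41.208.66.140", "186.9.120.3"]),
    Lookup(180, ["24.150.7.88", "62.101.3.7", "93.77.204.10", "117.20.31.5"]),
]

# Constructed: an ordinary site on two load-balanced servers at one provider.
STEADY_LOOKUPS = [
    Lookup(300, ["198.51.100.10", "198.51.100.11"]),
    Lookup(300, ["198.51.100.11", "198.51.100.10"]),
    Lookup(300, ["198.51.100.10", "198.51.100.11"]),
    Lookup(300, ["198.51.100.10", "198.51.100.11"]),
]

if __name__ == "__main__":
    for label, lookups in (("flux", FLUX_LOOKUPS), ("steady", STEADY_LOOKUPS)):
        print(label, flux_metrics(lookups), is_fast_flux(lookups),
              f"blacklist catches {blacklist_coverage(lookups):.0%} of latest answers")
```

On the constructed flux sequence the IP blacklist built from the first three lookups covers only a quarter of the fourth lookup’s answers, which is the practical reason the report and the post above point at the domain name, and hence the registrar or registry, as the only reliable takedown point.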

Read all the details of the report here.

FBI To Target “Cyber Mules” – People Who have “work at home jobs” Transferring Money on the Internet

Wednesday, May 12th, 2010

The US Federal Bureau of Investigation is planning a major prosecution to bust up the operations that cyber criminals use to turn funds stolen online into readily available cash, a top bureau official said Tuesday.

The FBI is targeting the end of the criminal supply chain—the “money mules” who receive transfers of stolen funds into their bank accounts—to raise public awareness and dissuade people from becoming mules, said Patrick Carney, acting chief of the FBI’s Cyber Criminal Section.

Money mules are people who think they have a legitimate work-at-home job in which they receive goods or have money wired into their bank accounts, and their job is to forward the goods, or a portion of the funds, to another person. These scams are usually presented as a work-from-home shipping clerk job, or perhaps a business consultant or accounting administrator position.

These jobs are posted on job boards like Monster.com and HotJobs.com. They are sent out by spam. They are advertised online and even in newspapers.

But the reality is that these are scams, and are operated by the cyber underground as a way to launder stolen funds or goods purchased online with stolen credit cards.

We do not know how many people are working as “mules”, but it must be ten thousand or more in the USA. The anti-money-laundering website BobBear.co.uk lists hundreds of active fake companies that are fronts for money mules.

Are We Facing Yet Another Banking Crisis?

Monday, May 10th, 2010

ICT Review has published Dave Tripier’s article: “How Cybercriminals Are Stealing Corporate Funds, and Putting Pressure on the Global Banking System”.

“The last eighteen months have delivered some of the most testing challenges to the global banking system. Whilst financial institutions and businesses alike struggle to emerge from a brutal recession, they’re now having to face up to a new threat which can potentially steal away their funds and corporate reputation with the simple click of a mouse.

In this article Dave Tripier, CMO of IronKey, explains how organised cyber crime rings have begun to target corporate banking transactions – and offers valuable advice to help banks and businesses to deal with this new threat.”

Read the full article here.

The 21st Century Trojan War – Protecting Corporate Online Banking from Next-Generation Malware

Thursday, May 6th, 2010

Financial Services Technology magazine has published my new article, “The 21st Century Trojan War”. In it I talk about the new corporate banking trojan threats, and how the cyber-underground is advancing their attacks against the financial services infrastructure by infiltrating the computers of finance professionals inside corporations and government agencies.


“In 2009, organized cyber crime rings began to shift away from massive phishing attacks against consumer banking users, and instead target bigger fish – corporate banking users. The cybercriminals use advanced malicious software (malware) to attack the computers of finance professionals in companies and government agencies. If a computer that is used to access a commercial online banking service becomes infected, the attackers can effectively take over the corporate financial accounts in real time by hijacking active banking sessions, and issue commands for funds transfers.

Symantec detected over 70,000 variants of the Zeus Trojan in 2009.

Documented losses to corporate banking customers from fraudulent wire transfers initiated in the USA by next-generation malware on corporate computers have ranged from $10,000 to over $1,000,000 per incident. Much of this money was successfully transferred to ‘money mule’ accounts overseas, and was never recovered. It is far more lucrative for cyber criminals to make numerous $9000 transfers from a single corporate bank account, than to try to hijack thousands of consumer-based accounts and make small money transfers. It is also reasonable to expect that online corporate banking fraud will track historical online consumer banking fraud patterns, and will grow dramatically over the next several years.”

Read the rest of the article at: Financial Services Technology Magazine.


USB Memory Stick Found In Parking Lot Containing Personal Data of Mental Patients

Wednesday, May 5th, 2010

A 12-year-old boy found an unencrypted USB memory stick in the parking lot of an ASDA supermarket in Stenhousemuir, Scotland. To the surprise of the young lad and his parents, the memory stick contained records of patients at nearby Bellsdyke Hospital in Falkirk, Scotland, a mental health hospital.

The UK National Health Service issued the following statement: “We are very concerned to learn of this incident and are looking into it as a matter of urgency. We have clear policies in place on the safe use of portable data devices. We can confirm a member of staff has been suspended in connection with this incident.”

This is a clear example that workplace policies alone cannot guarantee compliance. For removable media, it is critical that healthcare companies and hospitals enforce always-on encryption by only using hardware-encrypted portable storage devices such as an IronKey.

Crimeware: 2010 – A New Round of Confrontation

Wednesday, May 5th, 2010

Yury Mashevsky of anti-virus company Kaspersky Lab has published a good article that outlines the state of the crimeware threat environment that we face in 2010.

Mashevsky illustrates the exploding number of financial crimeware/malware samples that Kaspersky has received on a quarterly basis since the financial crimeware industry got started in 2005.


This graph shows the increase in the number of unique malicious programs used to steal money from Internet users. Source: Kaspersky Lab

As banks roll out new security technologies and techniques, the criminal underground quickly develops means to defeat them. The exploits are rapidly (often within 30 days) made widely available in numerous crimeware variants that criminals can purchase over the Internet. Attacks are often hosted on computers in countries other than those where the banks and their customers are located, making it very difficult to get the websites that host malware or command & control servers taken down.

Mashevsky concludes that to make meaningful progress in the battle against an exponentially growing threat will require much tighter collaboration between financial institutions, their customers, the security industry, and government agencies.