Tag: Hackers

Seems like everything gets hacked these days. Baby monitors. White House employees’ personal email. Toilets.

If it’s connected to the Internet, it seems at least a little vulnerable.

But surely we can trust that workhorse selfie-generator, the iSight webcam built into the top bezel of Mac laptops. Or… Maybe not. Yesterday, security researchers Steve Glass and Christopher Soghoian were passing around a National Security Administration factsheet with a little bit of advice for Mac users on how to “harden” their computers to attacks.

Among the tips, we find the following suggestion: “Disable Integrated iSight and Sound Input.”

“The best way to disable an integrated iSight camera is to have an Apple-certified technician remove it,” the NSA writes (emphasis added). Then, you might try “placing opaque tape over the camera” or try the software-only method of removing one of the components of QuickTime’s files. And if the NSA doesn’t trust that a particular piece of hardware can’t be used for surveillance, it’s probably safe to assume an average user shouldn’t either.

View Source

The single-click Google account login for Android apps is a little too convenient for hackers, according to Tripwire’s Craig Young, who has demonstrated a flaw in the authentication method.

The mechanism is called “weblogin”, and basically it allows users to use their Google account credentials as authentication for third-party apps, without sharing the username and password itself: a token is generated to represent the user’s login details.

Young claimed the unique token used by Google’s weblogin system can be harvested by a rogue app and then used to access all of the advertising giant’s services as that user.

To demonstrate the flaw at this month’s Def Con 21 hacking conference in Las Vegas, Young created an Android app that asks for access to the user’s Google account to display stocks from Google Finance.

Assuming the user grants the app permission, a token is issued to access the requested data. The rogue app sends that token back to the hacker, who can paste it into a web session to access all of the user’s Google services, said Young.

That includes unrestricted access to Gmail, Google Drive, Google Calendar and so forth, even though the permission was only given for an Android app to access Google Finance, we’re told.

Users do have to give multiple permissions to the app first: to access local accounts; to access the network; and to kick off a web session accessing finance.google.com – the last bit being when the web-usable token is issued. But if the user is expecting integration with Google Finance, then none of that would surprise them.

Handing over the keys to their Google Drive files would, however.

Once the miscreant has a valid token then they could see their mark’s search history, among other things. Young points out that should our victim happen to be a Google Administrator then the attacker could take control of the administered accounts, changing passwords, modifying privileges, etc.

But they’ll have to move fast – Google’s automated scanning may not have noticed the app’s behaviour (his rogue app was only removed from the Google Play app store following a complaint, despite being clearly marked as a security test), but since being informed about the vuln in February the Chocolate Factory has been working to close the security hole. (The PC World blog has more details on the bloke’s research.)

The flaw is typical of what happens when simplicity overtakes security in developers’ order of priorities. It’s unlikely that anyone but the most-dedicated spear-phisher would take advantage of a flaw like this, but its exposure reminds us to be aware of the permissions we grant – and keeps Google et al fixing flaws which shouldn’t exist in the first place.
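A toy model of the token-scope problem in Young’s demo, added here as an illustration and not Google’s weblogin code: the issuer, service names, signing key and token format are all constructed. The weak path mints a token that names only the user, so any service honours it; the bound path also records the service the user consented to, and a token granted for finance is rejected at drive.

```python
"""Model of a bearer token granted for one service being accepted by all.

Constructed example: the key, service names and token format are not
Google's. A token is base64(JSON claims) + "." + HMAC-SHA256 over it.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SERVER_KEY = b"constructed-server-key-not-real"  # shared by issuer and services


def _sign(payload: bytes) -> str:
    return base64.urlsafe_b64encode(
        hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()).decode()


def issue_token(user: str, audience: Optional[str], ttl: int = 600,
                now: Optional[float] = None) -> str:
    """Mint a token. audience=None models the weak design: the token names
    the user but not the service the user actually granted access to."""
    now = time.time() if now is None else now
    claims = {"sub": user, "exp": now + ttl}
    if audience is not None:
        claims["aud"] = audience
    payload = base64.urlsafe_b64encode(
        json.dumps(claims, sort_keys=True).encode()).decode()
    return f"{payload}.{_sign(payload.encode())}"


def accept(token: str, service: str, require_audience: bool,
           now: Optional[float] = None) -> bool:
    """Resource-server check. With require_audience=False any validly signed,
    unexpired token is honoured by every service (the flaw); with True the
    token must carry this service as its audience."""
    now = time.time() if now is None else now
    try:
        payload, sig = token.split(".")
    except ValueError:
        return False
    if not hmac.compare_digest(sig, _sign(payload.encode())):
        return False  # forged or tampered token
    claims = json.loads(base64.urlsafe_b64decode(payload))
    if claims["exp"] < now:
        return False  # stale token
    if require_audience:
        return claims.get("aud") == service
    return True


def demo(now: float = 1_000_000) -> dict:
    # The user only consented to a finance integration.
    weak = issue_token("alice", None, now=now)
    bound = issue_token("alice", "finance.google.com", now=now)
    return {
        "weak_token_at_drive": accept(weak, "drive.google.com", False, now),
        "bound_token_at_finance": accept(bound, "finance.google.com", True, now),
        "bound_token_at_drive": accept(bound, "drive.google.com", True, now),
        "tampered": accept(bound[:-4] + "AAAA", "finance.google.com", True, now),
        "expired": accept(bound, "finance.google.com", True, now + 601),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```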

View Source

Why Cash is King in Today’s Cyber World

Stealing Cash, it’s Even Better than Stealing Money…

There was a popular Aflac Insurance commercial series that ran several years ago featuring New York Yankee great Yogi Berra, known as much for his clever quips as his Hall of Fame baseball talents. In the spot Berra stated about the company, “they give you cash, which is just as good as money.” Turns out Yogi may have been onto something because in today’s cyber world, cash may be even better than money. Confused? Let me explain.

We are seeing some interesting trends amongst cybercriminals, where they are developing simple but effective methods that allow them to use cyber tools and tactics to steal cash. Now you may ask, haven’t they been doing this all along? No, they have been stealing money and valuables, but not cash. Herein lies the difference and why these schemes can be so dangerous.

One of the few comforts that security teams for high-risk industries such as banking and financial services enjoy is that while they are under constant attack, they are also very good at remediation and forensic analysis, so they are able to quickly trace the source of an attack and block it or recover assets. Unfortunately, those abilities and protections do not translate to a cash theft. Let’s use a simple analogy: if you are travelling and your credit card is lost or stolen, there are built-in protections for you. You can cancel the card, the credit card company will launch an investigation and in most cases, you will not be held responsible for any of the charges that took place once the card was compromised. However, if you are travelling with a couple of thousand dollars in cash that is lost or stolen, you are simply out of luck and the chances of ever recovering the money are nearly non-existent.

A perfect example of this type of scheme was back in early May when a global network used sheer manpower to steal more than $45 million from cash machines around the globe. In announcing the case, Brooklyn U.S. Attorney Loretta Lynch described the theft as “a massive 21st-century bank heist.” From what we are seeing in the security community, this is not a one-time incident, but a dangerous trend. A trend that puts even greater emphasis on the ability to predict which assets are most at risk within your organization and tightening security around them.

Rose Romero, a former federal prosecutor and regional director for the U.S. Securities and Exchange Commission, would seem to agree with this assessment. After these attacks were uncovered she stated that “unfortunately these types of cybercrimes involving ATMs, where you’ve got a flash mob going out across the globe, are becoming more and more common. I expect there will be many more of these types of crimes.”

Here’s a quick look at how, by using cyber tactics, hackers were able to turn a routine breach into a massive physical crime worth millions of dollars. By breaching bank databases, they were able to manipulate the accounts and eliminate withdrawal limits on pre-paid debit cards. This also created access codes that enabled them to load the critical data onto any plastic card with a magnetic stripe. Whether it was a real credit card or not did not matter as long as it carried the account data and correct access codes. A coordinated and highly effective scheme, as the dollar amounts indicate.

My colleague, Ken Pickering, is an expert on these matters and was a resource for media outlets ranging from the Associated Press to the BBC after the story first broke. I think Ken said it best in his interview with the AP, “Once you see a large attack like this where they made off with close to $45 million, that’s going to wake up the cybercrime community. Ripping off cash, you don’t get that back. There are suitcases full of cash floating around now, and that’s just gone.”

While the ATM example stated above represents an attack of a very sophisticated nature, we are also seeing a rise in quick and simple attacks designed to get away with cash in $50 – $100 increments as well. Another colleague, Matt Bergin, was recently featured in the New York Times after discovering he could hack a cash register remotely, popping it open, by sending two digits from his smartphone to the service running on the cash register’s point-of-sale system.

According to Matt, he and his team reverse-engineered Xpient’s point-of-sale system, expecting that to interact with it they would have to crack a password or break through a layer of encryption. To their surprise, they encountered neither. By simply sending a two-digit code from his phone to the point-of-sale system, they discovered that they could pop open the cash register remotely. Think about that for a moment. While it may not seem like the crime of the century, the ability to simply key in a couple of digits on a phone and be off with a handful of cash before anyone was the wiser could be very lucrative. The simplicity of this attack would also appear to transfer well to other low-tech locking systems such as internal access doors.

They always say in the investment world that cash is king. We are now seeing that in terms of cyber as well. While the numbers may be smaller, the chances of getting caught are also greatly reduced and this may encourage would-be hackers to be a bit bolder. Stealing cash, it’s even better than stealing money.

View Source

Mobile identity theft is one of the fastest growing types of identity theft due to the prevalence of mobile devices such as smartphones and tablets. With over one billion smartphones being used globally and research predicting this number will double by 2015, the soaring sales of mobile devices come at a time when identity theft is at an all-time high.

There was one victim of identity theft every three seconds in the U.S. in 2012, totaling 12.6 million consumers—an increase of over one million victims compared to the previous year and accounting for more than $21 billion, according to Javelin Strategy & Research’s 2013 Identity Fraud Report. These numbers are expected to rise, especially as our use of mobile devices continues to increase.

Preventing Mobile Identity Theft

Whether it’s for email, instant messaging, surfing the web, shopping online, paying bills, or even banking, we store and share an immense amount of personal data on our mobile devices. Unless steps are taken to protect it, this data is vulnerable to identity thieves who want to use it to create fake identities and steal money.

Apart from being convenient to use everywhere we go, smartphones are no different from desktop or laptop computers when it comes to hackers, viruses, malware, and spyware. Their apps and mobile browsers enable us to store personal information such as passwords, credit card numbers, and bank account data in addition to our contacts and other sensitive information. When this data is breached, however, the resulting identity theft can have severe and long-lasting consequences.

Fortunately, there are many actions you can take to secure your hand-held devices and avoid mobile identity theft. Here are a few tips:

- Create a strong password that is required to unlock your phone and access data. Make sure to set up the phone to automatically lock when it has not been used for a specified period of time.
- Never share sensitive data such as passwords or credit card numbers over an unsecured Wi-Fi connection. Even something as simple as purchasing movie tickets on an iPhone using a public Wi-Fi network can give a nearby hacker the opportunity to steal your data and use it to create a fake identity.
- Carefully review your phone bills for sudden increases in data usage. You also want to be on the lookout for charges from third-party content providers for services and apps you haven’t authorized. These can be signs that your phone has been hacked and put you at risk for mobile identity theft.
- Keep your operating system and apps up to date. These updates are important for keeping your smartphone or tablet current with all of the latest security enhancements.
- Make sure you are shopping on secure websites by verifying that the “s” is in the “https://” in the address bar. Websites using “http://” at the beginning of the website address are unsecure.

When trusted professionals or businesses use mobile devices to share information with clients, the same types of mobile identity theft are possible. Take, for example, healthcare professionals. Over 80 percent of physicians polled in an ABA Health survey revealed that they have used personal mobile devices to access the protected health information of their patients. This puts their patients at risk for mobile medical identity theft even when patients haven’t done anything to put their own identity in jeopardy.

Healthcare professionals can help secure medical records on mobile devices by creating passwords to authenticate access to patient information, and never sharing data over an unsecured Wi-Fi connection.

Mobile Identity Theft Protection Services

In spite of all the safeguards you put in place, hackers will always try to stay one step ahead of you and the available technology. Unfortunately, it’s not a matter of “if” but “when” your identity will be compromised. When it happens to you, don’t be caught without a mobile identity theft prevention plan.

There are a number of free mobile identity theft services, such as AVG, that offer anti-virus plans for mobile devices. Phones can be locked and located remotely, suspicious calls or text messages can be blocked, and widgets can detect questionable website activity.

The best identity theft protection service on the market is ID Theft Solutions. Managed by law enforcement professionals, ID Theft Solutions is the most comprehensive way to ensure your identity is recovered when it is stolen.

View Source

The National Security Agency leaks by Edward Snowden will easily go down as one of the biggest revelations of the year, if not the decade. But the episode also raises new questions about the risk that insiders pose to government and corporate cybersecurity, in spite of the attention lavished on foreign hackers.

Snowden’s case is unique in that it uncovered a previously unknown surveillance apparatus that’s massive in size and scope. The way the whistle-blower did his deed, however, is not unique. Two-thirds of all reported data breaches involve internal actors wittingly or unwittingly bringing sensitive information to outsiders, according to industry analysts.

“It’s not an either-or proposition,” said Mike DuBose, a former Justice Department official who led the agency’s efforts on trade-secret theft. “But amidst all the concern and discussion over foreign hacking, what gets lost is the fact that the vast majority of serious breaches involving trade secrets or other proprietary or classified information are still being committed by insiders.”

DuBose is now the head of the cyber investigations unit at the risk-management firm Kroll Advisory Solutions. In February, his team authored a report warning that contractors, information-technology personnel, and disgruntled employees—all descriptors that fit Snowden pretty well—pose a greater threat than hackers, “both in frequency and in damage caused.”

Not everyone agrees. Even though insiders generally play an outsized role across all reported data breaches, their role in confirmed data breaches is rather small, according to an annual study by Verizon. In 2012, specifically, internal actors accounted for 14 percent of confirmed data breaches. Of those, system administrators were responsible for 16 percent.

“Our findings consistently show,” the Verizon report read, “that external actors rule.”

However common they are, cases like Snowden’s show how devastating one insider can be. The extent of the damage depends on what’s being exfiltrated and from where, and there aren’t many standards for calculating losses. Most companies estimate the value of their trade secrets based on how much money they sank into the research and development of that knowledge. But for the government, it’s the potential security impact that takes precedence—and that turns the question into a matter of subjective debate.

Last month, The Washington Post reported that Chinese spies compromised the designs for some of the Pentagon’s most sensitive weapons systems, including the F-35 Joint Strike Fighter, the V-22 Osprey tiltrotor aircraft, and the Navy’s new Littoral Combat Ship.

If true, the report could have major consequences for national security. But Snowden’s case is equally consequential, if for different reasons, and it bolsters DuBose’s point about the relevance of insiders. Snowden may have rightfully uncovered evidence of government overreach, but if a mid-level contractor can steal top-secret information about the NSA and give it to the public in a gesture of self-sacrifice, someone else could do the same—but hand the intelligence to more nefarious actors.

View Source

It was a brazen bank heist, but a 21st-century version in which the criminals never wore ski masks, threatened a teller or set foot in a vault.

In two precision operations that involved people in more than two dozen countries acting in close coordination and with surgical precision, thieves stole $45 million from thousands of A.T.M.’s in a matter of hours.

In New York City alone, the thieves responsible for A.T.M. withdrawals struck 2,904 machines over 10 hours starting on Feb. 19, withdrawing $2.4 million.

The operation included sophisticated computer experts operating in the shadowy world of Internet hacking, manipulating financial information with the stroke of a few keys, as well as common street criminals, who used that information to loot the automated teller machines.

The first to be caught was a street crew operating in New York, their pictures captured as, prosecutors said, they traveled the city withdrawing money and stuffing backpacks with cash.

On Thursday, federal prosecutors in Brooklyn unsealed an indictment charging eight men — including their suspected ringleader, who was found dead in the Dominican Republic last month. The indictment and criminal complaints in the case offer a glimpse into what the authorities said was one of the most sophisticated and effective cybercrime attacks ever uncovered.

It was, prosecutors said, one of the largest heists in New York City history, rivaling the 1978 Lufthansa robbery, which inspired a scene in the movie “Goodfellas.”

Beyond the sheer amount of money involved, law enforcement officials said, the thefts underscored the vulnerability of financial institutions around the world to clever criminals working to stay a step ahead of the latest technologies designed to thwart them.

“In the place of guns and masks, this cybercrime organization used laptops and the Internet,” said Loretta E. Lynch, the United States attorney in Brooklyn. “Moving as swiftly as data over the Internet, the organization worked its way from the computer systems of international corporations to the streets of New York City, with the defendants fanning out across Manhattan to steal millions of dollars from hundreds of A.T.M.’s in a matter of hours.”

The indictment outlined how the criminals were able to steal data from banks, relay that information to a far-flung network of so-called cashing crews, and then have the stolen money laundered in purchases of luxury items like Rolex watches and expensive cars.

In the first operation, hackers infiltrated the system of an unnamed Indian credit-card processing company that handles Visa and MasterCard prepaid debit cards. Such companies are attractive to cybercriminals because they are considered less secure than financial institutions, computer security experts say.

The hackers, who are not named in the indictment, then raised the withdrawal limits on prepaid MasterCard debit accounts issued by the National Bank of Ras Al-Khaimah, also known as RakBank, which is in the United Arab Emirates.

Once the withdrawal limits have been eliminated, “even a few compromised bank account numbers can result in tremendous financial loss to the victim financial institution,” the indictment states. And by using prepaid cards, the thieves were able to take money without draining the bank accounts of individuals, which might have set off alarms more quickly.

With five account numbers in hand, the hackers distributed the information to individuals in 20 countries who then encoded the information on magnetic-stripe cards. On Dec. 21, the cashing crews made 4,500 A.T.M. transactions worldwide, stealing $5 million, according to the indictment.

While the street crews were taking money out of bank machines, the computer experts were watching the financial transactions from afar, ensuring that they would not be shortchanged on their cut, according to court documents.

Read More

JP Morgan Chase denied this evening that it had suffered a hack that many customers claimed had suddenly reduced their checking account balances to zero.

After discovering the apparently empty accounts via the Internet or mobile devices, many Chase banking customers turned to Twitter to express their frustration and show screen shots of zero balances. Other users were greeted with messages that their bank account balances were unavailable.

But a spokesperson for the bank told CNET this evening that the problem was related to an internal issue and not a security breach.

“We have a technology problem regarding customers’ balance information that we are working to resolve,” the spokesperson said. “It has nothing to do with cyberthreats; it’s an internal issue. We are very sorry to our customers for the inconvenience.”

The representative said credit card and mortgage accounts were unaffected by the issue. She did not say how many customers were affected or when the bank expected to have the issue resolved.

Chase issued a statement on its support account on Twitter a couple of hours later indicating it had resolved the issue:

“*UPDATE* We’re back to business as usual on http://Chase.com & Mobile. Apologies again for the trouble & thank you for your patience.”

Customers’ suspicions about a possible security breach are natural, with the zero balances appearing less than a week after a massive distributed-denial-of-service attack rendered Chase’s Web sites useless for many hours. Customers trying to use the site’s tools were instead greeted with a note that the site was “temporarily down.”

Hackers have ratcheted up their assaults on financial institutions in recent months, using DDoS attacks to take down Wells Fargo, Bank of America, Chase, Citigroup, HSBC, and others. Though initially it was unclear who was behind the attacks, government officials and security researchers said in January that Iran was responsible for these cyberattacks.

In its December report, security company McAfee said that attacks on U.S. financial institutions are only going to increase in 2013. The firm said that this isn’t just a possibility; it’s a “credible threat.” Anonymous has also threatened to increase its activity in 2013.

View Source

Two California men have been indicted for allegedly hacking point-of-sale terminals at Subway shops to steal at least $40,000.

Prosecutors accused Shahin Abdollahi, aka “Sean Holdt,” and Jeffrey Thomas Wilkinson of hacking at least 13 point-of-sale (POS) terminals to install software that fraudulently loaded at least $40,000 onto Subway gift cards, according to an indictment unsealed in Boston on Friday (see below). The pair then allegedly used the cards to make purchases at Subway shops and sold them on eBay and Craigslist.

Abdollahi owned a Subway franchise in Southern California from 2005 to 2008 and later ran a business called POS Doctor that sold POS terminals to Subways across the country, according to the Justice Department. Around 2011, Abdollahi allegedly sold terminals to Subway franchises in California, Massachusetts, and Wyoming that were loaded with LogMeIn, a remote desktop tool.

Both defendants were charged with one count of conspiracy to commit computer intrusion and wire fraud, as well as with a separate count of wire fraud.

This isn’t the first time Subway POS terminals have fallen victim to intrusion. Last year, two Romanian men pled guilty to hacking point-of-sale terminals at hundreds of Subway sandwich stores in the U.S. to steal credit card data from more than 146,000 accounts.

Interestingly, the indictments were announced by Carmen Ortiz, the U.S. attorney for Massachusetts, who oversaw the criminal case of Aaron Swartz before the Internet activist’s suicide in January.

View Source

Federal Reserve confirms its Web site was hacked

Days after Anonymous claimed to have stolen and published private information from more than 4,000 bank executives, the Fed says its system was attacked.

The wave of high-level cyberattacks continues as the Federal Reserve confirmed that one of its internal Web sites was hacked into today, according to Reuters.

“The Federal Reserve system is aware that information was obtained by exploiting a temporary vulnerability in a website vendor product,” a Fed spokeswoman told Reuters. “Exposure was fixed shortly after discovery and is no longer an issue. This incident did not affect critical operations of the Federal Reserve system.”

Apparently the hackers accessed data associated with specific individuals, according to Reuters.

This attack comes on the heels of the hacking group Anonymous claiming on Sunday to have published login and private information from more than 4,000 U.S. bank executive accounts. The group may have gotten this data from the Federal Reserve’s computers.

It’s unclear if the two breaches are connected. Government officials did not say which of its Web sites were hacked. However, according to Reuters, it was most likely an internal contact database for banks to use during natural disasters.

The cyberattack on the Federal Reserve comes after a slew of continuous hacks in the U.S. The Department of Energy confirmed yesterday that its internal system was breached and employee data was stolen; and last week, hackers hit several U.S. media outlets.

Read More

Unusual activity was seen in the paper’s computer systems during a probe on China’s prime minister. The Times then discovered that the corporate passwords for every employee had been stolen.

After a lengthy newspaper investigation on China’s prime minister, The New York Times claims, the newspaper’s computer systems were infiltrated and attacked by Chinese hackers.

The attacks began four months ago and culminated with hackers stealing the corporate password for every Times employee, according to the paper. The personal computers of 53 of these employees were also broken into and spied on.

The Times discovered the attacks after observing “unusual activity” in its computer system. Security investigators were then able to get into the system and track the hackers’ movements, see what the infiltrators were after, and eventually “expel them.”

Hackers penetrated the newspaper’s computers as one of its reporters, David Barboza, was wrapping up an investigation into the family wealth of Chinese Prime Minister Wen Jiabao. Once the story published in October, the hackers’ activity intensified. According to The New York Times, they were after information on the sources and contacts for Barboza’s story.

In order to find out more of who was behind the cyberattacks, The Times hired computer security firm Mandiant. Experts from this firm were able to detect and block the attacks, while watching the hackers’ every move, the paper said.

The newspaper’s executive editor, Jill Abramson, said there was “no evidence that sensitive e-mails or files from the reporting of our articles about the Wen family were accessed, downloaded, or copied.”

According to the Times, the methods these hackers used were similar to past attacks by the Chinese military. These methods include routing attacks through U.S. university computers, constantly changing IP addresses, using e-mail malware to get into the computer system, and installing custom software to target specific individuals and documents.

China’s Ministry of National Defense has denied that the government had anything to do with the hacking spree. “Chinese laws prohibit any action including hacking that damages Internet security,” the Ministry told the Times. “To accuse the Chinese military of launching cyberattacks without solid proof is unprofessional and baseless.”

It’s not unusual for governments to wage cyberattacks against other countries’ media, agencies, and facilities. Iran allegedly waged an attack on the U.K.’s BBC News last March; and earlier this month, the U.S. government claimed Iran was responsible for a massive wave of cyberattacks on U.S. banks.

The U.S. has also allegedly waged its own hacking war against Iranian power plants, oil companies, and nuclear facilities with three viruses called Flame, Stuxnet, and Duqu.

Chinese cyberespionage against the U.S. has reportedly been a growing threat for some years now. The U.S. Economic and Security Review Commission on China sent a report to Congress in November that urged lawmakers to take preventative action. The report called China the “most threatening actor in cyberspace” and found that in 2012, Chinese state-sponsored hackers continued to target computer systems run by the U.S. government and military, as well as the private sector.

Despite the Times being able to shut out the hackers for now, it doesn’t mean the newspaper won’t become the target of another attack.

“This is not the end of the story,” Mandiant’s chief security officer, Richard Bejtlich, told the Times. “Once they take a liking to a victim, they tend to come back. It’s not like a digital crime case where the intruders steal stuff and then they’re gone. This requires an internal vigilance model.”

View Source