Tag: Hacking

FBI Cyber Expert Fights Real-world Crime

J. Keith Mularski’s world has expanded greatly since he stopped selling discount furniture to join the FBI in 1998. Especially since he transferred from Washington, D.C., in 2005 to fill a vacancy in the Pittsburgh field office’s cyber squad — which he now heads.

Since then, Supervisory Special Agent Mularski has been recognized as a foremost expert on cyber crime. His profile has risen even more since the Justice Department used Mularski’s sleuthing to bring two indictments with worldwide ramifications.

In May, five Chinese Army intelligence officers were charged with stealing trade secrets from major manufacturers including U.S. Steel, Alcoa and Westinghouse.

In June, a Russian man was charged with leading a ring that infected hundreds of thousands of computers with identity-thieving software, then using the stolen information to drain $100 million from bank accounts worldwide.

Mularski, 44, said in April during an oral history interview for the National Law Enforcement Museum that he became a furniture salesman out of college because jobs were hard to come by then. He spent about five years in the business before joining the FBI.

“I was in private industry beforehand. But I’ve kind of always liked computers,” Mularski told The Associated Press during a recent interview.

All 56 FBI field offices have cyber squads. Mularski chose Pittsburgh largely because of family considerations — he grew up in suburban White Oak, the son of a steelworker.

“It kind of looked like cyber was the wave of the future,” Mularski said. “The majority of all my computer training was just on-the-job training at the bureau.”

It has proved remarkably effective.

Even before the Chinese and Russian cases made worldwide headlines, Mularski was making cyber waves.

He made his reputation infiltrating Dark Market in 2006. The worldwide Internet forum allowed crooks to buy and sell stolen identity and credit card information.

Mularski infiltrated the network by pretending to be a notorious Polish computer hacker using the screen name “Master Splyntr” — a takeoff on the cartoon rat who guides the Teenage Mutant Ninja Turtles.

Mularski was inspired while watching the cartoon character with his young son: “He’s a rat that lives underground. It was perfect,” he said.

Mularski befriended the criminal mastermind behind the site and persuaded him to let Mularski move the operation onto new computer servers. The servers happened to belong to the FBI, which led to more than 60 arrests worldwide.

Misha Glenny, a British journalist who specializes in cyber crime, wrote a book about the case called “Dark Market, How Hackers Became the New Mafia.”

“Keith Mularski is not without technical ability, but his real talent lies in convincing experienced cyber criminals that he is one of them and not a law enforcement officer,” Glenny told the AP.

His aw-shucks demeanor also makes him an ideal team player.

“He has an understanding of the whole grid, and then he develops relationships, whether it’s with victims, the private sector, and our international partners,” said David Hickton, the U.S. attorney in Pittsburgh.

Those partnerships are important because the United States doesn’t have extradition treaties to bring the Chinese and Russian suspects here for prosecution. Those defendants could be arrested if they travel into areas that cooperate with the U.S., but Hickton and Mularski said that’s not the only purpose served by those indictments.

“The best result is to be able to get cuffs on a guy,” Mularski said. “But you have to measure how you can impact each (criminal) organization.”

In the Russian case, Mularski got a federal judge in Pittsburgh to allow the Justice Department to monitor some 350,000 computers infected with malicious software, so the thievery could be stopped.

The Chinese indictment, meanwhile, was a “put up” to the Chinese government’s rumblings that the U.S. government should “shut up” about ongoing cyberspying allegations unless they could be proved, Mularski said.

Some cases produce a more tangible result.


WASHINGTON — Chinese hackers in March broke into the computer networks of the United States government agency that houses the personal information of all federal employees, according to senior American officials. They appeared to be targeting the files on tens of thousands of employees who have applied for top-secret security clearances.

The hackers gained access to some of the databases of the Office of Personnel Management before the federal authorities detected the threat and blocked them from the network, according to the officials. It is not yet clear how far the hackers penetrated the agency’s systems, in which applicants for security clearances list their foreign contacts, previous jobs and personal information like past drug use.

In response to questions about the matter, a senior Department of Homeland Security official confirmed that the attack had occurred but said that “at this time,” neither the personnel agency nor Homeland Security had “identified any loss of personally identifiable information.” The official said an emergency response team was assigned “to assess and mitigate any risks identified.”

One senior American official said that the attack was traced to China, though it was not clear if the hackers were part of the government. Its disclosure comes as a delegation of senior American officials, led by Secretary of State John Kerry, are in Beijing for the annual Strategic and Economic Dialogue, the leading forum for discussion between the United States and China on their commercial relationships and their wary efforts to work together on economic and defense issues.

Computer intrusions have been a major source of discussion and disagreement between the two countries, and the Chinese can point to evidence, revealed by Edward J. Snowden, that the National Security Agency went deep into the computer systems of Huawei, a major maker of computer network equipment, and ran many programs to intercept the conversations of Chinese leaders and the military.

American officials say the attack on the Office of Personnel Management was notable because while hackers try to breach United States government servers nearly every day, they rarely succeed. One of the last attacks the government acknowledged occurred last year at the Department of Energy. In that case, hackers successfully made off with employee and contractors’ personal data. The agency was forced to reveal the attack because state disclosure laws force entities to report breaches in cases where personally identifiable information is compromised. Government agencies do not have to disclose breaches in which sensitive government secrets, but no personally identifiable information, has been stolen.


If you’re a Comcast cable customer, your home’s private Wi-Fi router is being turned into a public hotspot.

It’s been one year since Comcast (CMCSA) started its monster project to blanket residential and commercial areas with continuous Wi-Fi coverage. Imagine waves of wireless Internet emitting from every home, business and public waiting area.

Comcast has been swapping out customers’ old routers with new ones capable of doubling as public hotspots. So far, the company has turned 3 million home devices into public ones. By year’s end it plans to activate that feature on the other 5 million already installed.

Anyone with an Xfinity account can register their devices (laptop, tablet, phone) and the public network will always keep them registered — at a friend’s home, coffee shop or bus stop. No more asking for your cousin’s Wi-Fi network password.

But what about privacy? It seems like Comcast did this the right way. It’s potentially creepy and annoying. But the upside is Internet everywhere.

Outsiders never get access to your private, password-protected home network. Each box has two separate antennae, Comcast explained. That means criminals can’t jump from the public channel into your network and spy on you.

And don’t expect every passing stranger to get access. The Wi-Fi signal is no stronger than it is now, so anyone camped in your front yard will have a difficult time tapping into the public network. This system was meant for guests at home, not on the street.

As for strangers tapping your router for illegal activity: Comcast said you’ll be guilt-free if the FBI comes knocking. Anyone hooking up to the “Xfinity Wi-Fi” public network must sign in with their own traceable, Comcast customer credentials.

Still, no system is foolproof, and this could be unnecessary exposure to potential harm. Craig Young, a computer security researcher at Tripwire, has tested the top 50 routers on the market right now. He found that two-thirds of them have serious weaknesses. If a hacker finds one in this Comcast box, all bets are off.

“If you’re opening up another access point, it increases the likelihood that someone can tamper with your router,” he said.


But this time he’s wearing Google Glass — and he’s after your iPad PIN.

Cyber forensics experts at the University of Massachusetts in Lowell have developed a way to steal passwords entered on a smartphone or tablet using video from Google’s face-mounted gadget and other video-capturing devices. The thief can be nearly ten feet away and doesn’t even need to be able to read the screen — meaning glare is not an antidote.

The security researchers created software that maps the shadows from fingertips typing on a tablet or smartphone. Their algorithm then converts those touch points into the actual keys they were touching, enabling the researchers to crack the passcode.

They tested the algorithm on passwords entered on an Apple (AAPL) iPad, Google’s (GOOGL) Nexus 7 tablet, and an iPhone 5.

Why should you be worried?

“We could get your bank account password,” researcher Xinwen Fu said.

The software can be applied to video taken on a variety of devices: Fu and his team experimented with Google Glass, cell phone video, a webcam and a camcorder. The software worked on camcorder video taken at a distance of over 140 feet.

Of course, pointing a camcorder in a stranger’s face might yield some suspicion. The rise of wearable technology is what makes this approach actually viable. For example, a smartwatch could stealthily record a target typing on his phone at a coffee shop without drawing much attention.

Fu says Google Glass is a game-changer for this kind of vulnerability.

“The major thing here is the angle. To make this attack successful the attacker must be able to adjust the angle to take a better video … they see your finger, the password is stolen,” Fu said.

Google says that it designed Glass with privacy in mind, and it gives clear signals when it is being used to capture video.

“Unfortunately, stealing passwords by watching people as they type them into ATMs and laptops is nothing new,” said Google spokesman Chris Dale. “The fact that Glass is worn above the eyes and the screen lights up whenever it’s activated clearly signals it’s in use and makes it a fairly lousy surveillance device.”


Computerworld – A Missouri escrow firm that lost $440,000 in a 2010 cyberheist cannot hold its bank responsible, an appeals court ruled this week.

The Court of Appeals for the Eighth Circuit’s decision this month affirmed a lower court ruling in the case.

The appeals court also held that the escrow firm can be held responsible for the bank’s attorney fees in the case.

In a 25-page ruling, the appeals courts agreed with a Missouri district court ruling in March 2013 that blamed Choice Escrow and Title LLC for the loss because it failed to follow the bank’s recommended security precautions.

Choice Escrow filed the lawsuit against BancorpSouth Bank in November 2010 after unknown attackers stole the username and password to the company’s online bank account and used the credentials to transfer $440,000 to an account in Cyprus.

Choice Escrow claimed that the theft occurred because the bank failed to implement commercially reasonable security measures as defined in the Funds Transfer Act provisions of the Uniform Commercial Code (UCC). Choice Escrow maintained that BancorpSouth should have known the wire transfer request was fraudulent because it was initiated from outside the U.S — something that had never happened before with its account.

BancorpSouth countered by saying that the loss resulted from Choice Escrow’s failure to implement the bank’s recommended security precautions for wire transfers.

The bank pointed to several controls it had in place for wire transfers. The bank said it had urged Choice Escrow to use the controls. For instance, the bank said it requested that Choice Escrow adopt a dual-control process that would require two people to sign all wire transfer requests. BancorpSouth also asked officials at Choice Escrow to put an upper limit on wire transfers.

Choice Escrow chose not to follow either recommendation, the bank said.

BancorpSouth noted that the fraudulent wire transfer was initiated by someone using Choice Escrow’s legitimate banking credentials and a computer that appeared to belong to the company. The bank claimed it had acted in good faith when it executed the wire transfer request because there was nothing to indicate it was fraudulent.

The Missouri district court agreed that BancorpSouth had taken reasonable measures to protect against illegal wire transfers, and faulted Choice Escrow for not following the bank’s recommendations. The court ruled the fraud may not have occurred if the company had followed the instructions.

The appeals court’s ruling went one step further by holding that BancorpSouth can seek to recover its attorney’s fees from Choice Escrow.

Choice Escrow is one of numerous companies, municipal governments and school districts that have been victimized by similar online heists in recent years.


Hackers locking iPhones, demand ransoms

(CNN) – A large number of people, mostly located in Australia, are reporting they have come under an unexplained attack that holds their iPhones and iPads hostage and demands they pay a $100 ransom.

The attack appears to work by compromising iCloud accounts associated with the disabled devices, according to an Apple support forum discussion that started Sunday morning and quickly accumulated several hundred posts.

Commandeered devices typically emit a loud tone that’s associated with a feature that helps users locate lost or stolen devices. iPhones and iPads also display the message: “Device hacked by Oleg Pliss. For unlock device, you need send voucher code by 100 usd/eur (Moneypack/Ukash/PaySafeCard) to email:lock404@hotmail.com for unlock.”

In some cases—specifically, when a user hasn’t assigned a strong passcode to a locked device—it can only be unlocked by performing a factory reset, which completely wipes all previously stored data and apps.

The mass compromise is a variation on so-called ransomware scams, which initially targeted Windows PC users and earlier this month were found targeting smartphone users running Google’s Android OS.

The forum accounts provide strong evidence that victims’ Apple IDs and passwords have been compromised so that attackers can remotely lock connected devices using Apple’s Find My iPhone service.

But so far it remains unclear exactly how the attackers are compromising the iCloud accounts.

While it’s possible the hijackers used phishing attacks or hacked password databases to obtain the credentials, those explanations are undermined by the observation that the vast majority of victims were located in Australia and reported using a variety of e-mail providers. Typically, phishing campaigns and database compromises involving multiple providers affect users from more geographic regions.


A 19-year-old Canadian man has become the first person arrested in relation to the Heartbleed security vulnerability, which he used to steal taxpayer information.

The Royal Canadian Mounted Police (RCMP) is accusing Stephen Arthuro Solis-Reyes of hacking into the Canada Revenue Agency’s (CRA) website late last week.

Solis-Reyes, of London, Ontario, is suspected of stealing around 900 Social Insurance Numbers.

“It is believed that [Mr] Solis-Reyes was able to extract private information held by CRA by exploiting the vulnerability known as the Heartbleed bug,” the RCMP said in a statement.

“The RCMP treated this breach of security as a high priority case and mobilized the necessary resources to resolve the matter as quickly as possible,” RCMP assistant commissioner Gilles Michaud said. “Investigators from National Division, along with our counterparts in ‘O’ Division have been working tirelessly over the last four days analyzing data, following leads, conducting interviews, obtaining and executing legal authorizations and liaising with our partners.”

Solis-Reyes has been charged with “unauthorized use of a computer” and “mischief in relation to data.” He is scheduled to appear in court on July 17.

The 19-year-old is a second-year student at Western University, located in his hometown. In high school, he was on a team that won first place in a programming competition at the London District Catholic School Board. He has also authored a BlackBerry phone app that solves Sudoku puzzles, according to The Globe and Mail.

His father is a Western computer science professor. The family lived in Lafayette, Indiana before moving to Ontario.

Early last week, the open-source OpenSSL project released an emergency security advisory warning of Heartbleed, a bug in the library’s TLS heartbeat extension that lets an attacker read chunks of a vulnerable server’s memory, which can include private keys, session cookies and passwords, allowing attackers to decrypt captured traffic and even impersonate the server. Heartbleed was first noticed by a Google researcher and Codenomicon, a Finnish security firm.
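The mechanism behind the bug, as an added example that is not part of the original article or of OpenSSL’s code: a toy heartbeat handler written in the shape of the unpatched one, beside the bounds check the fix added. The “process memory”, the secret string that sits after the heartbeat record, and the record layout are constructed for the demonstration; the peer-controlled 16-bit length field and the 16-byte minimum padding in the check follow the real protocol.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HB_PADDING 16   /* minimum padding the patched check insists on */

/* Constructed secret placed right after the heartbeat record, standing in
 * for whatever happened to be adjacent to it on the real heap. */
static const char SECRET[] = "-----BEGIN RSA PRIVATE KEY-----";

/* Lay out a heartbeat record in `mem`: 1 byte type, 2-byte big-endian
 * claimed payload length, the real payload, 16 bytes padding, then the
 * secret. Returns the true record length, which the TLS layer knows. */
size_t build_memory(uint8_t *mem, size_t mem_size, const char *payload,
                    size_t payload_len, uint16_t claimed_len)
{
    size_t rec_len = 3 + payload_len + HB_PADDING;
    if (rec_len + sizeof SECRET > mem_size) return 0;
    memset(mem, 0, mem_size);
    mem[0] = 1;                                  /* TLS1_HB_REQUEST */
    mem[1] = (uint8_t)(claimed_len >> 8);
    mem[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(mem + 3, payload, payload_len);
    memcpy(mem + rec_len, SECRET, sizeof SECRET);
    return rec_len;
}

/* Shape of the unpatched handler: the peer's claimed length drives the
 * memcpy and the real record length is never consulted, so the response
 * echoes whatever follows the record in memory. Caller frees the result. */
uint8_t *vulnerable_heartbeat(const uint8_t *rec, size_t rec_len, size_t *resp_len)
{
    (void)rec_len;                               /* the bug: ignored */
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    uint8_t *resp = malloc(3 + payload + HB_PADDING);
    if (!resp) return NULL;
    resp[0] = 2;                                 /* TLS1_HB_RESPONSE */
    resp[1] = rec[1];
    resp[2] = rec[2];
    memcpy(resp + 3, rec + 3, payload);          /* over-read happens here */
    memset(resp + 3 + payload, 0, HB_PADDING);
    *resp_len = 3 + payload + HB_PADDING;
    return resp;
}

/* Shape of the patched handler: the claimed length, plus header and
 * padding, must fit inside the record or the message is silently dropped. */
uint8_t *fixed_heartbeat(const uint8_t *rec, size_t rec_len, size_t *resp_len)
{
    if (rec_len < 3) return NULL;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)1 + 2 + payload + HB_PADDING > rec_len) return NULL;
    return vulnerable_heartbeat(rec, rec_len, resp_len);  /* now in bounds */
}

/* 1 if the response carries the secret, 0 otherwise. */
int response_leaks_secret(const uint8_t *resp, size_t resp_len)
{
    if (!resp) return 0;
    for (size_t i = 0; i + sizeof SECRET - 1 <= resp_len; i++)
        if (memcmp(resp + i, SECRET, sizeof SECRET - 1) == 0) return 1;
    return 0;
}

/* Send a 2-byte payload with the given claimed length to the unpatched
 * handler; returns 1 if the secret leaked. */
int vulnerable_leaks(uint16_t claimed_len)
{
    uint8_t mem[256];
    size_t n, rec_len = build_memory(mem, sizeof mem, "hi", 2, claimed_len);
    uint8_t *r = vulnerable_heartbeat(mem, rec_len, &n);
    int leaked = response_leaks_secret(r, n);
    free(r);
    return leaked;
}

/* Same record to the patched handler; returns 1 if a response was sent. */
int fixed_accepts(uint16_t claimed_len)
{
    uint8_t mem[256];
    size_t n, rec_len = build_memory(mem, sizeof mem, "hi", 2, claimed_len);
    uint8_t *r = fixed_heartbeat(mem, rec_len, &n);
    int sent = r != NULL;
    free(r);
    return sent;
}

int main(void)
{
    printf("unpatched, claimed 200: leaks secret = %d\n", vulnerable_leaks(200));
    printf("patched,   claimed 200: response sent = %d\n", fixed_accepts(200));
    printf("patched,   claimed 2:   response sent = %d\n", fixed_accepts(2));
    return 0;
}
```

The over-read stays inside the constructed `mem` array, so the toy is well defined; in the real library the same memcpy ran off the end of the record into neighbouring heap allocations, up to 64 KB per heartbeat, and an attacker could repeat it as often as it liked.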

The Canada Revenue Agency (CRA) reported that the private information of about 900 people was stolen thanks to Heartbleed’s impact. CRA became one of the first major organizations to curtail services as a result of the vulnerability.

“Regrettably, the CRA has been notified by the government of Canada’s lead security agencies of a malicious breach of taxpayer data that occurred over a six-hour period” last week, CRA said on Monday.

Private firms and governments are working to patch their vulnerabilities to the bug, yet more breaches are expected.

The Canadian government “was really slow on this,” Christopher Parsons from the Citizen Lab at the Munk School of Global Affairs at the University of Toronto told CBC.

Yahoo was one major private entity to immediately address its exposure to Heartbleed, claiming it had successfully updated its servers after hearing of the bug.

“If you look at Yahoo, it had begun updating its security practices prior to the CRA fully taking action,” Parsons said. “The same thing with other larger companies. As soon as they saw what was going on, they immediately reacted and issued public statements.”


Dramatic changes are needed in multiple fronts if the security industry hopes to move ahead of cybercriminals, who are continuously finding new ways to breach corporate systems, experts say.

Some technology pros say the industry needs to develop new technologies and architectures that send hackers back to the drawing boards.

“I think we’re in a security rut right now,” Ed Amoroso, chief security officer for AT&T, said, ThreatPost reports. Amoroso made the remarks this week during a panel discussion at the Billington Cybersecurity Summit.

While other experts agree hackers are winning, they are hesitant to blame it on a lack of new technology.

“The call for more innovation is only focusing on the technology aspect,” Murray Jennex, a professor of computer science at San Diego State University, told CSOonline. “I agree we need more innovation, but that innovation by itself will not give us better security.”

What else is needed is more effective sharing of attack data between security professionals working for vendors and corporations.

“My research has found it takes much less knowledge to use existing technologies to attack than it is to defend,” Jennex said. “Security professionals need more knowledge to do their job than attackers do.”

However, the attackers are the ones who are faster at sharing exploits for the latest products, Jennex said.

On the white hat side, security professionals get paid for how they defend, not what they share, and companies view knowledge as a competitive advantage. In addition, companies fear being sued by customers or partners, if the data shared relates to them.


Also giving hackers a leg up is manufacturers failing to make security a priority in the design process. This is particularly true with industrial control systems (ICS).

“If we can build in immunity from attack, then we don’t have to defend against it,” said Eric Cosman, a member of the ICS Joint Working Group at the International Society of Automation.

The blame for not having more products secure by design lies as much with the buyer as the manufacturer, said Paul Rivers, Manager of System and Network Security at the University of California, Berkeley.

This is particularly true with mobile devices. Security is not a high priority with consumers, so manufacturers turn their attention to more desirable features, such as ease of use, music, video and voice recognition.

“Until that changes, I don’t think you’re going to see some new Silicon Valley startup with the first feature on their feature list being security related,” Rivers said.

Marc Hoit, vice chancellor for information technology at North Carolina State University, said ignorance on the part of technology users also contributes to the number of security breaches, which makes it seem that defensive technology isn’t working.

“Most of the infections come from poor user behavior and unpatched systems,” Hoit said.

People are too quick to click on attachments and companies have a lot of difficulty keeping software up-to-date, which leaves known vulnerabilities unpatched, experts say.

On the research side, Hoit said a lot of work is being done at NCSU and other universities in spotting abnormalities in a network through better algorithms for analyzing massive amounts of data from hardware, software and network traffic.

Internet2, a nonprofit research organization comprised of more than 450 universities, businesses and government agencies, is conducting a lot of security research, Hoit said. However, researchers often have difficulty getting access to the Internet traffic needed for their work.

“It’s a privacy and security issue,” Hoit said. “I don’t know any open network providers that will give you their traffic flow.”

So while the industry struggles with multiple issues, hackers operate in a simpler world where the only focus is on breaking into systems.


Federal prosecutors in New Jersey say they’ve busted what could be the biggest credit card hacking fraud in US history, with companies such as NASDAQ, 7-Eleven, and Dow Jones falling prey to an Eastern European criminal gang.

According to the indictment, the gang stole data on up to 160 million credit cards and then sold them on in underground forums so that they could be written onto blank cards and be used to withdraw funds. The losses for just three of the many companies they targeted came to over $300m, according to the authorities.

“This type of crime is the cutting edge. Those who have the expertise and the inclination to break into our computer networks threaten our economic well-being, our privacy, and our national security,” said US Attorney Paul Fishman in a statement.

“This case shows there is a real practical cost because these types of frauds increase the costs of doing business for every American consumer, every day. We cannot be too vigilant and we cannot be too careful.”

The five men – four Russians and a Ukrainian national – were charged with conspiracy to gain unauthorized access to computers and wire fraud, with additional charges that could see four of the five each facing an extra 120 years in prison.

The government alleges that two of the Russians, Vladimir Drinkman, 32, and Alexandr Kalinin, 26, were the group’s hacking team who carried out the penetration of target firms, usually exploiting SQL injection attacks and then installing trojan software to harvest credit card and personal information from corporate servers.

The two are well known to prosecutors as former associates of cybercrime-kingpin-turned-US-Secret-Service-snitch-turned-recidivist-cyberblagger Albert Gonzalez and are thought to have been the duo behind the successful 2009 hacking of Heartland Payment Systems.

Once the data had been slurped it was passed over to the team’s Russian analyst Roman Kotov, 32, who identified the most valuable credit cards and the ancillary information needed to use the numbers for fraudulent traffic, the government claims.

This was then passed on to Muscovite Dmitriy Smilianets, 29, for resale on underground message boards, with the Ukrainian Mikhail Rytikov, 26, providing the anonymous ISP services to enable the sale.

The gang sold US credit-card data ready to be slapped onto a blank card for around $10 per number, while Canadian cards went for $15, and European cards for $50 per user. The gang sold only to credentialed underground buyers, and offered volume discounts for larger buyers.

Drinkman and Smilianets were arrested in the Netherlands in June 2012 after the Dutch police were tipped off by the US authorities and are currently being extradited to the US for trial. Kalinin, Kotov, and Rytikov are still at large.

“As is evident by this indictment, the Secret Service will continue to apply innovative techniques to successfully investigate and arrest transnational cyber criminals,” said Special Agent in Charge Mottola of the Newark, New Jersey, Field Office.

“While the global nature of cyber-crime continues to have a profound impact on our financial institutions, this case demonstrates the global investigative steps that U.S. Secret Service Special Agents are taking to ensure that criminals will be pursued and prosecuted no matter where they reside.”


Companies use cyberdefense to limit damage

SEATTLE — Disclosures last week about network intrusions at the New York Times and the Federal Reserve demonstrate that some companies have begun taking progressive steps to detect – and limit damage – from persistent cyberintruders.

Thieves and spies are hacking into company networks as intensively as ever. But some large organizations are starting to limit the damage they can do, once inside. Information about successful defense strategies is being more widely shared for the greater good.

“If you stop the bad actor from taking action on his or her objective, you win,” says Steve Adegbite, director of cybersecurity at defense giant Lockheed Martin.

In the past 18 months, U.S. companies and agencies have more readily acknowledged that breaches are occurring daily and have moved to update systems for detecting persistent intruders and limiting the damage they can do, security experts say.

The New York Times hired forensics firm Mandiant, which used military-style counter-intelligence tactics to detect and cripple intruders, who appeared to be based in China. The paper then surprised many in the security community by sharing details of Mandiant’s findings.

“It’s turning a page,” says Kurt Baumgartner, senior security analyst at Kaspersky Lab. “They immediately disclosed what the attackers were looking for, down to the reporters’ material the attackers were hunting.”

A day after the Times disclosure, The Wall Street Journal announced that it, too, detected and blocked network intruders, who also appeared to originate from China. Last Thursday, the Federal Reserve disclosed a breach of one of its internal websites. The hacking collective Anonymous claimed responsibility for the hack. The intruders got access to emergency contact information for 4,000 banking executives. But the agency said no critical operations were affected.

Those cases illustrate how companies and agencies are focusing on tactics to flush out intrusions in progress and prevent attackers from accessing the most valuable intellectual property, says Eddie Schwartz, chief information security officer at security firm RSA.

“There is a growing awareness that organizations are under constant attack in terms of nation-state espionage, organized criminal theft and hacktivist action and that they must implement equally advanced and committed defenses,” says Schwartz.

Security analysts hope that other breached organizations, led by the Times’ example, share detailed intelligence about both successes and failures in defending against cyberintruders.

“It’s like being at an Alcoholics Anonymous meeting — first you have to acknowledge you have a problem,” says Gunter Ollmann, chief technology officer at security consultancy IOActive.

Chris Petersen, chief technology officer at tech systems provider LogRhythm, cautions that cybercrime has become a rich and resilient global industry that won’t soon relent. “The motivations driving malicious cyberactivities continue to rise,” he says. “There is money to be made, points to get across and war to wage.”
