Tuesday, September 29, 2009

Advertising Security

Last weekend, the New York Times website suffered a security breach through advertising. According to an article on the Times website regarding the breach, "an unknown person or group sneaked a rogue advertisement onto the web site's pages." Much like the advertisements RR mentioned in his post on September 20, these ads informed users that their computers were infested with viruses, and that they needed to purchase antivirus software to protect themselves.

According to the Times, ads on any website are generally approved either by the owner of the website itself or by ad networks, the middlemen of the advertising world. When the Times staff was informed of malicious pop-ups, they immediately stopped displaying ads from these ad networks, but the ad in question had in fact been approved by the advertising department of the Times itself, because the buyers had posed as Vonage, a legitimate advertiser. The creative even "initially appeared as real ads for Vonage" before switching to the malicious ad.

The Times does not believe at this time that the software the ad offered to install was inherently malicious, so much as a kind of snake oil. The Times also received a large number of complaints regarding the ads, implying that a large proportion of the Times's audience was internet savvy enough not to immediately install any antivirus program they are offered.

The cause of this breach is interesting. The group of hackers didn't only pose as a legitimate company, but as Vonage, a well-known company with which the Times had a long-standing relationship. Because of this relationship, the ad was approved directly by a member of the Times' advertising staff. As a result, the ad stayed up for a few extra hours over the weekend, while the staff at the Times was busy pulling the ads supplied by ad networks.

The Times did a good job of responding to the breach. They did not go as far as The Register in the UK, which "took down all its ads for several days" following a similar breach. However, the Times did address the complaints of its users quickly, taking down first the ad-network ads and then the directly approved ads. The readership of the Times was informed almost immediately (the story itself was posted on the Monday following the events). The Times article also attempted to explain exactly what the software was likely to do and what readers could do to remove it. Finally, in the article, the Times stated that it would be enforcing new advertising policies to prevent future occurrences.

Source:
http://www.nytimes.com/2009/09/15/technology/internet/15adco.html

Monday, September 28, 2009

Security Firms Having Trouble Detecting World’s Biggest Spam Campaign

A huge problem has recently emerged for Americans who fear the tax authorities. Criminal gangs have been preying particularly on this group, convincing them to download malicious software. The spam campaign is now entering its third week and things only seem to be getting worse. According to some researchers, this could be the most prominent spam-delivered virus in the world right now.
The spam was first spotted on September 9 by the anti-spam vendor Cloudmark. Security researchers say that Cloudmark has counted 11 million messages sent to its nearly 2 million desktop users. The message carries the subject line "Notice of Underreported Income" and tries to get victims either to install the Trojan directly or to click a link to view their "tax statement." The link only takes victims to a malicious site.
The biggest issue with this spam is the malware it delivers. Malware is software designed to infiltrate or damage a computer system without the owner's consent. The malware in this campaign is the Zeus Trojan, which is extremely hard to detect. It is built to break into victims' bank accounts and take as much of their money as possible; by some estimates the criminals could be taking out as much as a million dollars a day. Small businesses have recently been taking the biggest losses, because banks are choosing not to cover them and are instead placing the blame on the businesses for not being careful.
There are techniques for blocking malware, but the biggest issue is that there is no way to stop people from visiting sites and downloading. Another issue is that only five of the 41 antivirus engines tested were able to detect this Zeus sample.
According to Paul Ferguson, a researcher with Trend Micro, "It's difficult to stay ahead of it because the Zeus binaries are changing a few times a day. It's definitely a problem."
The biggest problem in this event seems to be that people are not well informed enough to ignore such spam. People generally panic when they read something that has to do with their money, and spam that threatens the loss of money tends to work best. A message saying "Tomorrow your money will be gone if you don't do A, B, or C" will most likely be acted on out of panic. The only way this spam can be contained is if people simply delete it and security firms get enough time to improve detection. Firms still need the help of users more than anything to slow the breaches down.


Sources:
http://news.techworld.com/security/3202748/security-firms-battle-worlds-big...

Saturday, September 26, 2009

UNC Data Breach

Here is another article about a university's system being compromised by a malicious hacker. According to this article, released today, UNC-Chapel Hill has started informing about 163,000 women that their Social Security numbers and other personal information may have been compromised in a security breach of a server in the University's School of Medicine; this server held the records of about 236,000 women whose information was gathered as part of a federally funded mammography research project.

According to UNC's chairman, Matt Mauro, signs of the breach were first noticed in July by a researcher who had difficulty accessing the server. Mauro also mentions that the actual breach may have occurred as far back as two years ago, when viruses were first discovered on the systems in 2007. UNC took the server offline when the breach was discovered in July, and the server has remained offline since then while the university continues to take precautionary measures to avoid future breaches.

The university explains that notifications of those potentially affected by the breach have only begun now because the appropriate parties (and authorities) needed adequate time to find out how serious the breach was, as well as to identify the potential victims. UNC also reports that they do not believe that the attackers have "downloaded or modified the data in any way."

Fortunately. But who knows if that will remain the case for long.

I think that the breach was due to the viruses that were discovered back in 2007; this article did not address how or whether the university took any action to remedy the effects of that discovery -- which I certainly hope it did. I also have to question the security measures that the university has protecting its systems, such as proper firewalls and antivirus software. Hopefully they do regular updates to make sure that they are protected, as these viruses are becoming more sophisticated every day. Again, this article does not provide a lot of details about the nature of the breach or the viruses, which makes me wonder if the problem came from a virus that they weren't able to clean out of the system when they first found a few of them two years ago. As for who may have wanted to break into this system, I am not sure; it really could have been anybody, and the university has not been able to track them down either.

In spite of the reasons provided by the university for its delay in notifying the potential victims of this breach, I am still surprised that it took them so long to do so. While I understand that UNC wanted a good idea of how severe the breach may have been in order to avoid any additional and unnecessary panic or distress to the potential victims, they certainly knew that they had been breached, and I think that they could have informed all those who had any chance of being affected, that is, all 236,000 women, in a much more timely manner. This way, these women, who run a high chance of being subject to identity theft, would be aware of the danger and could keep an eye out for anything suspicious in their financial records (for example). I think that the university has a duty to protect the interests of the people whose information it holds, and informing the potential victims as soon as possible (from the time the breach was first confirmed) would have been part of that duty.

Source: http://news.idg.no/cw/art.cfm?id=F5CF8FE9-1A64-6A71-CE25FB1B13C666EE

Friday, September 25, 2009

Texas Instruments Signing Keys Broken

In class we have been discussing asymmetric cryptography and the importance of digital signatures for proving who sent a message. Texas Instruments uses RSA digital signatures to authenticate updates to the operating systems on its calculators. Since its signing keys are too short (512-bit moduli), a community of hobbyist hackers was able to factor the moduli and publish the private keys. Although TI sent DMCA notices to get the keys taken down from public websites, it is too late now: too many people know what they are.

In this case TI felt that there was no obvious financial incentive for cracking its private keys. However, it should have expected that if it used too-short keys its cryptography would be broken; a 512-bit RSA modulus had already been factored publicly back in 1999, so this was a known weakness rather than a surprise. There are hackers out there who do it just for the fun of it, even with no incentive. A consequence may be that customers will be more skeptical when downloading updates for their calculators.

Although this event will not affect the copyrights held by TI, the company should move to longer signing keys so that an event like this does not occur again. It shows that 512-bit RSA keys are too short to be effective, and any company that does not want its cryptography broken should not use them.
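To make the consequence concrete, here is an added example (not TI's code and not the hobbyists' factoring tooling) of what "the modulus was factored" actually buys an attacker. It uses textbook RSA over a SHA-256 digest and a deliberately tiny, constructed 64-bit modulus so that Pollard's rho factors it in a fraction of a second; the 512-bit TI moduli needed distributed sieving, but once the two primes are known the rest of the attack is the same three lines: rebuild phi(n), invert e, sign whatever you like. The message strings are placeholders, not real OS image names.

```python
"""Added example: recovering an RSA signing key from a factorable modulus and
forging a signature that the unchanged public key accepts. Toy 64-bit modulus,
constructed for the demo; no padding scheme, which is fine only for a demo."""
import hashlib
import math

# Deterministic Miller-Rabin: these witnesses are exact for every n below 3.3e24.
_MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_prime(n: int) -> bool:
    if n < 2:
        return False
    for p in _MR_BASES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in _MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def next_prime(n: int) -> int:
    n += 1
    while not is_prime(n):
        n += 1
    return n


def make_demo_keypair():
    """Two ~32-bit primes (constructed, deliberately tiny) -> (n, e, d)."""
    p = next_prime(2**31 + 11)
    q = next_prime(2**31 + 1000)
    n, phi = p * q, (p - 1) * (q - 1)
    e = 65537
    return n, e, pow(e, -1, phi)


def _digest_mod_n(message: bytes, n: int) -> int:
    # Textbook RSA over a hash reduced mod n; a real scheme would use PKCS#1 padding.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, d: int, n: int) -> int:
    return pow(_digest_mod_n(message, n), d, n)


def verify(message: bytes, signature: int, e: int, n: int) -> bool:
    return pow(signature, e, n) == _digest_mod_n(message, n)


def pollard_rho(n: int) -> int:
    """Return a non-trivial factor of composite n (Floyd cycle finding on x^2 + c)."""
    if n % 2 == 0:
        return 2
    for c in range(1, 50):
        x = y = 2
        d = 1
        while d == 1:
            x = (x * x + c) % n
            y = (y * y + c) % n
            y = (y * y + c) % n
            d = math.gcd(abs(x - y), n)
        if d != n:
            return d
    raise ValueError("rho failed for every c tried")


def recover_private_exponent(n: int, e: int) -> int:
    """The whole attack: factor n, rebuild phi(n), invert e. Nothing else is needed."""
    p = pollard_rho(n)
    q = n // p
    return pow(e, -1, (p - 1) * (q - 1))


if __name__ == "__main__":
    n, e, d = make_demo_keypair()
    genuine = sign(b"official OS image", d, n)
    d_recovered = recover_private_exponent(n, e)
    forged = sign(b"third-party OS image", d_recovered, n)
    print("genuine verifies:", verify(b"official OS image", genuine, e, n))
    print("forged verifies: ", verify(b"third-party OS image", forged, e, n))
```

The point of the last two lines is that the calculator's verifier is never touched: it still holds the same public key and still does the same check, yet it now accepts the forged image. That is why, once the factors are public, a DMCA notice cannot put the key back in the box; only a new, longer key and new firmware that trusts it can.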

Source: http://www.schneier.com/blog/archives/2009/09/texas_instrumen.html

Tuesday, September 22, 2009

Slides

Sorry for the delay in posting these. Here are the slides we've used in class so far:

Monday, September 21, 2009

Man Finds Innovative Way to Get Back Stolen Laptops

Remote access software can now be used to help locate stolen computers. In Miami Beach, Florida, a man was at a business meeting when someone broke into his car and stole two laptop computers. The man reported the crime to the police, who were pessimistic about finding the computers. Discouraged but dedicated to getting his computer back, the man returned home and remembered he had installed remote access software called LogMeIn. The software allows users to access their computer and files from computers other than their own. The man logged onto his account and for three hours watched his laptop's screen go on Facebook, check email, post on Craigslist, and visit pornographic sites. He even watched the person take a video of himself with the laptop's camera. The man used a video camera to tape the evidence in order to prove what he had seen to the police, and after paying a website $10 he even had the address of the person who had his computer. He went back to the police with the evidence, and the police then went to the home of the man who had one of the stolen computers. The person the police visited turned out not to be the thief but someone who had bought the computer at a barbershop. A month and a half later police caught the thief but were unable to prosecute him because there was not sufficient evidence.

The man had not taken basic security precautions with either laptop: neither had a login password. An appropriate risk management strategy for a laptop should include at least a password with one lowercase letter, one uppercase letter, and one digit, and a length of at least eight characters.

Going back to the first assignment, if the Veterans Affairs employee had installed this kind of software there would have been a chance of getting the laptop back. It is interesting how remote access software was used for a purpose other than the one it was intended for in order to track down stolen computers.

Source: http://www.pcworld.com/article/172093/an_amazing_laptop_recovery_story.html

Sunday, September 20, 2009

E-Trade Skimming Scam

Another interesting article for someone looking for a case study. First come, first served...

Man Gets 15 Months for E-Trade Skimming Scam

Internet Scammers Leap on Patrick Swayze's Death

After hearing the news of famous actor Patrick Swayze's death, many turned to the Internet to find details about the circumstances surrounding this tragic event. While most turned to reputable media websites, such as those of television news channels and print newspapers, some simply went to search engines and typed in several keywords. A few unknowingly stumbled upon a fake news report containing a pop-up stating that the individual's computer needed an antivirus scan immediately. Unfortunately, the creators of this site are not benevolent programmers concerned with the well-being of their visitors' computers. The program is malware and can have a detrimental effect on the computer's performance. The biggest catch is that one need not even click on the pop-up to download the malware: it has been programmed so that merely moving the cursor over the box initiates the download.

The most obvious reason hackers would do this is that, after the actor's death, it was only logical that people would get on their computers to try to find out what happened. Even once people figure out the report is fake, the pop-up has already been activated. The most natural response to a pop-up is to close it, which in the process could accidentally trigger the download. To avoid being infected by this malware, one should avoid rogue news outlets for information and stick to trusted ones. If one does become infected, one should immediately perform a legitimate virus scan of the system.

Greene, Tim. "Internet Scammers Leap on Patrick Swayze's Death." PC World. 16 Sept. 2009. Web. 20 Sept. 2009.

Friday, September 18, 2009

A Victim of Information Insecurity

It's interesting how sometimes things in life make a lot more sense once you learn about them. And, when they make more sense, you think about them differently.

Take this example from me:
We've been talking about information security since the class started. One of the topics that we've talked about and discussed is letting people know if their information has been compromised. I recently got a letter from the Notre Dame Federal Credit Union telling me that in fact my information HAS been compromised. That information might have included my debit card number. Now, before learning about this, I would have been like "Hmm, that's weird. I don't really know how seriously I need to look into this. They give me the option of canceling my current card until they send me a new one. Should I do that?" Now, my thought process has been much different. "I wonder what happened that caused them to compromise my information. Did someone misplace a laptop? Did a computer get infected with a virus? I wonder how many different people had their information compromised. How many people are they automatically sending out new cards to? It says that they were notified that my information may have been compromised... does that mean that it was compromised by some other company? Maybe somebody I purchased from? It must have been somewhat serious for them to already be sending me a new card." Along with giving me the number to call in case I decide to cancel it, they also inform me about VISA's Zero Liability policy, which is nice to know. Overall, I'm just glad they let me know. I'm appreciative of their responsibility.

The Koobfaces of Facebook

Have you ever gotten a weird message from a Facebook friend asking you to view their cool new video? Then once you click on it you are directed to one of those File > Run screens? If you proceeded with those directions, there is a good chance that you were exposed to the Koobface worm. This is malware that can harvest Facebook log-in credentials in order to assume the identity of a Facebook user. It then sends a message to all of the user's friends asking them to click a link to their new video, which in actuality is a link to download malicious software onto your computer.

Facebook's CEO reported in March of 2009 that only a small number of users had been affected by this worm, but it is not the first of its kind to infiltrate the site. Facebook has therefore taken new security precautions in the last year to better screen invalid users and applications. They also implemented a way for users to recognize Facebook-approved applications by looking for the Facebook validation badge (seen below). Facebook says that many of the applications are not intentionally malicious but were improperly set up by the application creator.

This leads me to the central problem, which is Facebook's blanket acceptance of applications with not enough attention given to the intentions or ability of the creator to build a secure product. Facebook concedes that it "err[s] on the side of permissiveness" in order to promote growth of the site, but this is at the risk of the users and their personal information. Many viruses target social-networking sites precisely because of the popularity that Facebook strives for. For this reason, Facebook must establish a list of priorities in which the safety and security of its users comes before marketing and site expansion.

Facebook should be more critical when deciding which applications may circulate on the site and should also test these applications before exposing them to users. In turn, users (such as ourselves) should be more mindful of the possible threat that applications may carry and always check for the new Facebook validation badge before allowing an application access to your profile and its contents. These measures may not eliminate the possibility of exposure to malicious material, but they may reduce Facebook's attractiveness and popularity in the world of viruses, and send worms like Koobface somewhere else.


Sources:

Sunday, September 13, 2009

Geographic Privacy

Philippe Golle and Kurt Partridge from Xerox PARC wrote an interesting article recently called "On the Anonymity of Home/Work Location Pairs".

This would make a great case study topic for someone who is still looking...

Friday, September 11, 2009

The IRS wants my computer too?!

After seeing in class today just how convincing phishing scams can be, it was interesting to find another one that sets its sights even higher than a court subpoena. This one uses the IRS as its fraudulent cover. The spam email that is going around says that the U.S. Internal Revenue Service wants to contact the recipient about their own fraud. About 90,000 emails are being sent each hour in an attempt to spread Cutwail, described as "the world's highest-volume spam-sending botnet". The recipients are accused of under-reporting their income. In the body of the email there is a link encouraging people to click to view their tax statement. When they click the link, users are directed to a mock website containing links that download a trojan.

This is not a spear phishing attack meant to target any particular business or group of people. The IRS had also been used in a phishing scam in February involving stimulus package payments. The IRS, however, doesn't even know your email address and will never contact you about official business over email, according to Sam Masiello, vice president of information security at MX Logic. Recipients are advised by the IRS to forward the emails to phishing@irs.gov.

You can see a sample of the email and fraudulent link here: http://www.mxlogic.com/itsecurityblog/1/2009/09/5E.New-Malware-Campaign-Spoofs-the-IRS.cfm

This is just another example of what people will attempt in order to scam others. They are willing to impersonate something as serious as the IRS. The email even appears to come from no-reply@irs.gov, which gives it one more item to try to prove its legitimacy; the sender address in an email is simply a header field the sender fills in, so it proves nothing on its own.

People need to always be wary of email that comes from distant sources, and even on the alert with people they know. People who end up with the trojan need to get it taken care of as soon as possible. Having a trojan on your computer just leads to more and more problems (I know from past personal experience). So, be diligent, and when it comes to email, it almost seems like you actually shouldn't ever trust the government, just like so many people say.
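Both this post and the September 28 post on the "Notice of Underreported Income" campaign turn on the same two tricks: a forged From: address and a link whose visible text does not match where it really goes. Here is an added example, not taken from SC Magazine, MX Logic, Techworld or the course, of the checks a mail filter (or a careful reader with the raw message open) can run against a message like the IRS lure. Both messages are constructed for the demo; example.net, example.org and 198.51.100.x are reserved documentation names and addresses, not anyone's real mail infrastructure, and the "last two labels" view of a domain is a simplification of what a real filter would do with the public suffix list.

```python
"""Added example: header-consistency and link-mismatch checks for a phishing
email. The two messages are constructed; nothing here is real campaign data."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

SAMPLE_PHISH = """\
Return-Path: <bounce-42@mail.example.net>
Received: from mail.example.net (mail.example.net [198.51.100.7])
    by mx.example.org with ESMTP; Wed, 9 Sep 2009 10:12:01 -0400
From: "Internal Revenue Service" <no-reply@irs.gov>
Reply-To: support@example.net
To: taxpayer@example.org
Subject: Notice of Underreported Income
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><body><p>Please review your tax statement:
<a href="http://irs.gov.example.net/tax-statement.exe">http://www.irs.gov/tax-statement</a>
</p></body></html>
"""

SAMPLE_CLEAN = """\
Return-Path: <bounce@mail.example.org>
Received: from mail.example.org (mail.example.org [198.51.100.9])
    by mx.example.org with ESMTP; Wed, 9 Sep 2009 10:12:01 -0400
From: "Example Bank" <alerts@example.org>
To: customer@example.org
Subject: Your September statement
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><body><p>Your statement is ready:
<a href="https://www.example.org/statements">https://www.example.org/statements</a>
</p></body></html>
"""

EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif", ".zip")
URL_LIKE = re.compile(r"^(?:https?://)?([\w-]+(?:\.[\w-]+)+)(?:[/:?#]|$)", re.I)


def registrable(host):
    """Last two labels of a hostname (irs.gov.example.net -> example.net)."""
    return ".".join((host or "").lower().rstrip(".").split(".")[-2:])


def addr_domain(header_value):
    return parseaddr(str(header_value or ""))[1].rpartition("@")[2].lower()


class LinkCollector(HTMLParser):
    """Pairs every <a href> with the text the reader actually sees."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyse_message(raw):
    """Return human-readable findings; an empty list means nothing looked odd."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    from_dom = addr_domain(msg["From"])
    for hdr in ("Return-Path", "Reply-To"):          # who really gets bounces/replies?
        if msg[hdr] and registrable(addr_domain(msg[hdr])) != registrable(from_dom):
            findings.append(f"{hdr} domain {addr_domain(msg[hdr])} differs from From domain {from_dom}")
    received = msg.get_all("Received") or []
    if received:                                     # bottom-most hop is nearest the sender
        m = re.search(r"from\s+([\w.-]+)", str(received[-1]))
        if m and registrable(m.group(1)) != registrable(from_dom):
            findings.append(f"message entered the mail system from {m.group(1)}, not a {from_dom} host")
    collector = LinkCollector()
    if msg.get_content_type() == "text/html":
        collector.feed(msg.get_content())
    for href, text in collector.links:
        target = urlparse(href)
        if target.scheme != "https":
            findings.append(f"link {href} is not HTTPS")
        if target.path.lower().endswith(EXECUTABLE_SUFFIXES):
            findings.append(f"link {href} points straight at a downloadable program")
        shown = URL_LIKE.match(text)
        if shown and registrable(shown.group(1)) != registrable(target.hostname):
            findings.append(f"link text shows {shown.group(1).lower()} but goes to {target.hostname}")
    return findings


if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("clean", SAMPLE_CLEAN)):
        print(name, analyse_message(raw) or ["no findings"])
```

None of these checks is conclusive on its own (plenty of legitimate bulk mail has a Return-Path on a different domain), but a message that trips all of them, from a sender that the IRS says never emails taxpayers, is an easy call. The mismatch between the visible link text and the real target is the one readers can check themselves by hovering over the link before clicking.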

Sources:
Kaplan, Dan. "Cutwail botnet authors behind wave of malicious IRS spam." SC Magazine. Sept. 09, 2009. Web accessed: Sept. 11, 2009. http://www.scmagazineus.com/Cutwail-botnet-authors-behind-wave-of-malicious-IRS-spam/article/148474/



Thursday, September 10, 2009

Guessing Social Security Numbers

Your social security number is the key to your identity. Its confidentiality is of the utmost importance, and individuals take intensive measures to protect the confidentiality of their social security numbers, especially as recent information security failures have compromised numerous identities in online scams. But what if no one even needed to hack into your bank information or send you a phishing email to steal your social security number?

Recently, a team of computer scientists from Carnegie Mellon University discovered that, using select public information, they can actually guess a person's Social Security number. They concluded that there are "distinct patterns in how the numbers are assigned" that correlate with an individual's date of birth and the state in which they were born. The computer scientists used information from the "Death Master File" from 1989 to 2003 to conduct an experiment to see how accurately they could predict the nine-digit numbers. They were able to successfully predict the Social Security numbers of 8.5 percent of the 1,000 records used in the experiment. The frightening part of this experiment is that the process is legal: the information the Carnegie Mellon computer scientists used was public information to which almost anyone could gain legitimate access. Personal profile sites like facebook.com make this information even more accessible, as most individuals list their date of birth and home state on their profiles.

Privacy expert Alessandro Acquisti said that this is a matter of policy, not of personal protection. He stated that information like names and birth dates are already on the web. Because it is becoming nearly impossible to absolutely protect social security numbers, policy makers are reconsidering the use of social security numbers as personal identifiers. The Washington Post quoted Alessandro Acquisti as saying, "Our work shows that Social Security numbers are compromised as authentication devices, because if they are predictable from public data, then they cannot be considered sensitive." The issue has recently been pushed into the spotlight as Washington lawmakers are attempting to prevent businesses from asking new employees for their social security numbers because the routine use of social security numbers is contributing to the problem.
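The reason birth date and state are enough is the structure of the number itself. Until the SSA randomised assignment in 2011, an SSN was area-group-serial (AAA-GG-SSSS): the area number was allocated by state, the group number was issued in a fixed, published order within an area (odd 01-09, then even 10-98, then even 02-08, then odd 11-99), and the serial ran 0001-9999 within a group. Because numbers have been issued at birth since the late 1980s, people born in the same state a few days apart got numbers a few hundred positions apart. The example below is an added illustration of that idea, not the Carnegie Mellon researchers' code or method in detail: it turns an SSN into its position in a state's issuance sequence, then uses constructed "known" records (standing in for Death Master File entries) to bracket an unknown number for a target birth date. The area table is a constructed stand-in for the SSA's published state allocation; only the group ordering is the real pre-2011 rule.

```python
"""Added example: why an SSN was predictable from birth date and state under the
pre-2011 assignment scheme. Records and the area table are constructed."""
from bisect import bisect_left
from datetime import date

# Real pre-randomisation issuance order of the group number within an area.
GROUP_ORDER = [*range(1, 10, 2), *range(10, 99, 2), *range(2, 10, 2), *range(11, 100, 2)]
GROUP_RANK = {g: i for i, g in enumerate(GROUP_ORDER)}
SERIALS_PER_GROUP = 9999                      # serial 0000 was never issued

# Constructed stand-in for the SSA's state -> area-number allocation table.
STATE_AREAS = {"NH": [1, 2, 3]}


def ssn_to_index(ssn, state):
    """Map AAA-GG-SSSS to its position in the state's issuance sequence."""
    area, group, serial = (int(x) for x in ssn.split("-"))
    if group == 0 or serial == 0:
        raise ValueError("group 00 and serial 0000 were never issued")
    area_pos = STATE_AREAS[state].index(area)
    return (area_pos * len(GROUP_ORDER) + GROUP_RANK[group]) * SERIALS_PER_GROUP + serial - 1


def index_to_ssn(index, state):
    slot, serial = divmod(index, SERIALS_PER_GROUP)
    area_pos, rank = divmod(slot, len(GROUP_ORDER))
    return f"{STATE_AREAS[state][area_pos]:03d}-{GROUP_ORDER[rank]:02d}-{serial + 1:04d}"


def predict(target_dob, state, known_records):
    """known_records: (ISO birth date, SSN) pairs for people born in `state` whose
    numbers were issued at birth. Returns the candidate window and a best guess."""
    rows = sorted((date.fromisoformat(d), ssn_to_index(s, state)) for d, s in known_records)
    dobs = [r[0] for r in rows]
    target = date.fromisoformat(target_dob)
    last_index = len(STATE_AREAS[state]) * len(GROUP_ORDER) * SERIALS_PER_GROUP - 1
    i = bisect_left(dobs, target)
    if i == 0:                       # born before everyone we know about
        lo, hi, best = 0, rows[0][1] - 1, rows[0][1] - 1
    elif i == len(rows):             # born after everyone we know about
        lo, hi, best = rows[-1][1] + 1, last_index, rows[-1][1] + 1
    else:                            # bracketed: interpolate on the birth date
        (d0, n0), (d1, n1) = rows[i - 1], rows[i]
        lo, hi = n0 + 1, n1 - 1
        frac = (target - d0).days / (d1 - d0).days
        best = round(n0 + frac * (n1 - n0))
    candidates = max(0, hi - lo + 1)
    return {
        "low": index_to_ssn(lo, state) if candidates else None,
        "high": index_to_ssn(hi, state) if candidates else None,
        "candidates": candidates,
        "guess": index_to_ssn(min(max(best, lo), hi), state) if candidates else None,
    }


# Constructed "known" records for one state; the target date below is made up too.
KNOWN = [("1990-03-01", "001-01-0100"), ("1990-03-10", "001-01-0450"),
         ("1990-03-22", "001-01-0900"), ("1990-04-05", "001-03-0200")]

if __name__ == "__main__":
    print(predict("1990-03-15", "NH", KNOWN))
```

With four known neighbours the search space for the target collapses from a billion possibilities to a few hundred, and a single best guess lands in the right group with the serial off by a few hundred at most; with the real Death Master File, which holds millions of records, the neighbours are days or hours apart, which is what makes a first-try hit rate of several percent possible. The takeaway the post draws is the right one: a value that can be narrowed this far from public data is an identifier, not a secret.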

Sources:
Krebs, Brian. "Researchers: Social Security Numbers Can Be Guessed." The Washington Post. 6 July 2009. Web. 10 Sept. 2009. http://www.washingtonpost.com
Leggett, Haddley. "Social Security Numbers Deduced from Public Data." Wired. 6 July 2009. Web. 10 Sept. 2009. http://www.wired.com

Wednesday, September 9, 2009

Wal-Mart Card Phishing Scheme

A recent article detailed how a phishing scam was used to set up Wal-Mart credit cards. Tien Truong Nguyen and his accomplices worked out of Romania to set up fake phishing websites to steal people's information. After getting the information, they would set up instant credit accounts at kiosks in different Wal-Marts in northern California. The offenders could typically print out credit coupons valued between $1,000 and $2,000 to then use in the stores.

The scariest part of this story is that, when asked why he chose to perform identity theft, Nguyen's response was "because it was so easy." In fact, he had tried to "quit" identity theft before, but had found it to be the easiest way to fund his methamphetamine addiction. When arrested, Nguyen had tens of thousands of people's credit card numbers, bank account numbers, and other sensitive information in his possession. He primarily gathered this information by sending e-mails or pop-up windows purporting to be from the popular site paypal.com and asking people for their information. However, he had also branched out into creating fake websites for smaller institutions such as Fairwinds Credit Union, Heritage Bank and the Honolulu City and County Employees' Credit Union.

The main takeaway from this article is how easy it is to get someone to willingly give away their sensitive information. Just because a site looks legitimate, which all of Nguyen's reportedly did, does not mean that it is safe. For this reason we all need to remember to be on the lookout for ways we may compromise our own information security.

Source:
McMillan, Robert. "Man Pleads Guilty in Wal-Mart Card Phishing Scheme" September 9, 2009.

Monday, September 7, 2009

Rise in ATM Crime in Europe

Two recent articles from pcworld.com and guardian.co.uk detail the rise of ATM fraud and theft in Europe. The articles report that €485m (£423m) was stolen in 2008, a 149 percent increase over ATM crime in 2007. Those perpetrating these crimes use various techniques to obtain valuable financial information. The customary method is known as "skimming": attaching false equipment to existing ATMs that records a card's magnetic stripe. Offenders then use various covert means to capture the cardholder's PIN. Other techniques involve Bluetooth and nearby laptops, entirely fake machines, malware and other malicious software, physical attacks, and so on.

There are a number of reasons for the susceptibility of ATMs. One of the primary causes is that ATMs do not run specific, unique software; most use "publicly available operating systems and off-the-shelf hardware" (pcworld.com). As a result, criminals can easily construct false machines and card readers, and can work on methods for infecting machines with malicious software. Another reason is that cash machines around the world do not have the same safety measures, which is a likely reason crime is prevalent across the many countries of Europe: ATM users may be used to the security of specific machines and be unaware of the risks of unfamiliar ones. The fact that tampering occurs at all is also evidence that ATMs are not monitored carefully enough. Obviously the purpose of an automated machine is that it does not require human supervision, but the use of security cameras and other monitoring techniques could prove a successful deterrent to these crimes.

Awareness is key in addressing these situations; customers must be aware that these crimes occur and take precautions against at least the most basic attacks. This involves taking care when entering one's PIN, using only machines in places where it makes sense for a machine to be, checking what one is swiping one's card through, regularly changing one's PIN, and so on. I also believe it would be beneficial for European banks to create standards for their ATMs, covering machine appearance, safety/security measures, machine-monitoring techniques, etc. Overall, awareness is essential for both the company and the customer.


Sources:
Kirk, Jeremy. "European Banks Warned: Brace for Rise in Cash Machine Fraud" September 7, 2009. http://www.pcworld.com/businesscenter/article/171542/european_banks_warned_brace_for_rise_in_cash_machine_fraud.html

Collinson, Patrick. "Huge rise in cash-machine crime, watchdog warns" September 7, 2009. http://www.guardian.co.uk/uk/2009/sep/07/cash-machine-crime-increase-fraud


Password Hackers are Slippery to Collar

Here's an interesting article in this morning's Washington Post:

Password Hackers are Slippery to Collar.

It relates to the conversation we had in class on Thursday regarding password security. As you'll read in the story, there are firms out there that as their "business" will hack into web-based e-mail accounts and provide the customer with the password.

Obviously, this is illegal, but it is also very difficult to track. We'll discuss the reasons why in more detail when we cover incident handling toward the end of the semester, but most of these companies are located in other countries where authorities do not have good working relationships with the United States.

Despite being profiled in the newspaper, this website is still in business today. They boast:

"We Hack Passwords for $100 USD
We Crack all major web based emails
This include Hotmail, Yahoo! AOL and Gmail
We Provide Proofs Before payment."

Interesting. What are your thoughts?