Recent indictments reveal debit card fraud techniques

On May 9, 2013, Federal prosecutors issued indictments against eight individuals for hacking and theft.  The case revealed the methods used by hackers to gain access to debit card numbers that were ultimately used to withdraw $45 million.

Hackers gained unauthorized access to credit card processing companies and conducted what hackers term “unlimited operation”.  Unlimited operation is an attack where debit cards account balances and withdrawal limits are removed.  In this case, attackers performed unlimited operation on several prepaid MasterCard debit cards and then distributed the card numbers and pins to groups around the world.  These groups recoded gift cards and hotel entry cards with the stolen card numbers and then coordinated withdrawals from ATMs.

We have spoken of the increase in the coordination of cyber-attacks many times, and this is an excellent example.  In a little over two hours on December 22, 2012, the criminals were able to withdraw $400,000 from 140 ATMs across New York City.  A series of thefts in February resulted in the theft of almost $2.4 million in 10 hours, and the group is accused of stealing a total of $45 million by following this procedure for different card issuers and locations.

The banks involved in this case might have prevented the theft by monitoring for anomalous behavior such as the excessive use of a card number or the modifications required in unlimited operation attacks.  Anomalous behavior monitoring is valuable no matter where the next attack comes from, and it is useful in other industries as well.

U.S. Department of Energy suffers data breach

Two weeks ago hackers took control of 14 servers and 20 workstations at the U.S. Department of Energy (DOE), obtaining personal information including names, social security numbers, driver’s license numbers, pictures, fingerprint and handwriting samples, dates of birth and family information for hundreds of DOE employees.  The hackers did not gain access to classified information which investigators believe was the target of the attack.

Until yesterday, the hacker group Anonymous was viewed as a potential perpetrator since one of their factions, Parastoo, claimed responsibility on Pastebin.  However, the posted information was dated, and investigators believe Parastoo is not responsible for the attack.  According to an article published on February 4 in the Washington Free Beacon, unnamed government officials confirmed that the assault involved a foreign nation state.  This nation-state is most likely China based on repeated attempts by Chinese hackers to gain access to DOE information and the value such information has to Chinese efforts.  If so, this employee information will probably be used to launch further attacks and gain the confidence of DOE employees with access to sensitive information.

The DOE and FBI are still investigating the incident, but speculation abounds as to how the attack on their systems took place including weak server security configurations, inadequate user training, and an over-reliance on outdated methods.  The security of DOE systems has certainly been called into question, and some suggest that government agencies such as the DOE should rely more on the help of industry experts and security firms.

Canadian Hack Back

Back in November, I blogged about the hack back initiative here in the United States.  Well, similar debates are taking place in Canada.  In January of 2012, Public Safety Canada commissioned a report on hacking, specifically hacking related to online protesting and activism known as hacktivism.  The report recommended several exemptions to existing legislation to allow researchers, investigators, and even journalists to hack into other computers.  Some of the hack back recommendations included allowing security researchers to attack and reverse engineer software in order to determine security concerns (Montreal Gazette), investigators to take additional actions in investigating attacks such as data breaches and malware and reporters to break into private computers to obtain information in the interest of public welfare (Postmedia).

Over the past year, a discussion has taken place between Public Safety Canada and the minister’s office on this subject resulting in a decision by Public Safety Canada on January 16, 2013, to reject the recommendations.  This is by no means a complete loss for those supporting hack back since such large scale initiatives often take years to implement.  Alana Maurushat, the author of the report, wrote, “no surprise that there is no inclination to take up recommendations…these things often take decades of slow changes.”  The past year of discussion will increase awareness of the hack back initiative and we will most likely see other proposals in the future that will address the shortfalls of this proposal which Public Safety Canada has not provided.

Hack back: The latest ethical consideration in cyberspace

Like paparazzi on celebrities, hackers pound on our organizational doors almost every second of the day.  It makes us want to hack them back; take them out of the game and cease this never-ending battery of our systems.  This is especially tempting following a data breach.  Despite this temptation, most restrain themselves because of laws that prohibit the use of computer programs and systems to attack others such.  However, increases in damages and loss due to computer hacking has caused some to question this restraint.

At the 2012 RSA conference, Paul Asadoorian and John Strand proposed fighting back by frustrating hackers with systems that waste their time, tracking attackers, and then disabling them.    Unfortunately, many times attackers use other systems to perpetrate their attacks so the act of disabling their systems could take down a company that has no knowledge of the attack.

Some argue that since the systems used by attackers are vulnerable, they are contributing to the problem and that disabling those systems is simply part of the overall solution to make us safe.  The loss of availability for one company is a benefit to the community.

So far these arguments have focused on reacting to an attack but Symantec proposed taking it a step further in their article Malicious Malware: attacking the attackers.  They suggested stopping attackers before they issue an attack.  Some methods including distributing hacker tools that track the attacker to taking control of hacker botnets would put the hackers on the defensive.

There are people on both sides of the fence such some such as John Pescatore, head of Gartner’s Internet security practice and former NSA and Secret Service agent, doubting whether it can really help.  Pescatore says “There is no business case for it and no positive outcome.”  Others like cyberwar researcher Sandro Gaycken, believe that governments who have the sanction to attack back, have not been doing enough.  He believes hacking back can help and that it is justified.   Gaycken says, “Vigilantism could seem justified. It’s that way with self-defense: if the state is not there, and I’m attacked, I can hit back.”

In response to concerns about legality, Asadoorian and Strand recommended modifying system banners and warnings to include a statement that by accessing this system you agree that information such as location would be collected on those and that your system will be subject to a security check.  In this way, attackers would be allowing you to collect information on them and to run tools to analyze their systems.  However, attackers are not authorized to make such a decision on behalf of those whose systems he or she has compromised so statements like this may be of little value.

The debate is going on right now with serious cyber security discussions on whether hacking back should be officially allowed in the United States.  What are your thoughts?

The Latest Cyber Attacks Against US Banks

Did you know that computers often become infected with virus-like programs called “bots” causing “denial of service” incidents on websites? Similar to the large data centers that comprise cloud computing services, hackers have been creating botnets, large networks of infected computers that can operate collectively to perform malicious tasks. Portions of these networks are leased out to others who use them to launch attacks against web sites, among other things.

The recent bank attacks are examples of what can be done easily with the power of a botnet and nefarious schemes. For more information on the recent incidents, read my quotes from the article, “KeyCorp, U.S. Bank web sites hit in the latest cyber attack against nation’s largest banks.”

For more information about how to know if your computers and information are secure, call me at 216-664-1100.

A Certified Lack of Confidence: The Threat of Rogue Certificate Authorities

For more than a decade, computer generated digital certificates have made it possible to authenticate the identity of computer systems, data, and web sites by connecting a public key with an identity such as an owner’s name.  The process relies on trust.  “Secure” websites utilize such a certificate to validate their identity.  This digital certificate is usually procured from a company that will verify the identity of the company administrating the site.  The digital certificate issued to them will be validated by a trusted root certificate authority or by a server that is trusted by the trusted root.  This chain of certificates is called a certificate hierarchy.  A small group of trusted certificate authorities is installed on computers within the operating system.  These authorities include such names as Equifax, VeriSign, and Thawte.  So what happens when the system breaks down?

Last year a series of attacks took place against certificate authorities resulting in the issuance of many rogue certificates. These attacks began with an SQL injection attack against Comodo’s GlobalTrust and InstantSSL databases leading to the issuance of rogue certificates for,,,,, and  This was followed by an attack on DigiNotar where over 500 rogue certificates were issued including some wildcard certificates such as * which allowed the certificate to be used for any site.  In response, DigiNotar was removed from the trusted list so that all the certificates it had issued were no longer valid.

Rogue certificates allow attackers to create illegitimate sites that are indistinguishable from real sites like eBay, Google or PNC because their certificate hierarchy can be validated.  Users then will be redirected to such sites through phishing or ‘”crucial  that man in the middle” attacks where a compromised host in-between the user and a legitimate site sends traffic to an illegitimate site instead.

Some viruses have used rogue certificates to make their content seem legitimate.  For example, fake AV, some Zeus variants, Conficker and more recently, Stuxnet and Duqu have used rogue certificates.  The threat of rogue certificates that McAfee lists rogue certificates as one of their ten threat predictions for 2012.

In the wake of attacks on certificate authorities, security professionals are speculating whether there are other certificate authorities that are compromised but do not yet know it.  The containment action against DigiNotar was extreme but necessary given the scope of the compromised certificates.  A significant disruption of e-commerce could result if other root certificate authorities need to be similarly revoked.

There are several ways companies can protect their users from the damage caused by the use of rogue certificates.  The most important action that can be taken is to install browser patches as soon as they are released because updates to root certificate authorities will be distributed through these patches.  To do this, revisit your patch management policy to determine optimal patch deployment intervals and minimize the number of time that machines are vulnerable to attacks.

Similar to server hardening and other security techniques that limit asset exposure, an examination and subsequent reduction of the number of trusted certificate authorities is important in assuring safe computer usage.  Some certificate authorities are region specific. Thus, they can be removed if sites in those countries are not utilized.

It is important to configure the Internet browser to check for certificate revocations.  Certificate revocation lists are maintained by certificate authorities who list the certificates that should not be trusted anymore.  Depending on the browser’s settings, it may be accepting revoked certificates.  Make sure the browser is set to treat certificates as invalid if the Online Certificate Status Protocol (OCSP) connection fails.

Firefox addons such as CertPatrol, Convergence or Perspectives routinely check certificates against a collection of network notaries or against a locally stored database of certificates to further validate certificate credibility.  These add-ons warn users when the certificates are different from those recorded elsewhere.  A change in a certificate is no guarantee that the certificate is a rogue certificate, but it is a warning sign that the certificate is potentially rogue.

Attacks in recent years have shown that the certificate trust relationship can be exploited to be used to impersonate legitimate sites and services.  The best way to assure actual service is to maintain current computer browser and operating system patches.  In addition to keeping patches current, reduce your potential exposure to rogue certificates by limiting the number of certificate authorities you trust and enforce certificate revocation checking.



Is Your TV a Security Risk? Embedded Devices May be the Next Target.

The latest televisions and Blu-Ray players come equipped with more than HD video and audio.  Internet access and a host of new applications are being built in to run directly on these “smart” TVs and DVD players.  A popular built-in feature is wireless access which enables the user to avoid plugging in an Ethernet cable.  Accessing the internet and your favorite apps directly from your TV is convenient.  However, what security risk does it pose?

Are Smart TVs and Blue Ray Players a Security Risk?

The primary question is, “Are these devices a security risk?” Examining the features of smart TVs and Blu-Ray players and comparing them to existing systems that already have a risk profile will help answer this question.

To access the Internet, a device needs an Internet browser. Currently, manufacturers have decided not to develop their browsers but to use existing products that have proven effective on other platforms.  Some devices come equipped with a version of Opera while others utilize Google’s Chrome browser. Both browsers have been reasonably responsive in addressing security vulnerabilities and supporting the latest security standards.

Another feature offered by some devices is the ability to retrieve pictures, movies and music from networked computers by using Microsoft’s Windows “media extender technology.”  The default installation of the press center extender provides full access to most of the shared media on the network. This access could allow a compromised television or Blu-ray player to give access to files on the home network or office network.

Another consideration is the type of content that will be available on these devices.  In the past year, a significant number of exploits focused on Adobe Flash or Java.  Blu-ray players currently support Java to display content often included on Blu-ray disks, while some of the TV browsers support flash content.  Additionally, many of the applications available for these devices (like Hulu Plus) use Flash.

Smart TVs and Blu-Ray players are typically connected to the network for extended periods of time. This long-term connection poses another risk. These devices may be configured to automatically download or index programs for future use. Since these devices are rarely monitored and typically used throughout the day, a security breach may go unnoticed for an extended period of time.  The longer a security breach goes unnoticed, the more damage and harm are typically caused.

Although there have not been any reported vulnerabilities for televisions and Blu-ray players yet, do not expect it to remain this way for long.  (Update: A security firm did recently find a weakness in a Samsung TV.  For more information, click here.)  It did not take long for cell phones to be exploited after internet access and applications were ported to them. Similarly, as the internet capable televisions and Blu-ray players grow in popularity, they will become a more sought after target of hackers.

So What Can You Do? 

Since no vulnerabilities have been published, companies have not developed security patches to prevent unwanted breaches. In reviewing recent firmware update release notes from mainstream television and Blu-ray manufacturers, none of the release notes documented fixes for security vulnerabilities.   These updates only enhanced functionality, not security.

Companies who have adopted Internet capable devices should consider keeping them on a separate network segment.  Both home and business users can disconnect devices from the network if internet features are not needed.  By staying up to date on new vulnerabilities, corrective action can be taken when needed.

For added security, also consider turning off features that automatically index or download content.  This, combined with setting the device to turn fully off, will reduce the amount of time the device is potentially vulnerable each day.  When using the media center extender, consider cutting access from the default of full access to read only.  See this article for details on configuring tightened security for media center extenders (please be aware the article is rather technical).   Eventually, security patches for these internet capable devices will be released just like security patches are released for software applications and operating systems.  However, unlike computers, users are not familiar with the firmware update process, and not all companies make it easy to upgrade their products. In the future, companies will need to develop procedures for regularly updating devices.

In conclusion, a smart TV or Blue-ray player could be vulnerable once exploits are designed for these devices.  As the consumer usage for these devices increases, the likelihood of malicious code being developed will likewise increase.  The firmware on these devices can be upgraded, but manufacturers have not released any security updates for their devices. Until manufacturers address the invasions as they occur, the three best ways to protect a device from undisclosed vulnerabilities are:

  1. Disconnect the device from the network unless it is needed to use specific Internet features
  2. Allow the device to turn off and not download content automatically
  3. Configure tighter security on Windows media extenders.