Incident of the Week: Social Networking Sites Used as Command and Control Structure for BotNets

Are you having trouble making sense of social networking sites like Twitter? It may be because you are trying to read an encoded command to a malware-infected computer. Security consultant Jose Nazario at Arbor Networks has discovered that popular social networking sites like Twitter and Jaiku are being used to control botnets, armies of computers that have been infected with malware enabling the individual controlling the botnet to steal user information and direct the computers to attack others. Botnet commanders often use IRC (Internet Relay Chat) messages to control the "slave" computers, but Nazario discovered encoded gibberish in a user's tweets and decoded them to find that the messages directed infected computers to download additional payloads of malware. According to Nazario's post on the Arbor Networks blog, the original botnet commands appear to have been used to steal user information.

This raises a number of concerns for any website that permits users to generate content. In addition to copyright infringement and other abuse concerns, clearly this highlights another type of content that website administrators should be policing. Also, as companies and institutions begin to view particular websites as being involved in botnet infections, even inadvertently, system administrators may begin blocking access to these sites. As a result, this is a concern both for companies that maintain social networking sites, blogs and other user-generated content, as well as employers and other companies that provide access to those sites.

ABA Sues FTC To Stop Application of Red Flag Rules to Lawyers

In a move threatened but not expected this soon, the American Bar Association today sued the Federal Trade Commission, in an effort to stop the application of the Red Flags Rule to lawyers.  The Red Flags Rule is scheduled to go into effect on November 1, 2009. 

The complaint (.pdf), which was filed in federal district court in Washington, D.C., seeks declaratory and injunctive relief, with the goal of making clear that lawyers are not "creditors" required to comply with the Red Flags Rule. Interestingly, nowhere does the complaint suggest that lawyers are not just as vulnerable to identity theft as other professionals. Rather, the complaint argues that lawyers are regulated at the state level, not by the federal government, and that the FTC has not been given the necessary authority by Congress to change this state of affairs.

The FTC had already delayed its planned enforcement of these rules from August 1 to November 1, in response to the ABA's objection (see our prior post on the back and forth between the FTC and ABA). Whether there will be further delays in the Red Flags Rule implementation date or further talks to discuss carving out lawyers is not yet known.

Federal Judge Prevents Sale of CLEAR Customers' Personal Data

On August 18, a federal judge in the Southern District of New York entered an injunction forbidding Verified Identity Pass, Inc. (VIP) to sell or transfer any of the confidential customer information it compiled while operating the CLEAR express airport check-in program.  The CLEAR program collected a range of customer biographic information (e.g., name, address, etc.) as well as biometric information, including the customer's fingerprints and iris scan.  This information was used to expedite the airport check-in process.

In June, VIP announced that it would be discontinuing the program due to its inability to “negotiate a settlement” with its creditor.  At the time, VIP assured its customers that “[t]he personally identifiable information that customers provided to Clear may not be used for any purpose other than a Registered Traveler program operated by a Transportation Security Administration authorized service provider. Any new service provider would need to maintain personally identifiable information in accordance with the Transportation Security Administration’s privacy and security requirements for Registered Traveler programs. If the information is not used for a Registered Traveler program, it will be deleted.”

Despite this assurance from VIP, many customers expressed concern over the handling of the personal data they had provided to CLEAR.  In addition, customers objected to VIP's statement that it would not issue refunds to customers, some of whom had paid in advance for years of service.

A week after VIP’s announcement of its discontinuation of the program, CLEAR customers brought a putative class action against VIP in the Southern District of New York. As amended, plaintiffs’ claims include breach of contract, negligence, and unjust enrichment. Plaintiffs also sought a preliminary injunction, explaining that "VIP’s cessation of the CLEAR program and other factors indicate a significant risk that the confidential information of Plaintiffs . . . will be compromised.” Plaintiffs expressed concern that VIP would not honor its contractual obligation not to disclose or sell its customers’ data. In the same motion, plaintiffs also sought an order requiring the preservation of evidence.

Judge Holwell agreed, and issued an order enjoining VIP from 1) selling any confidential information obtained from Clear members or applicants, 2) disclosing any such information to any other entity, and 3) maintaining or storing information in a manner that permits disclosure of the information. Judge Holwell also ordered that VIP take all necessary steps to preserve evidence relevant to the case. As news outlets have reported, however, VIP’s lawyers may challenge the order on the grounds that the judge failed to give them an opportunity to respond to plaintiffs’ motion.

Regardless of whether this particular order remains in place, the controversy surrounding VIP’s cessation of CLEAR service underscores the security and privacy issues that arise when companies entrusted with customers’ personal information are no longer financially viable.

Incident of the Week (Year?): Hacker Responsible for Largest Data Breach in U.S. History Indicted

According to a press release from the United States Attorney's Office for the District of New Jersey, yesterday an "indictment was returned against three individuals who are charged with being responsible for five corporate data breaches, including the single largest reported data breach in U.S. history." According to the press release, the indictment describes a scheme whereby Albert "Segvec" Gonzalez and two unnamed Russian defendants (identified as "Hacker 1" and "Hacker 2") stole "more than 130 million credit and debit card numbers together with account information" from Heartland Payment Systems, 7-Eleven, Inc., and Hannaford Brothers Co., and also hacked into two unidentified corporate victims.

Note that this is the same Albert Gonzalez that is awaiting trial for his role in the notable attack suffered by TJX that is now only the second largest known breach of its kind.

The indictment alleges that, between October 2006 and May 2008, Gonzalez and an uncharged co-conspirator named "P.T." identified potential corporate victims by, among other things, reviewing a list of Fortune 500 companies. They would then travel to retail stores of potential victims to identify point of sale terminals (checkout machines) and learn about potential vulnerabilities of those systems. P.T. would visit the corporate websites of potential victims to identify vulnerabilities in the payment processing systems the victims used. According to the indictment, the conspirators maintained computers in New Jersey and around the world that stored malware and other information critical to the hack. Gonzalez, P.T. and Hackers 1 and 2 then hacked into the victims' networks using various methods, including SQL injection attacks, a well-known class of attack that exploits security vulnerabilities between an online interface and the back-end customer database.

Once they had hacked into the computer networks, the conspirators placed malware on the victims' networks that enabled them to access the networks at a later date.  They would then find credit and debit card data and transmit it to servers they controlled.  At the same time, they installed "sniffer" programs, which would conduct real-time interception of data being processed by the victims and periodically transfer this data to the conspirators.  The indictment alleges that the conspirators often worked together on a real-time basis via instant messaging to advise each other how to navigate the victims' networks.  The conspirators concealed their actions in numerous ways, including disguising the IP addresses of their computers through intermediary (or "proxy") servers, and by placing additional malware on the victims' networks that could evade anti-virus software and would erase traces of the malware's presence on the networks.

Each defendant faces a maximum of 35 years in prison and more than $1 million in fines or twice the gain from the crimes, whichever is greater.  According to the press release, Gonzalez is currently in jail in Brooklyn, New York and awaiting trial in New York and Massachusetts related to prior instances of data theft. 

While it is certainly good to know that the Department of Justice continues to take an active role in large-scale incidents, the description of the scheme in the indictment should give retailers and other institutions pause and perhaps a reason to review information security measures. While the perpetrators in this case are obviously skilled programmers, it appears that they obtained some of the information essential to executing their scheme simply by observing checkout registers and visiting corporate websites. [Editor's note: the FTC has considered SQL injection attacks to be "commonly known or reasonably foreseeable" since at least 2000; see the FTC's enforcement action against Guess? and comments by the FTC's chief privacy officer. If your company has not hardened its website to these attacks, it may be assuming an undue risk.] Moreover, it appears from the indictment that three of the four individuals are still at large, and of course there are likely numerous individuals out there with both the means and the motive to perpetrate similar schemes. Because the indictment is fairly general in the details of the mechanics of the hacks, it will be interesting to see what details come out in the prosecution of the case and what lessons, if any, companies can learn from those details.
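As an added illustration of the editor's note above (this code is not from the indictment, the press release or this post), the query defect that SQL injection exploits is shown beside the parameterized form that closes it. The customer table and its rows are constructed sample data, and the lookup functions are hypothetical stand-ins for a retailer's web application.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for a back-end customer database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, card_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (email, card_last4) VALUES (?, ?)",
        [("alice@example.com", "1111"), ("bob@example.com", "2222")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    """Vulnerable pattern: the web-form value is spliced into the SQL text.

    Because the input becomes part of the statement itself, it can change the
    query's structure (e.g. add a condition that is always true) instead of
    merely supplying a value to compare against.
    """
    sql = "SELECT email, card_last4 FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn: sqlite3.Connection, email: str) -> list:
    """Hardened pattern: a parameterized query.

    The SQL text is fixed; the driver binds the input as a value, so whatever
    the user typed is only ever compared as a string and can never alter the
    statement.
    """
    sql = "SELECT email, card_last4 FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def compare(email: str) -> tuple:
    """Return (rows from vulnerable lookup, rows from hardened lookup)."""
    conn = build_db()
    try:
        return lookup_vulnerable(conn, email), lookup_hardened(conn, email)
    finally:
        conn.close()


if __name__ == "__main__":
    # A legitimate lookup behaves identically under both patterns.
    print(compare("alice@example.com"))
    # A crafted input that rewrites the WHERE clause dumps every row from the
    # vulnerable form and returns nothing from the parameterized form.
    print(compare("' OR '1'='1"))
```

The same parameter-binding discipline applies to every database driver and ORM; the fix is structural (keep data out of the statement text), not a matter of filtering particular characters.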

ALERT: Massachusetts Proposes Revised Information Security Regulations, Delays Enforcement Until March 1, 2010

Today, the Massachusetts Office of Consumer Affairs and Business Regulations (OCABR) issued proposed amendments to the Massachusetts information security regulations, 201 CMR 17.00 to 17.05 (.doc). The highlights of the proposed regulations include the following:

  • Enforcement of the regulations is postponed until March 1, 2010.

  • Businesses affected by the regulations include anyone that "receives, maintains or otherwise has access to personal information in connection with the provision of goods or services or in connection with employment."

  • The written information security program required by the regulations should be appropriate to the size and scope of the business, the resources available to the business and the need for security.

  • The revised regulations require that businesses enter into written contracts with service providers that require service providers to adopt appropriate security measures. There is a grandfather provision that deems any contract entered into before March 1, 2010 to be in compliance with this aspect of the regulations.

  • All technical (i.e., computer, network and electronic) security measures are only required "to the extent technically feasible." The FAQ accompanying the revised regulations has this to say about what is technically feasible: "if there is a reasonable means through technology to accomplish a required result, then that reasonable means must be used."

OCABR also issued a useful FAQ on the proposed amendments (.doc) that takes on questions such as "Do all portable devices have to be encrypted?" (Answer: no, only the ones that contain personal information) and "Must I encrypt my backup tapes?" (Answer: yes, on a going forward basis). In OCABR's press release (.doc), Undersecretary Barbara Anthony states that the amended regulations reinforce that "technical feasibility plays a role in what many businesses, especially small businesses can do to protect data."  OCABR will hold a public hearing on the proposed rules at 10:00 a.m. on September 22, 2009 (see OCABR's notice of public hearing (.pdf)).

These regulations ignited a storm of controversy beginning in late 2008, and the deadline has been progressively postponed from January 1, 2009, to May 1, 2009, then to January 1, 2010, and finally to March 1, 2010. In May, Massachusetts State Senate Chairman Michael Morrissey criticized the regulations as "beyond [the law's] intent" at a public hearing on proposed Senate Bill 173 (.pdf), a bill to substantially revise the Massachusetts law and scale back OCABR's onerous information security regulations. Progress on the bill stalled when newly-appointed OCABR Undersecretary Anthony agreed to issue amended regulations to bring the regulations closer to the legislative intent and respond to the concerns voiced by the small business community.

Incident of the Week: Seattle Man Sentenced To Three Years In Prison For Using Peer-To-Peer Software To Steal Financial Records, Commit Identity Theft

Yesterday, Frederick Eugene Wood of Seattle was sentenced to 39 months in prison for using LimeWire peer-to-peer (P2P) software to obtain Social Security numbers, bank and financial records and tax returns, which he then used to commit identity theft. The complaint (.pdf) filed in federal court for the Western District of Washington in March alleged that Wood took advantage of the fact that users sometimes install LimeWire or other peer-to-peer software on computers without limiting the directories and files made available to the peer-to-peer network.

Especially when a household computer is shared between parents and children, the installation of peer-to-peer software may make tax returns, bank statements and other personal information saved on that computer available to everyone else on the peer-to-peer network. During questioning by state and federal investigators, Wood explained that "kids put Limewire on the computer and the parents don't know." As a result, Wood was able to obtain personal information from approximately 120 different individuals from Massachusetts, New York, Georgia, Florida, Ohio, Iowa, Louisiana, Oregon and California. He then used this information to create counterfeit checks and driver's licenses and to open credit accounts in the victims' names.

Note that failing to limit the files shared by peer-to-peer software is not just a problem for household computers. In an earlier post, we discussed the problems caused when an employee installed LimeWire at work.  Also note that LimeWire's user guide and FAQ provide directions on how to make sure you are not sharing personal or sensitive information with the world.

Wood's scheme was discovered after he posted an ad on Craigslist.com purporting to sell a "brand new" Apple MacBook Pro for $1,500 and instead shipped a box containing a book and a glass vase rather than a computer. Working with Seattle Police, the victim set up a meeting with Wood and he was arrested. Upon investigation, Seattle Police discovered that Wood possessed a number of counterfeit driver's licenses and sought the assistance of the Social Security Administration's Office of Inspector General. The King County Sheriff's Office, FBI, U.S. Postal Inspection Service and U.S. Secret Service's Electronic Crimes Unit also assisted in the investigation.

Wood pled guilty to violations of federal laws governing identity theft (18 U.S.C. sec. 1038(A)), wire fraud (18 U.S.C. sec. 1343) and the Computer Fraud and Abuse Act (18 U.S.C. sec. 1030(a)(4)).  He is also required to pay over $25,000 in restitution to a number of parties, including Bank of America, American Express and other financial institutions (for the complete list, see the judgment filed in court earlier this week (.pdf)).

Facebook Changes User Privacy Controls

Last month, Facebook announced plans to simplify its users' ability to control privacy settings. Facebook will standardize privacy settings, remove overlapping settings, and put all settings on the same page. In an effort to give users more control over how their information is shared, Facebook will allow users to decide, on a post-by-post basis, with whom to share their content. Users will have the option of sharing their posts with: 1) only specific friends, 2) all friends, 3) friends and people in the user’s network, 4) friends of friends, or 5) everyone. According to media reports, the "everyone" option will soon expand to include anyone on the internet – a move widely seen as an attempt to compete with Twitter. Facebook will launch a Transition Tool that will prompt users to set their level of sharing, and will carry over previous privacy settings.  

The announcement carefully explained that the changes would not affect the information Facebook provides to its advertisers – a topic related to the controversy earlier this year surrounding proposed revisions to the Facebook terms of service.  Instead, Facebook will continue to provide advertisers with only that information that users have authorized.

With the changes, Facebook will provide users with more options for controlling access to their content. As one might predict given the current climate favoring increased user control over privacy, Facebook's proposed changes have largely been well received. Only time will tell whether most users will exercise this control to share their data or whether they will favor keeping their information private.

Incident of the Week: Latvian Internet Service Provider Shut Down After Being Linked to Cybercrime Ring

Earlier this week, Latvian internet service provider Real Host was shut down by its upstream providers Junik and TeliaSonera after security experts linked Real Host to a number of criminal activities. Among the many activities allegedly conducted through Real Host were the use of malware to steal banking credentials, SPAM email campaigns, and the hosting of command and control servers for the Zeus botnet (i.e., millions of infected computer slaves or "bots" used by cybercriminals to steal information and attack other computers). The expert who linked Real Host to these activities, and who goes by the pseudonym "Jart Armin," told Network World in an interview that Real Host may be "one of the top European centers of crap." Armin's site, HostExploit.com, has published a report on the rogue ISP (requires registration) and even has an abstract video of the take-down occurring.

The take-down of rogue ISPs by upstream service providers has become more common in the United States with the removal of Atrivo and McColo, two service providers shut down at the end of 2008. Where service providers did not take action, the Federal Trade Commission filed suit in federal court in California in June of this year to remove the rogue ISP Pricewert/3FN. The complaint filed by the FTC (.pdf) alleged that, in becoming an active participant in a range of cybercrimes, the ISP committed unfair or deceptive acts or practices in violation of the FTC Act, 15 U.S.C. sec. 45(a). (Note also that the temporary restraining order and preliminary injunction entered in that action not only shut down the ISP, but also ordered the seizure of assets and a number of other extraordinary protections.)

IRS In Discussions With Swiss Bank UBS Over Identification of Bank Clients Suspected of Tax Evasion

On July 13, a federal judge in Miami granted a joint motion to stay an evidentiary hearing that was to be held as a result of a petition from the United States that the Swiss bank UBS be compelled to disclose the names of 52,000 American clients who were suspected of tax evasion. The case has raised concerns about the effects of privacy laws in other nations on the ability of the federal government to enforce its own laws. It has also created tension between the Justice Department, which had said it might fine, or even indict, UBS if the judge ordered it to disclose the names and it continued to refuse to do so, and the Swiss government, which has said it would not allow UBS to disclose any names.

The case began on February 19, 2009, when the United States filed a petition (.pdf) in the U.S. District Court for the Southern District of Florida, asking the court to enforce an IRS "John Doe" summons to UBS.  The IRS served the summons in furtherance of an investigation it was conducting to determine the identities of U.S. taxpayers who had allegedly failed to report the existence of, and income earned in, undeclared Swiss accounts with UBS.  On February 20, UBS filed a document containing what it termed "background information for the court's consideration" (.pdf).  In this filing, UBS argued that the IRS was essentially asking it to violate Swiss privacy laws, thereby exposing its employees and the bank to criminal and civil penalties.  UBS argued that the petition raised serious issues of international comity due to Swiss financial privacy laws, violated treaties between the United States and Switzerland and violated a prior agreement between the United States and UBS.  That same day, the United States filed a response (.pdf) that disputed the arguments made by UBS.

On April 30, UBS then filed a brief (.pdf) that expounded on its arguments against disclosure.  In support of UBS, the Swiss government filed an amicus brief (.pdf).  On June 30, the United States then filed its response (.pdf).  The federal judge had scheduled a hearing for July 13, 2009, to hear arguments on the petition.  On July 12, 2009, however, the parties filed a joint motion to stay the hearing, so they could continue to discuss settlement.  The judge granted the motion and re-set the hearing to August 3, in the event the parties could not reach a resolution.

The dispute between the IRS and UBS is also having effects on third parties. The Wall Street Journal reported on Monday that Swiss banks are curbing or eliminating business with U.S. customers for fear of future action by U.S. authorities. While it is probable that the U.S. and UBS will reach some sort of settlement (likely involving a payment by UBS to the U.S.), if the case goes forward it will be interesting to see what future effects the outcome could have, not just on financial transactions between American citizens and Swiss banks, but on transactions between American citizens and any other international bank, as well as on the federal government's ability to enforce tax laws beyond its borders.
