Operation WireWire – ACH Fraud Takedown

“Operation WireWire—which also included the Department of Homeland Security, the Department of the Treasury, and the U.S. Postal Inspection Service—involved a six-month sweep that culminated in over two weeks of intensified law enforcement activity resulting in 74 arrests in the U.S. and overseas, including 42 in the U.S., 29 in Nigeria, and three in Canada, Mauritius, and Poland. The operation also resulted in the seizure of nearly $2.4 million and the disruption and recovery of approximately $14 million in fraudulent wire transfers.” (DOJ.gov)

Business Email Compromise (BEC) is one of the scams aimed at companies that conduct wire transfers and have suppliers abroad.  Corporate or publicly available email accounts of executives and high-level employees related to finance or involved with wire transfer payments are either spoofed or compromised, through keyloggers or phishing attacks, to make fraudulent transfers, resulting in hundreds of thousands of dollars in losses. (Trend Micro).
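The two delivery mechanisms named above, a spoofed sender and a compromised mailbox, leave different fingerprints on a message, and a mail gateway or a finance team's triage script can check for the cheap ones before a wire request is ever acted on. The following is an added example, not code from the original post or from Trend Micro; the company domain, the confusable-character table and the four sample messages are constructed for the demonstration. It flags three patterns: a display name that carries an internal address while the real sender is external, a sender domain that is a lookalike of the company's own, and a Reply-To that silently redirects the conversation elsewhere.

```python
from email.utils import parseaddr

# Assumption: the company's own domain; anything else is treated as external.
TRUSTED_DOMAINS = {"example-corp.com"}

# Substitutions attackers use to build lookalike domains (constructed, not exhaustive).
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def normalize_label(label):
    """Fold common visual substitutions so 'exarnple' and 'examp1e' compare equal to 'example'."""
    label = label.lower()
    for fake, real in CONFUSABLES:
        label = label.replace(fake, real)
    return label


def levenshtein(a, b):
    """Edit distance; a threshold of one catches single-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def second_level(domain):
    parts = domain.lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def lookalike_of(domain, trusted):
    """Return the trusted domain this one imitates, or None."""
    if domain in trusted:
        return None
    for t in trusted:
        if levenshtein(normalize_label(second_level(domain)), normalize_label(second_level(t))) <= 1:
            return t
    return None


def domain_of(header_value):
    _, addr = parseaddr(header_value)
    return addr.rpartition("@")[2].lower()


def analyze(headers, trusted=TRUSTED_DOMAINS):
    """Return a list of findings for one message's headers; an empty list means nothing suspicious."""
    findings = []
    name, addr = parseaddr(headers.get("From", ""))
    from_dom = addr.rpartition("@")[2].lower()
    if from_dom not in trusted:
        # Display name shows an address or the company domain while the real sender is external.
        if "@" in name or any(t in name.lower() for t in trusted):
            findings.append(f"display name '{name}' impersonates an internal address; real sender is {addr}")
        if (t := lookalike_of(from_dom, trusted)):
            findings.append(f"sender domain {from_dom} looks like {t}")
    reply_dom = domain_of(headers["Reply-To"]) if "Reply-To" in headers else from_dom
    if reply_dom != from_dom:
        # Replies, and any banking details sent back, go somewhere the From line does not show.
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
        if (t := lookalike_of(reply_dom, trusted)):
            findings.append(f"Reply-To domain {reply_dom} looks like {t}")
    return findings


# Constructed sample headers, not taken from any real incident.
SAMPLES = {
    "legit": {"From": "Jane Doe <jane.doe@example-corp.com>", "Subject": "Q2 numbers"},
    "lookalike": {"From": "Jane Doe <jane.doe@exarnple-corp.com>", "Subject": "Urgent wire needed today"},
    "display_name": {"From": '"jane.doe@example-corp.com" <ceo.office@webmail.example>', "Subject": "Are you at your desk?"},
    "reply_to": {"From": "Jane Doe <jane.doe@example-corp.com>", "Reply-To": "jane.doe@examp1e-corp.com", "Subject": "Updated banking details"},
}


def triage(samples=SAMPLES):
    return {name: analyze(h) for name, h in samples.items()}


if __name__ == "__main__":
    for name, findings in triage().items():
        print(name, findings or ["clean"])
```

A mailbox that has actually been compromised passes all three checks, because the mail really does come from the executive's account; for that case the control is out of band, a phone call to a known number before any change of wire instructions is honored.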

I’ve seen recent comments in the media claiming this DOJ crackdown won’t put a big dent in BEC, or make much of an impact at all, given the breadth of the fraud tied to this outfit. I imagine the analysts quoted are looking at aggregate totals from a mile-high perspective rather than the close-up, full-scale damage done to small businesses in this country. Companies have gone out of business, and schools have been attacked by these perpetrators. Personally, I don’t agree with or support the position that this is just another routine arrest to be glossed over, as if it were picking off a few credit card skimmers.

The economics of traditional credit card fraud and Business Email Compromise cannot be compared directly, given who they hit and the average loss per incident. This was never about consumer impact; the criminals have always focused on small and medium-sized businesses. It is typically commercial accounts that are vulnerable to this kind of wire transfer fraud, unlike consumer credit cards, which carry issuer fraud protection (chargebacks, zero-liability policies, one-time virtual card numbers). In a BEC case the wires are sent directly from the compromised account, and a wire that has settled is not simply reversed.

Criminals obviously have far more to gain from raiding the digital coffers of businesses handling millions in revenue, given that the average consumer credit card limit hovers around a measly $8,000. The average loss per successful BEC incident is around $130,000; by comparison, robbing a bank nets about $3,800. Reported per-incident losses for traditional credit card fraud are much lower. Take a look at “23 Frightening Credit Card Fraud Statistics,” and you’ll see that in 2014 the median loss was $300 and the average reported loss was $1,343. Someone ‘crushed’ by numbers that small would naturally conclude that a few dozen arrests can’t make a dent in high-volume fraud. The reality, however, is that many BEC scams net over a million dollars from a single victim, something that seems unfathomable to people still living in the world of old-fashioned credit card fraud. This isn’t like the time somebody bought a $100 pair of sneakers with my debit card.

Not sure this is a problem yet? Ask Google and Facebook, victims of a $100 million fraud perpetrated almost entirely by a single individual in Lithuania. There are Nigerian men who stole almost $4 million in a short time. If you really want to know, ask Leoni AG, which lost $44 million in a single scam just a few years back. Are these extreme examples of BEC? No; many of these scams exceed a million dollars in losses in a single incident. I don’t need exact figures to make the connection that attackers with minimal sophistication are pulling this off for piles of cash. BEC scammers were operating largely with impunity before this DOJ crackdown; if not, how could the losses possibly add up to $3 billion? DOJ has locked up a few here and there, but nothing like the 74 people in this most recent sweep.

Any law enforcement action is welcome, as long as it protects companies from scams and sends a clear message to criminals abroad: if your activity trends upward, so will our efforts to capture you. Not to mention that law enforcement is now working out how to take down these networks efficiently, which opens the door to streamlined enforcement for this type of crime.

The DOJ is doing a good job, and I don’t see exposing these scammers in front of the world as a “dog and pony show.” It’s about justice, and about showing people in other countries that the internet may seem like a free plane ticket to communicate overseas, but you can still get arrested where that connection lands, just as you could in an airport. You’ve got to start sometime, and today works well for tomorrow’s potential victims.

People who work on the ground in cyber security know this day is long overdue and should be celebrated, not shrugged off as a waste of time. I’d never call it a waste of time; who in my industry would?

So let’s not turn the war on BEC into the war on Credit Card Fraud. Great work out there, folks!

Recent News:

Washington Post – It’s time to stop laughing at Nigerian scammers — because they’re stealing billions of dollars

Boston Herald – Phishing theft of $93G at clean energy agency went unreported for months

Telstra – A silent cybercrime blitzkrieg as Aussie businesses robbed of millions

IC3 – 2017 Internet Crime Report featuring Business E-mail Compromise

Cyber Insecurity


(Excerpt of a speech I saw in person by Dan Geer, a wizard who inspired me greatly when I saw him present at a conference. This post is meant as a tribute to his supreme wisdom as he perfectly captures the essence of the battle we face ahead. It is not my own content.)

Our society’s infrastructure can no longer function without computers and networks. The sum of the world’s networked computers is a rapidly increasing force multiplier. Today’s businesses are becoming heavily dependent on technology for integration, productivity, and organizational scalability.

Data is an increasing fraction of total corporate wealth and needs to remain secure while ensuring confidentiality, availability, and integrity.

Increasingly, organizations require communications to provide rapid and agile collaboration, information sharing, and connectivity to data sources. Technology enables employees and partners to work and access systems anywhere, anytime – also placing systems at an increased risk by the same token of availability. The protection of digital assets during transport, and at rest on storage devices is essential to the life cycle of information, as it transcends the border of physical and logical controls.

The world of security is becoming more complex and threatening every day. This increasing complexity embeds dependencies in a manner that may diminish the frequency of surprises; however, the surprises will be all the more unexpected when they inevitably occur.

Security is becoming a means and not an end; modern protection strategies are quickly shifting toward risk absorption rather than risk avoidance. Service-oriented architectures and Web 2.0 technologies are fueling the internet revolution while at the same time rapidly deteriorating the security situation. That deterioration compounds when nearly all individuals and businesses are establishing dependencies on computer and communications systems. It is thus obvious that increasing dependence means ever more difficulty in crafting protections against known and unknown threats to systems.

The traditional network barriers that separated trusted from untrusted and “inside” from “outside” are now disappearing. As more applications become directly accessible to remote users and systems, the concept of the network perimeter becomes increasingly vague and more difficult to protect. Attacks are no longer confined to lower areas of the network stack and target widely adopted systems and software programs, having major implications globally, in all sectors.

Threats and risk are chiefly growing amongst poorly coded applications and unsophisticated end users. Modern-day security has become an architecture of devices, people and software that work towards providing the best possible layered defense against attacks.

We now know that protections need to work together in a concerted effort to reduce risk and mitigate known and unknown threats to our infrastructure.

Those with either an engineering or management background are aware that one cannot optimize everything at once, and that requirements are balanced by constraints. In engineering, this is said as “Fast, Cheap, Reliable: Choose Two.” In the public policy arena, we must first remember the definition of a free country: a place where that which is not forbidden is permitted.

No society needs rules against impossibilities and I believe that we are now faced with “Freedom, Security, Convenience: Choose Two.”

For me, I will take freedom over security and I will take security over convenience, and I will do so because I know that a world without failure is a world without freedom. A world without the possibility of sin is a world without the possibility of righteousness. A world without the possibility of crime is a world where you cannot prove you are not a criminal. A technology that can give you everything you want is a technology that can take away everything that you have.

After 15 years of analyzing the playing field, I am convinced that at some point, in the near future, one of us security geeks will have to say that there comes a point at which safety is not safe.

Dan Geer / In-Q-Tel / InfraGard

Key drivers of Hacking/Security:

The emergence of internet-based criminal black market

The sophistication of attack tools and methods used by hackers

Markets for Cybercrime Tools and Stolen Data Software

Monocultures facilitating mass hacking and botnet control


A proud member of: The InfraGard program is a public/private cooperative effort dedicated to improving our national security. InfraGard consists of chapters throughout the United States. The FBI leads the U.S. Government side of InfraGard. InfraGard provides a trusted forum for the exchange and channeling of information and subject matter expertise related to the protection of our nation’s critical infrastructure from physical and cyber threats.

FBI Memo: Hackers Breached Heating System via Backdoor


Tridium ICS diagram of HVAC network.

Hackers broke into the industrial control system of a New Jersey air conditioning company earlier this year, using a backdoor vulnerability in the system, according to an FBI memo made public this week.

The intruders first breached the company’s ICS network through a backdoor in its Niagara AX ICS system, made by Tridium. This gave them access to the mechanism controlling the company’s own heating and air conditioning, according to a memo prepared by the FBI’s office in Newark (.pdf), which was published on Saturday by the website Public Intelligence. News about the memo was first reported by Ars Technica.

The breach occurred in February and March of this year, several weeks after someone using the Twitter moniker @ntisec posted a message online indicating that hackers were targeting SCADA systems, and that something had to be done to address SCADA vulnerabilities.

The individual had used the Shodan search engine to locate Tridium Niagara systems that were connected to the internet and posted a list of URLs for the systems online. One of the IP addresses posted led to the New Jersey company’s heating and air conditioning control system.

The company used the Niagara system not only for its own HVAC system, but also installed it for customers, which included banking institutions and other commercial entities, the memo noted. An IT contractor who worked for the company told the FBI that the company had installed its own control system directly connected to the internet with no firewall in place to protect it.

Although the system was password protected in general, the backdoor through the IP address apparently required no password and allowed direct access to the control system. “[Th]e published backdoor URL provided the same level of access to the company’s control system as the password-protected administrator login,” said the memo.

The backdoor URL gave access to a Graphical User Interface (GUI), “which provided a floor plan layout of the office, with control fields and feedback for each office and shop area,” according to the FBI. “All areas of the office were clearly labeled with employee names or area names.”
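The memo’s finding, that an unauthenticated URL returned exactly what the administrator login returned, is a condition you can test for on any web-managed controller before it goes on the internet: fetch the admin view with credentials, then fetch every candidate path without credentials and compare. The script below is an added example, not code from the original article, from Tridium or from the FBI; it stands up a constructed stand-in controller on localhost whose paths (/admin, /panel, /status) and password are made up for the demonstration, and runs the comparison against it.

```python
import base64
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed stand-in for an internet-facing building controller. The paths and
# credentials below are invented for the demo; they are not a real product's.
ADMIN_USER, ADMIN_PASS = "admin", "constructed-password"
PANEL = b"<html>floor plan: lobby / shop floor / server room, with setpoint controls</html>"


def basic_header(user, password):
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


class FakeController(BaseHTTPRequestHandler):
    def do_GET(self):
        if self.path == "/admin":
            # The documented way in: requires the administrator credentials.
            if self.headers.get("Authorization") != basic_header(ADMIN_USER, ADMIN_PASS):
                self.send_response(401)
                self.send_header("WWW-Authenticate", 'Basic realm="controller"')
                self.end_headers()
                return
            body = PANEL
        elif self.path == "/panel":
            # The undocumented path: same panel, nobody asked for a password.
            body = PANEL
        else:
            self.send_response(404)
            self.end_headers()
            return
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo output quiet
        pass


def fetch(url, auth=None):
    """GET a URL, optionally with Basic credentials; return (status, body) even on 4xx."""
    req = urllib.request.Request(url)
    if auth:
        req.add_header("Authorization", basic_header(*auth))
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def audit(base_url, paths, admin_auth):
    """Return the paths that serve the administrator's content to an unauthenticated client."""
    status, reference = fetch(base_url + "/admin", admin_auth)
    if status != 200:
        raise RuntimeError(f"admin login failed with HTTP {status}; nothing to compare against")
    exposed = []
    for path in paths:
        status, body = fetch(base_url + path)  # deliberately no credentials
        if status == 200 and body == reference:
            exposed.append(path)
    return exposed


def run_demo():
    server = HTTPServer(("127.0.0.1", 0), FakeController)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        base = f"http://127.0.0.1:{server.server_port}"
        return audit(base, ["/admin", "/panel", "/status"], (ADMIN_USER, ADMIN_PASS))
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print("reachable without a password:", run_demo())
```

On a real device the candidate list comes from the vendor documentation, the web root listing and a crawl of the links in the admin GUI. A byte-for-byte match is the strict test; pages with timestamps or session tokens need the volatile parts stripped first. None of this substitutes for the control the contractor in the memo skipped: the management interface should not be reachable from the internet at all.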

Forensic logs showed that intruders had gained access to the system from multiple IP addresses in and outside the U.S. The memo does not indicate if the intruders manipulated the system after obtaining access to it.

Five months after the breaches first began, Tridium and the Department of Homeland Security’s ICS-CERT division published alerts disclosing a directory traversal and weak credential storage vulnerability (.pdf) in the Niagara AX Framework system. Security researchers Billy Rios and Terry McCorkle were credited with disclosing the vulnerability to ICS-CERT.

More than 300,000 Tridium Niagara AX Framework systems are installed worldwide, according to the Tridium web site, and are used in energy management, building automation, telecommunications, security automation and lighting control.

According to Ars Technica, a search of Shodan earlier this year by Rios uncovered more than 20,000 of the Niagara systems connected to the internet.


Dexter Malware attacks POS

In an article titled “Dexter – Draining blood out of Point of Sales,” Israel-based security firm Seculert identified malware programmed to attack POS systems. Targeting the POS lets attackers extract card data from an aggregation point, rather than compromising end-user machines one at a time or physically installing a skimmer.
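What makes a POS an aggregation point is that every card swiped passes through it in stripe format, and the same pattern a scraper hunts for is what a defender can hunt for in a memory dump or a suspicious outbound file. The scanner below is an added example, not code from the original post, from Seculert or from Dexter itself; the sample buffer is constructed and uses the standard 4111… and 5500… test numbers, so nothing real is in it. It matches Track 1 and Track 2 layouts on their sentinel characters, drops hits whose check digit fails Luhn (noise, not card data), and masks the PAN before reporting.

```python
import re

# Track 1 (%B<PAN>^<NAME>^<YYMM>...?) and Track 2 (;<PAN>=<YYMM>...?) as written to the
# stripe. Anchoring on the sentinels keeps false positives down in a large image.
TRACK1 = re.compile(rb"%B(?P<pan>\d{13,19})\^(?P<name>[A-Z /.]{2,26})\^(?P<exp>\d{4})\d*\?")
TRACK2 = re.compile(rb";(?P<pan>\d{13,19})=(?P<exp>\d{4})\d*\?")


def luhn_ok(pan):
    """Mod-10 check digit test every issued PAN satisfies."""
    total = 0
    for i, digit in enumerate(reversed(pan)):
        d = int(digit)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan):
    """Keep BIN and last four, the most a report or log line should ever carry."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(buf):
    """Scan a memory or disk image for stripe data; return Luhn-valid hits, PAN masked, by offset."""
    hits = []
    for track, pattern in (("track1", TRACK1), ("track2", TRACK2)):
        for m in pattern.finditer(buf):
            pan = m.group("pan").decode()
            if not luhn_ok(pan):
                continue  # sentinel-shaped bytes with a bad check digit are noise
            hits.append({
                "track": track,
                "offset": m.start(),
                "pan": mask(pan),
                "exp": m.group("exp").decode(),
            })
    return sorted(hits, key=lambda h: h["offset"])


# Constructed process-memory sample: two valid test cards and one decoy that fails Luhn.
SAMPLE = (
    b"\x00\x00receipt printer init\x00"
    b"%B5500000000000004^DOE/JOHN^25121010000000000000?"
    b"\x00\x00POS app heartbeat\x00"
    b";4111111111111111=25121011234567890?"
    b"\x00;1234567890123=2512101000?\x00"
)


if __name__ == "__main__":
    for hit in find_track_data(SAMPLE):
        print(hit)
```

Run against a dump of the POS application's memory, a non-empty result is the indicator that card data is sitting unencrypted where a scraper can read it; run against files the POS is about to send out, it is a DLP check. Either way the reported PAN is masked, so the tool does not itself become a place card numbers accumulate.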

Dexter has reportedly targeted systems in 40 countries over the past 2-3 months.

According to SpiderLabs, the research team at security firm Trustwave, Dexter has an unusual nature. SpiderLabs blogger Josh Grunzweig noted: “I can’t remember the last time I saw a piece of malware that targeted Point of Sale systems that had a nice C&C structure to it.”

Bank fraud has evolved into a billion-dollar industry worldwide, and Dexter is just another example of attackers choosing the targets with the most lucrative cyber bounty.

Digital bank robbers make off with $6.7 million


During the holidays, cybercriminals kept busy hacking websites and stealing all the data they could find. South African Postbank, a financial institution owned by the SA Post Office, is one of the victims.


South African bank Postbank was robbed of $6.7 million earlier this month. But the thieves didn’t need masks and guns to pull off the job — just computers.


To pull off the heist, the hackers created a backdoor into one of the bank’s computers. From that hacked computer, they were able to access the rest of the network and issue the commands to distribute the $6.7 million to different accounts owned by the thieves. Those accounts were promptly emptied via ATM visits. Preliminary reports revealed that the cybercrime ring responsible for the theft opened a number of Postbank accounts all across the country and then, in the period between January 1 and January 3, they managed to access a Post Office employee’s computer from where they deposited money from other accounts into their own.

Since the transfers didn’t raise any red flags with the bank’s automated fraud-detection programs, employees failed to notice the money was missing until the bank re-opened after the New Year’s holiday.
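The reported pattern has several signals a fraud system could have scored on even without knowing the operator's workstation was backdoored: a single internal host pushing large sums over a public holiday into accounts that had only just been opened. The following is an added example, not Postbank's system or any vendor's; the account opening dates, holiday calendar, hostnames and transfers are constructed to resemble the description above. It groups suspicious transfers by the submitting workstation and returns the batches that should be held for a human before the money leaves.

```python
from collections import defaultdict, namedtuple
from datetime import date, datetime

Transfer = namedtuple("Transfer", "ts host dest amount")

# Constructed data, not Postbank's: when each destination account was opened, the
# holiday calendar, and what two operator workstations submitted over the break.
ACCOUNT_OPENED = {
    "ACC-1001": date(2009, 6, 1),
    "ACC-2001": date(2011, 12, 28),
    "ACC-2002": date(2011, 12, 29),
    "ACC-2003": date(2011, 12, 30),
}
HOLIDAYS = {date(2012, 1, 1), date(2012, 1, 2)}
TRANSFERS = [
    Transfer(datetime(2011, 12, 30, 10, 15), "ops-ws-04", "ACC-1001", 12_000.0),
    Transfer(datetime(2012, 1, 1, 2, 10), "ops-ws-17", "ACC-2001", 1_500_000.0),
    Transfer(datetime(2012, 1, 2, 3, 40), "ops-ws-17", "ACC-2002", 1_500_000.0),
    Transfer(datetime(2012, 1, 3, 4, 5), "ops-ws-17", "ACC-2003", 1_500_000.0),
    Transfer(datetime(2012, 1, 3, 9, 30), "ops-ws-04", "ACC-2001", 900.0),
]


def off_hours(ts, holidays):
    """Weekend, public holiday, or outside 08:00-18:00: nobody legitimate is at that desk."""
    return ts.weekday() >= 5 or ts.date() in holidays or not 8 <= ts.hour < 18


def review_queue(transfers, opened, holidays, new_days=30, min_count=3, max_total=1_000_000.0):
    """Score each transfer, group the suspicious ones by submitting host, and return the
    hosts whose batch trips either the count or the total-value threshold."""
    suspicious = defaultdict(list)
    for t in transfers:
        reasons = []
        age = (t.ts.date() - opened[t.dest]).days
        if age <= new_days:
            reasons.append("destination account opened %d days ago" % age)
        if off_hours(t.ts, holidays):
            reasons.append("submitted outside business hours")
        if reasons:
            suspicious[t.host].append((t, reasons))
    alerts = []
    for host, items in suspicious.items():
        total = sum(t.amount for t, _ in items)
        if len(items) >= min_count or total > max_total:
            alerts.append({
                "host": host,
                "count": len(items),
                "total": total,
                "reasons": sorted({r for _, rs in items for r in rs}),
            })
    return alerts


if __name__ == "__main__":
    for alert in review_queue(TRANSFERS, ACCOUNT_OPENED, HOLIDAYS):
        print(alert)
```

The point of grouping by host rather than scoring each transfer alone is that each individual transfer can look like routine business; it is the cluster, from one workstation, at 3 a.m., into week-old accounts, that has no honest explanation. The 900-unit transfer from the other workstation still earns a reason (young destination account) but not an alert, which is the trade-off every threshold makes.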

The irony is that three years ago the institution invested heavily in its anti-fraud systems. But as this case shows, anti-fraud systems aren’t worth much if the company doesn’t have a strict policy for how employees handle their computers.

If the reports are accurate, it is very likely that an employee with privileged rights fell victim to a scam email designed to deliver a Trojan.

Fin24 reports that the National Intelligence Agency, which offers assistance when a government institution is compromised, has launched an investigation to precisely determine the causes that allowed for the incident to occur.

Bank representatives state that none of their customers are affected by the breach, but security experts believe that Postbank’s systems desperately need an upgrade.

Crooks don’t necessarily have to hack into a bank’s systems to gain access; it may be much easier to manipulate someone into handing over information that lets them waltz in undetected.

Lately, we’re presented with many cases in which a little bit of social engineering can perform much more efficiently than even the most sophisticated piece of malware. Take the thieves who stole 9 million dollars from payroll debit cards issued by RBS Worldpay.

AT&T iPad site hacker to fight on in court

A hacker facing trial on charges that he and a cohort conspired to break into an AT&T Web site for 3G iPad users told CNET today that he will fight the charges “to the end.”

Andrew “Escher” Auernheimer, 26, was indicted several months ago on one count of conspiracy to gain unauthorized access to computers and one count of identity theft. He faces up to 10 years in prison and $500,000 in fines. Co-defendant Daniel Spitler pleaded guilty in June and a judge put the case on hold, reportedly because of plea negotiations.

But Auernheimer, whose hacker handle is “weev,” says he’s not going to cop a plea.

“I did not fold the two previous times when the FBI tried to frame me as a terrorist” for allegedly calling in a bomb threat to a synagogue, which he denies, he said in an e-mail. “I will not fold now when they try to libel me as a thief. My indictment conveys a message that I am some sort of identity thief.”

In a follow-up phone interview, Auernheimer said he has done “nothing ethically wrong” and is being persecuted for “telling the truth” by exposing a security hole in AT&T’s Web site that was leaking e-mail addresses and unique device numbers for about 120,000 3G iPad users last year, including government and high-profile corporate customers.


Andrew Auernheimer, aka “Weev,” in a photo from earlier this year.(Credit: Anonymous)

“I contend there is no crime in telling the truth or using AT&T’s, or anybody’s, publicly accessible data, to cite it to talk about how they made people’s data public,” he said. “There’s a continuance until January. There may be a trial then…I just want to fight this thing to the end.”

A Department of Justice spokesman declined to comment because the court case is pending.

Asked his thoughts on Spitler’s guilty plea, Auernheimer said he was sure that Spitler would “cooperate in some way.” “I don’t blame him. He’s a good guy,” he said of his former hacking partner. “It’s probably terrifying for most people to go through this process. I’ve been fighting ‘The Man’ for years.”

Spitler wrote a script called the “iPad 3G Account Slurper” and used it against AT&T servers to harvest the iPad user data. The Justice Department contends that he and Auernheimer plotted on how to take advantage of the security hole for profit, but Auernheimer claims they were merely trying to protect consumers and waited until AT&T knew about the hole and fixed it before allowing Gawker to publish the details.
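Whatever one thinks of the prosecution, the hole itself is a textbook pattern: an endpoint that hands back account data for any device identifier the client supplies, treating a guessable number as proof of ownership. The following is an added example, not AT&T's code, the script from the case, or anything else from the article; the subscriber table, the identifier format and the e-mail addresses are invented. It shows the leaky lookup beside the hardened one and what a harvesting loop gets back from each.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class Account:
    username: str
    email: str
    devices: set = field(default_factory=set)


# Constructed subscriber table; identifiers and addresses are made up for the demo.
ACCOUNTS = [
    Account("alice", "alice@example.com", {"DEV-0001"}),
    Account("bob", "bob@example.com", {"DEV-0002"}),
    Account("carol", "carol@example.gov", {"DEV-0004"}),
]
BY_DEVICE = {dev: acct for acct in ACCOUNTS for dev in acct.devices}


def lookup_vulnerable(device_id):
    """The leaky pattern: the device identifier the client sends is the only 'credential',
    so anyone who can enumerate identifiers gets the e-mail behind each one."""
    acct = BY_DEVICE.get(device_id)
    return acct.email if acct else None


SESSIONS = {}  # server-issued token -> username


def start_session(username):
    """Issued only after a real login; the password/OTP check is assumed to have happened."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = username
    return token


def lookup_hardened(token, device_id):
    """The fix: an unguessable session says who is asking, and the device must belong to
    that account. Unknown device and somebody else's device get the same answer, so the
    endpoint is not an oracle for which identifiers exist."""
    username = SESSIONS.get(token)
    if username is None:
        return None  # 401 in a real service
    acct = BY_DEVICE.get(device_id)
    if acct is None or acct.username != username:
        return None  # one response for both cases, never 403 vs 404
    return acct.email


def sweep(lookup, candidates):
    """What a harvesting script collects by walking a range of guessed identifiers."""
    return {dev: email for dev in candidates if (email := lookup(dev)) is not None}


CANDIDATES = [f"DEV-{n:04d}" for n in range(0, 8)]


def compare():
    alice = start_session("alice")
    return {
        "vulnerable": sweep(lookup_vulnerable, CANDIDATES),
        "hardened_no_session": sweep(lambda d: lookup_hardened("guessed-token", d), CANDIDATES),
        "hardened_alice": sweep(lambda d: lookup_hardened(alice, d), CANDIDATES),
    }


if __name__ == "__main__":
    for label, result in compare().items():
        print(label, result)
```

Binding the lookup to a session is the structural fix; rate limiting and alerting on sequential identifier sweeps are the detective controls that would have made a harvest of a hundred thousand records visible while it was happening.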

“I’ve never once made a dime off embarrassing a large corporation. I’ve never attempted to make a dime and AT&T is basically a public figure that is open to criticism. I think it’s fair,” he said. “Embarrassing somebody by telling the truth is not malice. It’s necessary speech.”

The Justice Department has released excerpts of Internet Relay Chat (IRC) logs in which the hackers discussed selling the e-mail addresses to spammers, shorting AT&T stock before releasing details of the breach, and destroying evidence.

In one exchange, Auernheimer writes: “This could be like, a future massive phishing operation serious like this is valuable data we have a list a potential complete list of AT&T iphone subscriber emails,” to which Spitler responds: “ipad but yeah.” Asked to comment about statements from the logs that would appear to be damaging to his case, Auernheimer said “It’s easy to misconstrue a true statement as evidence of malice…our acts reveal no malice. I went straight to the press and I told exactly what needed to be told.”

When asked why he didn’t go directly to AT&T first, he said: “AT&T has a commercial interest in not having their negligence with consumer data spoken about, ever…I used the press as a proxy and I waited for (AT&T) to patch before going public.”

Auernheimer, 26, said he is barred from using IRC, communicating with anyone in his hacking group or any potential witnesses or co-defendants, and doing random Web browsing, but can use the Internet for “commerce.”

He was forced to leave his Fayetteville, Ark., home because of a bail condition requiring him to stay in the jurisdiction, he added, and as a result, he is living in Jersey City, N.J. (Meanwhile, drug charges he was arrested on last year after an FBI sweep of his home in the AT&T case have been dropped, he said.)

He has a public defender and has raised about $10,000 for his legal defense fund, he said. While he waits for trial, he is learning the Erlang programming language and is “open to security work.”

“I definitely have a habit of pissing people off. I’m not apologetic for that,” said the self-described Internet “troll.” “I think that the people that get pissed off probably deserve it. It serves a social function.”

I have known and spoken with Andrew over a number of years in the hacking scene. Hopefully this one works out for him!

Anti-Sec is not a cause, it’s an excuse.


The Antisec Movement

In a move clearly inspired by LulzSec, an Italian hacker recently uploaded a torrent containing the personal information of thousands of Italian university students, stolen from a slew of Italian university websites. According to the press release posted by LulzStorm, this was done “to tell every Italian student how little secure their personal data are”. I can think of better ways…

The spate of recent data thefts and subsequent publication, in the name of Anonymous, LulzSec, LulzStorm or the umbrella movement Anti-Sec, has had a tangible impact on the safety and security of thousands of innocent internet users.

While there may be sympathy in some quarters for attacks on security contractors such as HBGary and InfraGard, or on government websites in oppressive states, that sympathy rapidly evaporates when the result of publishing stolen material endangers the lives of serving police officers, or compromises the privacy and safety of hundreds of thousands of innocent customers of online portals or gaming services.

The call to arms to the disparate hacker community that is represented by Operation AntiSec might read like something from a cyberpunk novel but in reality it is being used by far too many to lay a thin veneer of altruism over something entirely selfish. At least LulzSec had the decency to be honest in their manifesto, they were simply courting chaos.

The truth is that most people now assembling under the Anti-Sec banner are doing this simply because they can, and the convenience of having a “cause” somehow makes it laudable. It is true that there are far too many poorly secured and configured websites out there. It is also true that the customers of those websites deserve a higher degree of care than they currently receive. It is manifestly not true that the interests of those people are best served by pasting their personal data all over the internet.

In the ultimate irony, the original AntiSec manifesto from back in 2001 was all about the irresponsibility of full disclosure. That same manifesto was reposted when ImageShack was compromised eight years later. The manifesto criticised the “security industry” for using full disclosure to develop “scare tactics” that convince people into buying security. Are you listening, Operation AntiSec?

This is a call for responsible disclosure in the Anti-Sec community, find the flaws, publish your successes if you must, but have the decency to spare the innocent victims of your crimes.

Obscure personal data before you publish; otherwise you are considerably worse than those you are attempting to shame.

The New Reality of Stealth Crimeware


Anyone who has been in information security recently knows that it has gotten easier for cybercriminals to build stealth crimeware. The malware we deal with on a regular basis grows ever more difficult to find, while high-end targeted attacks such as Stuxnet and other advanced persistent threats (APTs, the abbreviation I hate) are using ever more advanced rootkit techniques to avoid detection.

Cybercriminals use clever stealth techniques to evade detection because it allows their malware to be more effective, live on a machine or network longer, and thus maximize the compromise. McAfee Labs is now at the point where we detect more than 110,000 new unique rootkits per quarter.

To make matters worse, there is another issue that many fail to recognize:

Today’s current OS-based security model is not adequate; cybercriminals know how to get past these defenses every time.

The security industry has to find a new vantage point on cybercriminal behavior to stop and uncover their stealth techniques. It is time for our industry to start looking at security beyond the operating system to gain a more effective view of how cybercriminals operate.

We delve into these and many other issues in our latest report: “The New Reality of Stealth Crimeware,” written by myself and Thom Sawicki of Intel. Download it here.



Stealth is the art of travelling undetected, of being invisible. Stealth technology allows military aircraft, ninjas, and malware to sneak up on the enemy to launch an attack, gain intelligence, or take over systems and data.

Although stealth techniques are used in sophisticated attacks like Conficker and Operation Aurora, the Stuxnet attack offers a new blueprint, and benchmark, for how committed criminals can use stealth techniques to steal data or target computing systems. Stuxnet’s innovations included a combination of five zero-day vulnerabilities, three rootkits, and two stolen digital certificates. Powerful toolkits, like those available in the Zeus crimeware kit, make stealth malware development a “point-and-click” endeavor, no longer restricted to the most knowledgeable programmers. While there are no definitive industry figures, McAfee Labs estimates that about 15 percent of malware uses sophisticated stealth techniques to hide and spread malicious threats that can cause significant damage. These attacks form the cornerstone, the “persistent” part, of advanced persistent threats (APTs).

Data Privacy Weather Report – News Roundup for 2011


Data privacy is on the firing line this year, with Fortune 500 companies in the crosshairs. It’s been a long year, with the proliferation of organized crime, its merger with global communications, and the further development of horizontal markets to sustain profitability.

DataLossDB tells us that many of this year’s 197 incidents clearly involved third parties. Just ask Epsilon about hot water, after a breach whose media coverage could ruin any Fortune company. It might be tough to recover from that hit, especially with a smeared web presence.


Dropbox is in the sights of Christopher Soghoian, a very noteworthy privacy advocate. He is closely associated with the FTC, hence the “Request for Investigation and Complaint for Injunctive Relief”. Dropbox tried to patch the hole by modifying its terms of service, and what those changes reinforce is the real issue: the service is primarily one for online storage of data, with the benefit of being able to interact with it. How can the service preserve encryption yet let you interact with the data for its core features and functionality? Chris basically points out that file deduplication and specific aspects of the SAN storage leave data in observably less secure conditions.
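The deduplication point deserves to be made concrete, because it holds even when the provider says the files are encrypted. If the server keeps one copy per distinct content, then “I already have that one, no upload needed” is an observable answer, and anyone who can guess a file (a leaked memo, a particular illicit file, a known document) can confirm that someone else has stored it. The following is an added example, not Dropbox’s code and not from Soghoian’s post; the three stores are constructed models, the cipher is a throwaway SHA-256 counter stream used only so the demo runs without third-party libraries, and the “secret memo” is made up.

```python
import hashlib
import os


def keystream_xor(key, nonce, data):
    """Toy stream cipher (SHA-256 in counter mode) so the demo needs no third-party
    library; illustrative only, not something to ship."""
    out = bytearray()
    counter = 0
    while len(out) < len(data):
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))


class DedupStore:
    """Server keeps one copy of each distinct blob. The return value, 'already have it',
    is what a client observes when no bytes need to be transferred."""

    def __init__(self):
        self.blobs = {}

    def put(self, blob):
        key = hashlib.sha256(blob).hexdigest()
        existed = key in self.blobs
        if not existed:
            self.blobs[key] = blob
        return existed


class ConvergentStore(DedupStore):
    """Encrypted, yet still deduplicating: key derived from the content, fixed nonce, so
    identical plaintexts from any two users collide on the server."""

    def put(self, plaintext):
        key = hashlib.sha256(plaintext).digest()
        return super().put(keystream_xor(key, b"\0" * 16, plaintext))


class PrivateKeyStore(DedupStore):
    """Each user encrypts with their own key and a fresh nonce; identical files never
    yield identical ciphertexts, so the server can neither dedupe nor confirm."""

    def put(self, plaintext, user_key):
        nonce = os.urandom(16)
        return super().put(nonce + keystream_xor(user_key, nonce, plaintext))


SECRET = b"constructed confidential memo: the merger closes Friday"


def run_all():
    """Victim stores SECRET, then an attacker who merely guesses SECRET uploads it:
    True means the store has just told the attacker the file is already there."""
    plain = DedupStore()
    plain.put(SECRET)
    conv = ConvergentStore()
    conv.put(SECRET)
    priv = PrivateKeyStore()
    priv.put(SECRET, os.urandom(32))
    return {
        "plain_dedup": plain.put(SECRET),
        "convergent": conv.put(SECRET),
        "private_keys": priv.put(SECRET, os.urandom(32)),
        "private_copies": len(priv.blobs),  # two copies: the storage cost of that privacy
    }


if __name__ == "__main__":
    print(run_all())
```

The last entry is the business side of the argument: per-user keys close the confirmation channel, and they also destroy the cross-user deduplication that saves the provider disk and bandwidth. That is the cost-savings trade Soghoian’s title points at, and it is why a vendor’s “we encrypt your files” needs the follow-up question of who holds the key and whether two users’ copies of the same file are stored once or twice.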

Round 1 is from Chris, with his blog post titled “How Dropbox sacrifices user privacy for cost savings”. Chris did make an effort, through Marcia Hofmann, to notify Dropbox that a disclosure would take place in 11 days, on April 12th. The day before, April 11th, an attorney called to report that the privacy terms were being reworked, which seems reasonable. Indiana University (Soghoian’s school) has quite a bit of research that I’m fond of; check it out.

Round 2 is from Dropbox, a company founded by two MIT grads, Drew Houston and Arash Ferdowsi:

“We believe that storing data in Dropbox is far more safe than the alternatives. We’ve designed Dropbox to protect user data against threats of all kinds, but we’ve focused on helping users avoid the most common threats: not having current backups, not having any backups at all, accidentally deleting or overwriting files, losing USB drives with sensitive information, leaving files on the wrong computer, etc.”

All I know is that people are bloodthirsty for data leaks, and the blows are being thrown by Anonymous entities and PhD students with nothing but a blog.

If there is such great concern about privacy and standards, why did H.R. 2221 fail to get a Senate vote? The act would have standardized privacy rules across all 50 states and allowed state attorneys general to enforce the penalties, just as they always have. Not all the folks at the federal level are useless in the privacy effort. Just ask Circuit Chief Judge Alex Kozinski, who did the coolest thing, pretty much ever: he openly accused his colleagues of being insensitive to the lives of the poor.

Kozinski’s latest salvos came in a dissent Thursday lamenting his court’s refusal to grant en banc review of an opinion finding that police did not violate the Fourth Amendment by sneaking into a suspect’s yard and planting a GPS tracking device on his car. Kozinski’s views on the issues and the vigor with which he expresses them are unusual for a judge who worked in President Ronald Reagan’s White House and was appointed to the court by Reagan as well. However, Kozinski is well known for his libertarian leanings.

That’s just part of his filing with the Ninth Circuit Court of Appeals, which says things I absolutely love, such as:

“When you glide your BMW into your underground garage or behind an electric gate, you don’t need to worry that somebody might attach a tracking device to it while you sleep. But the Constitution doesn’t prefer the rich over the poor; the man who parks his car next to his trailer is entitled to the same privacy and peace of mind as the man whose urban fortress is guarded by the Bel Air Patrol. The panel’s breezy opinion is troubling on a number of grounds, not least among them its unselfconscious cultural elitism.” (shwing!)

Chris wins the award this week for unleashing this war on Dropbox. I sincerely hope he is not associated with any large Remote Backup providers like Mozy; that would be spicy. I feel like we still owe him a pat on the back for his uncovering of a sliver of the Government's spying operations with US Cellular Phone Providers like Sprint PCS. At the government's request, the phone company will send out a signal to any cell phone connected to its network, and give the police its location. Last year, law enforcement agents pinged users of just one service provider, Sprint, over eight million times.

See Christopher Soghoian, 8 Million Reasons for Real Surveillance Oversight, Slight Paranoia (Dec. 1, 2009). The volume of requests grew so large that the 110-member electronic surveillance team couldn’t keep up, so Sprint automated the process by developing a web interface that gives agents direct access to users’ location data.

Who’s next?……

2011 Guardian Analytics – Commercial Banking Fraud (SMB)


Online Bank Fraud Continues To Plague Small Businesses, Study Says

Responses to the February 2011 survey from more than 533 SMBs indicate that money continues to be siphoned unnoticed from business accounts at an alarming rate, and SMBs are leaving their institutions at an alarming pace because of it. This means financial institutions are facing a lose-lose proposition: losing money and losing customers.

Business banking fraud — particularly in small and midsize companies — is still causing major problems for both the businesses and the banks that serve them, according to a study published today.

The “2011 Business Banking Trust Study,” a follow-up to a similar study conducted last year, was written by Ponemon Institute and sponsored by Guardian Analytics. This year’s numbers suggest that the banking fraud situation has not improved since 2010.

“The industry has not moved the needle in addressing the corporate account takeover and fraud plaguing SMBs and their financial institutions,” the report states. “The data shows that fraud is still pervasive, money is leaving accounts unnoticed at an alarming rate, and businesses will leave their banks because of it.”

Fifty-six percent of businesses experienced fraud in the past 12 months, according to the study. Of those that experienced fraud, 61 percent were victimized more than once. Seventy-five percent of the victims experienced online account takeover and/or online fraud. These figures are nearly the same as last year’s, the researchers say.

In 78 percent of fraud cases, banks failed to catch fraud before funds were transferred out, according to the study. Banks were able to keep money from leaving the bank in 22 percent of the cases and fully recover fraudulently transferred funds for 10 percent of businesses.

Banks were unable to recover funds in 68 percent of cases, leading to losses for both business and banks, Ponemon says. Banks took the losses in 37 percent of cases by reimbursing businesses for unrecovered funds; businesses took losses in 60 percent of cases.

Forty-two percent of respondents in the study said they do not believe the bank would cover any losses if their companies’ assets were stolen and not recovered. Despite this attitude, 70 percent of businesses still think their institution should be ultimately responsible for securing online accounts.

Forty-three percent of businesses said they have moved their banking activities elsewhere after a fraud incident. Ten percent of businesses that have experienced fraud have terminated their banking relationships following fraud attacks. Thirty-three percent said they did not fully terminate their relationship, but moved their primary cash management services to another institution.

2011 Business Banking Trust Study (PDF)

2011 Verizon Data Breach Report


Verizon's 2011 Data Breach Investigations Report is a study conducted by the Verizon RISK Team with cooperation from the U.S. Secret Service and the Dutch High Tech Crime Unit.
Verizon’s 2010 Data Breach Report found that the number of data breaches quintupled from 2009, highlighting the shift as cyber-criminals target smaller businesses.

While the number of data breaches soared in 2010, the amount of information lost has dropped dramatically, according to Verizon’s latest data breach survey. The contradiction underscores what some security experts have been saying: attackers are increasingly targeting smaller companies because it’s easier.

Released April 19, the latest “2011 Verizon Data Breach Investigations Report” from Verizon Business counted 760 data breaches in 2010, compared to only 141 data breaches in 2009. Verizon noted a dramatic decline of 97 percent in the number of compromised records in 2010, as compared to 2009.

Among some of the report’s key findings:

  • Hacking, at 50 percent, and malware, at 49 percent, are the most prominent types of attack, with many incidents involving weak or stolen credentials and passwords;
  • Physical attacks, such as skimming at ATMs, pay-at-the-pump gas terminals and POS systems, for the first time rank among the three most common ways to steal information, comprising 29 percent of all investigated cases;
  • Outsiders are responsible for 92 percent of breaches, while the percentage of insider attacks dropped from 49 percent in 2009 to 16 percent in 2010.

Attacks Remain Easy
According to the report, 83 percent of the databases hit in 2010 were targets of opportunity; 92 percent of the attacks were classified as “not highly difficult.”

  • 86 percent of the year’s breaches were discovered by third parties;
  • 97 percent were avoidable through simple or intermediate controls;
  • 89 percent of the corporate or organizational victims were not compliant with the Payment Card Industry Data Security Standard at the time of the hack.

Download the 2011 Data Breach Investigations Report.