Friday, December 17, 2010

e-card Malware

I’ve gotten some e-cards this holiday season from organizations that I know, and you might even receive one from F5.  I just wanted to post a short reminder to be careful of these, especially if you get one from someone you don’t know.  This is, and has been for several years, one of cybercriminals’ favorite ways of distributing malware, infecting your computer and stealing your info.  Usually, the e-card arrives in your email with a link to view it online.  Once you click that link and visit the purported e-card site, you can become infected.  In fact, if you get one and don’t know the sender at all, I’d delete it right away.  Often you don’t need to visit a site to get infected since the payload might be in the email itself.

The Better Business Bureau is also warning of another phishing scam with cybercriminals masquerading as a shipping company.  You’ll get an email with a tracking number in the subject line.  The note says that the package could not be delivered and asks the user to print the attached document.  At that point, if you do open the attachment, then a virus is installed on your computer.  There have also been charitable giving scams, coupon code scams, too good to be true sale scams and other rip-offs to swindle you of your money and sensitive info.

You might be thinking, ‘ahh, geeze – not another,’ but this is the time of year those cybercriminals like to prey on people’s holiday spirit and general preoccupation with other things festive.  Keep anti-virus updated, use a firewall, be suspicious, use common sense and enjoy the holidays.

ps


Technorati Tags: F5, infrastructure 2.0, integration, cloud connect, Pete Silva, security, business, education, technology, application delivery, intercloud, cloud, context-aware, infrastructure 2.0, automation, web, internet, cybercrime, security, holiday shopping, identity theft, scam, email, data breach

Wednesday, December 15, 2010

2010 Year End Security Wrap

Figured I’d write this now since many of you will be celebrating the holidays over the next couple weeks and who really wants to read a blog when you’re reveling with family and friends.  It’s been an interesting year for information security, and for me too.  I started the year with New Decade, Same Threats? and wondered if the 2010 predictions of: social media threats, smarter malware/botnets, using the cloud for crime, financial DDoS, rogue software, Mac and Mobile malware, more breaches and a whole host of others would come through.  And boy did they. 

Social media was a prime target for crooks with the top sites as top targets.  Users were tricked to accepting and sharing friends that really weren’t friendly and social networks became a new hotbed for malware distribution.  As for malware, while many botnets and spam outfits got taken down this year, Stuxnet was certainly the most sophisticated piece of malware researchers have seen in a while.  Targeting industrial & utility systems along with the ability to reprogram itself, no longer was it my single laptop or a company’s system that had a bull's-eye, although the initial infection is with those systems, it was nuclear facilities, oil refineries and chemical plants that were the ultimate objective. For Cloud Computing, was it Cloud 9 or Cloud Crime when it came to using the cloud for nefarious activities?  Many people thought that with the cloud offering a slew of computing power, that it would be a prime way to initiate an attack.  We really didn’t see much pertaining to ‘cloud breaches’ even though almost every survey throughout the year indicated that security in the cloud was everyone’s ichiban concern.  I covered many of these surveys in my CloudFucius Series, now playing in a browser near you.  This article talks about that, the reason we might not have seen much in the way of cloud specific breaches is that many of the data loss repositories do not differentiate between a cloud based and non-cloud attack.  In addition, cloud providers are not that willing to spill vulnerabilities that have led to crimes.  Share please. 

Banks and financial institutions were certainly targets this year, why wouldn’t they be, that’s where all the money is.  In one incident, about $3 million was stolen from various banks around the world using viruses and more than 100 crooks suspected of running the global cybercrime ring were arrested in the US and UK this September.  A 16 year old Dutch kid was arrested last week for a Distributed Denial of Service attack on the MasterCard and Visa websites.  And, merging malware, mobile and money stores, the ZeuS Trojan could infect a desktop, capture the user’s bank credentials next time they logged in to their financial institution, pop a dialogue box for the user to ‘include’ their mobile phone for SMS payments, send the phone a fake message & certificate for acceptance and then install another Trojan on the phone to monitor messages via SMS.  Lots of trickery and luck to be successful but still a very scary exploit.  And if you think those mobile banking apps are secure, think again.  Just last month, a number of those apps were found to have serious vulnerabilities, flaws and holes.  Many of those apps have been patched in light of the research but as with any ‘new-ish’ type technology, mobile banking must be locked down before the masses adopt.  Too late now.

I wrote about corporate espionage both in Today’s Target: Corporate Secrets (2010) and The Threat Behind the Firewall (2009) and this year did not disappoint.  Social engineering or convincing someone to give up their info is alive and well but throughout 2010, employees stole secrets from the companies they worked for: Former Goldman Programmer Found Guilty of Code Theft, Greenback engineers guilty of corporate espionage, Ford secrets thief caught red handed with stolen blueprints, and SEC Bares Text of Inept Suspects As They Sold Disney Earnings Info To FBI Agents.  These insider events can often be more costly than an external breach.

This is by no means an exhaustive list of the breaches, attacks, vulnerabilities, hijacks, frauds, or other cybercriminal activities from 2010.  I’d probably be writing through the holidays to get them all.  These were just some of the things I found interesting when looking back at my initial blog entry for the year.  With 2011 being the Year of the Rabbit, just how much will cybercrimes multiply?

ps


Thursday, December 9, 2010

Identity Theft Roundup

I’m on an ID fraud kick lately and there are quite a few stories of late about identity theft.  Here are just a few:

House Approves Red Flags Exemptions – In January 2008, the Red Flag Rule went into existence which required organizations (mainly banks and financial institutions) that extend credit to have a written Identity Theft Prevention Program designed to detect identity fraud on a day to day basis.  This new bill would except certain businesses like physicians and hospitals from having to abide by the rule.  Sen. Dodd (D-Conn) said that the bill, ‘makes clear that lawyers, doctors, dentists, orthodontists, pharmacists, veterinarians, accountants, nurse practitioners, social workers, other types of healthcare providers and other service providers will no longer be classified as 'creditors' for the purposes of the Red Flags Rule just because they do not receive payment in full from their clients at the time they provide their services, when they don't offer or maintain accounts that pose a reasonably foreseeable risk of identity theft.’  So if you don’t have a foreseeable risk of ID theft, I guess you don’t have to pay attention.

Minn. man pleads guilty in ND identity-theft case – 20 felonies, 19 counts of ID theft, 1 theft charge and a 28 year old only gets a year in jail and 5 years probation.  He stole the SSN and names of 49 people.

Military at high risk for identity theft – Did you know that military personnel are required to use their SSN for silly things like checking out a basketball at a gym or to identify their laundry bag?  I didn’t and it is becoming a problem since most locations do not take ‘care’ of that personal info.

Fla woman stole identity, paid for breast implants – You might remember this one where a woman in Miami stole someone’s identity and used fake credit cards to get her fake, well, you know.  She also racked up $20,000 in new furniture.  She got 30 months in a federal pen for that one.  If you were wondering, she said she needed them since her old ones were giving her breathing problems.

Kent couple arrested for identity theft, prescription forgeries – While investigating a prescription forgery ring, Kent Police uncovered a nice little counterfeiting operation run out of an apartment building.  Since the suspect was a convicted felon with a firearm, SWAT arrived and took the couple without incident.  Wait, fake prescriptions here and a new law that says medical facilities can pass on Red Flag?  Hum.

Man arrested in financial identity theft – It’s not just strangers getting hit – here a 20 year old opened a credit card account in his grandparent’s names and just added himself as an authorized user.  $4000 worth of cigs, alcohol and electronic equipment later, he was in jail.

Queens D.A. Warns: Beware New ID Theft – At least in New York, thieves are using what’s called a ‘spoof card’ to get personal information.  Spoof cards are like calling cards but allow the caller to enter whatever number they want on the receiver’s caller ID.  Oh, a call from the bank.  They act/sound all authoritative on the phone and people spill the info.  This is a great opportunity to turn the tables – ask the caller to validate a piece of information.  To validate the caller, ask a couple questions that the bank usually asks you like, last transaction or first dog’s name.  Or, just say, ‘I’ll call you back at the number on your web site.’

ID theft alleged at Libertyville driver's license facility – A 22 year employee at an Illinois driver’s license facility gets caught giving others’ personal information to thieves.  Those thieves then opened credit card accounts with the info.  He’s facing 3 years in prison but it shows just how slippery your personal info is in the hands of others.

More to come…

ps

Related:
twitter: @psilvas


Friday, December 3, 2010

Synthetic Identity Theft: The Silent Swindler

As a brief follow up to yesterday’s Got a SSN I Can Borrow, I came across this story from The Red Tape Chronicles saying the odds that someone else has used your Social Security Number are One in 7.  ID Analytics, a data collection and customer behavior analytics firm, works with organizations, including the US Social Security Administration, to detect Identity-Based fraud; separating the true customers from the impostors.  They’ve analyzed 290 million Social Security numbers and found that 40 million of those numbers have been connected to more than one name; basically, 40 million of us are sharing identities with someone else.  They also indicated that 6% of the total population, or 20 million Americans, have multiple SSNs associated with their name.  Often, it might just be an incorrect entry or typo into a system, but it can also be when criminals apply for credit at multiple banks changing 1 digit with each application – around 20% are deliberate misrepresentations.  When the system propagates either the error or intentional entry, that second SSN is forever associated with the individual and thus Synthetic.  Synthetic Identities are created when an unassigned number gets attached to someone and a new entity is created within the credit system.  Some people have 4-5 SSNs connected to their name and 5 million SSNs are connected to three or more people. 

Synthetic Identity Theft is typically when a criminal uses either totally fake or a mixture of fake and real information to create a new identity.  Usually, a fraudster will use a real SSN with a fake or different name that is associated with that number.  Synthetic Identity Theft is difficult to track, detect and report since individuals are usually not aware it is occurring since it doesn’t appear on a credit report and because a combination of names, addresses, SSNs and so forth are used, it usually does not match up with a single, individual consumer to claim fraud.  Most go unreported and become ‘charge-offs’ within the financial institution well before anyone is aware of the problem.
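The SSN-to-name and name-to-SSN linkages described above can be surfaced from application records with a simple grouping pass. The following is an added illustration, not ID Analytics' method or code from the original post; the sample records, field layout and function names are constructed for the example.

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample credit applications (name, SSN); none of these are real.
APPLICATIONS = [
    ("Alex Rivera", "123-45-6789"),
    ("Alex Rivera", "123-45-6780"),   # last digit changed
    ("Alex Rivera", "123-45-6289"),   # one middle digit changed
    ("Jordan Lee",  "123-45-6789"),   # same SSN, different name
    ("Sam Patel",   "234-56-7890"),
    ("Sam  patel",  "234-56-7890"),   # same person, spacing/case noise only
    ("Casey Kim",   "345-67-8901"),
    ("Casey Kim",   "456-78-9012"),   # second SSN, not a near-variant
]


def norm_name(name):
    """Case-fold and collapse whitespace so data-entry noise is not a 'new' name."""
    return " ".join(name.lower().split())


def norm_ssn(ssn):
    """Keep digits only; reject anything that is not nine digits long."""
    digits = "".join(c for c in ssn if c.isdigit())
    if len(digits) != 9:
        raise ValueError(f"not a 9-digit SSN: {ssn!r}")
    return digits


def digit_distance(a, b):
    """Number of positions at which two equal-length digit strings differ."""
    return sum(x != y for x, y in zip(a, b))


def analyze(applications):
    names_by_ssn = defaultdict(set)
    ssns_by_name = defaultdict(set)
    for name, ssn in applications:
        n, s = norm_name(name), norm_ssn(ssn)
        names_by_ssn[s].add(n)
        ssns_by_name[n].add(s)

    # One SSN connected to more than one name.
    shared = {s: sorted(ns) for s, ns in names_by_ssn.items() if len(ns) > 1}
    # One name connected to more than one SSN.
    multiple = {n: sorted(ss) for n, ss in ssns_by_name.items() if len(ss) > 1}
    # Same name, SSNs exactly one digit apart: a typo or a deliberate variation,
    # so this is a cue for manual review rather than proof of fraud.
    near = {}
    for n, ss in multiple.items():
        pairs = [(a, b) for a, b in combinations(ss, 2) if digit_distance(a, b) == 1]
        if pairs:
            near[n] = pairs
    return {"shared_ssn": shared, "multiple_ssn": multiple, "one_digit_variants": near}


if __name__ == "__main__":
    for kind, hits in analyze(APPLICATIONS).items():
        print(kind, hits)
```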

Protect yourself by shredding mail and sensitive documents since thieves will dig through trash to find pieces of information they can use; review your Social Security benefits booklet every year to check if the income reported is actually what you made; and stay on top of your credit, reporting any discrepancies.  The free AnnualCreditReport.com is the official site to help consumers to obtain their free credit report each year.  I tend to grab all three at once since I subscribe to a credit monitoring service, but if you don’t – stagger each of the three reporting agencies’ reports throughout the year to see any changes since the last credit file disclosure.  If necessary, you can also put a Security Freeze on your credit report.  Finally, don’t give out your Social Security number if you don’t have to – if someone asks, like a doctor’s office, just respectfully decline.  I have never had a problem telling someone that I prefer not to give out that sensitive information.  Heck, you could probably even say you’ve been a victim of Synthetic Identity Theft.

ps


Thursday, December 2, 2010

Got a SSN I can Borrow?

Apparently, I can use my own name and your Social Security Number to get a job or buy a car and it is not an identity theft crime.  Really.  This is according to a recent Colorado Supreme Court ruling.  They ruled ‘that using someone else’s Social Security number is not identity theft as long as you use your own name with it.’  Seriously.  The case in question involved a man who used his real name but someone else’s Social Security number to obtain a car loan.  The court said that since he used his real name, along with other identifiable pieces of information, he wasn’t trying to impersonate someone else.  The SSN info was just the ‘lender’s’ requirement and not a ‘legal’ requirement.  The defendant said that he fully intended to pay the loan back and wasn’t trying to avoid the bills.  There was another case where a man used a fake SSN to get a job at a steel plant in Illinois.  He presented a Social Security card with his name but a fake SSN.  Since he didn’t know that the number was fake and belonged to another person, the US Supreme Court ruled that he also didn’t break any federal ID theft laws since he did not ‘knowingly’ use another person’s number.  He just ‘borrowed’ it.  He could have just written 9 random numbers that may or may not have been tied to someone’s identity or he could have bought it from a broker, not knowing it was either fake or stolen.

These decisions contradicted previous rulings in Missouri, California, the Midwest, the Southeast and many other regions.  It also left folks scratching their heads wondering just what were the courts thinking.  Their logic is that, ‘(The suspect) claimed that the government could not prove that he knew that the numbers on the counterfeit documents were numbers assigned to other people….The question is whether the statute requires the government to show that the defendant knew that the ‘means of identification’ he or she unlawfully transferred, possessed, or used, in fact, belonged to ‘another person.’ We conclude that it does.’  I understand that there is a fine legal line between malicious intent and an uninformed accident but if you make up a number or obtain it by improper means, it’s still fake, false and fraudulent.  I also understand that there are criminal organizations that prey on immigrants who might not fully understand the ramifications and are told that it is legitimate.  We’ve all, at some point, been lured, duped or convinced that something we were obtaining was the real thing.  We’re told with great conviction that it is authentic and because we want to believe, we do.  When the truth is exposed, the ‘I didn’t know’ defense is obviously the most common and very well might be the honest answer.  Maybe because I focus on Information Security and am a bit skeptical myself, I also gotta believe that there’s that little nudge, intuition or feeling in your belly telling you that something isn’t right.  I know because I’ve ignored that gut-check and got burned.  Just because something is ‘not-illegal’ does not make it the right thing to do. 

I’m not claiming to be a Mr. Goody-Two-Shoes and have certainly made my fair share of mistakes along with doing things I know to be wrong, legal or not.  I also know that always acting in the ‘proper’ way or doing the ‘right’ thing is difficult sometimes.  That’s what makes us human.  We might seek the easiest, least complicated and sometimes slightly unethical way of accomplishing something.  Sometimes we have to break the law to ensure the safety of others – like speeding to the Emergency Room if your wife is giving birth or a person is bleeding to death – but those are extenuating circumstances and don’t necessarily cause harm to others; unless, of course, you run somebody over on the way to the hospital.  There are victims with this SSN borrowing since the real person may not ever know that their information was used since it won’t show up on a credit report.  The trouble starts when a loan or tax payment is missed and by then, it’s too late.  The courts have had difficulty over the years trying to interpret certain laws as technology whizzes by but, at least in the States, our Social Security Number is one of our unique, primary identifiers and should be protected.  Incidentally, BIG-IP ASM does have a cool feature called Data Guard that can mask sensitive data from being leaked from the web application.  Data Guard helps protect against information leakage like the leakage of credit card or Social Security numbers.  Instead of sending the actual data to the client, ASM can respond by replacing the sensitive data with asterisks, or block the response and send out an alert.  You can also decide what ASM should consider as sensitive: credit card numbers, Social Security numbers, or responses that contain a specific pattern.
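To make the mask-or-block behavior described above concrete, here is an added sketch of a response scrubber covering the three categories mentioned: Social Security numbers, credit card numbers and a custom pattern. It is not F5's implementation or ASM configuration; the function names, the Luhn check on card candidates and the sample data are assumptions made for the example.

```python
import re

# SSN written AAA-GG-SSSS; area 000/666/9xx, group 00 and serial 0000 are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Card candidates: 13 to 19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_ok(digits):
    """Luhn checksum, used so order or tracking numbers are not treated as cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scrub_response(body, mode="mask", custom_patterns=()):
    """Return (action, outgoing_body, findings); findings is what an alert would carry."""
    findings = []

    def on_ssn(m):
        findings.append("ssn")
        return re.sub(r"\d", "*", m.group())     # keep separators, hide digits

    def on_card(m):
        if not luhn_ok(re.sub(r"\D", "", m.group())):
            return m.group()                     # not a plausible card number
        findings.append("card")
        return re.sub(r"\d", "*", m.group())

    def on_custom(m):
        findings.append("custom")
        return "*" * len(m.group())

    out = SSN_RE.sub(on_ssn, body)
    out = CARD_RE.sub(on_card, out)
    for pattern in custom_patterns:
        out = re.sub(pattern, on_custom, out)

    if not findings:
        return "pass", body, findings
    if mode == "block":
        return "block", "", findings             # nothing sensitive leaves the server
    return "mask", out, findings


# Constructed sample response body: the SSN and card number are test values, not real.
SAMPLE = ("Name: Pat Doe, SSN: 123-45-6789, card 4111 1111 1111 1111, "
          "order 1234567890123456")

if __name__ == "__main__":
    print(scrub_response(SAMPLE))
    print(scrub_response(SAMPLE, mode="block"))
```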

ps


Wednesday, December 1, 2010

Audio White Paper: Data Center Consolidation: Know Where You’re Going and Why

Effective consolidation means more than simply reducing the number of boxes your company has in outlying offices and data centers.  Efforts to reduce hardware infrastructure often result in degraded application performance—and thus unplanned expenditure—as it becomes necessary to optimize the infrastructure. F5’s open architectural framework allows real control over your network to ensure applications are delivered exactly as intended.  Running Time: 25:04  Read full white paper here.  And click here for more F5 Audio.

ps
Technorati Tags: F5, infrastructure 2.0, integration, cloud connect, Pete Silva, security, business, education, technology, application delivery, intercloud, cloud, context-aware, infrastructure 2.0, automation, web, internet, data center