Monday, July 31, 2006


Google click-fraud settlement debated

Arkansas judge hears arguments that $90M isn't enough
Juan Carlos Perez

July 24, 2006 (IDG News Service) -- An Arkansas judge is hearing arguments for and against the settlement of a click-fraud lawsuit that critics say lets Google Inc. off the hook too easily.
In April, Judge Joe Griffin, of Miller County Circuit Court, gave preliminary approval to the proposed settlement of a nationwide class-action lawsuit filed by lead plaintiff Lane's Gifts and Collectibles LLC against Google over the thorny problem of click fraud.
The problem occurs when someone clicks on a pay-per-click ad with malicious intent. For example, a company official may click on competitors' ads to drive up their ad spending, or a publisher may click on his own Web site's ads to increase his commissions.
In all cases, advertisers end up paying for clicks that don't generate any business leads. Estimates about click-fraud incidence vary, with some putting it as high as 20% of all clicks.
On Monday and Tuesday of this week, Judge Griffin is holding a hearing about the settlement agreement to later decide whether or not to give it final approval.
Lane's Gifts, whose February 2005 lawsuit includes other Internet companies like Yahoo Inc. and AOL LLC, agreed to settle with Google for $90 million. A third of that amount would go to pay attorneys' fees and the rest as credits to affected advertisers.
The class includes buyers of Google online ads between Jan. 1, 2002, and the date when the agreement becomes final. Advertisers will receive credit for click-fraud instances they can certify.
In the settlement, Google denies the plaintiffs' claims and doesn't admit any wrongdoing or legal liability.
However, critics say that the settlement amount is too small and that the agreement terms are too favorable to Google, whose revenue comes almost entirely from pay-per-click ads.
"This is, in our opinion, the most outrageous class settlement that we've seen," said Shawn Khorrami, an attorney based in Van Nuys, Calif., who represents advertisers in click-fraud lawsuits.
One of Khorrami's clients is Joseph Kinney, who is asking this same Arkansas court to have Lane's Gifts declared as not adequately representing the nationwide class of plaintiffs. In his lawsuit against Google and Lane's Gifts, Kinney also seeks a temporary and permanent injunction blocking their settlement. Kinney also asks the court to stay the Lane's Gifts class-action lawsuit until a decision is rendered in his case.
In a court filing Friday, Google urged Griffin to approve the settlement, saying that 51 members of the affected class have lodged objections, an objection rate which is "just a tiny fraction of a percent." Google described criticisms of the settlement terms as "egregious mischaracterizations."
As part of the settlement, Google commissioned a New York University computer science expert to conduct an independent examination of its click-fraud detection methods. In the 47-page report, the expert, Alexander Tuzhilin concluded that Google is making a "reasonable" effort to fight click fraud.


Making a federal case -- how the FBI collars cybercriminals

Q&A: Making a federal case -- how the FBI collars cybercriminals
Robert Mitchell
July 28, 2006 (Computerworld) Identity theft, hacking for profit, espionage, iPod slurping -- the FBI is increasingly focused on helping organizations fight these and other cybercrimes. Computerworld's Robert L. Mitchell asked several agents what they're seeing in the field and what advice they can offer IT. Andrew G. Arena is special agent in charge of the FBI's criminal division in New York, Matt Heron is assistant special agent in charge of the transnational criminal enterprise branch in New York, and Timothy O'Brien is a special agent with the computer crimes squad in the New York office. Nenette Day, a special agent in Boston, was responsible for a sting operation that recovered the source code stolen from a major computer-aided design software vendor.
You all met recently with corporate CIOs. Why are you seeking them out?
Arena: We're trying to build a relationship with the private sector where they will trust us, where they will be comfortable coming to us if there is an intrusion.
What's on the minds of CIOs you've met?
Arena: Right now, the concern is, What is the FBI going to do? If we go to the FBI, is this going to be in the media the next day? Is our stock price going to go down? Am I going to lose my job? How will we handle it? Are we discreet?
Are you hearing about specific issues?
Arena: A lot of it was, "This is what we're seeing. ... We're getting pinged from locations in the old Soviet bloc, the Philippines."
O'Brien: They're on the front lines, dealing with the things that we're investigating. I'm seeing a lot of activity coming from overseas. That seems to be a major source of the phishing.
How big of an issue is cybercrime to the FBI?
Arena: Cybercrime is the No. 3 overall priority at the FBI, behind counterterrorism and counterintelligence.
What happened to organized crime?
Arena: It's still there. Cybercrime really overlaps every other program in the FBI. It's not just some 18-year-old kid with no social life trying to hack into the system. It's organized groups, it's state-sponsored organizations, it's terrorist organizations, for whatever purpose, trying to infiltrate our country. It's economic espionage targeting our infrastructure, trying to damage us financially. There's a lot of different reasons and a lot of different groups involved in this. That's why it's such a high priority.
From which areas overseas are most attacks originating right now?
O'Brien: Eastern Europe and Asia are two of the bigger hot spots.
The FBI has reported that some companies have been victimized by another scam, interactive voice response spoofing. How does that work?
Day: Phishers are now spoofing the phone trees of various companies, mainly banks. It sounds exactly like the phone tree that you're used to calling into where you put in your account number and PIN. You're putting in your account number and PIN, but you're actually calling a spoofed number that has been sent to you in an e-mail [saying], "There are problems with your account; we don't want you communicating over the Internet -- it's not safe -- just call this number to check in and make sure your account balance is correct." They're getting [user account and PIN] information by spoofing the phone tree of companies. It's the latest trend.
What are the top problems reported?
O'Brien: Now there is a profit motive. Take botnets, for example, [where the creator is] leasing out part of the botnet for use in some other type of crime. That's a relatively new evolution of the old crimes.
Day: Denial-of-service attacks were a problem a long time ago. Then companies got wise. They altered the network management, and it became not much of a problem. Then the botnets came on, and you've got thousands of compromised computers all over the world now attacking a site that your network isn't going to be able to handle. They're too big, and so the denial-of-service attack has once again become something that you have to be very concerned about. The botnets, where you have thousands of compromised computers, are just that powerful.
What have been your most notorious cases?
Heron: The largest consumer fraud in the U.S. was committed by the Gambino crime family. The loss was approximately $250 million dollars in an Internet fraud. They took a two-pronged approach. One was offering these free tours of adult Internet sites and then asking for a credit card for age-verification purposes. Nothing legitimate is going to come out of a question like that.
People were taking free tours, and then their credit cards were getting hit for charges over and over again. The second prong to this scheme involved telephone cramming, where they co-opted the head of a telephone company and the president of a bank in the Midwest and were going through a third-party billing provider, putting charges on peoples' telephone bills for services not provided.
The average person doesn't look too often at the individual charges on their phone bill. A small amount for this, a dollar for that ... nobody knows what they are, and no one pays much attention. That's what they were counting on. The end result was a $250 million loss to the public committed by four members and associates of one of the five La Cosa Nostra families in New York City.
Do you see a lot of organized crime involvement in stealing trade secrets?
Arena: I would call it organized groups. We see a lot of activity out of the former Soviet bloc countries of Eastern Europe. The bureau right now is kicking off an initiative where we're sending agents into those countries to work with the local law enforcement.
Do you see a lot of problems with mobile devices?
Day: Mobile computing is starting to be the big concern, with thefts of customer lists or intellectual property. The fact that laptops, PDAs and cell phones are so easily lost, the fact that they often have Bluetooth and other types of technologies, the fact that employees don't understand the risks. I could walk right by you and connect to your PDA and be reading all of your files if you don't have it locked down. It's a technology that's advancing very rapidly.
How are handhelds and cell phones compromised?
Day: You can compromise a cell phone so that you can turn it on whenever you want, and the conversations going on around you can be transmitted to whoever is controlling the cell phone. If I had your cell ... and I made a single phone call, I could download a program to the cell phone that would make the cell phone controllable.
How do you prevent that?
Day: Never let anyone use your cell phone. Honestly, you can't let people borrow your cell phone unless you know who the person is.
Should companies have policies disallowing cell phones and other mobile devices in highly sensitive meetings?
Day: I think that's a good idea. That's our policy. You shed all electronic equipment before you go into certain areas or certain meetings.
How safe are encrypted mobile devices? Is a software-based encryption program good enough?
Day: I don't know of an instance where encryption was not successful in protecting that information.
O'Brien: A number of [CIOs] have said that their most up-to-date initiative is to encrypt all of their mobile devices. That's something people seem to recognize as a potential loss problem.
What are the most common losses that could have been prevented?
Arena: One of the most common ones we've seen is the disgruntled employee who is no longer in the company but is able to gain access because their access to the network wasn't shut down in a timely fashion.
Do you see a lot of problems with stolen data leaving the premises on removable media?
Day: That problem has always existed. It's just that now you can carry out a lot more information. The iPod is the [newest] thing. Podslurping ... has turned the iPod into exactly the thing we never wanted to see on a 60GB storage device that's that tiny. [It runs] a program that can connect [an iPod] via the USB port and without access to a keyboard actually go through and suck up to 60GB of information in a very short period.
How can companies protect themselves from coordinated efforts to steal secrets?
Arena: You've got to put the time, the money, the effort into not only setting up your security system but [also] in updating it. You can't just say, "OK, we're secure; that's it." You've got to work every day; you've got to come to conferences and find out what's going on. Because the bad guys, they're not taking any days off. Their research and development far surpasses the private sector's. They're doing it. You've got to be doing it. Otherwise, they're going to break your system.


Cybercrime: When to call in the FBI

Robert Mitchell
July 28, 2006 (Computerworld) When a company thinks it might have been the victim of a cybercrime, it's not always easy to figure out when to call in the feds for help. FBI agents Nenette Day and Andrew G. Arena answered some frequently asked questions about how companies can get help in the struggle with cybercrime.

If I have a problem, when should I come to the FBI versus a state or local law enforcement agency?
Arena: Most of this stuff is going to be interstate, if not international. We have a legal attache system. ... Between our relationships with our international partners with our legal attache offices, we hope to reach into those countries. We can hopefully have the wherewithal to reach into the country to try to get action quicker.

If my company is a victim and I go to the FBI, how do I know that the information isn't going to get out and embarrass my company?
Arena: It's not in our interest for that information to get out before our investigation is completed. Most times, it's somebody inside the company [who] for whatever reason puts that information out. When the investigation is completed and we begin the prosecution, obviously there is going to be publicity, and there's nothing we can do. At that point, you have to put the best spin on it you can. Any company that comes forward and assists law enforcement in stopping this problem, I think that will be seen as a positive.

If the damage is already done, what is the benefit of contacting the FBI, especially if I want to keep it as quiet as possible?
Arena: You'll probably get hit again. The only way to stop this is to get these people off the streets.
Day: Also, it shows a lot of social conscience for the company to try to get them off the street rather than letting them hit the next company. That they are trying to get the people convicted, that not only sends a message to criminals who want to try that in the future, but also gets these people off the streets so they don't hit the next company.

What programs do you offer to support businesses?
Arena: We have the InfraGard program. It's a public/private partnership that was first formed by the FBI in 1997, and now we're throughout the country. It brings together the financial community, the banking community, the gas companies, the phone companies -- basically, what we consider the critical infrastructure of this country -- and opens up communications. At every chapter meeting, we pass along trends [and] they learn from each other.


Throngs gather to restore HOPE

Geeta Dayal

July 22, 2006 (Computerworld) The sixth Hackers on Planet Earth (HOPE) hacking convention got off to a rolling start Friday in New York. Thousands of mostly black-clad attendees thronged the Hotel Pennsylvania in midtown Manhattan for a three-day smorgasbord of workshops, panels and lectures on network security, activism, do-it-yourself tech and hacking in all its forms.
Several of the attendees were veterans of previous incarnations of the biannual HOPE, and of other popular hacker conventions such as Def Con in Las Vegas and ShmooCon in Washington. Several speakers, too, are conference stalwarts, such as long-imprisoned hacker Kevin Mitnick (whose social-engineering presentation was a highlight of the last HOPE, held in 2004), free-software pioneer Richard Stallman and punk-rock provocateur Jello Biafra.
Friday was big on topics heavy with political overtones, such as "Building the Anti-Big Brother Databases" and "Bin Laden, National Intelligence, and More". More lighthearted events, such as a new version of the popular panel devoted to the art of lockpicking and an LED art-making workshop run by New York’s Graffiti Research Lab, helped keep the mood buoyant throughout the day.
The clear highlight of Friday's proceedings was an impassioned keynote address by Stallman, who lashed out against spyware and DRM, or digital rights management -- which Stallman is fond of calling "digital restriction management" or "digital handcuffs."
"Lots of proprietary software has malicious features," Stallman said. "They put in spy features, features designed to restrict the user, and back doors. One proprietary program you may have heard of that spies on the user is Windows XP," he said to laughter and boisterous applause. He also criticized TiVo, which he said collects data on user preferences.
During a lull in his presentation, Stallman donned a black flowing robe and a red halo crafted out of a vintage computer disk, and reappeared on stage as his alter ego, "Saint IGNUsius of the Church of Emacs." "Install a holy free operating system and only install free software on top of that," he instructed the packed hall. "If you make this vow and live by it, you can be a saint."
Stallman preached the exclusive use of free software as an antidote to potential DRM issues. "All proprietary software is 'just trust me' software, where you surrender to the blind faith of a developer who might not deserve it," he said. "The user of nonfree programs is a prisoner of his software." He also criticized the notion that in the future, most applications will be run online. "You simply can't have control over what a program does unless you're running your copy. ... If everyone's running Google's copy of a program, we can't all have control over what Google's copy does," he said.
A later panel titled "The Future of Wireless Pen Testing" came out swinging against holes in several methods for 802.11 wireless security. "Remember WEP?" Frank Thornton, an expert on wireless security and one of the speakers on the panel, said to peals of laughter from the audience. "Or even MD5?" The panelists discussed the urgent need for a more bulletproof way to secure wireless networks; the standard 64-bit and even 128-bit encryption provided by WEP has long been shown to have serious weaknesses, and newer schemes such as WPA, they said, have some flaws. A wireless security panel on Saturday's HOPE schedule is set to explore this further.
Later panels varied broadly in scope. A panel on the European hacking community, including representatives from Germany’s notorious Chaos Computer Club, discussed cultural differences between Europe and the U.S. An intriguing evening presentation on "Hacking the Mind," which drew eerie similarities between buffer overflows, shell code and hypnotism, attracted crowds.


McAfee: Trojan horse cloaks itself as Firefox extension

Jeremy Kirk
July 26, 2006 (IDG News Service) Security vendor McAfee Inc. has detected a new piece of malicious software that masquerades as part of the Firefox Web browser.
McAfee calls the Trojan horse "FormSpy." Trojan horses are programs, often attached to spam e-mail, that appear innocuous but are harmful to a computer.
FormSpy is downloaded to a computer that is already infected with another Trojan horse called "Downloader-AXM," McAfee said. That Trojan was recently detected in e-mail spam messages.
Downloader-AXM contacts servers to download other malicious programs to a computer without a user's knowledge, according to McAfee. Once downloaded, FormSpy installs itself as a Firefox extension.
The program appears as "NumberedLinks 0.9" extension, McAfee said. The extension normally would allow a user to navigate links by numbers using the keyboard rather than a mouse.
Once installed, FormSpy can transmit information in a Web browser, which could include credit card numbers, passwords and electronic banking pin numbers, to another Web site, according to McAfee. FormSpy can also steal passwords for e-mail, ICQ instant messaging services and file transfer protocol programs, the company said.


IRS Warns of New E-mail Scam

IRS warns of new e-mail scam
Linda Rosencrance
July 24, 2006 (Computerworld) The Internal Revenue Service (IRS) is warning taxpayers of an e-mail scam that uses the U.S. Department of the Treasury's Electronic Federal Tax Payment System (EFTPS) to lure them into disclosing personal information.
The IRS said the e-mail scam is the first to target the EFTPS, which allows businesses and individuals to pay their federal taxes online or via telephone.
The fake e-mail, which contains numerous grammatical and typographical errors, looks like a page from the IRS Web site and claims to be from the "IRS Antifraud Comission" (sic), a fictitious group. The e-mail claims that someone has enrolled the taxpayer's credit card in EFTPS and has tried to pay taxes with it. It also says that there has been fraudulent activity involving the taxpayer's bank account. In addition, the e-mail says money was lost and "remaining founds" (sic) are blocked.
Recipients are asked to click on a link that purports to help them recover their money, but the link takes them to a fake IRS site where they are asked to divulge personal information -- data that the scammers could use to steal the taxpayer's identity, the IRS said.
The IRS said it never asks people for personal identification numbers, passwords or similar secret access information associated with their credit cards, banks or other financial accounts.
The IRS said it has seen a recent increase in such scams. Since November, 104 different scams have been identified -- 22 of them in June alone -- the most since 40 were identified in March, at the height of the tax filing season. More than 8,000 bogus e-mails have been forwarded to the IRS to date -- including nearly 1,300 that were forwarded last month, the IRS said.
Investigations by the Treasury inspector general for tax administration have identified sites hosting more than two-dozen IRS-related phishing scams in a number of countries, including Argentina, Aruba, Australia, Austria, Canada, Chile, China, England, Germany, Indonesia, Italy, Japan, Korea, Malaysia, Mexico, Poland, Singapore and Slovakia, as well as in the U.S.
Other IRS-related scams tell recipients that they are due a federal tax refund and direct them to a Web site that appears to be a real IRS site. These bogus sites contain forms or interactive Web pages similar to IRS forms or Web pages, but which have been modified to request detailed personal and financial information from the e-mail recipients -- information that goes directly to the cyberthieves.
"The IRS does not send out unsolicited e-mails asking for personal information," said IRS Commissioner Mark Everson in a statement. "Don't be taken in by these criminals."

Thursday, July 20, 2006


State Dept. Probes Possible Computer Hack

State Dept. probes possible computer hack
The hardware was in offices that deal with China and North Korea
Reuters July 12, 2006 - The U.S. Department of State said yesterday that it is investigating "anomalies" in its unclassified computer system, but officials declined to comment on a report that agency computers had been hacked.
The Associated Press said the State Department detected large-scale break-ins of its computers last month in its headquarters and offices that deal with China and North Korea.
State Department spokeswoman Nancy Beck confirmed only that the problem was not a computer virus and that an investigation is now under way.
"While our investigation continues, there is no indication that any sensitive U.S. government information was compromised," Beck said. "The department detected anomalies in network traffic, and we felt it prudent to take measures to ensure our system's integrity.
"We take each and every potential threat very seriously," she said. "Cybersecurity contingency plans were in place, and we activated them immediately."
Beck said the case represents a "textbook example" of the department's ability to detect and defeat a threat before it could do any damage. Like the private sector and other government agencies, the State Department constantly battles attempts from multiple sources to penetrate its computer system, she said.
According to AP's sources, investigators believe that hackers may have stolen sensitive information and passwords and installed "back doors" that would allow them to return to unclassified government computers.


New PowerPoint Flaw Used In Attacks

New PowerPoint flaw used in attacks
Now presenting: A security hole with an e-mail hook
Robert McMillan July 13, 2006 (IDG News Service) --
Attackers have found another hole in Microsoft Corp.'s Office products. On Thursday, Symantec Corp. reported that it has discovered a targeted attack that takes advantage of an unpatched vulnerability in Microsoft's PowerPoint software.
The hackers behind this attack are using the same techniques that were used in previously reported Word and Excel attacks, said Dave Cole, a director at Symantec Security Response. "It's similar to the pattern we've seen over the past few months where they're using a previously unknown Microsoft vulnerability and an e-mail enticement to get a back door on someone's machine," he said.
Cole said he believes that the same hackers may be behind all three attacks. "It looks like it may be the same group just based on the similarity of attacks," he said.
As with the Word and Excel attacks, this latest malware is not widespread.
This PowerPoint attack was discovered late Wednesday by a Symantec customer, who received a Chinese-character e-mail from a Gmail account. The e-mail contained a PowerPoint attachment that installed two pieces of malicious code when opened: a Trojan horse program called Trojan.PPDDropper.B and a backdoor program called Backdoor.Bifrose.E.
The backdoor program tries to cover its tracks by writing over the original PowerPoint document. It then awaits instructions from the attackers, who can use it to control the infected system.
Office is fast becoming the target of choice for hackers.
Microsoft patched a total of 12 Office vulnerabilities on Tuesday, but the PowerPoint bug used by this latest malware was not one of them, according to Cole.
Microsoft is investigating the vulnerability, said Stephen Toulouse, a security program manager at Microsoft's security response center.
Symantec is studying it as well. The security vendor said it does not yet know if the attack is specific to PowerPoint or whether it affects all Office products.


IBM Sued Over Hacked E-Mail Server

IBM sued over hacked e-mail server
Law firm says IBM employee attempted to attack its e-mail
Robert McMillan July 12, 2006 (IDG News Service) -- A Washington law firm has sued IBM, claiming that the computing giant is responsible for a 2005 attack on its e-mail server.

Butera & Andrews claims that an unknown IBM employee attempted to attack its e-mail server in November of last year, shortly after the law firm discovered that its computer had been taken over by an unknown attacker. Security investigators traced the source of the attack to a computer within IBM's Cornwallis Road facility in Durham, N.C., the law firm alleges.

The lawsuit was filed April 7 in the U.S. District Court for the District of Washington.

An analysis of computer logs revealed "over 42,000" attempts by IBM-controlled machines to attack Butera & Andrews servers during 2005, the lawsuit claims.

Butera & Andrews is asking the court to force IBM to disclose information related to the attacks, and to award it damages, including the $61,000 it spent investigating the matter.

IBM has asked for the case to be dismissed, saying that Butera & Andrews "alleges no facts to justify its supposition that its systems were attacked by an IBM employee, as opposed to a computer hacker."

The law firm may have a hard time proving that IBM is to blame for this attack, according to a computer security expert.

Though Butera & Andrews may have traced their attack to an IP address controlled by IBM [170.224.68.57, according to court filings], that address may have been spoofed, or IBM's servers themselves may have been taken over by outside attackers, said Russ Cooper, a senior information security analyst at Cybertrust Inc. "There are lots of possibilities."

Butera & Andrews senior partner James Butera declined to comment on the matter, except to point out that IBM had not denied that its computers were involved in the attack.

IBM representatives were not immediately available to comment for this story.


Bot Masters Fool With Paris Hilton

Bot masters fool with Paris Hilton
The simple life, unless you're the one battling the malware
Darren Pauli
July 18, 2006 (Computerworld Australia) -- Paris Hilton being exploited? It's hard to believe. But virus writers are becoming more sophisticated in their use of celebrities such as Hilton to entice users to unknowingly install malware.
It may be hard to understand how any reasonable user could believe that Paris Hilton is inviting him to chat on instant messaging or to receive a copy of that video via e-mail, but they do -- or maybe they're just hopeful.
The IRCbot and IM-Worm-based Kelvir families, made famous by the use of videos and images of Hilton, are becoming more sophisticated, according to antivirus vendor Kaspersky Labs.
To date, celebrities, security and law enforcement agencies and politicians have been used to create fast, high-profile infections in devices using IM programs, the company's senior research engineer Roel Schouwenberg said.
But bot masters are now controlling malware distribution and execution by separating the worm from the back door.
"The worm will only start spreading when the IRC operator (the bot master) gives a specific command in the channel, or to one specific victim machine," Schouwenberg said. "It should be noted that in such cases, the worm spreads as a link to the backdoor, not to itself."
IM malware evolved from basic IRCBot installers such as Bropia and Kelvir, to Prex which uses links to separate worm and bot, to social-engineered "chatboxes", which incorporate messages to fool users into thinking Hilton is offering her explicit personal imagery, or that the FBI will confiscate your PC unless you visit a Web site.
These may lure more users into responses that lead to infection, but such infections are inevitably cut short by the high media attention they attract, which results in the quick release of fixes.
Schouwenberg says the use of .php dynamic content to steal e-mail addresses led to a leap in IM hacking.
"The most common scenario in the case of IM worms is that the e-mail address will be stored in a database for spamming purposes, then an executable will be presented to the user for download," he said.
He said new IM malware, such as IRCBot.lo, controls botnet size unlike earlier Kelvir variants that spread uncontrollably.


Phishers Edge Past Banks' Strong Authentication

Phishers edge past banks' strong authentication
Robert McMillan
July 14, 2006 (IDG News Service) Scammers have found a way around new token-based authentication systems that have been adopted by some banks.
Over the past few weeks, approximately 35 phishing Web sites have been set up that use the new attack. They attempt to trick users into divulging the temporary passwords created by the security token devices used by banks such as Citigroup Inc., said Rich Miller, an analyst with Internet research company Netcraft Ltd.
Phishers have only recently begun looking for ways around token authentication, using what is known as a "man-in-the-middle" attack, Miller said. "These attacks are worrisome because they took advantage, fairly early on, of a system that's seen as enhancing security for banking customers," he said.
Token devices are used to create a temporary second password for online banking customers. These passwords are valid for a very short period of time and can be used only once, making it impossible for attackers to steal them for later use. U.S. banks have been offering the tokens to users in an effort to comply with federal guidelines that call for stronger, two-factor authentication for online transactions by year's end.
Security experts had predicted that phishers would eventually use a man-in-the-middle attack to circumvent token-based authentication, but these recent attacks mark the first time they have actually done so, Miller said.
In an ongoing attack against Citibank customers, phishers have set up a fake Web site where victims are tricked into entering their static password together with the current token code. The fake site instantly relays both to Citibank's real Web site, inside the code's validity window, so the session is established for the criminals rather than for the victim.
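The relay described above, as an added example that is not part of the original article and not code from Netcraft or any bank: a toy bank that accepts a static password plus a 30-second, single-use HMAC-based token code, and a phishing proxy that forwards whatever the victim types to the real login the instant it arrives. The token scheme, the account, the secret and the timestamps are all constructed for the demonstration. Running the scenario shows the two properties the article contrasts: a code relayed in real time logs the attacker in, while the same code fails if the victim retries with it or if the attacker replays it two minutes later.

```python
import hashlib
import hmac
import secrets
import struct

STEP_SECONDS = 30  # assumed token period: a fresh code every 30 s


def otp_code(secret: bytes, now: int, step: int = STEP_SECONDS) -> str:
    """Time-based one-time code: HMAC-SHA1 over the current time step,
    dynamically truncated to six decimal digits (toy scheme for this example)."""
    counter = struct.pack(">Q", now // step)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % 1_000_000:06d}"


class Bank:
    """Constructed bank login: static password plus one-time code.
    A code is accepted only for its own time step, and only once per step."""

    def __init__(self):
        self.accounts = {}   # user -> (password, token secret)
        self.used = set()    # (user, time step) pairs already consumed
        self.sessions = {}   # session id -> user

    def enroll(self, user: str, password: str, secret: bytes) -> None:
        self.accounts[user] = (password, secret)

    def login(self, user: str, password: str, code: str, now: int):
        """Return a session id on success, None on any failure."""
        if user not in self.accounts:
            return None
        expected_pw, secret = self.accounts[user]
        if not hmac.compare_digest(password, expected_pw):
            return None
        step = now // STEP_SECONDS
        # Wrong code, or a correct code that has already been spent this step
        if code != otp_code(secret, now) or (user, step) in self.used:
            return None
        self.used.add((user, step))
        sid = secrets.token_hex(8)
        self.sessions[sid] = user
        return sid


class PhishingProxy:
    """Fake site that relays the victim's submission to the real bank immediately."""

    def __init__(self, bank: Bank):
        self.bank = bank
        self.stolen_sessions = []

    def submit(self, user: str, password: str, code: str, now: int) -> str:
        # The relay happens inside the code's validity window, so the
        # single-use, short-lived code is consumed by the attacker, not the victim.
        sid = self.bank.login(user, password, code, now)
        if sid is not None:
            self.stolen_sessions.append(sid)
        return "Our site is temporarily unavailable. Please try again later."


def run_scenario() -> dict:
    bank = Bank()
    secret = b"constructed-token-seed-for-alice"
    bank.enroll("alice", "hunter2", secret)
    proxy = PhishingProxy(bank)

    t0 = 1_152_900_000  # fixed, constructed epoch time so the run is deterministic
    code = otp_code(secret, t0)

    # 1. Victim types password + current token code into the fake site.
    proxy.submit("alice", "hunter2", code, t0)
    relayed = (len(proxy.stolen_sessions) == 1
               and bank.sessions[proxy.stolen_sessions[0]] == "alice")

    # 2. Victim retries at the real site seconds later with the same code: already spent.
    victim_retry = bank.login("alice", "hunter2", code, t0 + 5)

    # 3. Attacker replays the captured code two minutes later: time step has moved on.
    replay_later = bank.login("alice", "hunter2", code, t0 + 120)

    # 4. A fresh code from the real token still works, so the token itself is not broken.
    fresh = bank.login("alice", "hunter2", otp_code(secret, t0 + 120), t0 + 120)

    return {
        "relayed_login": relayed,
        "victim_retry": victim_retry,
        "replay_later": replay_later,
        "fresh_login_ok": fresh is not None,
    }


if __name__ == "__main__":
    print(run_scenario())
```

The design point the example makes is that a one-time code proves only that the person submitting it holds the token right now; it does not bind the code to the site the user believes they are talking to, so a proxy that forwards it within the window inherits the session.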
With a total of 35 such phishing sites now spotted, it seems that the attack is becoming widespread, Miller said. "This is getting organized," he said. "It is not just an isolated incident of somebody coming up with a proof of concept or an exploit that's unique to them."
Many of the 35 phishing sites found by Netcraft have now been shut down, although some are still operative, Miller said.
Although these new phishing techniques show that no single control is impervious to attack, token-based two-factor authentication remains a useful tool against malicious software such as Trojan horse programs, said Johannes Ullrich, chief research officer at the SANS Institute.
Ullrich also noted that these attacks rely on victims who will enter sensitive information into an untrusted Web site, a type of victim that is becoming harder to find as users clue into the phishing phenomenon.
"The real problem is not the phishing sites; it's the Trojans and keyloggers," he said, adding that "they'll have a harder time working around the two-factor authentication."


Enter The Visherman

Grant Gross
July 10, 2006 (IDG News Service) -- A new kind of identity theft scam, with thieves using easy-to-obtain VoIP (voice over Internet Protocol) telephone numbers to trick Internet or telephone users, is beginning to pop up, said a cybersecurity vendor.
Related to phishing scams, the new scheme uses cheaply obtained VoIP numbers as bogus credit card or financial services telephone numbers, said Paul Henry, vice president of strategic accounts for Secure Computing Corp. The company has observed only two such scams so far, but it expects the practice to "explode," Henry said.
With Internet users being warned about clicking on hyperlinks in unsolicited e-mail, the new scam includes a phone number instead, Henry said. "It's a natural elevation of the art to move it to the telephone," he said. "People are getting nervous about clicking on links."
In phishing scams, identity thieves send e-mail that looks like it comes from a bank, credit card company or online payment service such as PayPal. The e-mail typically says the recipient's account has been compromised in some way, and it contains a link to an official-looking Web site where the recipient can enter account information.
In the new scam, which Secure Computing calls "vishing," identity thieves ask potential victims to call a phone number attached to a VoIP account, easily obtained online through services such as Skype or through retailers reselling VoIP products such as Vonage Holdings Corp., Henry said.
In one vishing case, scammers targeted PayPal users by including a telephone number in a spam e-mail. In the other case, the criminals configured an automatic telephone dialer to call phone numbers and, when the phone was answered, played an automated recording saying the recipient's credit card had shown fraudulent activity.
The recording asked the telephone customer to call back a number, with the caller ID spoofed to look like the credit card issuer's, Secure Computing said. Once users call, they are asked for personal account information.
VoIP numbers are easy to obtain anonymously, but Henry didn't fault VoIP providers for vishing scams. A larger problem is the ease of obtaining credit online or over the telephone, he said.
Consumers are comfortable with obtaining credit online or by dialing automated telephone services to get credit, but if credit-granting businesses required physical contact, phishing and vishing scams would be almost eliminated, he added.
"In today's environment, it's absurd," Henry said.
To avoid vishing scams, Secure Computing offered these pieces of advice:
• Credit card companies normally refer to customers by their full names in any communication. If an e-mail or phone call does not refer to your full name, it may be a scam.
• You should not call a telephone number provided in a phone call or an e-mail regarding possible security issues with any credit card or bank account. You should call the phone number on the back of your credit card or on your bank statement to report security concerns.
• If anyone purporting to be a credit card provider calls and requests your card number, hang up and call the phone number on the back of the credit card and report the attempt. If the call was legitimate, the credit card provider will have knowledge of it.
