Friday, July 10, 2009
Juniper pulls talk on ATM vulnerabilities
Robert Lemos 2009-07-01
Networking giant Juniper canceled a presentation on ATM vulnerabilities scheduled to be given by one of its researchers at the Black Hat Security Conference later this month.
The talk, which would have revealed flaws in the automated teller machines (ATMs) of an undisclosed vendor, will be postponed until the vulnerabilities are fixed, Juniper said in a statement. The original description of the presentation stated that the researcher, Barnaby Jack, would "retrace the steps I took to interface with, analyze, and find a vulnerability in a line of popular new model ATMs," and would "explore both local and remote attack vectors, and finish with a live demonstration of an attack on an unmodified, stock ATM."
On Monday, Juniper announced that it would not allow the presentation to go forward, at the request of the affected vendor.
"The vulnerability Barnaby was to discuss has far reaching consequences, not only to the affected ATM vendor, but to other ATM vendors and — ultimately — the public," Brendan P. Lewis, director of corporate social media relations, said in a statement posted to the Juniper blog. "To publicly disclose the research findings before the affected vendor could properly mitigate the exposure would have potentially placed their customers at risk. That is something we don't want to see happen."
Cash machines have increasingly been targeted by hackers and cybercriminals. In March, security firm Sophos uncovered malware specifically written for Diebold ATM devices, which was found on a number of machines in Russia. The security firm stated at the time that the malicious software had been created as early as November 2008.
Diebold warned customers as early as January, according to reporting by IDG News, and provided a software patch for customers.
"Diebold continually emphasizes the customers’ role in reducing the risk of attacks by following industry-standard security procedures related to managing physical access to ATMs, password management and software updates," the company stated in a cover letter that accompanied the advisory about the issue.
Hackers steal money from Bullitt County account
Posted: Jul 01, 2009 6:14 PM CDT
Updated: Jul 01, 2009 11:01 PM CDT
Walter Sholar, Bullitt County Attorney
Melanie J. Roberts, Bullitt County Judge-Executive
Greg Schreacke, president of First Federal Savings Bank
By Marisela Burgos
Posted by Charles Gazaway
LOUISVILLE, KY (WAVE) - Federal agents and members of the Bullitt County Fiscal Court are trying to recover thousands of dollars that went missing from a county account at First Federal Savings Bank in what appears to be a cyber crime. Limited information is being released, but an FBI agent WAVE 3 spoke with believes this crime has international ties.
"It is not like the old days when the bank got robbed and the sheriff generated up a posse and took off after the bad guys," said Walter Sholar, the Bullitt County Attorney.
Sholar said the county is working aggressively to recover what was taken from them and he is concerned about cyber crimes.
Even though $415,000 went missing, Bullitt County Judge-Executive Melanie Roberts said she is glad everyone worked in a timely manner. "I'm so thankful for the quick action of the county's leaders of Bullitt County in going to the First Savings Bank and trying to solve this problem as quickly as we can."
Greg Schreacke, president of First Federal Savings, told WAVE 3 he believes the people responsible for the crime are a sophisticated group. "They logged on as a Bullitt County user, stealing one of the user names and passwords and transferred money out of the accounts to fictitious individuals."
Although the crooks were able to log in from a remote location, Schreacke said once logged in, they were able to be a user on the Bullitt County network just like they were sitting in front of the computer. They got away with more than $400,000 from the county's account at First Federal Savings Bank, money that Sholar said is not missing, it was stolen. "Money is stolen just the same as somebody who took a .45 pistol and held it up to a teller."
$46,000 has been recovered and Schreacke said they are doing everything possible to get more of the taxpayer dollars back. "We're going to do as much as possible to get the money back and then after that, people have insurance and so forth that'll kick in."
Roberts told WAVE 3 that Bullitt County residents can rest assured of one thing - none of the county's services are going to be lost because of the theft. "No interruption will occur and we will work very hard to get this missing money back into the bank account."
Schreacke said this is an unusual crime and First Federal Savings customers should not be worried that their accounts have been compromised. The FBI is still investigating this case.
Ex-Goldman programmer out on bail in theft case
By Martha Graybow
Reuters
Tuesday, July 7, 2009 12:21 AM
NEW YORK (Reuters) - A former Goldman Sachs Group Inc computer programmer accused of stealing secret trading codes from the financial firm has been released from federal custody after posting bail, authorities said Monday.
Sergey Aleynikov, 39, was arrested by the FBI Friday and charged with "theft of trade secrets." He met the terms of his $750,000 bail and was released Monday, said FBI spokesman James Margolin.
Aleynikov is accused of misusing computer codes that belong to his former employer, a New York-based financial institution that authorities did not identify in court papers but sources say is Goldman Sachs.
A transcript of Aleynikov's appearance before U.S. Magistrate Kevin Nathaniel Fox in Manhattan Saturday also shows that Aleynikov worked for Goldman.
His lawyer, Sabrina Shroff, said at that proceeding that Aleynikov told authorities after his arrest that he did not intend to sell the information or use it "contrary to my employment agreement with Goldman Sachs."
Goldman has not seen its business or clients harmed by the purported computer breach, a source familiar with the situation said Monday. The firm declined to comment.
The case could shed light on the workings of intricate trading systems developed by Goldman. It also raises questions about the security of lucrative Wall Street proprietary trading operations.
However, the New York Stock Exchange said Monday there was no connection between the alleged security breach and an error that dropped Goldman from a trading report the NYSE issued last week.
Aleynikov, a Russian immigrant living in New Jersey, was arrested Friday night as he got off a flight at Newark Liberty International Airport, according to an FBI affidavit filed in the case.
Aleynikov had been held at the Metropolitan Detention Center in Brooklyn.
Terms of his bail required a $750,000 personal recognizance bond to be secured by three financially responsible people.
His bail also included $75,000 in cash, and Aleynikov was ordered to surrender his travel documents and not to access the computer data at issue in the case.
A preliminary hearing was scheduled for August 3.
A "For Sale" sign stood on the lawn of Aleynikov's home on Monday night in Little Falls, New Jersey. The vacated two-story Colonial-style home, whose open mailbox had letters peeking out, was listed as "priced to sell" in an online advertisement by an area real estate agency.
Authorities contend Aleynikov stole codes used for sophisticated automated stock and commodities trading. They say Aleynikov, who earned $400,000 a year at Goldman, improperly copied proprietary computer code and then uploaded it to a computer server in Germany.
After he was arrested, he told authorities he had only intended to collect "open source" files on which he had worked but "later realized that he had obtained more files than he intended," the FBI agent said in the court papers.
The FBI said Aleynikov worked at the financial institution from May 2007 until June 5, when he left to work for a new company focused on high-volume automated trading.
Aleynikov was suspended by Teza Technologies LLC, a Chicago-based firm for which he started to work on July 2, Bloomberg cited the firm as saying in an emailed statement.
The firm, which was co-founded by Misha Malyshev, a former trader at Citadel Investment Group LLC, said it first learned of the allegations on July 5 and suspended Aleynikov without pay following an investigation, according to the news agency.
Teza offered to cooperate with the government and said it "was not aware of the alleged misconduct," according to the news agency.
Teza could not be immediately reached by Reuters for comment on the report.
Aleynikov's wife, Elina, told Reuters Sunday that her husband is innocent. She said in a phone interview from the couple's New Jersey home that her husband worked hard for Goldman and has been a good citizen who has lived in the United States for 19 years.
Security Guard Charged With Hacking Hospital Systems
From: www.csoonline.com
He allegedly posted video of the activities to YouTube
by Robert McMillan, IDG News Service
July 02, 2009
The grainy video shows a bleary-eyed young man in a hoodie inside the Carrell Clinic in Dallas, Texas. As he hits the elevator button, the theme music from Mission Impossible plays in the background. "You're on a mission with me: Infiltration," he tells the camera.
Then in the course of the next five minutes, the man, who says he hasn't slept in 3 days, uses a security key to roam the halls of the hospital and install malicious botnet software on a computer there.
He says he's "infiltrated a very large corporate office," but according to the U.S. Federal Bureau of Investigation, he was just working the night shift as a security guard, pretending to break into the very building he was supposed to be guarding.
On Friday the federal authorities arrested Jesse William McGraw on a charge of felony computer intrusion, saying he intended to use the botnet to launch a massive distributed denial of service (DDOS) attack on July 4, the day after he was set to stop working there. He'd nicknamed the day "Devil's Day."
He worked for a Dallas security company called United Protection Services, on the 11 p.m. to 7 a.m. shift at the clinic.
McGraw, who went by the hacker name GhostExodus, allegedly installed malicious software all over the Carrell Clinic, including systems that contained confidential information, and others that managed the building's climate-control systems, authorities said Tuesday.
The hacker could have harmed patients or damaged drugs if he had turned off air conditioning during Texas's hot summer months, authorities said.
GhostExodus's Mission Impossible video was one of several that he posted to YouTube. They have since been removed, but copies were seen by the IDG News Service. One video named in court filings that was not deleted shows him skillfully playing a violin.
GhostExodus may have seen his arrest coming.
In a March 14 online journal entry, he said that an enemy was fabricating evidence against him and that he was erasing his tracks, but he did leave some tracks on the Web. For example, there's a May 24 forum post, where he bragged about his hacking and posted screen shots of the administrative interface to the heating, ventilation and air conditioning (HVAC) systems used at the hospital. "Spreading botnets is boring. But sometimes you get a hefty prize for all your hard work and labor," he wrote. "Like this you see below. An HVAC server."
McGraw talks like a big-time spy, but he makes some silly mistakes. In one video he puts on surgical gloves, presumably to hide his fingerprints, after typing on the computer he plans to hack. In another, he crops the video so that his face is not visible, but then shows off a fake FBI identity card -- with his picture on it. Then there's the fact that he posted the whole thing to YouTube.
His undoing came when a member of his hacker group, called the Electronik Tribulation Army, boasted to security researcher Wesley McGrew and showed him screen shots of hacked machines. That hacker, who went by the name XXxxImmortalxxXX, claimed to have hacked the Carrell Clinic systems, but McGrew soon linked the crime to GhostExodus and handed over his findings to authorities.
The group also compromised computers used by the Dallas Police and the National Aeronautics and Space Administration (NASA), the FBI said in an affidavit. According to GhostExodus's journal, he appears to have found a cross-site scripting bug -- a common Web programming error -- on NASA's Web site.
McGrew, a graduate student at Mississippi State University, said that it probably never occurred to GhostExodus to fake the videos he made. "It's a show of skill to his hacker peers," he said via instant message.
Still, the video is "pretty amazing," he added.
"He's a security guard at the hospital, but he's pretending to infiltrate a corporate office and he's running around with a hoodie on over his security guard uniform and installing botnet software on a hospital computer all to the Mission Impossible music," he said. "[You] can't make this stuff up."
Trojan Swipes FTP Credentials for Major Companies in Malware Attack
By: Brian Prince
2009-06-29
Security researchers are tracking a Trojan that has swiped as many as 88,000 FTP credentials for organizations such as Symantec, McAfee, Amazon, Cisco and the Bank of America. According to researchers at Prevx, the compromises are part of an operation that has been in business for more than two years.
Security researchers have uncovered a cache of stolen FTP credentials belonging to a variety of corporations, including Symantec, McAfee, Amazon and the Bank of America.
According to security vendor Prevx, a Trojan has swiped some 88,000 FTP credentials as of this morning. The FTP logins were discovered while the company’s researchers were investigating what Prevx CTO Jacques Erasmus described as a “prevalent in-the-wild infection.” During their investigation, they noticed the malware was sending out data to a Web server. After visiting the URL, the researchers found the cache of unencrypted FTP logins.
“We have contacted many of the organizations, and also handed the data over to US CERT; we have in the meantime made a Web page where people can go to check if their ftp logins are in the list,” he said. “The url for this is www.prevx.com/ftplogons.asp.”
Once on an infected computer, the Trojan harvests all FTP details it can find. The infection is randomized so different people will get different components based on where they are, software configuration and other criteria. According to Erasmus, this all appears to be part of an operation that has been morphing in different ways for more than two years.
“It doesn’t target the organizations, what it does do is when it infects a victim it grabs any stored FTP details from the form cache and sends it to their drop site,” Erasmus explained. “A typical example would be a developer working for amazon.com gets infected on his laptop which he used to upload some data to the ftp. The Trojan would steal his login details. In the case of Symantec – Mcafee – et al, what’s happened is partners and resellers who have privileged access to the ftp site for software downloads etc., have had their machines compromised, and their login details for these sites have been compromised.”
The Trojan is a variant of ZBot, which is reported to be receiving the uploaded FTP credentials in plain text. Recently, the ZBot Trojan was spammed out in an e-mail claiming to be a critical update for Microsoft Outlook. Once on the user’s system, ZBot accesses a Website to download a .bin file with information referring to where the Trojan can download an updated copy of itself, and where to send stolen data.
In the Outlook scam, the Trojan logged keystrokes whenever the victim visited one of the monitored sites and saved the stolen information in a file and then sent the file to a dedicated server via HTTP POST.
“From what we can tell this group runs various exploit kits and infects a large amount of people on a daily basis,” Erasmus said. “By looking at their operation, we can see that they are not 'amateur' because of the level of bulletproof hosting they have and the sophistication they are using to infect people in a very effective way.”
With the details in hand, attackers can write a script that uses the stolen login details to log in to each site and inject an iframe into every HTML page it finds. That iframe could point to an exploit kit running on the malware distributor's servers.
“When normal Web surfers visit the Website their browsing session would be redirected to the Exploit kit url where various types of exploits would be executed against their browser to try and automatically infect them,” Erasmus said. “So you might go to one of these sites looking to rent a house, but in the end, you’re getting a whole lot more.”
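The injection pattern Erasmus describes above (an off-site iframe added to a site's own pages) is something a site owner can check for in the content they serve. The following scanner is an added example written for this post; it is not code from Prevx or from the article. It parses an HTML page with Python's standard-library parser and flags iframes whose `src` points at a host other than the site's own and that are also styled to be invisible or sized to one pixel or less, which is the shape of a frame meant for the browser rather than the visitor. The site hostname `rentals.example`, the drop host `bad.example.invalid`, and the sample page are all constructed for the example.

```python
"""Flag iframes injected into a site's own HTML pages.

Added example, not code from the article or from Prevx. Hostnames and the
sample page are constructed; point find_suspicious_iframes() at pages pulled
from your own web root and pass your own hostname.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline-style patterns that make a frame invisible to the visitor.
_HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


def _is_zero_size(attrs):
    """True when width or height is declared as 1px or less (or 0)."""
    w = attrs.get("width", "").strip().rstrip("px")
    h = attrs.get("height", "").strip().rstrip("px")
    try:
        return (w != "" and int(w) <= 1) or (h != "" and int(h) <= 1)
    except ValueError:  # percentages or other non-integer sizes
        return False


class _IframeCollector(HTMLParser):
    """Collect every <iframe> start tag with its line number and attributes."""

    def __init__(self):
        super().__init__()
        self.iframes = []  # list of (line_number, {attr: value})

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            line, _ = self.getpos()
            self.iframes.append((line, {k.lower(): (v or "") for k, v in attrs}))


def find_suspicious_iframes(html, site_host):
    """Return findings for iframes that load from another host AND are
    hidden or zero-sized. Each finding: {"line", "src", "reasons"}."""
    parser = _IframeCollector()
    parser.feed(html)
    findings = []
    for line, attrs in parser.iframes:
        src = attrs.get("src", "")
        # A relative src has no hostname and is treated as same-site.
        host = urlparse(src).hostname or ""
        reasons = []
        if host and host.lower() != site_host.lower():
            reasons.append("off-site src")
        if _is_zero_size(attrs):
            reasons.append("zero-size")
        if _HIDDEN_STYLE.search(attrs.get("style", "")):
            reasons.append("hidden style")
        # Off-site alone is common for legitimate embeds; off-site plus an
        # attempt to hide the frame is the injection shape worth reporting.
        if "off-site src" in reasons and len(reasons) > 1:
            findings.append({"line": line, "src": src, "reasons": reasons})
    return findings


# Constructed sample page: a legitimate same-site player frame followed by
# an injected, invisible frame pointing at an unrelated host.
SAMPLE_PAGE = """<html><body>
<h1>Homes for rent</h1>
<iframe src="/tour/player.html" width="640" height="360"></iframe>
<p>Call us today.</p>
<iframe src="http://bad.example.invalid/kit/in.php" width="1" height="1"
        style="display:none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for f in find_suspicious_iframes(SAMPLE_PAGE, "rentals.example"):
        print(f"line {f['line']}: {f['src']} ({', '.join(f['reasons'])})")
```

Run over the sample page with `rentals.example` as the site host, the scanner reports only the second iframe, on line 5, with all three reasons; the same-site player frame is ignored. Off-site frames that are visible are deliberately not reported, since video and map embeds look exactly like that, but a one-line change to the final condition would list them for manual review if a site never uses third-party embeds.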
2009-06-29
Security researchers are tracking a Trojan that has swiped as many as 88,000 FTP credentials for organizations such as Symantec, McAfee, Amazon, Cisco and the Bank of America. According to researchers at Prevx, the compromises are part of an operation that has been in business for more than two years.
Security researchers have uncovered a cache of stolen FTP credentials belonging to a variety of corporations, including Symantec, McAfee, Amazon and the Bank of America.
According to security vendor Prevx, a Trojan has swiped some 88,000 FTP credentials as of this morning. The FTP logins were discovered while the company’s researchers were investigating what Prevx CTO Jacques Erasmus described as a “prevalent in-the-wild infection.” During their investigation, they noticed the malware was sending out data to a Web server. After visiting the URL, the researchers found the cache of unencrypted FTP logins.
“We have contacted many of the organizations, and also handed the data over to US CERT; we have in the meantime made a Web page where people can go to check if their ftp logins are in the list,” he said. “The url for this is www.prevx.com/ftplogons.asp.”
Resource Library:
Once on an infected computer, the Trojan harvests all FTP details it can find. The infection is randomized so different people will get different components based on where they are, software configuration and other criteria. According to Erasmus, this all appears to be part of an operation that has been morphing in different ways for more than two years.
“It doesn’t target the organizations, what it does do is when it infects a victim it grabs any stored FTP details from the form cache and sends it to their drop site,” Erasmus explained. “A typical example would be a developer working for amazon.com gets infected on his laptop which he used to upload some data to the ftp. The Trojan would steal his login details. In the case of Symantec – Mcafee – et al, what’s happened is partners and resellers who have privileged access to the ftp site for software downloads etc., have had their machines compromised, and their login details for these sites have been compromised.”
The Trojan is a variant of ZBot, which is reported to be receiving the uploaded FTP credentials in plain text. Recently, the ZBot Trojan was spammed out in an e-mail claiming to be a critical update for Microsoft Outlook. Once on the user’s system, ZBot accesses a Website to download a .bin file with information referring to where the Trojan can download an updated copy of itself, and where to send stolen data.
In the Outlook scam, the Trojan logged keystrokes whenever the victim visited one of the monitored sites and saved the stolen information in a file and then sent the file to a dedicated server via HTTP POST.
“From what we can tell this group runs various exploit kits and infects a large amount of people on a daily basis,” Erasmus said. “By looking at their operation, we can see that they are not 'amateur' because of the level of bulletproof hosting they have and the sophistication they are using to infect people in a very effective way.”
With the details in hand, attackers can write a script that uses these login details to log in to each site and inject an iframe into every HTML page they find. This iframe could point to an exploit kit running on the malware distributor’s servers.
“When normal Web surfers visit the Website their browsing session would be redirected to the Exploit kit url where various types of exploits would be executed against their browser to try and automatically infect them,” Erasmus said. “So you might go to one of these sites looking to rent a house, but in the end, you’re getting a whole lot more.”
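The injection described above leaves a recognizable trace in the site's own files: an iframe that points off-site, is sized to a pixel, or is hidden with CSS. The following added example (not Prevx's or eWeek's code) scans a local copy of a web root for such iframes; the file contents, hostnames and paths are constructed for the demonstration.

```python
"""Flag iframes that look like the injection described in the article.

Added example, not code from the original article. Assumes the defender has
a local copy or mirror of the site's HTML files and knows which hostnames
the site legitimately embeds from. Standard library only.
"""
import re
from html.parser import HTMLParser
from pathlib import Path
from urllib.parse import urlparse

# Constructed sample pages: an unmodified page, and the same page with a
# hidden off-site iframe appended after </body>, as the article describes.
CLEAN_PAGE = """<html><body><h1>Rentals</h1>
<iframe src="/maps/embed.html" width="400" height="300"></iframe>
</body></html>"""

INJECTED_PAGE = CLEAN_PAGE + """
<iframe src="http://drop-site.invalid/kit.php" width="1" height="1" style="visibility:hidden"></iframe>"""

HIDDEN_STYLE = re.compile(r"(display\s*:\s*none|visibility\s*:\s*hidden)", re.I)


class IframeCollector(HTMLParser):
    """Collect every <iframe> start tag with its attributes and line number."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append((dict(attrs), self.getpos()))


def _is_tiny(value):
    """True for a width/height attribute of 0 or 1 pixel, a common hiding trick."""
    if value is None:
        return False
    m = re.match(r"\s*(\d+)", str(value))
    return m is not None and int(m.group(1)) <= 1


def suspicious_iframes(html, own_hosts):
    """Return findings for iframes that are off-site, tiny or CSS-hidden.

    own_hosts: set of lowercase hostnames the site legitimately embeds from.
    Each finding is (line_number, src, [reasons]).
    """
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs, (line, _col) in parser.iframes:
        src = attrs.get("src") or ""
        reasons = []
        host = urlparse(src).hostname
        if host and host.lower() not in own_hosts:
            reasons.append("off-site src")
        if _is_tiny(attrs.get("width")) or _is_tiny(attrs.get("height")):
            reasons.append("1x1 or 0x0 frame")
        if HIDDEN_STYLE.search(attrs.get("style") or ""):
            reasons.append("hidden via CSS")
        if reasons:
            findings.append((line, src, reasons))
    return findings


def scan_webroot(root, own_hosts):
    """Walk a web root and map each HTML file with suspicious iframes to its findings."""
    report = {}
    for path in Path(root).rglob("*.htm*"):
        findings = suspicious_iframes(path.read_text(errors="replace"), own_hosts)
        if findings:
            report[str(path)] = findings
    return report


if __name__ == "__main__":
    own = {"www.example-rentals.test"}  # constructed hostname
    for name, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        print(name, suspicious_iframes(page, own))
```

Run it against a fresh mirror of the site after every deployment and diff the report against the previous one; a new finding on a page nobody changed is the signal to look at the FTP account that last touched it.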
Nevada Mandates PCI Standard
Nevada has recently passed a law mandating PCI compliance for companies accepting payment cards that do business in the state. It is scheduled to go into effect on January 1st, 2010.
This makes Nevada the very first state to actually mandate PCI. The prize for toughest-state-data-security-law used to belong to Massachusetts. But Mass has recently been wavering and its technical requirements are almost non-existent compared to PCI.
The Nevada law is no reason to panic and doesn’t really change much for companies dealing with credit card data. Those companies already have a contractual obligation to adhere to PCI. The Nevada law ups the ante by making this an actual legal requirement, but the standard itself remains the same. And as far as actual enforcement goes, the Nevada law says nothing about penalties whereas PCI has the ability to fine non-compliant companies.
The bigger change is for companies that deal with non-credit card personal data. The Nevada law defines nonpublic personal information as a social security number, driver’s license number, or account number in combination with a password. It mandates the use of encryption for the transfer of such data outside of a company's control (this requirement existed in various forms in previous Nevada legislation as well).
One would hope that there aren’t too many companies out there sending account information together with passwords unencrypted. That leaves full Social Security Numbers and the much-less-frequently used driver’s license numbers. (Interestingly, the regulation doesn’t consider the last four digits of the SSN to be personal information. Which is kind of strange when you consider that the last four digits are the most random parts of the number. Oh well).
I suspect there are many companies out there with Nevada customers who will have to play some catch-up when it comes to SSNs. Full SSNs are still frequently used as a primary identifier for many web services related to payroll and benefits as well as many services that have nothing to do with taxes.
Most of these services already encrypt data on the interface level – it is the exception rather than the rule today to see a plain old http login page that asks for your SSN. It’s much tougher to know what is going on behind the scenes. But does the Nevada law really require companies to change their back-end data processing?
Because the law only talks about the “secure system” and the area “beyond the logical or physical controls of the data collector”, it is doubtful that this regulation requires any sort of SSL encryption of data that is not going out in cleartext over public networks. Data behind firewalls or behind some form of password protection would not appear to require encryption based on this wording.
One positive potential outcome of the Nevada law is that it may encourage organizations to move away from using SSNs when they don’t have to (a trend that has already been underway for a while, particularly at universities). There is something particularly jarring about being asked to provide your SSN to get cable service. Strict new rules around handling SSNs may be the necessary kick in the pants for SSN-addicted companies to finally overhaul their authentication methods.
One final thought about the Nevada law itself. In what I believe is a first for state laws, it directly references FIPS, NIST, and other “established standards bodies” when discussing allowable encryption methods. Most data breach notification laws give an exemption for encrypted data without giving any meaningful definition of the term. This has allowed companies to avoid notifying of a data breach when the compromised data was somehow obfuscated. This law will make it harder to claim that some light obfuscation or encoding actually constitutes encryption.
SO…DO I NEED TO BUY SOMETHING TO MAKE THIS GO AWAY?
Companies that sell encryption products have a field day with laws like this. But, like other data security regulation, you don’t need to buy anything to be in compliance with the Nevada data security law. You just need to make sure that you are not sending sensitive data in cleartext over public networks. This means a bit more messing around with certificates and configurations prior to releases, but not much more. And of course you also need to make sure that anywhere you are storing this data at rest is considered part of your “secure system” or has some logical or physical controls in place.
FURTHER READING
The actual text of Nevada Senate Bill 227 can be found here.
A good overview of the evolution of data security legislation by Andrew Baer can be found here.
Heartland CEO commended for data breach response
By Jaikumar Vijayan
June 22, 2009 12:01 AM ET
Computerworld - Heartland Payment Systems Inc. CEO Robert Carr is getting high marks from some analysts for his response so far to a massive data breach discovered at the credit- and debit-card payment processor early this year.
The breach may have been the largest ever involving payment card data -- some analysts estimate that data from more than 100 million cards may have been exposed in the intrusion, which Heartland disclosed on Jan. 20.
Since then, Carr has moved to accelerate an end-to-end encryption project for protecting card data. It is now slated for completion in the third quarter.
Princeton, N.J.-based Heartland is also pushing for development of an industrywide standard for encrypting data while it's being transmitted over networks, and it has co-founded the Payments Processing Information Sharing Council, through which payment processing companies can share information about security threats, vulnerabilities and fraud.
In an interview last week, Carr said he has also reached out to customers, industry groups, security analysts and reporters to discuss the company's response to the breach.
Avivah Litan, an analyst at Gartner Inc., said Carr took a different approach than most CEOs have taken in similar situations.
"Generally when something like this happens, the CEOs hide," she said. "Some might question his real motives. But the bottom line [is], he is elevating the debate around card security and even got card companies to speak about end-to-end encryption."
Tom Wills, an analyst at Javelin Strategy and Research, said Carr's response compares favorably with that of El Al Airlines after a series of plane hijackings in the 1970s.
"El Al redesigned its security from the ground up and went on to build a reputation, one that it holds to this day, as the world's most secure airline," Wills wrote in an alert this month. Based on Carr's moves so far, "it's clear that Heartland intends to take the El Al route," Wills added.
Carr said the breach fulfilled one of his worst fears as CEO of Heartland. "It was devastating," he said. "People had asked me for years 'What keeps you awake at night?' and I would keep telling them it was the fear of a data breach."
Survey reveals culture of IT admin snooping
IT staff admit to regularly accessing privileged information for personal gain
Ian Williams, vnunet.com 11 Jun 2009
Over a third of IT staff have used their administration rights to access privileged information about employees, customers and their company for personal reasons, according to a recent survey by Cyber-Ark.
Despite the rise in high-profile data leaks over the past year, the survey of 400 IT administrators found that 35 per cent had abused their admin rights, up slightly from 33 per cent in the same survey a year ago.
The most common information being accessed is HR records, followed by customer databases, merger and acquisition (M&A) plans, redundancy lists and marketing information.
Cyber-Ark's 2009 Trust, Security & Passwords report also identified a dramatic rise in the number of respondents who would take proprietary data and information with them if they were fired, as well as a change in the type of information they would take.
The survey found a six-fold increase in the number of staff who would take financial reports or M&A plans, and a four-fold increase in those who would take chief executives' passwords, and research and development (R&D) plans. Other targets included customer databases, email server admin accounts and privileged password lists.
Although most companies appear to have some sort of monitoring of privileged account access and activity, three-quarters of respondents claimed that they could get round them if they wanted to.
"This survey shows that, while most employees claim that access to privileged accounts is currently monitored, and an overwhelming majority support additional monitoring practices, employee snooping on sensitive information continues unabated," said Udi Mokady, chief executive at Cyber-Ark.
"Unauthorised access to information such as customer credit card data, private personnel information, internal financial reports and R&D plans leaves a company vulnerable to a severe data leak with the risk of financial or regulatory exposure and damage to its brand, or competitors obtaining critically important competitive information."
The research also revealed that one in five companies admitted to having been the victim of some kind of insider sabotage or IT security fraud. Over a third of these suspect that their competitors have received highly sensitive information or intellectual property as a result.
"Businesses must wake up and realise that trust is not a security policy. They have an organisational responsibility to lock down sensitive data and systems, while monitoring all activity even when legitimate access is granted," concluded Mokady.
AP IMPACT: Weak security enables credit card hacks
By JORDAN ROBERTSON, AP Technology Writer - Sun Jun 14, 2009 5:06PM EDT
Every time you swipe your credit card and wait for the transaction to be approved, sensitive data including your name and account number are ferried from store to bank through computer networks, each step a potential opening for hackers.
And while you may take steps to protect yourself against identity theft, an Associated Press investigation has found the banks and other companies that handle your information are not being nearly as cautious as they could.
The government leaves it to card companies to design security rules that protect the nation's 50 billion annual transactions. Yet an examination of those industry requirements explains why so many breaches occur: The rules are cursory at best and all but meaningless at worst, according to the AP's analysis of data breaches dating to 2005.
It means every time you pay with plastic, companies are gambling with your personal data. If hackers intercept your numbers, you'll spend weeks straightening your mangled credit, though you can't be held liable for unauthorized charges. Even if your transaction isn't hacked, you still lose: Merchants pass to all their customers the costs they incur from fraud.
More than 70 retailers and payment processors have disclosed breaches since 2006, involving tens of millions of credit and debit card numbers, according to the Privacy Rights Clearinghouse. Meanwhile, many others likely have been breached and didn't detect it. Even the companies that had the payment industry's top rating for computer security, a seal of approval known as PCI compliance, have fallen victim to huge heists.
Companies that are not compliant with the PCI standards — including one in 10 of the medium-sized and large retailers in the United States — face fines but are left free to process credit and debit card payments. Most retailers don't have to endure security audits, but can evaluate themselves.
Credit card providers don't appear to be in a rush to tighten the rules. They see fraud as a cost of doing business and say stricter security would throw sand into the gears of the payment system, which is built on speed, convenience and low cost.
That is of little consolation to consumers who bet on the industry's payment security and lost.
It took four months for Pamela LaMotte, 46, of Colchester, Vt., to fix the damage after two of her credit card accounts were tapped by hackers in a breach traced to a Hannaford Bros. grocery store.
LaMotte, who was unemployed at the time, says she had to borrow money from her mother and boyfriend to pay $500 in overdraft and late fees — which were eventually refunded — while the banks investigated.
"Maybe somebody who doesn't live paycheck to paycheck, it wouldn't matter to them too much, but for me it screwed me up in a major way," she said. LaMotte says she pays more by cash and check now.
It all happened at a supermarket chain that met the PCI standards. Someone installed malicious software on Hannaford's servers that snatched customer data while it was being sent to the banks for approval.
Since then, hackers plundered two companies that process payments and had PCI certification. Heartland Payment Systems lost card numbers, expiration dates and other data for potentially hundreds of millions of shoppers. RBS WorldPay Inc. got taken for more than 1 million Social Security numbers — a golden ticket to hackers that enables all kinds of fraud.
In the past, each credit card company had its own security rules, a system that was chaotic for stores.
In 2006, the big card brands — Visa, MasterCard, American Express, Discover and JCB International — formed the Payment Card Industry Security Standards Council and created uniform security rules for merchants.
Avivah Litan, a Gartner Inc. analyst, says retailers and payment processors have spent more than $2 billion on security upgrades to comply with PCI. And the payment industry touts the fact that 93 percent of big retailers in the U.S., and 88 percent of medium-sized ones, are compliant with the PCI rules.
That leaves plenty of merchants out, of course, but the main threat against them is a fine: $25,000 for big retailers for each month they are not compliant, $5,000 for medium-sized ones.
Computer security experts say the PCI guidelines are superficial, including requirements that stores run antivirus software and install computer firewalls. Those steps are designed to keep hackers out and customer data in. Yet tests that simulate hacker attacks are required just once a year, and businesses can run the tests themselves.
"It's like going to a doctor and getting your blood pressure read, and if your blood pressure's good you get a clean bill of health," said Tom Kellermann, a former senior member of the World Bank's Treasury security team and now vice president of security awareness for Core Security Technologies, which audited Google's Internet payment processing system.
Merchants that decide to hire an outside auditor to check for compliance with the PCI rules need not spend much. Though some firms generally charge about $60,000 and take months to complete their inspections, others are far cheaper and faster.
"PCI compliance can cost just a couple hundred bucks," said Jeremiah Grossman, founder of WhiteHat Security Inc., a Web security firm. "If that's the case, all the incentives are in the wrong direction. The merchants are inclined to go with the cheapest certification they need."
For some inspectors, the certification course takes just one weekend and ends in an open-book exam. Applicants must have five years of computer security experience, but once they are let loose, there's little oversight of their work. Larger stores take it on themselves to provide evidence to auditors that they comply with the rules, leaving the door open for mistakes or fraud.
And retailers with fewer than 6 million annual card transactions — a group comprising more than 99 percent of all retailers — do not even need auditors. They can test and evaluate themselves.
At the same time, the card companies themselves are increasingly hands-off.
Two years ago, Visa scaled back its review of inspection records for the payment processors it works with. It now examines records only for payment processors with computer networks directly connected to Visa's.
In the U.S., that means fewer than 100 payment processors out of the 700 that Visa works with are PCI-compliant.
Visa's head of global data security, Eduardo Perez, said the company scaled back its records review because it took too much work and because the PCI standards have improved the industry's security "considerably."
"I think we've made a lot of progress," he said. "While there have been a few large compromises, there are many more compromises we feel we've helped prevent by driving these minimum requirements."
Representatives for MasterCard, American Express, Discover and JCB — which, along with Visa, steer PCI policy — either didn't return messages from the AP or directed questions to the PCI security council.
PCI's general manager, Bob Russo, said inspector certification is "rigorous." Yet he also acknowledged that inconsistent audits are a problem — and that merchants and payment processors who suffered data breaches possibly shouldn't have been PCI-certified. Those companies also might have easily fallen out of compliance after their inspection, by not installing the proper security updates, and nobody noticed.
The council is trying to crack down on shoddy work by requiring annual audits for the dozen companies that do the bulk of the PCI inspections. Smaller firms will be examined once every three years.
Those reviews merely scratch the surface, though. Only three full-time staffers are assigned to the task, and they can't visit retailers themselves. They are left to review the paperwork from the examinations.
The AP contacted eight of the biggest "acquiring banks" — the banks that retailers use as middlemen between the stores and consumers' banks. Those banks are responsible for ensuring that retailers are PCI compliant. Most didn't return calls or wouldn't comment for this story.
Mike Herman, compliance managing director for Chase Paymentech, a division of JPMorgan Chase, said his bank has five workers reviewing compliance reports from retailers. Most of the work is done by phone or e-mail.
"We have faith in the certification process, and we really haven't doubted the assessors' work," Herman said. "It's really the merchants that don't engage assessors; those get a little more scrutiny."
He defended the system: "Can you imagine how many breaches we'd have and how severe they'd be if we didn't have PCI?"
Supporters of PCI point out nearly all big and medium-sized retailers governed by the standard now say they no longer store sensitive cardholder data. Just a few years ago they did — leaving credit card numbers in databases that were vulnerable to hackers.
By JORDAN ROBERTSON, AP Technology Writer - Sun Jun 14, 2009 5:06PM EDT
Every time you swipe your credit card and wait for the transaction to be approved, sensitive data including your name and account number are ferried from store to bank through computer networks, each step a potential opening for hackers.
And while you may take steps to protect yourself against identity theft, an Associated Press investigation has found the banks and other companies that handle your information are not being nearly as cautious as they could.
The government leaves it to card companies to design security rules that protect the nation's 50 billion annual transactions. Yet an examination of those industry requirements explains why so many breaches occur: The rules are cursory at best and all but meaningless at worst, according to the AP's analysis of data breaches dating to 2005.
It means every time you pay with plastic, companies are gambling with your personal data. If hackers intercept your numbers, you'll spend weeks straightening your mangled credit, though you can't be held liable for unauthorized charges. Even if your transaction isn't hacked, you still lose: Merchants pass to all their customers the costs they incur from fraud.
More than 70 retailers and payment processors have disclosed breaches since 2006, involving tens of millions of credit and debit card numbers, according to the Privacy Rights Clearinghouse. Meanwhile, many others likely have been breached and didn't detect it. Even the companies that had the payment industry's top rating for computer security, a seal of approval known as PCI compliance, have fallen victim to huge heists.
Companies that are not compliant with the PCI standards — including one in 10 of the medium-sized and large retailers in the United States — face fines but are left free to process credit and debit card payments. Most retailers don't have to endure security audits, but can evaluate themselves.
Credit card providers don't appear to be in a rush to tighten the rules. They see fraud as a cost of doing business and say stricter security would throw sand into the gears of the payment system, which is built on speed, convenience and low cost.
That is of little consolation to consumers who bet on the industry's payment security and lost.
It took four months for Pamela LaMotte, 46, of Colchester, Vt., to fix the damage after two of her credit card accounts were tapped by hackers in a breach traced to a Hannaford Bros. grocery store.
LaMotte, who was unemployed at the time, says she had to borrow money from her mother and boyfriend to pay $500 in overdraft and late fees — which were eventually refunded — while the banks investigated.
"Maybe somebody who doesn't live paycheck to paycheck, it wouldn't matter to them too much, but for me it screwed me up in a major way," she said. LaMotte says she pays more by cash and check now.
It all happened at a supermarket chain that met the PCI standards. Someone installed malicious software on Hannaford's servers that snatched customer data while it was being sent to the banks for approval.
Since then, hackers plundered two companies that process payments and had PCI certification. Heartland Payment Systems lost card numbers, expiration dates and other data for potentially hundreds of millions of shoppers. RBS WorldPay Inc. got taken for more than 1 million Social Security numbers — a golden ticket to hackers that enables all kinds of fraud.
In the past, each credit card company had its own security rules, a system that was chaotic for stores.
In 2006, the big card brands — Visa, MasterCard, American Express, Discover and JCB International — formed the Payment Card Industry Security Standards Council and created uniform security rules for merchants.
Avivah Litan, a Gartner Inc. analyst, says retailers and payment processors have spent more than $2 billion on security upgrades to comply with PCI. And the payment industry touts the fact that 93 percent of big retailers in the U.S., and 88 percent of medium-sized ones, are compliant with the PCI rules.
That leaves plenty of merchants out, of course, but the main threat against them is a fine: $25,000 for big retailers for each month they are not compliant, $5,000 for medium-sized ones.
Computer security experts say the PCI guidelines are superficial, including requirements that stores run antivirus software and install computer firewalls. Those steps are designed to keep hackers out and customer data in. Yet tests that simulate hacker attacks are required just once a year, and businesses can run the tests themselves.
"It's like going to a doctor and getting your blood pressure read, and if your blood pressure's good you get a clean bill of health," said Tom Kellermann, a former senior member of the World Bank's Treasury security team and now vice president of security awareness for Core Security Technologies, which audited Google's Internet payment processing system.
Merchants that decide to hire an outside auditor to check for compliance with the PCI rules need not spend much. Though some firms generally charge about $60,000 and take months to complete their inspections, others are far cheaper and faster.
"PCI compliance can cost just a couple hundred bucks," said Jeremiah Grossman, founder of WhiteHat Security Inc., a Web security firm. "If that's the case, all the incentives are in the wrong direction. The merchants are inclined to go with the cheapest certification they need."
For some inspectors, the certification course takes just one weekend and ends in an open-book exam. Applicants must have five years of computer security experience, but once they are let loose, there's little oversight of their work. Larger stores take it on themselves to provide evidence to auditors that they comply with the rules, leaving the door open for mistakes or fraud.
And retailers with fewer than 6 million annual card transactions — a group comprising more than 99 percent of all retailers — do not even need auditors. They can test and evaluate themselves.
At the same time, the card companies themselves are increasingly hands-off.
Two years ago, Visa scaled back its review of inspection records for the payment processors it works with. It now examines records only for payment processors with computer networks directly connected to Visa's.
In the U.S., that means fewer than 100 of the 700 payment processors that Visa works with have their inspection records reviewed by Visa at all.
Visa's head of global data security, Eduardo Perez, said the company scaled back its records review because it took too much work and because the PCI standards have improved the industry's security "considerably."
"I think we've made a lot of progress," he said. "While there have been a few large compromises, there are many more compromises we feel we've helped prevent by driving these minimum requirements."
Representatives for MasterCard, American Express, Discover and JCB — which, along with Visa, steer PCI policy — either didn't return messages from the AP or directed questions to the PCI security council.
PCI's general manager, Bob Russo, said inspector certification is "rigorous." Yet he also acknowledged that inconsistent audits are a problem — and that merchants and payment processors who suffered data breaches possibly shouldn't have been PCI-certified. Those companies also might have easily fallen out of compliance after their inspection, by not installing the proper security updates, and nobody noticed.
The council is trying to crack down on shoddy work by requiring annual audits for the dozen companies that do the bulk of the PCI inspections. Smaller firms will be examined once every three years.
Those reviews merely scratch the surface, though. Only three full-time staffers are assigned to the task, and they can't visit retailers themselves. They are left to review the paperwork from the examinations.
The AP contacted eight of the biggest "acquiring banks" — the banks that retailers use as middlemen between the stores and consumers' banks. Those banks are responsible for ensuring that retailers are PCI compliant. Most didn't return calls or wouldn't comment for this story.
Mike Herman, compliance managing director for Chase Paymentech, a division of JPMorgan Chase, said his bank has five workers reviewing compliance reports from retailers. Most of the work is done by phone or e-mail.
"We have faith in the certification process, and we really haven't doubted the assessors' work," Herman said. "It's really the merchants that don't engage assessors; those get a little more scrutiny."
He defended the system: "Can you imagine how many breaches we'd have and how severe they'd be if we didn't have PCI?"
Supporters of PCI point out nearly all big and medium-sized retailers governed by the standard now say they no longer store sensitive cardholder data. Just a few years ago they did — leaving credit card numbers in databases that were vulnerable to hackers.
So why are breaches still happening? Because criminals have sharpened their attacks and are now capturing more data as it makes its way from store to bank, when breaches are harder to stop.
Security experts say there are several steps the payment industry could take to make sure customer information doesn't leak out of networks.
Banks could scramble the data that travels over payment networks, so it would be meaningless to anyone not authorized to see it.
For example, TJX Cos., the chain that owns T.J. Maxx and Marshalls and was victimized by a breach that exposed as many as 100 million accounts, the most on record, has tightened its security but says many banks won't accept data in encrypted form.
PCI requires data transmitted across "open, public networks" to be encrypted, but it does not require the same on a company's internal network, so a hacker who has already gotten inside can still read card data as it passes between store systems on its way to the bank. Requiring encryption all the time would be expensive and slow transactions.
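The gap described above, shown in code as an added example that is not from the article, the PCI standard or any vendor: a Python script that scans a buffer the way a network sniffer or memory scraper on the store LAN would, pulling out every digit run that passes the Luhn check, and then shows the same authorization message after the PAN field has been encrypted at the terminal, which is the end-to-end protection the article's experts call for. Everything here is constructed for illustration: the key=value message is a simplified stand-in, not a real ISO 8583 layout; the card number is the well-known 4111... test PAN; and the cipher is a SHA-256 counter-mode keystream with an HMAC tag, sharing one key for both, used only so the script runs on the standard library. A real deployment would use AES-GCM or a certified point-to-point encryption terminal with separate keys.

```python
import base64
import hashlib
import hmac
import re
import secrets

# Constructed sample, not a real message format: a simplified store-to-processor
# authorization request with key=value fields. The PAN is the well-known
# 4111... test number, not a live account.
CLEAR_AUTH_MSG = (
    b"MTI=0100|PAN=4111111111111111|EXP=1212|AMT=000000004999|"
    b"MERCH=STORE0042|TERM=LANE07|STAN=000123"
)

# 13-19 digit runs not adjacent to other digits: the shape of a card number.
PAN_RE = re.compile(rb"(?<!\d)(\d{13,19})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; real PANs pass it, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(buf: bytes) -> list:
    """What a sniffer or memory scraper on the store LAN recovers from a buffer:
    every digit run that looks like a PAN and passes Luhn."""
    return [m.group(1).decode() for m in PAN_RE.finditer(buf)
            if luhn_ok(m.group(1).decode())]


def mask(pan: str) -> str:
    """PCI-style display form: first six and last four digits only."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


# --- field-level encryption at the terminal ---------------------------------
# Stand-in cipher for illustration only: SHA-256 in counter mode as a keystream
# plus an HMAC tag, one shared key. A real deployment would use AES-GCM (or a
# P2PE-certified terminal) with separate encryption and MAC keys.

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out = b""
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def encrypt_field(key: bytes, value: bytes, nonce: bytes = None) -> bytes:
    nonce = nonce if nonce is not None else secrets.token_bytes(12)
    ct = bytes(a ^ b for a, b in zip(value, _keystream(key, nonce, len(value))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
    return base64.b64encode(nonce + ct + tag)


def decrypt_field(key: bytes, blob: bytes) -> bytes:
    raw = base64.b64decode(blob)
    nonce, ct, tag = raw[:12], raw[12:-16], raw[-16:]
    expect = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expect):
        raise ValueError("PAN field tampered with or wrong key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def protect_pan(msg: bytes, key: bytes, nonce: bytes = None) -> bytes:
    """Encrypt only the PAN field so routing fields stay readable to the
    store's own systems while the card number does not."""
    return re.sub(rb"PAN=(\d{13,19})",
                  lambda m: b"PAN=" + encrypt_field(key, m.group(1), nonce), msg)


def recover_pan(msg: bytes, key: bytes) -> str:
    """The processor, which holds the key, decrypts the field on receipt."""
    m = re.search(rb"PAN=([^|]+)", msg)
    return decrypt_field(key, m.group(1)).decode()


if __name__ == "__main__":
    key = secrets.token_bytes(32)   # in practice: injected into the terminal
    print("cleartext hop :", [mask(p) for p in find_pans(CLEAR_AUTH_MSG)])
    protected = protect_pan(CLEAR_AUTH_MSG, key)
    print("encrypted hop :", find_pans(protected))
    print("processor sees:", mask(recover_pan(protected, key)))
```

Run as-is, the first line prints the masked test PAN recovered from the cleartext message, the second prints an empty list for the encrypted one, and the third shows the processor still recovering the number with the key. The scanner is the same logic a DLP tool uses to find card data at rest or in flight, which is why the same Luhn filter turns up in both memory-scraping malware and the tools built to catch it.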
Another possibility: Some security professionals think the banks and credit card companies should start their own PCI inspection arms to make sure the audits are done properly. Banks say they have stepped up oversight of the inspections, doing their own checks of questionable PCI assessment jobs. But taking control of the whole process is far-fetched: nobody wants the liability.
PCI could also be optional. In its place, some experts suggest setting fines for each piece of sensitive data a retailer loses.
The U.S. might also try a system like Europe's, where shoppers need a secret PIN code and card with a chip inside to complete purchases. The system, called Chip and PIN, has cut down on fraud there (because it's harder to use counterfeit cards), but transferred it elsewhere — to places like the U.S. that don't have as many safeguards.
A key reason PCI exists is that the banks and card brands don't want the government regulating credit card security. These companies also want to be sure transactions keep humming through the system — which is why banks and card companies are willing to put up with some fraud.
"If they did mind, they have immense resources and could really change things," said Ed Skoudis, co-founder of security consultancy InGuardians Inc. and an instructor with the SANS Institute, a computer-security training organization. Skoudis investigates retail breaches in support of government investigations. "But they don't want to strangle the goose that laid the golden egg by making it too hard to accept credit cards, because that's bad for everybody."