Most Natural Gas Infrastructure Under Phishing Attacks

May 7th, 2012

The US Department of Homeland Security is warning that “Most natural gas pipeline infrastructure in the U.S.” is experiencing targeted spear-phishing attacks designed to infect employee computers with specially targeted malware.

DHS is asking pipeline companies and suppliers to keep copies of this malware so that it can be disassembled and analyzed to determine what this targeted malicious code is trying to do. It seems like this is the logical progression of the Stuxnet threat.

Fidelity – What are you thinking regarding security?

April 20th, 2012

I was pleased to receive a statement for a rollover 401k from Fidelity today. Imagine my surprise when I found out that my 401K was registered to RSA Security (whom I’ve never worked for).

As a security guy, you can also understand my shock that they snail mailed me a physical envelope asking if I wanted to change my address. They mailed this to my “new” address.

Excuse me, but this only allows criminals to confirm online address changes.

To prevent this, you need to ONLY send the confirmation to the OLD address.

The document I received in the postal mail says, “Please contact us if you wish to make transactions, Inquiries on your account, or ask questions regarding this confirmation”, and gives no contact information at all. Seriously. This was neither a work of art from marketing (no contact details) nor from security (sending it to the criminal’s new address for her to confirm). Really, who wins? Only the bad guys.
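The post’s rule is simple: the confirmation of an address change must go only to the address already on file, never to the new one. The following is an added example of that workflow, not Fidelity’s system or code; the account, mailer and 30-day window are constructed for illustration. The staged change is applied only when a one-time code that was mailed to the old address comes back, and the new address is sent nothing until then.

```python
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

CONFIRM_TTL = timedelta(days=30)   # assumed window for the customer to respond


@dataclass
class Account:
    account_id: str
    address_of_record: str                   # the OLD address in the post's terms
    pending_address: Optional[str] = None
    pending_token: Optional[str] = None
    pending_expires: Optional[datetime] = None


@dataclass
class Mailer:
    """Stand-in for the postal (or e-mail) channel; records every letter sent."""
    sent: List[Tuple[str, str]] = field(default_factory=list)

    def send(self, address: str, body: str) -> None:
        self.sent.append((address, body))


def request_address_change(acct: Account, new_address: str,
                           mailer: Mailer, now: datetime) -> str:
    """Stage a change. Nothing is applied, and the new address is told nothing.

    The confirmation letter, with its one-time code, goes only to the address
    of record, so whoever submitted a bogus new address never sees the code.
    """
    token = secrets.token_urlsafe(12)
    acct.pending_address = new_address
    acct.pending_token = token
    acct.pending_expires = now + CONFIRM_TTL
    mailer.send(
        acct.address_of_record,
        f"A change of address to '{new_address}' was requested on account "
        f"{acct.account_id}. If you made this request, confirm with code {token}. "
        f"If you did not, call the number printed on your statement.",
    )
    return token


def _clear_pending(acct: Account) -> None:
    acct.pending_address = acct.pending_token = acct.pending_expires = None


def confirm_address_change(acct: Account, token: str, now: datetime) -> bool:
    """Apply the staged change only with a valid, unexpired code from the old address."""
    if acct.pending_token is None or acct.pending_expires is None:
        return False
    if now > acct.pending_expires:
        _clear_pending(acct)                      # stale request: discard it
        return False
    if not secrets.compare_digest(acct.pending_token, token):
        return False                              # wrong code: keep waiting for the real holder
    acct.address_of_record = acct.pending_address
    _clear_pending(acct)
    return True


def run_demo() -> dict:
    """Walk through a legitimate change, a guessed code and a stale request."""
    now = datetime(2012, 4, 20, tzinfo=timezone.utc)
    mailer = Mailer()
    acct = Account("401k-0001", "1 Old Street")          # constructed sample account
    code = request_address_change(acct, "9 New Road", mailer, now)
    letters_to_new = [a for a, _ in mailer.sent if a == "9 New Road"]
    guessed = confirm_address_change(acct, "not-the-code", now)
    confirmed = confirm_address_change(acct, code, now)
    stale = Account("401k-0002", "2 Old Street")
    stale_code = request_address_change(stale, "7 New Road", mailer, now)
    expired = confirm_address_change(stale, stale_code, now + timedelta(days=31))
    return {
        "letters_to_new_address": len(letters_to_new),
        "guess_accepted": guessed,
        "real_code_accepted": confirmed,
        "address_after": acct.address_of_record,
        "expired_code_accepted": expired,
        "stale_address_after": stale.address_of_record,
    }


if __name__ == "__main__":
    print(run_demo())
```

The letter to the old address also doubles as the alert the post asks for: a real customer who did not request the change learns about it from the only copy that exists, and the contact details it carries belong on that letter, not on one mailed to the unverified address.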

LulzSec/Anonymous Jail Sentences Will Not Stop Cyber Crime

April 20th, 2012

The guys who were arrested for LulzSec and Anonymous hacking last summer still face jail terms. While the “mastermind” faces over 100 years of sentences, he will likely only serve 2. Still, 2 years in jail is an eternity, and it’s not time that anyone can get back in their life.

But despite the fact that judges are in the mood to punish hackers more severely than ever, I don’t think that this will put much of a dent in cyber crime or hacking.

Here’s why: hacking and online financial crime have always been illegal. The real issue here is not what happens when you get caught, it is really about the chances of you getting caught in the first place, and the risk/reward of your activities. If you are a hacktivist, then reward doesn’t even enter into the picture (unless you count negative PR against your victim as reward). The real force that will reduce cyber crime is the ability of law enforcement agencies to investigate cyber crime, and to find the criminals and put them into the justice system. So far, I have not seen a big change in funding and training that would facilitate this.

Let’s face it, hacktivists won’t be stopped by longer jail sentences. As long as systems are insecure, you will have people hacking into them. They will just be more cautious next time.

More than 30% of the disputed Google/Oracle/Sun Java APIs are for Security

April 19th, 2012

By my count, 14 of the 37 disputed Java APIs in the Google vs Oracle (Sun) dispute around Java are security-specific APIs. Do we really need to go to court to fight over simple common APIs such as SSL initiation or certificate management? The disputed security APIs include:

java.security
java.security.acl
java.security.cert
java.security.interfaces
java.security.spec
javax.crypto
javax.crypto.interfaces
javax.crypto.spec
javax.net.ssl
javax.security.auth
javax.security.auth.callback
javax.security.auth.login
javax.security.auth.x500
javax.security.cert

SpyEye banking malware author rumored to be dead

April 12th, 2012

Rumors are circulating on the Internet that “Krabz”, the author of the notorious SpyEye banking trojan, has died of a drug overdose.

An ISP/Mobile Phone provider dedicated to user privacy?

April 11th, 2012

News.com published an article about Nicholas Merrill describing his plans to develop an ISP and mobile phone carrier that is focused on user privacy. Using end-to-end encryption, and not storing any log files, he plans to protect subscribers’ privacy.

He will run into legal issues in the USA where there is increasing legal pressure to force ISPs to store logs. I’m not sure how he will get around this. Perhaps running the service outside of the USA?

This guy knows some things about Internet privacy. He has been the subject of subpoenas and NSA wiretap demands when he ran an ISP years ago.

“The idea that we are working on is to not be capable of complying” with requests from the FBI for stored e-mail and similar demands, says Merrill.

The FBI has been increasingly concerned about privacy-protecting services. They call this “going dark”. Well, if you’ve been tracking Tor for any amount of time, you will know that darknets are growing rapidly. What this means for society is yet to be determined, but it is definitely a destabilizing process. Seems like Internet anarchy is approaching, just as the governments are trying to crack down with RIPA and SOPA.

An interesting time to be alive, that is for sure.

The Android Malware Race Begins

April 9th, 2012

Researchers at NQ Mobile and North Carolina State University have found Android malware circulating in the wild that appears to me to be test code by attackers to see how they can exploit vulnerabilities in the Android mobile phone operating system.

The code acts like a traditional PC-based botnet, in that once installed on the Android device, it is invisible, and it communicates with a command-and-control (C&C) server to get new commands to steal your data. The way that it communicates is via the SMS (text messaging) functionality of the phone. It is smart enough to be able to hide its text messages from you, the user, so that only this invisible bot can see the commands.

So far the bot can do things like record your GPS location, modify network settings, upload images and reboot the phone. This looks like test code to me.

However, if the bot can modify the network settings on your Android phone, then they can route all of your browsing and app traffic through their criminal servers, giving them surveillance capabilities on any unencrypted traffic.

The malware is called TigerBot by the researchers. This is the beginning of the malware race on Android.

Nigerian Credit Card Scammers Use AT&T Government Funded Services To Perpetrate Fraud!?!?

March 23rd, 2012

In my role at the Anti-Phishing Working Group (www.apwg.org), I get to learn all about the latest kinds of Internet fraud. For a decade now, we have been dealing with scammers, based in Nigeria, who send scam emails such as “You have inherited $5M. Please contact us.” (known as a 419 scam). There have been many cases of Nigerian scammers exporting stolen goods out of the country.

Now AT&T is being sued by the Department of Justice for aiding and abetting Nigerian scammers. Apparently AT&T runs services, paid for by the government, that allow deaf and mute people to type in messages which are turned into voice calls. The government pays AT&T to run this service for disabled people.

It seems that up to 95% of the users of this service are alleged Nigerian criminals! They use this service to anonymously place phone calls to merchants in the USA, placing orders for goods using stolen credit cards.

This “IP Relay” service is paid for by the FCC. The Department of Justice is suing AT&T, saying that they knew that most of the usage of the system was for fraud, and that they intentionally did not verify the identities of the users, so that they could ring up millions of dollars in fees that AT&T then billed back to the US government.

Just say “No” when employers ask for your Facebook password

March 23rd, 2012

I was shocked to read an article today on News.com, describing a practice by employers or potential employers of asking employees or job applicants for their Facebook passwords!

This just seems like a blatant invasion of personal privacy on behalf of employers.

Facebook says that divulging your password to someone else is a violation of their terms of service. According to the article, some companies just don’t care. They want to see your contacts and private messages before offering you a job, or as a routine part of employee “diligence”.

Apparently the Maryland Division of Corrections asks job applicants to log into their Facebook pages DURING THE INTERVIEW!!!!

All of this highlights the dangers of using social media for your truly private conversations. It also shows why it’s a really bad idea to use the same password at different websites…

Android Fake Banking Token Generator Malware Emerges

March 16th, 2012

Carlos Castillo at McAfee Labs has posted on his blog the details of newly discovered Android malicious apps that pretend to be One Time Password apps from major European banks.

Users download these apps, which mimic actual OTP apps from Santander, BBVA and Banesto banks. The fake OTP app requires an initialization password, which the actual bank provides to the user, before pretending to generate OTPs. It sends the attackers the IMEI hardware ID of the victim’s phone, as well as their phone number.

The app installs a man-in-the-middle app that intercepts real SMS messages from the bank that contain mTANs (OTP numbers to authenticate banking transactions). It can thus intercept messages from the bank, and forward them to the attacker.
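Because the mTAN travels over SMS, a malicious app on the handset can read and forward it, as described above. What the bank can control is how much a forwarded code is worth. The following is an added example of bank-side mTAN handling, not code from McAfee or any of the banks named in the post; the account and payee identifiers, the five-minute lifetime and the six-digit format are constructed assumptions. Each code is tied to one specific transaction (account, payee, amount), expires quickly, and is consumed on first use, and the SMS text repeats the payee and amount so the customer can notice a transfer they did not initiate.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, Tuple

MTAN_TTL = timedelta(minutes=5)          # assumed lifetime; real banks pick their own


def transaction_fingerprint(account: str, payee: str, amount_cents: int) -> str:
    """Canonical digest of the one transaction an mTAN is allowed to authorize."""
    canonical = f"{account}|{payee}|{amount_cents}".encode()
    return hashlib.sha256(canonical).hexdigest()


class MtanService:
    """Bank-side issuer and verifier for SMS mTANs (constructed example).

    A TAN is bound to one transaction, expires after MTAN_TTL and is removed
    on its first verification attempt, so a code forwarded off the phone can
    neither be replayed nor used to approve a different transfer.
    """

    def __init__(self, clock: Callable[[], datetime]):
        self._clock = clock
        self._pending: Dict[str, Tuple[str, datetime]] = {}   # tan -> (fingerprint, expiry)

    def issue(self, account: str, payee: str, amount_cents: int) -> Tuple[str, str]:
        """Create a TAN for exactly this transaction; returns (tan, sms_text)."""
        tan = f"{secrets.randbelow(10**6):06d}"
        while tan in self._pending:                           # avoid colliding with a live TAN
            tan = f"{secrets.randbelow(10**6):06d}"
        fingerprint = transaction_fingerprint(account, payee, amount_cents)
        self._pending[tan] = (fingerprint, self._clock() + MTAN_TTL)
        # Restating payee and amount lets the customer spot a transfer they never made.
        sms = (f"TAN {tan} authorizes {amount_cents / 100:.2f} EUR to {payee}. "
               f"Valid {int(MTAN_TTL.total_seconds() // 60)} minutes. Never share it.")
        return tan, sms

    def verify(self, tan: str, account: str, payee: str, amount_cents: int) -> bool:
        """True only for the exact transaction the TAN was issued for, once, in time."""
        entry = self._pending.pop(tan, None)                  # single use: gone after first try
        if entry is None:
            return False
        fingerprint, expires_at = entry
        if self._clock() > expires_at:
            return False
        return hmac.compare_digest(
            fingerprint, transaction_fingerprint(account, payee, amount_cents))


def run_demo() -> dict:
    """Exercise the matching, replayed, re-targeted and expired cases."""
    now = [datetime(2012, 3, 16, 12, 0, tzinfo=timezone.utc)]   # mutable test clock
    svc = MtanService(lambda: now[0])
    results = {}
    tan, sms = svc.issue("ES00-ALICE", "ES99-SHOP", 4999)      # constructed identifiers
    results["sms_names_payee"] = "ES99-SHOP" in sms
    results["matching_transfer"] = svc.verify(tan, "ES00-ALICE", "ES99-SHOP", 4999)
    results["replay"] = svc.verify(tan, "ES00-ALICE", "ES99-SHOP", 4999)
    tan2, _ = svc.issue("ES00-ALICE", "ES99-SHOP", 4999)
    results["different_payee"] = svc.verify(tan2, "ES00-ALICE", "ES11-OTHER", 4999)
    tan3, _ = svc.issue("ES00-ALICE", "ES99-SHOP", 4999)
    now[0] += timedelta(minutes=6)
    results["expired"] = svc.verify(tan3, "ES00-ALICE", "ES99-SHOP", 4999)
    return results


if __name__ == "__main__":
    print(run_demo())
```

This does not make the SMS channel trustworthy: a forwarded code still approves the one transfer it was issued for if the customer types it in. It does mean the code cannot be reused later or redirected to a different payee, and the SMS text gives the customer a chance to refuse a transfer they did not start.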

We are entering an age where the smartphones and tablets will come under increasing attack, not from common viruses, but from malicious applications.