All posts by mitch tanenbaum

Banks Bilked Out Of More Than $1 Billion

Reuters is reporting that Kaspersky Labs is working with Interpol, Europol and other law enforcement authorities to ferret out more details of the attack, but they have announced several details.

Eugene Kaspersky, founder and head of Kaspersky Labs, is well known in white hat (good guy) hacking circles. His public pronouncements, while sometimes flashy, usually turn out to hold water, so it is likely that the facts that have been released are accurate.

The attacks, which have looted 100 banks of more than a billion dollars (which you and I get to pay for in the form of higher fees and lower interest payments), have taken several forms.

The first form, which I have reported on in the past (see this post), uses a spear phishing attack to get inside the bank and then inside the ATM network. The hacker then causes the ATM to dispense bills it should not to the hacker’s accomplice, who is standing at the ATM at that moment.

The second form is even more creative. After hacking into the banks in the same way, the hackers watch the video surveillance feeds to figure out “normal” ways bank employees behave. They then add a sum of money to someone’s account and later, using what they learned watching the video, transfer it to their own account. Since the customer’s balance is unchanged in the end, the customer is less likely to notice it. To the bank, it just looks like a regular deposit and later a withdrawal. It is likely that the funds are wired out to a bogus account set up by the hackers and then drained.

Pulling off these attacks requires a great deal of technical skill and logistics, so this is the work of a professional team, possibly state sponsored.

Unfortunately, for the banks – and ultimately us – this is a pretty expensive caper.

According to Kaspersky, these attacks are still going on. With 100 banks already found to be affected, it is unknown how many more have not yet been discovered.

The common components here are successful phishing attacks on administrators at the banks and a lack of effective segmentation between the different parts of the bank, such as the ATM network, the surveillance network and the corporate network. Usually the segmentation is missing because it would be inconvenient for the employees. So is losing a billion dollars.




Company Bilked Out Of $17 Million in Spear Phishing Attack

Scoular Company, a $6 billion, 800-employee commodities trading company, got bilked out of a little more than $17 million in a modified spear phishing attack.

Simply put, the attacker generated emails over time last summer to the company’s CFO that looked like they came from the company’s CEO and their Auditor that instructed the CFO to wire installment payments for an acquisition to a bank in China.  That seemed plausible since the company was trying to expand in China (see article).

In the setup emails, which seemingly came from the company’s CEO, the attacker said that they were working on a blockbuster international deal, swore the recipient to secrecy and told him to communicate only through this email address so as not to run afoul of SEC regulations.

Those requests should have sent the CFO RUNNING down the hall to the CEO to confirm the authenticity of the request, but it did not.

In additional emails, the CFO was told to wire $780,000 first, then $7 million and finally $9.4 million to a bank in China.  All told, they were out $17 million.

For a company that big, a $7 million wire probably isn’t that out of the ordinary, but the secrecy part as well as using an unusual email address to communicate should have been a tip-off.

Wires, unlike checks, are almost impossible to reverse and international wires are even harder.

The FBI is working on the case, but I would say the odds of them recovering their money are low.

The good news is that this attack will not have a material effect on Scoular’s financials.

If you reduce the size of the request to match the size of your company, would your internal controls detect this form of attack prior to disbursing money?  There is an opportunity to learn from an incident like this so your employees do not get sucked in like they did.
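The question above is worth answering with an actual control rather than a policy document. The following is an added example, not code from the original post or from Scoular, of the automated checks a finance team could run on an emailed wire instruction before anyone types it into the banking portal. Every flag it raises maps to something in the story: the request came from an address that was not the CEO’s, it asked for secrecy, the beneficiary was new, and the amounts were large. The company domain, executive mailbox, beneficiary list, threshold and the two sample emails are all constructed for the example; a real deployment would load them from the finance and HR systems.

```python
import difflib
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed policy values (assumptions for this example, not Scoular's real data).
COMPANY_DOMAIN = "example-commodities.com"                    # assumed corporate mail domain
EXECUTIVES = {"pat ceo": "pat.ceo@example-commodities.com"}   # display name -> known mailbox
KNOWN_BENEFICIARIES = {"ACME Supply Co"}                      # payees that have been paid before
DUAL_APPROVAL_THRESHOLD = 50_000                              # assumed: above this, two approvers
SECRECY = re.compile(r"\b(confidential|secrecy|secret|do not (tell|discuss|mention)|"
                     r"only (use|communicate|reply))\b", re.IGNORECASE)


def _normalize(domain):
    """Strip punctuation so 'example-commodities.co' and '.com' compare on letters only."""
    return re.sub(r"[^a-z0-9]", "", domain.lower())


def evaluate_wire_request(raw_email, amount, beneficiary):
    """Return the control flags raised by a wire instruction that arrived by email.
    An empty list means the automated checks passed (the normal approval path still
    applies); any flag means the wire is held until the requester is confirmed through
    a channel other than this email, e.g. a call to a number already on file."""
    msg = message_from_string(raw_email)
    display, sender = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    sender_domain = sender.rsplit("@", 1)[-1].lower()
    body = msg.get_payload()
    flags = []

    known = EXECUTIVES.get(display.strip().lower())
    if known and sender.lower() != known:
        flags.append("executive-address-mismatch")      # right name, wrong mailbox
    if sender_domain != COMPANY_DOMAIN:
        flags.append("external-sender")
        similarity = difflib.SequenceMatcher(
            None, _normalize(sender_domain), _normalize(COMPANY_DOMAIN)).ratio()
        if similarity > 0.8:
            flags.append("lookalike-domain")             # e.g. ".co" instead of ".com"
    if reply_to and reply_to.lower() != sender.lower():
        flags.append("reply-to-mismatch")                # replies would go somewhere else
    if SECRECY.search(body):
        flags.append("secrecy-request")                  # "tell no one" is itself the tell
    if beneficiary not in KNOWN_BENEFICIARIES:
        flags.append("new-beneficiary")
    if amount > DUAL_APPROVAL_THRESHOLD:
        flags.append("dual-approval-required")
    return flags


# Constructed sample messages: one modelled on the pattern described in the post,
# one routine request that should pass.
FRAUDULENT_EMAIL = """From: Pat Ceo <pat.ceo@example-commodities.co>
Reply-To: Pat Ceo <pat.ceo.private@mail-example.net>
To: cfo@example-commodities.com
Subject: Project Tiger - installment 1

We are closing a confidential international acquisition. Only communicate
through this address and do not discuss it with anyone. Please wire the
first installment today.
"""

ROUTINE_EMAIL = """From: Pat Ceo <pat.ceo@example-commodities.com>
To: cfo@example-commodities.com
Subject: Invoice 4471

Please pay the attached invoice from ACME Supply Co by Friday.
"""

if __name__ == "__main__":
    print(evaluate_wire_request(FRAUDULENT_EMAIL, 780_000, "Shanghai Trading Partner"))
    print(evaluate_wire_request(ROUTINE_EMAIL, 20_000, "ACME Supply Co"))
```

The point of the design is that no single flag blocks a payment on its own; the list is handed to a human approver who must clear each one by a route the email cannot influence. Scaling the threshold to your own company’s normal wire size is the one knob that needs tuning.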





Director And Officer Liability

Brenda Sharton, Senior Partner and member of the executive committee at Goodwin Procter (see bio), wrote this week about director and officer personal liability for data security breaches.

While no individual directors and officers have been held liable for the costs of a data breach yet, it is not for lack of trying.

Ms. Sharton’s opinion, as a litigator with more than two decades of experience, is that it is only a matter of time before one of these suits is successful, and that will start an avalanche of litigation.

Ms. Sharton believes that the 1996 Caremark decision which found that directors can be held personally liable for failing to supervise the corporation can be extended to data breaches pretty logically. This decision has been extended to cover officers as well.

In addition, as regulators step up the pressure and issue consent decrees and fines, these can form the basis for a lawsuit against directors and officers. For the first time, the FCC fined two telephone companies $10 million each for “unjust and unreasonable” data security practices (see article).

After Wyndham Hotels had 3 data breaches in as many years, a shareholder filed suit alleging that the company’s data security practices were lacking. The suit was dismissed, but only because the company was able to show that the data breaches were discussed at 14 separate board meetings and 16 audit committee meetings.

Below are some of Ms. Sharton’s recommendations for boards to consider (the complete list is in her article, linked above):

  • Hire a Chief Information Security Officer and engage outside technical experts to conduct regular assessments and to educate officers and board members on data security.
  • Evaluate and/or appoint a board committee to focus on data protection.
  • Have the board regularly address and deliberate when deciding issues of data security, and carefully document the deliberations to demonstrate appropriate care.
  • Perform gap analyses and comparative benchmarking with peer organizations that hold similar types of information.
  • Review D&O insurance and related insurance policies holistically for coverage regarding security incidents and protection of the company’s brand, information assets and other assets.

The bottom line is that unless a company can show that it is being proactive, the directors, personally, may become the next target for lawsuits. While Delaware law allows a company to waive or limit a director’s personal liability for violations of the duty of care, it cannot waive liability for violations of the duty of loyalty.



FBI Says Most Businesses They Investigate Have Little To No Security

It is being reported that the FBI says that most breaches are entirely avoidable.

At the Online Trust Alliance’s Data Privacy And Protection Town Hall in New York City, FBI Special Agent George Schultzel said that over 90 percent of the companies who reported breaches to them had little to no security whatsoever.

The FBI said that most of the breaches are totally avoidable and that the hackers were attacking out of convenience.

This is great news for lawyers – at least for those lawyers suing businesses that have a breach.

If the FBI says that in more than 90 percent of cases the businesses had no security and the breaches were totally avoidable, then a breached business will need to show that it is in the less than 10 percent that had defenses and whose breach was not avoidable. If I were an attorney, that is not a box I would want to be placed in.

The FBI suggested that businesses need to start creating and implementing security plans to prevent easy hacking in the future.

I would also assume that insurance companies might start taking the stance, when you make a claim, that your company was in the 90 percent, not the 10 percent. Can you defend your counterclaim that you are part of the 10 percent?



Verizon Has A New Friend – The U.S. Senate

Well, maybe not a friend that you want to have, but they will likely get to visit the nation’s Capitol.

Verizon has gotten way more press than it would like by inserting super-cookies into its customers’ web traffic, allowing folks like the marketing giant Turn to build dossiers on Verizon customers and then sell that information to advertisers, in a thousandth of a second, to the highest bidder.

Senators Bill Nelson of Florida, Richard Blumenthal of Connecticut and Edward Markey of Massachusetts have asked the FTC to investigate whether Verizon’s use of super cookies violates FTC privacy rules. These senators wrote Verizon a short note last week asking them a few questions, which Verizon said it would respond to.

The Senators want to know if legislation is required (I assume to regulate or outlaw this activity).

Advertisers are probably really, really mad at Verizon right now.

If Verizon had just done what AT&T did last year when they got caught doing this, the ad industry would not be getting all this unwanted attention.

When AT&T got caught doing this last year, they said it was just an experiment (yeah, right!), my bad, and we will stop doing this now.

Verizon, on the other hand, said that no one would ever use its super cookies to track what users were doing, even though Turn, who was doing that exact thing, was a vendor to Verizon (must have been a different department).

Turn said that just because people were deleting their cookies didn’t mean that they did not want to be tracked.

If Verizon had just been a little smarter and taken the AT&T route and said sorry, this would all have gone away.

And six months later they could have re-contextualized the program and started it back up.

From my point of view, I am glad they were not being very smart.



Why Encryption Does Not Mean The End Of Law Enforcement

IT World wrote a piece on how the cops caught up with the now convicted founder of Silk Road, Ross Ulbricht, AKA The Dread Pirate Roberts, the man who ran the dark web marketplace for everything from drugs to murder.  The author goes into a lot more detail for those geeks who are interested.

Curious note: That article ran everywhere under the title 4 technologies that betrayed Silk Road. The article lists 5 technologies, but the page name for the article still says 4 technologies … go figure.

Number 1: He used Bitcoins to transfer money between buyers, sellers and himself, thinking it was untraceable. It turns out that while it might be hard to decrypt the bitcoin wallets themselves, it is easy to watch the transactions on the net. You can see where the funds come from and where they go.

Number 2: Ulbricht used TorChat to communicate. Like Tor, it is encrypted, so you can’t just look at it. However, for some reason, he consciously turned on chat logging, which left unencrypted logs on his hard disk. He may have thought that the logs were encrypted, or he may have thought that since his disk was encrypted, he was safe.

Number 3: Encryption makes it difficult for someone to eavesdrop on your world, but data has to be decrypted in order to use it. In Ulbricht’s case, he apparently was using whole disk encryption (WDE), like Microsoft’s BitLocker (but probably not BitLocker). The problem every WDE product has is that it decrypts data on the fly once you log in, and the keys are kept in memory. What this means is that WDE offers no protection while the computer is on and logged in.

For some reason, Ulbricht sometimes used public WiFi at the library, and the cops caught him there while the computer was turned on and logged in, and were able to grab it before he could shut it off. They now had access to, among other things, his private encryption key. Game over.

I have often said that public WiFi is not secure.  That is certainly true if you are a crook.

Number 4: Loose lips sink ships.  This is as true now as it was during World War II when the phrase was coined.  Ulbricht used Facebook and cross posted information, for example, about a vacation in Thailand to both Silk Road and Facebook.  Tie the FB account to a GMail account and voila.

Number 5: Automated server logins are convenient, but deadly. Because human beings are lazy, Ulbricht had set up a trust relationship between his laptop and the Silk Road servers, so he did not need to enter a password to log in to the servers. If you have access to the laptop, you have access to the servers.
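The usual way a laptop gets a password-free trust relationship with a server is an SSH private key stored without a passphrase, so whoever holds the laptop holds the servers. The post does not say which mechanism Ulbricht used, so the following is an added example, not code from the original article, that audits private key files for exactly that condition from the defender’s side: it reads the header of each key and reports which ones are stored in the clear. The parsing follows the two on-disk formats OpenSSH actually writes (the `openssh-key-v1` container, whose first two fields name the cipher and KDF, and the older RFC 1421 PEM with `Proc-Type`/`DEK-Info` headers). The sample key files and their paths are constructed here with dummy key material; only the header fields matter for the check.

```python
import base64
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"


def _read_string(buf, offset):
    """Read one uint32-length-prefixed string from the openssh-key-v1 binary layout."""
    (length,) = struct.unpack(">I", buf[offset:offset + 4])
    start = offset + 4
    return buf[start:start + length], start + length


def key_protection(key_text):
    """Return (format, cipher) for a private key file's text.
    cipher == "none" means the key material is stored in the clear, so anyone who
    can read the file can log in wherever that key is trusted."""
    lines = [line.strip() for line in key_text.strip().splitlines()]
    if len(lines) < 2 or not lines[0].startswith("-----BEGIN") or not lines[-1].startswith("-----END"):
        raise ValueError("not a PEM-style private key")
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(lines[1:-1]))
        if not blob.startswith(OPENSSH_MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        # The container starts with the cipher name, then the KDF name;
        # "none" for the cipher means no passphrase was ever set.
        cipher, _ = _read_string(blob, len(OPENSSH_MAGIC))
        return "openssh-key-v1", cipher.decode("ascii")
    # Legacy PEM (e.g. "-----BEGIN RSA PRIVATE KEY-----" from older OpenSSH):
    # encryption is signalled by RFC 1421 headers before the base64 body.
    headers = {}
    for line in lines[1:-1]:
        if ":" not in line:
            break
        name, value = line.split(":", 1)
        headers[name.strip()] = value.strip()
    if headers.get("Proc-Type", "").endswith("ENCRYPTED"):
        return "legacy-pem", headers.get("DEK-Info", "unknown").split(",")[0]
    return "legacy-pem", "none"


def unprotected_keys(keys):
    """keys maps a file path to the file's text; returns the paths stored without a passphrase."""
    return [path for path, text in keys.items() if key_protection(text)[1] == "none"]


# ---- constructed sample key files (dummy key material; only the headers matter) ----
def _ssh_string(data):
    return struct.pack(">I", len(data)) + data


def _openssh_key_file(cipher, kdf):
    body = (OPENSSH_MAGIC + _ssh_string(cipher) + _ssh_string(kdf) + _ssh_string(b"")
            + struct.pack(">I", 1) + _ssh_string(b"dummy-public") + _ssh_string(b"dummy-private"))
    b64 = base64.b64encode(body).decode("ascii")
    wrapped = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{wrapped}\n-----END OPENSSH PRIVATE KEY-----\n"


SAMPLE_KEYS = {
    "/home/user/.ssh/id_ed25519": _openssh_key_file(b"none", b"none"),
    "/home/user/.ssh/id_ed25519_work": _openssh_key_file(b"aes256-ctr", b"bcrypt"),
    "/home/user/.ssh/id_rsa_legacy_enc": (
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "Proc-Type: 4,ENCRYPTED\n"
        "DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF\n"
        "\n"
        "ZHVtbXk=\n"
        "-----END RSA PRIVATE KEY-----\n"),
    "/home/user/.ssh/id_rsa_legacy_plain": (
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "ZHVtbXk=\n"
        "-----END RSA PRIVATE KEY-----\n"),
}

if __name__ == "__main__":
    for path, text in SAMPLE_KEYS.items():
        print(path, key_protection(text))
    print("stored in the clear:", unprotected_keys(SAMPLE_KEYS))
```

On a real machine you would feed it the contents of the files under `~/.ssh` instead of `SAMPLE_KEYS`; anything it lists is a key that turns physical possession of the laptop into server access, and the fix is a passphrase plus an agent so the password is typed once per session rather than never.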

I think most people will be able to figure out what not to do, so I don’t think I need to explain that here, but it does point out that nothing is foolproof.

The Feds – and Prime Minister David Cameron of England – feel that no communication should be private from the government. The fact that in 99% of cases the people who want private communications are doing nothing wrong and just don’t trust the government is not relevant to them. This case pointed out two things: first, encryption is not a silver bullet, and second, human beings make mistakes.

Maybe the next crook won’t make these five mistakes, but actually, I would not count on that.  The good news for the cops is that there is pretty much an unlimited supply of mistakes for the bad guys to make and while it may be harder to catch them if they use encryption, it is, for sure, not the end of catching crooks.  Ask Ross Ulbricht.


