MBridge, LLC
I.T. Consulting Solutions
News & Information
________________________________________________________________________

Law Firms - Social Engineering Hack
September 8, 2008

We were recently hired by a law firm that was facing a potential social engineering hack.  A social engineering hack is one in which a "hacker" attempts to manipulate a person into doing something they shouldn't do.  In this case a person posing as a potential client was trying to get the firm to transfer money to a 3rd party.  It sounds ludicrous, but the plan was actually well conceived and could easily have worked.  Our goal in relating this story is to alert people to the fact that everyone, including law firms, is subject to scam artists.

Here is what happened: 
      A potential client contacted the law firm one day via email asking for legal services.  The lawyer who received the email assumed the request was legitimate and started an email dialogue with the prospective client.  Over the course of a few weeks they discussed the nature of the case and outlined the terms of an agreement.  The lawyer said in an email that the law firm had a policy of accepting clients only after at least one face-to-face meeting.  The potential client agreed to this initially; however, they continuously made excuses for why they couldn't meet with the attorney in person.  They said they were on vacation overseas and were not sure when they would be back.  As the conversation dragged on over weeks, the potential client kept saying that their vacation was being extended, which delayed the meeting.
      The lawyer decided they would at least start the process and only begin the actual work once the face-to-face meeting was done and the contract was signed.  The lawyer sent the potential client a contract via email and asked the client to review it.  The lawyer also sent them an email discussing a retainer fee.  The client immediately sent the lawyer a check to cover the retainer fee, though it was above the amount the lawyer had noted.  The client then emailed the lawyer asking them to send money via a wire transfer to a 3rd party who was also supposedly involved in the legal dispute.  Fortunately the lawyer had seen enough red flags at this point to ask us to step in.
      We met with the firm and discussed the potential client and everything that had transpired.  After reviewing the information we told the firm that this may or may not be a real client.  However, based on all of the information we believed there was a better than average chance this was someone perpetrating a fraud.  The first thing we did was limit the law firm's legal liability in the event this was a fraud.  We instructed the firm to email the prospective client letting them know that no contract was in effect between them since both parties had not yet signed the contract.  The email went on to say that the contract would only be valid once it was signed by BOTH parties, which would need to occur at the law office.  This email limited their liability, yet kept the door open in case this was a real client who was simply on vacation and acting suspiciously.  We also instructed the firm not to deposit the check.  If they had deposited the check they may have inadvertently agreed to the contract through this action.  We asked them to email the client mentioning that the money would not be deposited until the contract was signed and agreed to.
      After a more thorough investigation of the information we determined that this was in fact a potential fraud case.  We instructed the law firm to have no further contact with the potential client until a meeting was held in person at the law firm.  We also instructed them to take necessary precautions if the meeting was to take place.  If this was someone perpetrating a fraud they would probably never show up.  However, you can never assume that someone won't be desperate enough to include physical harm as part of their fraud.
We then submitted the information to the IC3 (FBI) so they could be on the lookout for scams of this nature and alert other law firms of this potential fraud.

Here is a list of the red flags that other law firms (and businesses) should be aware of:
1. The potential client would not meet with the law firm in person.
2. They sent a check, though it did not have a person's name on it (just the name of the bank it was from).
3. They asked the lawyer to send money to a 3rd party before the lawyer had a chance to ensure the check cleared.
4. They instructed the lawyer to wire transfer money to the 3rd party.  Scam artists typically request wire transfers as they are extremely fast, and can be done before a check bounces.
5. The numerous emails from the potential client changed in tone and grammar.  This was a very bright red flag.
6. The potential client told the law firm which country they were emailing them from.  However, in reviewing log data we determined that their emails were not coming from that country.  This could have been caused by numerous factors such as a proxy server, though added together it all pointed towards a scam.

It should be noted that none of these red flags offers any assurance that someone is in fact perpetrating a fraud.  However, these are things you should be aware of and on the lookout for.  The Internet makes fraud extremely easy as it allows a very far arms-reach divide between parties.  As an afterword, the potential client has yet to respond to the last email from the firm.
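One way to check red flag #6 against the firm's own mail headers, as an added example that is not code from the original post or from MBridge: it parses the Received headers of a constructed message, skips private-range hops, and compares the country of the earliest public relay with the country the sender claimed. GEO_LOOKUP is a constructed stand-in for a GeoIP database (keyed by RFC 5737 documentation prefixes), and only Received lines stamped by mail servers you control should be trusted, since older ones can be forged by the sender.

```python
import re
from email import message_from_string
from ipaddress import ip_address, ip_network
from typing import Dict, Optional

# Constructed stand-in for a GeoIP database, keyed by address prefix.
# The prefixes are RFC 5737 documentation ranges, not real allocations.
GEO_LOOKUP = {"198.51.100.": "US", "192.0.2.": "GB", "203.0.113.": "ES"}

# Private ranges never identify a sender on the Internet, whichever
# side of the conversation they appear on, so such hops are skipped.
INTERNAL_NETS = [ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Received headers carry the relay's address in square brackets.
BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def country_of(ip: str) -> Optional[str]:
    for prefix, cc in GEO_LOOKUP.items():
        if ip.startswith(prefix):
            return cc
    return None


def is_internal(ip: str) -> bool:
    try:
        addr = ip_address(ip)
    except ValueError:
        return True  # unparsable value: not a usable origin
    return any(addr in net for net in INTERNAL_NETS)


def originating_ip(raw_message: str) -> Optional[str]:
    """Return the earliest non-private relay address in the Received chain.

    Each mail server prepends its own Received header, so the last header
    in the list is the oldest hop. Only headers stamped by servers you
    control are trustworthy; anything older can be forged by the sender.
    """
    received = message_from_string(raw_message).get_all("Received") or []
    for hop in reversed(received):
        for candidate in BRACKETED_IP.findall(hop):
            if not is_internal(candidate):
                return candidate
    return None


def origin_matches_claim(raw_message: str, claimed_country: str) -> Dict:
    ip = originating_ip(raw_message)
    actual = country_of(ip) if ip else None
    return {
        "origin_ip": ip,
        "origin_country": actual,
        "claimed_country": claimed_country,
        "consistent": actual is not None and actual == claimed_country,
    }


# Constructed message: the sender claims to be in the UK, but the earliest
# public relay sits in a prefix the lookup table maps to Spain.
SAMPLE_EMAIL = """\
Received: from mail.lawfirm.example (mail.lawfirm.example [198.51.100.9])
\tby inbox.lawfirm.example with ESMTP; Mon, 8 Sep 2008 09:12:44 -0700
Received: from webmail.example.net (webmail.example.net [203.0.113.77])
\tby mail.lawfirm.example with ESMTP; Mon, 8 Sep 2008 09:12:40 -0700
Received: from [10.0.0.5] (unknown [10.0.0.5])
\tby webmail.example.net with ESMTPA; Mon, 8 Sep 2008 17:12:30 +0100
From: prospective.client@example.net
To: attorney@lawfirm.example
Subject: Retainer and wire instructions

I am still on holiday in London; please proceed with the wire transfer.
"""

if __name__ == "__main__":
    print(origin_matches_claim(SAMPLE_EMAIL, "GB"))
```

A mismatch is only one signal, as the article says: a legitimate sender on a VPN or proxy produces the same result, so treat it as a reason to ask more questions, not as proof.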

________________________________________________________________________

Vantage Marketplace
August 27, 2008

One of our principal consultants is now a "Thought Leader" in the Technology and Digital Media verticals for the Vantage Marketplace.  Vantage is a service that connects clients with thought leaders in specific verticals.  The Vantage Marketplace is a subsidiary of Goldman Sachs.

________________________________________________________________________

Security - Government or Companies...  or You?
August 26, 2008

As with many large scale issues there seems to be the never-ending question...  Whose job is it?  The Los Angeles Times today wrote an article asking if national cyber security was the task of the public or the private sector.  While it is fun to ask and squabble over the pros and cons of each side, the solution may not be quite so simple as one or the other.

The issue seems to be that neither group is currently well equipped to handle national cyber security.  Look at how well our Congress is run to see the potential pitfalls of handing things over to the Government.  And see how well our banking institutions are doing financially to know that the public sector is not exactly in tune with self-policing.  Even working together the private and public sectors are not exactly a dynamic duo of calmness and serenity.  One look at the current state of our financial markets and you will see them failing under the strain of a fundamental lack of regulation from both sides.  Does this mean we should lock down the Internet?  Hardly.  What we need to do is ask a few simple questions...

If the government stepped in, would anything change?  The answer is probably no.  It would seemingly take a blue-ribbon panel 2 years to come up to speed on what a web-browser is.  By the time they institute any security policies for Firefox 3, we will be on Firefox version 159.  They could staff the panel with "security experts", though it is hard to believe much will be achieved by a group of 10 people meeting once a quarter to debate Vista vs. XP (my money is on Linux).  Undoubtedly these folks will come from companies like Microsoft and Oracle with vested interests in the outcomes of any such debate.

With the private sector at least there is accountability.  If your web-browser is insecure you are opening the door to someone else building a more secure one - and adding nice additions like Tabs.  Companies know that in the world of technology they are only as good as their last product.  And they know that any day now their "app killer" can be taken out by someone else's.  One look at the iPod tells every other MP3 player that they moved too slowly and are now doomed to failure (unless of course they build a better iTunes).  If you are a software developer you should stop focusing on the next best thing.  Instead think about how you could make a current product just a little bit better.  Odds are people will find you out and download whatever it is you are offering.

In the end it should be up to the private sector to come up with products and services that offer at least a minimum level of security.  People should feel relatively secure knowing that if they go to your web-site, their credit-card won't show up the next day on a Russian hacker site.  At the same time, the government should focus on offering consumers easy ways of learning about, and dealing with, credit-card theft, identity theft, and phishing scams.  They should have user-friendly web-sites offering information on protection and response.

For now this debate seems to be a lot of talk with no one listening.  Politicians are too busy wondering if Obama or McCain will ask them to take a post in their administration.  Overall though, what I noted above is an easy solution that does quite a bit.  It allows the market to have its say, and allows the government to continue in its role of educator and enforcer.  In the end though it will of course be up to end-users to take security into their own hands.  No amount of government or company protection can stop someone from opening an email that says, "Naked Pictures of Paris Hilton!!!"  Who can resist that?

________________________________________________________________________

Countrywide - Do they have a case?
August 25, 2008

One of the men who allegedly stole customer information while working at Countrywide has pleaded not guilty to the charges.  As with any case it will be up to the prosecution to present their evidence to support the claim that he did in fact steal personal info.  Also, they probably have to prove that this was not a part of his responsibilities at the company.  How well the prosecution is able to prove these two factors depends on the security protocols in place at the time, and the record keeping of the Human Resources department.  Hopefully they took security seriously enough to at least perform the minimum recommended security steps.

1. Countrywide should be able to produce and secure the evidence, assuming they had the proper security protocols in place.  This would require that they were logging access to the systems, as well as logging date and time stamps.  If this is the case they should be able to place the alleged perpetrator at the scene of the crime.

2. The FBI will need to produce a "paper trail" showing how any personal information they were able to purchase can be tracked back to the computer the perpetrator was accessing at Countrywide.  This should just be a matter of checking to see if the exact same information resides in both places (and is not readily available elsewhere). This requires that Countrywide still have access to these systems and the data that were on them the time of the breach.  If the administrators were performing tape backups then this seems highly likely.

3. The alleged criminal may say that he was simply performing his duties for the company.  It will be up to the H.R. department to come forward with a "Roles and Responsibilities" document showing the exact work the person was responsible for while employed at Countrywide.  This may also require going back through emails between the alleged criminal and his managers.  His defense team will look for any "proof" that this was part of his job.  This would not excuse the act from being criminal, but could shift the liability to Countrywide.  It is highly unlikely this is the case, though it is something Countrywide needs to consider.

Overall Countrywide, the FBI, and prosecutors need to mount a very strong case in order to put this alleged criminal in jail.  If Countrywide had the bare minimum of security steps in place they should be successful in doing so.  What is more likely is he pleads to a short sentence and probation.  This will hardly be justice to those who had their personal information stolen.

This case more than anything shows that companies need to carefully think through security before something like this happens.  Once someone steals your data it might be too late to put the pieces back into place.

source: Contra Costa Times

________________________________________________________________________

FLY CLEAR Program (Update)
August 7, 2008

Verified Identity Pass, the company behind the airport Clear program, sent out an email today letting Clear members know their data may have been on the laptop that was recently "missing" from the San Francisco International Airport.  The email campaign was probably done per the requirement in California Bill SB1386*.  What's interesting is that the email went out the day AFTER the "missing" laptop was found.

*SB1386 Section 2 (b).  Any agency that maintains computerized data that includes personal information that the agency does not own shall notify the owner or licensee of the information of any breach of the security of the data immediately following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

________________________________________________________________________

FLY CLEAR Program
August 6, 2008

Today investigators found the "missing" Clear laptop containing the personal information of 33,000 people who had signed up for the Clear program.  This is the program that allows flyers to bypass the typical security screening line handled by TSA.  Fortunately the laptop was found in the office it was supposedly taken from.  For that reason it is doubtful any of the information was stolen or used improperly.  It was noted in the report that the data was NOT encrypted on the laptop.  What was not mentioned was the fact that encrypting the data would have cost almost nothing, and would have taken around 10 minutes (including the time necessary to install the software).

What information does Clear have on its members?  Here are some of the key data points when enrolling in the program:   Social Security Number, Birthdate, Retina Scan, Fingerprints (all 10), name of your first pet (probably a security question).  Clear has said in a Press Release that most of this personal information was not on the "missing" laptop.  That does not mean however that your data is safe anywhere else they may be storing it.  In a search of their site we could not find any information about data storage, encryption or security measures. 

As an aside: On the Flyclear.com web-site it says the following pertaining to the privacy policy, "We never sell or give visitor personal information to any third party for marketing uses."  What it fails to mention is if they allow hackers to gain your personal information. Let the record show that the people who I know use Clear love the program.  Hopefully this is the last time we hear about a security issue from the company.

________________________________________________________________________

Identity Theft Ring
August 6, 2008

"Wardriving" once again made a big splash in the news this week when it was uncovered that it was the technique that allowed hackers to infiltrate a number of retail chains including TJ Maxx and Barnes & Noble over a year ago.  When TJ Maxx reported the intrusion in January 2007 they stated that over 40 Million credit-card numbers may have been stolen.
      Wardriving is when people drive around an office building, house, etc. looking for vulnerabilities in people's wireless networks.  It is an inexpensive and fairly easy way to search for security weaknesses.  Typically all one needs (whether a hacker or a security expert) is a laptop, a wireless NIC, and software which scans for wireless networks.
      Please note that it does not take much time or money to properly secure a wireless network.  There are numerous hardware and software solutions on the market today that will greatly reduce the effectiveness of wardriving.  In addition, companies should hire security consultants (small plug here for MBridge) to provide "safe" wardriving in order to properly test out their wireless systems.  This is one way a company can gain some level of assurance of the efficacy of their security program.

________________________________________________________________________

Countrywide - Internal Security Breach
August 5, 2008

News reports state that an analyst at Countrywide Home Financial was arrested for allegedly stealing 20,000 customer profiles each week for 2 years.  Assuming he took a 2 week vacation every year, this would mean he stole around 2,000,000 profiles including people's social security numbers.  He would download the files to a personal thumb drive plugged into the computer accessing the data.
     After downloading the profiles he would sell them from a Kinko's for around $500 a week.  In all he claimed to have made around $50,000 to $70,000 over the two year period.  Supposedly while out on bail he offered to sell someone more of the customer profiles.  Perhaps he is attempting to raise money to cover his legal fees.
     Even with software supposedly limiting access to the USB ports he was able to find a computer which did not have the software installed.  Perhaps companies should purchase computers without USB ports on them.  Or destroy the ports physically on existing machines.  If someone really needs to back-up their data they can use an IT managed back-up server.
     However, even disabling the USB ports is not a panacea.  He could have simply downloaded the data and then emailed it to a personal email account.  Countrywide would have needed to have a secure gateway programmed to look for specific data strings (such as XXX-XX-XXXX) in order to catch him doing so.
     On a side note, this is not the first time someone has used Kinko's as a means of dealing in illicit and illegal material.  In 2003 a 25 year old woman in New York City installed keylogger software on computers at numerous Kinko's in the area.  The software would keep track of what people were doing on the computers, including passwords to banking web-sites.  She would go back to the Kinko's and download the information the software had obtained.  The only reason she was caught was because she had gotten information about a person who was accessing their home PC using a web-site called GoToMyPC.  She later accessed his computer using GoToMyPC while he was at home on his computer.  He saw her going through his computer and called the authorities.  The Secret Service got involved and was able to apprehend her.
     While out on bail she attempted to install the software at another Kinko's.
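An added example, not code from the original post or from Countrywide, of the kind of outbound-gateway check the paragraph above describes: it scans constructed outbound messages for the XXX-XX-XXXX shape, discards values the Social Security Administration never issues to cut down false positives, blocks external mail carrying plausible SSNs, and masks the matches in its own report so the alert does not leak the data. The domain names, addresses and message contents are constructed; the use of the SSA structural rules as a first-pass filter is this example's assumption.

```python
import re
from typing import Dict, List, Set

# Matches the XXX-XX-XXXX shape the article mentions. The digit look-arounds
# keep it from firing inside longer runs such as card or account numbers.
SSN_SHAPE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")


def looks_like_ssn(area: str, group: str, serial: str) -> bool:
    """Reject values the SSA never issues, to cut false positives.

    Area numbers 000, 666 and 900-999 are never assigned; group 00 and
    serial 0000 are never assigned either. (Assumption: these published
    structural rules are a good enough first-pass filter for a gateway.)
    """
    a, g, s = int(area), int(group), int(serial)
    if a == 0 or a == 666 or a >= 900:
        return False
    return g != 0 and s != 0


def find_ssns(text: str) -> List[str]:
    """Return every plausible SSN in text, in order of appearance."""
    return ["-".join(m.groups()) for m in SSN_SHAPE.finditer(text)
            if looks_like_ssn(*m.groups())]


def inspect_outbound(message: Dict[str, str], internal_domains: Set[str],
                     block_threshold: int = 1) -> Dict:
    """Decide whether an outbound message may leave the gateway.

    Mail to an internal domain is allowed regardless. Anything else that
    carries block_threshold or more plausible SSNs is blocked. Matched
    values are masked to their last four digits in the report.
    """
    recipient_domain = message["to"].rsplit("@", 1)[-1].lower()
    text = message.get("subject", "") + "\n" + message.get("body", "")
    hits = find_ssns(text)
    internal = recipient_domain in internal_domains
    blocked = (not internal) and len(hits) >= block_threshold
    return {
        "to": message["to"],
        "ssn_count": len(hits),
        "masked": ["***-**-" + h[-4:] for h in hits],
        "action": "block" if blocked else "allow",
    }


# Constructed sample traffic; all domains are reserved example names.
INTERNAL_DOMAINS = {"lender.example"}
SAMPLE_MESSAGES = [
    {"to": "analyst.personal@example.net", "subject": "profiles",
     "body": "Jane Doe 219-09-9999, John Roe 457-55-5462, phone 555-0100, "
             "acct 1234-56-7890-1, test 000-12-3456"},
    {"to": "compliance@lender.example", "subject": "quarterly audit",
     "body": "Record 219-09-9999 reviewed, no exceptions."},
    {"to": "friend@example.net", "subject": "lunch",
     "body": "Meet at 12-30? Room 100 is booked."},
]

if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(inspect_outbound(m, INTERNAL_DOMAINS))
```

A pattern filter only catches plaintext; the same data inside an encrypted archive or image passes straight through, so the gateway check complements, rather than replaces, port control and access logging.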

Sources: SecurityFocus.com; WashingtonPost.com

________________________________________________________________________

San Francisco - Disgruntled Computer Engineer
July 15, 2008 

A city employee held San Francisco's FiberWAN computer systems hostage this week.  He created a password that gave him exclusive access to the computer systems which contained city payroll information, official's emails, and law enforcement documents. 
       The news reported that supervisors "had tried to fire him" in the past unsuccessfully.  They say he even went so far as to install a monitoring system on computers that would let him know what administrators were doing and saying about his case.  The computer systems in question were left up-and-running though it seems no one else was able to manage or administer them as he had the only password.  The city was unsure how much it would take to redo the damage though according to the San Francisco Chronicle "authorities say undoing his denial of access to other system administrators could cost millions of dollars."
       The reports also said that he worked for the city for 5 years.  This was probably not some new employee who took the job to hijack the computer systems.  He may have gained control of the systems over time and used his power to blackmail the city into not firing him.  This plan seems to have backfired as he was arrested and taken to jail.
       
Unfortunately, this type of incident happens more often than people realize.  Companies seem to hand off full control to system and network administrators, and only think about the systems when there is an outage.  Obviously companies need to be more thorough in their hiring practices (reports state he had numerous prior arrests), and diligent in ensuring their systems are safe from their own employees.  While this is not what companies want to do, it is a reality they must face.
       
We recently helped a public Fortune 500 company successfully fire two high-level I.T. employees without any incident or unforeseen situation.  The reason we were able to do so was because they handled the situation proactively.  We were asked to come in well before the employees were aware of their possible firings.  We held strategic planning sessions with the company off-site at a hotel conference room.  Plus we only communicated with them using non-corporate email.  In this way the two employees about to be fired would have little to no chance of knowing our plan.
       We worked with Human Resources to draft the exit interview questionnaire in order to capture all of the information we would need once the employees had left.  And we did not let the employees leave until we verified all of the information was correct.  This was done by offering them a severance package dependent on them fully cooperating with our work.  Even during the exit interview we monitored the critical systems to ensure they were acting appropriately.  After the two employees left the office we caught one of them trying to access the VPN.  We captured the information and provided it to H.R. for them to act upon.  By thinking through the process and putting together a plan, the company was able to avoid a situation like the one in San Francisco.
        In the end the FBI and ATF were both called in based on forensic evidence found on one of the computers managed by one of the fired employees.  Fortunately they were able to properly gather the evidence before the Director could erase his hard drive.  Again, this was only the case because the company was proactive and handled things the right way.
         The good news is most I.T. engineers are working for your company, and not against you.  At the same time, it makes sense to ensure your company is protected.  This involves making backup configuration files, knowing the usernames / passwords to your critical systems, and doing periodic background checks.  Most importantly you should have a plan in place just in case you need to deal with a situation that you'd rather not face.

Side note: Some news reports have questioned the San Francisco employee's I.T. certification.  We were able to determine through Cisco that he, or someone with his same name, did receive a Cisco certification (CCIE) in 2004 for "switching and routing."  

Source: San Francisco Chronicle, PC World

________________________________________________________________________

Activision - MBridge
July 2008 

This month MBridge signed on Activision Blizzard as a client.   Activision is one of the world's largest video game publishers.

________________________________________________________________________

CampusBooks.com
May 2008

CampusBooks.com, an online retailer targeting college students, has signed on with MBridge, LLC for I.T. services.  The relationship covers numerous aspects of CampusBooks' I.T. systems.  You can learn more about CampusBooks at their web-site, CampusBooks.com.

________________________________________________________________________

Fortune 500 Client
May 2008 

A Fortune 500 company in Southern California has hired MBridge to help deal with a major security issue they are facing.  The name of the company is being withheld for security purposes.  The relationship will also encompass network support services.

________________________________________________________________________

Effects of Online Fraud on Your Business
May 2008

According to a research report by Javelin Strategy & Research, data breaches have a very negative effect on consumers' purchase behaviors.  These were some of the more interesting results from the 441-person survey:

Relationship-changing reactions of US data security breach victims to the breached company or institution:
33% said they "Closed company accounts"
30% said they "Would never purchase company products or services again"
23% said they "Switched providers (e.g. medical, insurance or banking)"
Source: eMarketer

What this tells you is that you need to take online fraud seriously.  In the event of a hack / breach / intrusion a lot of your customers won't care what happened, how it happened, or what you are going to do to fix it.  They will simply find another company claiming to offer the same products and services you do - only more securely.

________________________________________________________________________

Top 10 US Online Fraud Categories
January, 2008

The IC3 (Internet Crime Complaint Center) released its survey results regarding offenses reported to the IC3 in 2007.  Over the year, more than 90,000 complaints were filed.  As you can see, Auction Fraud and Non-Delivery of goods lead the list this year.  Credit/Debit Card Fraud represented 6.3% of all complaints.  The top states in terms of number of perpetrators were California, Florida, New York, and Texas.  It should be noted that this is only for complaints registered with the IC3, and not necessarily with law enforcement.

Source: http://www.ic3.gov/media/annualreport/2007-IC3Report.pdf

________________________________________________________________________

DISCLAIMER: The information on this site does not necessarily represent the views of MBridge, LLC.  If you have an issue with any of the information here contact us at info@mbridge.com. 

Copyright MBridge, LLC (c) 2008, All rights Reserved.