Identity Theft Expert; Conficker Virus Countdown

Robert Siciliano Identity Theft Speaker

News of Conficker out of control then under control is everywhere.

60 minutes reports on everything we have discussed in these posts. Main stream media has recognized the Internet has a cancerous virus and is infected. Criminal hackers are creating viruses infecting webpages in record numbers all in the name of money.

Security professionals are losing sleep as they race against the bad guys in anticipation of the next big breach.

Conficker is big news as its infecting mainly corporate networks at an astonishing estimated 10-12 million PCs and this sleeper cell is set to get its next set of updates April 1st.

Like Al Queda operatives living amongst us, cyber terrorists waiting for their next communiqué from a remote cave, Conficker waits to strike.

Nobody knows what’s going to happen April Fools, but security professional have a plan. Do you?

By all accounts Conficker has the potential capacity to steal data or launch a massive denial of service attack which encompasses massive amounts of data, flooding the Net, bogging down mainframe servers that distribute data to our inboxes.

60 Minutes used the example of what I did on CNN describing a Facebook hack and used a Morley Safer Facebook account that may be hacked with Conficker and begins to send messages to Morleys friends. Then Leslie Stahl who is a Morely “friend” receives an email looking like it’s from Morelys Facebook account to click a video. That video has a destructive payload that infects Leslies machine and the virus replicates itself to Leslies contacts.

Now Morelys PC has a virus that records all his keystrokes and Leslie is just as vulnerable. Bank accounts are cracked, credit card log-ins are stolen, the contents of their My Documents folders are copied and sent to Turkey and identities are stolen. People who don’t have any identity theft protection face years of dealing with creditors who accuse them of being bad debtors.

Malware is showing up on thousands of websites compromised in numerous ways and infecting computer users whose defenses are down.

Most attacks can be prevented with updated anti virus like McAfee or others. But with an estimated 15,000 new infections daily it’s difficult for the every day user to protect themselves unless they are automatically downloading virus definitions. And that may not be enough.

Criminal hackers come in all shapes and colors from every corner of the world. Russian hackers are often depicted as the best of the worst. These cyber criminals are often put on a pedestal in their communities as they brag about their accomplishments, hacking wealthy hacker Americans and stealing 10s of thousands of dollars monthly and spending that money in their remote villages.

Russian authorities generally don’t prosecute and may even employ criminals to steal from greedy Americans. As long as hate and money are motivators, foreign governments will groom and incite talented 14 year olds into a life of crime.

This story is far from over.

Robert Siciliano Identity Theft Speaker discusses online banking security here

I’m excited to work with uni-ball in 2009 in a partnership to help raise awareness about the growing threat of identity theft and provide tips for protecting yourself. Check out uniball-na.com for more information

Identity Theft Expert; Anatomy of a Hack

Robert Siciliano Identity Theft Expert

There is a battle going on round the clock, between the bad hackers and the good hackers. Most of the time, the good guys lose. Here we have an example of the bad guy actually getting caught.

At age 19, an Israeli criminal hacker named Ehud Tenebaum made news as “The Analyzer,” (a great tag for a criminal hacker) after he cracked and penetrated the Pentagon, NASA and even Hamas computer networks.

He then went silent and is believed to have embarked on a 10 year long international conspiracy to hack networks of United States and Canadian banks and other financial institutions. Losses are estimated at $10-12 million.

The Analyzer’s hacking technique is believed to be “SQL injection,” a tactic that I’ve blogged about previously, which exploits vulnerabilities in software development.

A forensic analyst who investigated breaches in both countries found a common thread in each hack. Servers in Virginia owned by HopOne, an ISP, were used as a routing point, receiving their commands from another set of servers at a Dutch hosting company.

Here’s where Big Brother is watching, and in this case, for good reason.

Last spring, US investigators working with Dutch authorities requested that all data traffic from the Dutch servers on route to Virginia be intercepted through wiretapping and provided to authorities.

During this time, criminal hackers from all over the world used the stolen data to create ATM white cards and prepaid gift cards loaded with cash. They withdrew cash from ATMs on three continents to the tune of approximately $450,000.

According to Wired, the wiretapped traffic included email discussions between numerous criminal hackers, regarding their accomplishments. One email address, Analyzer22@hotmail.com, provided investigators with their smoking gun. The Hotmail address had Ehud Tenebaum’s name and age registered along with it. Not too smart, E.T.

Ehud Tenebaum owned and operated a Canadian computer security company called Internet Labs Secure. One of the IP addresses used to access the Hotmail account was registered to Tenebaum’s business. E.T. phoned home and got caught.

This is one example of high tech organized criminals taking advantage of numerous flaws in the technology we use every day.

Be warned, there are plenty more to take E.T.’s place. Chances are, someone moved right in where he left off.

Invest in identity theft protection. Install and update Internet security software such as McAfee. Check your bank and credit card statements online bi-weekly and make sure to refute unauthorized charges within a 30 to 60 day period.

I’m excited to work with uni-ball in 2009 in a partnership to help raise awareness about the growing threat of identity theft and provide tips for protecting yourself. Check out uniball-na.com for more information.

Identity Theft Speaker Robert Siciliano discussing credit card hacks here

Identity Theft Speaker; April Fools Day is conficker worm day

Robert Siciliano Identity Theft Expert

Criminal hackers have created a virus that has slipped into millions of PCs and is set to strike on April Fools day. This is no joke.

So far this year it is estimated that somewhere between 3 and 12 million computers have been compromised by the “Conficker” worm, also known as “Downup,” “Downadup” and “Kido,” possibly considered the largest known global botnet.

Microsoft and others are in a 24/7/365 battle with the makers of Conficker to see who ends up at the finish line first.

None of the PCs infected with Conficker are displaying any of the characteristics generally exhibited by the recent spate of viruses, offering a remote control component and often used to host spoofed websites and other malicious fraud related activities. At least not yet.

If Conficker reaches its full potential, it will result in data breaches, credit card fraud and numerous forms of identity theft.

It has been widely believed that Conficker is waiting for its next set of updates on April 1st, to unleash the endgame its writers had in mind.

The sense among security professionals is that Conficker will unleash an uncontrollable fury not yet seen or experienced by the security community.

Conficker duplicates like viruses of old and infects PCs that are unpatched and outdated. The virus scans the Internet, seeking and infecting unpatched computers. Conficker was built with encryption pirated from an MIT researcher and has the ability to circumvent anti-virus programs.

This level of technology has the ability to slip into external hard drives, thumb drives and any memory based peripheral. When that same peripheral is plugged into another PC, that PC is also infected.

Many PCs in Asia have rogue versions of Windows, and are largely unpatched due to Microsoft not allowing updates.

Update your Microsoft Windows ASAP. Make sure you have up to date Internet security software, such as McAfee. Stay away from rogue websites and be careful what you click.

As stated in a previous post, Microsoft offered a global bounty for the arrest and prosecution of whoever created and released the Conficker virus.

Even with the security community vigorously trying to defend PCs globally, in early March, millions of Conficker-infected PCs were upgraded into a peer to peer network, which makes the botnet even more dangerous by giving each infected PC commanding authority over others. This means that every PC has the capability of running every other PC on the botnet.

The anticipation among researchers leading up to April 1st is much like that which was felt prior to midnight on December 31st, 1999. The Y2K ”bug” was considered a ticking time bomb for all major computer applications.

Much has been done to avert a Conficker disaster, but nobody knows for sure what will happen. April 1st is a day of foolery, but this year it may also be a major breakthrough for hackers, good or bad, to see who is top dog.

See Robert Siciliano, identity theft speaker, discussing viruses in peripherals here.

I’m excited to work with uni-ball in 2009 in a partnership to help raise awareness about the growing threat of identity theft and provide tips for protecting yourself. Check out uniball-na.com for more information.

Identity Theft Expert; Scareware Scares You Into Paying

Robert Siciliano Identity Theft Expert

If one could have a favorite scam, for me it would be “scareware.” My reasoning for this is thats it’s one of the few scams that actually gets through to me. My defenses are pretty good, but I still see scareware. They’ve even taken my blog posts and used my name to launch scareware in Google News Alerts. I got some criminal hacker’s attention and he created scareware in honor of lil’ ole me!

Web pages may be infected or built to distribute scareware. The goal is to trick you into clicking on links. After landing on a page, pop-ups bombard you and warn that your PC is infected with an Ebola- like virus and your PC will die a horrible death with fluids running from all ports if you don’t fix it immediately for $49.95.

Shutting off this pop-up is often difficult and any buttons you press within this pop-up could mean downloading the exact virus they warned you of. BRILLIANT!

Criminals are even using Google Ads, and have posted ads on well known sites such as E-Harmony and Major League Baseball.

I’m online all day, every day and do a ton of research, which means I click lots of links, and see scareware often. If I wasn’t aware of IT security and what this ruse was about, I’d have been bilked of $49.95 long ago. Many people take the bait, more than you can imagine.

Studies show that organized criminals are earning $10,000.00 a day from scareware! That’s approximately 200 people a day getting nabbed. Some “distributors” have been estimated to make as much as $5 million a year.

What makes the scam so believable is there is actual follow through of the purchasing of software that is supposed to protect you. There is a shopping cart, an order form, credit card processing and a download, just like any online software purchase.

The software is sometimes known as “AntiVirus2009” “WinFixer,” “WinAntivirus,” “DriveCleaner,” “WinAntispyware,” “AntivirusXP” and “XP Antivirus 2008.” These are actually viruses or spyware that infect your PC, or just junk software that does nothing of value.

A report by the Anti-Phishing Working Group, released in March 2009, found 9,287 bogus anti-malware programs in circulation in December 2008 – a rise of 225% since January 2008. That’s simply because the scam works so well.

Teams of criminal hackers each have their own tasks and responsibilities. Team 1 creates pages loaded with scareware and works those pages into the search engines, while others infect legitimate websites. Team 2 creates the junky or spyware-ridden software you are scared into buying. Team 3 creates the infrastructure to process your credit card.

Protect yourself. Invest in anti-virus software, such asMcAfee. Make sure your browser has a pop-up blocker turned on, to avoid having to be “scared.” If you get a pop-up, you can close it by clicking the red X in the upper right corner, just don’t click on anything in the body of the pop-up. I suggest shutting down your entire browser, however, to be safe.

Make sure your PC is updated with critical security patches and most of all, be smart.

See Robert Siciliano, identity theft speaker, discuss Ransomeware, a form of scareware here.

I’m excited to work with uni-ball in 2009 in a partnership to help raise awareness about the growing threat of identity theft and provide tips for protecting yourself. Check out uniball-na.com for more information.

Credit Card Hackers Target Small Business

Robert Siciliano Identity Theft Speaker

Up until now, identity thieves have been hunting elephants. But that may soon change.

According to this study, small to medium size businesses (SMB’s) are the criminal hackers next target. This should come as no surprise, as large enterprise networks have gradually become better at defending themselves.

Over the past few years, criminal hackers have acted like hornets, attacking and swarming unassuming enterprise networks. Big business has responded by allocated billions of dollars in funding for technology and talent to thwart their sting.

In 2009, enterprise defense is the best it has ever been. It’s still lax, but now the path of least resistance has become SMB’s. Your mom and pop shops simply don’t have the resources, including deep pockets, to keep up.

Studies by the International Council for Small Business show that one fifth of small businesses aren’t even equipped with basic defenses, such as McAfee security software. Furthermore, as many as 60% don’t even have wireless encryption activated. What is most disturbing, but not surprising to this security analyst, is two thirds don’t have any type of security plan in place.

According to poll responses, these same SMB’s overwhelmingly believe that they aren’t targets, that only big businesses need to worry. However, this same study shows that 85% of fraud related to criminal hacks occurs within this exact group.

The National Retail Federation stated that Level 3 businesses are only 60% compliant and Level 4’s are even less secure.

PCI Compliance, a Visa based organization that regulates merchants in order to prevent credit card fraud, recognizes retailers at different levels. Level 1 retailers process 6,000,000 Visa transactions per year, Level 2 retailers process 1,000,000 to 6,000,000, Level 3 retailers process 20,000 to 1,000,000, and Level 4 retailers process fewer than 20,000.

Many security issues stem from the SMB’s lack of resources, coupled with their shift to online transactions and the handling and storage of their own data.

Some say that the responsibility of handling these transactions should be shifted back to the banks.

One additional recommendation for these Level 3 and 4s is to adopt a strategy in which the merchant never handles the credit data at all. The merchant would have an online shopping cart, but the credit card transaction would be diverted to the bank server, without ever being touched by the merchant.

I’m one of those Level 4 merchants and this is the strategy that I use. All orders are taken online and nobody aside from the bank handles client credit card data. PCI compliance is a breeze – no hiccups.

While this is practical for some SMB’s, it doesn’t work for others, so those retailers need to get their act together immediately, because criminal hackers are watching.

See identity theft speaker Robert Siciliano discuss data breaches here.

I’m excited to work with uni-ball in 2009 in a partnership to help raise awareness about the growing threat of identity theft and provide tips for protecting yourself. Check out uniball-na.com for more information.

Recession Turns IT Workers Into Hackers

Robert Siciliano Identity Theft Expert

What a nasty headline for an article.

From ABCnews.com the journalist roasts IT professionals on a spit. And the comments were all inspiring.

As the recession rears its ugly head, disgruntled ex employees are in the best position to drop a bomb in the companies network or suck all the data out with a few terabyte drives.

A recent study by McAfee and Purdue University put the tally of fraud, data loss and damage done at 1 trillion dollars. A thousand billion sounds like a lot of money.

To paraphrase some of the comments;

No matter how you look at it, when heads start to roll, most people that are about to be let go feel unjust and express hostility towards the employer (often, rightly so). These are the same people who were loyal company employees for years. Unfortunately, these are no win-win situations when it comes to the downsizing and companies should take proper actions to address it.

Your system admin is the gate keeper. Anyone who has access to sensitive data can potentially abuse the privilege. The loan officer, the loan processor, the secretary, the human resources gal two cubes down the hall, the cleaning people that take out our trash at night… Without proper controls in place anybody can be the bad guy. On the other hand, with adequate management these issues can be avoided, even when it comes to IT employees.

Manage your end points, your USB devices, your computer ports, your printers… Segregate your system administration roles. Tools are there. And who is going to implement them? Your IT guy. (thank you Sashimi11)

With the incredible amount of layoffs occurring, companies are bound to layoff an employee who will exact some revenge. Some say “Companies whose knee-jerk response is to cut costs by canning employees deserve some wrath”. But, in the end, the wrath doesn’t get you your job back. (thank you Patches777)

Most are working individuals, doing what they do best. All the while staying under the radar, and afraid, just like everyone else, of the threat of layoffs. The latter doesn’t mean an internal flip is switched and they bug out and start stealing trade secrets. (thank you kyleratliff)

On another note, as budgets are cut and IT pros are let go, the show must go on.

Bill Lynch of RazorThreat said to me “We are encountering lots of very frustrated CIO’s who are caught on the horns of a dilemma…their IT budgets and headcount are being slashed but their CEO’s are simultaneously demanding that they reassure them and the Board of Directors that they are not vulnerable to the same kinds of cyber attacks that have plagued some big firms lately.

They know they cannot afford to buy complex, expensive and difficult to deploy new security software and the people to manage them and yet they have to stand before the Board and profess that their networks are secure”.

The fact is, data breaches will continue and IT will often be to blame. There is a light at the end of the tunnel. There are numerous technologies that won’t break the bank and will keep the BOD happy. Companies have to consider numerous threats of theft and mayhem. Review security policies and who has access to what and why. In the end make sure employees are let go with dignity and respect.

Robert Siciliano Identity Theft Speaker discussing Credit Card Fraud Here

Identity Theft Crime Victims Bill of Rights

Robert Siciliano Identity Theft Expert Speaker

A consortium of a number of companies in the identity theft prevention space have banded together to create a “Bill of Rights” for victims of identity theft. A Bill of Rights would provide victims of identity theft the needed leverage in response to a breach of their information that leads to numerous forms of identity theft. The consortium has some work to do to get the attention of legislators before it becomes law. This is certainly a noble effort that if passed will provide significant relief to victims.

I speak to victims on a weekly basis and the stresses of being victimized takes its toll. When a thief is functioning in society as you, fraudulently, irresponsibly and of course illegally, they tarnish every aspect of your life. There is an overwhelming sense of helplessness for many victims due to the notion that they are guilty until proven innocent. While this will in essence “take an act of congress” to become law, a good faith implementation of the bill by industry and government would certainly provide needed relief to those affected.

The Santa Fe Group, a financial services consulting firm, and The Santa Fe Group Vendor Council, a consortium of leading service providers to the financial services industry, today released the first comprehensive Bill of Rights for victims of identity theft. The Bill of Rights calls for consistent processes for handling identity crime incidents in addition to amendments to privacy legislation and regulation so victims can more easily access and correct their personal information records.

The five basic rights address the need for legislation that enables individual victims of identity theft to access and correct personally identifiable information (PII) records. The Bill of Rights white paper, titled Victims’ Rights: Fighting Identity Crime on the Front Lines, is now available.

The Identity Crime Victims Bill of Rights advocates improved protection and support for victims and includes:
• Assessment of the nature and extent of the crime that removes the procedural “Catch-22s” when validating identity
• Full restoration of victims’ identities to pre-theft status, including the ability to expunge records
• Freedom from harassment from collection agencies, law enforcement and others
• Prosecution of offenders and accountability for businesses that fail to reasonably secure personal information
• Restitution that includes repayment for financial losses and expenses

The white paper effort was led by the Identity Management Working Group of The Santa Fe Group Vendor Council chaired by Rick Kam, President of ID Experts

“Despite new additions to the Fair and Accurate Credit Transaction Act of 2003 (FACT), such as free credit reports and the ability to place fraud alerts after identity theft, victims are still subject to inconsistent and unfair treatment from state and federal agencies, law enforcement and businesses,” said Rick Kam, President of Portland-based ID Experts, a leader in data breach prevention and remediation. “We created the Bill of Rights to empower victims by granting them the same rights as victims of other crimes.”

According to Javelin Strategy and Research, 9.9 million Americans were victimized by identity crimes in 2008, an increase of 22% from 2007, with annual costs to consumers and businesses of more than $49 billion. In their journey to recover their identities, victims face a disjointed maze of privacy laws and information sources. Law enforcement processes are not always in place, and organizations often won’t share evidence with victims. As a result, a victim’s life can be disrupted for years.

“Victim empowerment is key to thwarting identity crime,” said Catherine A. Allen, Chairman and CEO of The Santa Fe Group. “With the Identity Crime Victims Bill of Rights, we’ve launched a national call to action, laying the groundwork for meaningful and much-needed legislation while building awareness of the issue in the media and among consumers and businesses. Our intent is that victims of all types of identity crime be provided with the same rights afforded to them via the FACT Act for resolving credit issues.”

Robert Siciliano Identity Theft Expert Speaker discusses identity theft victims Here and Here

Recycle Your Phone? Sell it on eBay? Lose it? Still Have Your Data On It?

Robert Siciliano Identity Theft Speaker – Expert

Cell phones are the invention of the 20th century. Its a computer and a phone. Its as cool as the invention of the wheel. Its the single most effective communication tool since the land line.

Millions of cell phones are sold every year. Many are lost, stolen, millions more end up on eBay, recycled or tossed in the trash. Many of these phones still have enough data on them to commit identity theft or, in the wrong hands, make your life miserable.

A study done in December by Regenersis, a UK based recycler, tested a sampling of 2000 cell phones. They learned 99% had personal identifying data such as banking info, credit card data, personal emails, contacts, text messages, pictures, music, videos, calendar entries, notes, mailing lists, to-do lists, automatic log-ins for Twitter, LinkedIn, Facebook and more.

Studies show cell phones are replaced on average of every 18 months. Over the past 4-5 years Blackberrys, iPhones and countless other smartphone/PDAs have flooded the market. All of these devices technologies are upgraded within 6 months and the user wants the latest and greatest.

What kind if data is on your phone today? If it fell in the wrong hands would someone have access to all your social network sites? Usernames and passwords? Customer data? Corporate secrets?

Someone recently bought a Blackberry off eBay and scored phone numbers for Hollywood producers, writers and movie stars Natalie Portman, Julianne Moore and Jude Law. Not a huge deal, but in the wrong hands problematic for the affected.

What if someone got the names, addresses and emails for everyone in your life? Not good.

Its not just cell phones that often contain data. Thumbdrives, MP3 players, are also problematic. Credant Technologies surveyed 500 dry cleaners who said they found numerous USB sticks during the course of a year. Multiplying that by the number of dry cleaners and got a figure of approximately 9000 USBs lost and found annually.

To protect yourself, consider some of the tips below, and this is not a complete list. Please feel free to add in comments.

Don’t store data that will be considered a “data breach” if lost, stolen, sold, recycled.

On phones have strong password protection. Lock it up.

Remove your sim card upon selling.

Reformat the phones operating system multiple times. This generally wipes off the data, but there are programs that do it more thoroughly. There is no universal way to reformat. It is different with every phone/manufacturer/operating system.

Robert Siciliano Identity Theft Expert discussing cell phone security Here

Phishing Attacks Rise Dramatically in 2008

Robert Siciliano Identity Theft Expert – Speaker

Stupid people get hooked by phishers. You have to be a complete idiot to get sucked into a scam email that has typos making requests that are geared toward naïve simple minded pea brain fools. Right? Yes? No? So why have phishing attacks risen dramatically in 2008? That’s 66% higher than in 2007.

Have we gotten dumber or are the attackers getting smarter?

RSA concluded that phishing attacks rose to an unprecedented 15,002 in April of 2008. Millions of people in mainly english speaking nations receiving ruse after ruse. 68% of US bank brands attacked. Less than 7% UK brands experiencing less than attacks.

However the UK takes the title for the most exploits as the most phished country in the world equating to 40% of the 135,426 cases detected by RSA.

This seems to be due to the UKs system allowing fraudulent transfers fast enough “real-time” to avoid detection. Criminals like real time fast cash.

Much of the success of phishers is that they are in fact getting smarter using “flax flux” attacks. *Fast flux is a technique used by botnets to hide phishing and malware delivery sites behind an ever-changing network of compromised hosts acting as proxies. It can also refer to the combination of peer-to-peer networking, distributed command and control, web-based load balancing and proxy redirection used to make malware networks more resistant to discovery and counter-measures. *Thank you Wikipedia.

Tonight I spent 2 hours on the phone in a webinar with a startup reviewing a fully functional toolbar that makes 54 checks to determine the validity of a website checking for phishing, pharming etc. All any bank needs to do is adopt the technology and require their clients to adopt it in the sign-in process. In most cases problems solved.

And do you know what we labored over in this call? How to get all the banks clients to install a simple toolbar that would protect them and the bank.

Why is this so difficult?

Robert Siciliano Identity Theft Expert discussing Scambaiter in video Here

Quarter Million Dollar Bounty for Criminal Hacker

Robert Siciliano Identity Theft Speaker and Expert

In a Microsoft press release a global bounty has been offered for the arrest and prosecution of whoever has created and released the “conficker” virus.

Conficker was released in the last quarter of 2008 and has infected a wide estimate of 2 million to 10 million PCs. After issuing patches, Microsoft estimates approximately 3 million PCs globally are still compromised.

However none of the PCs infected with the conficker are displaying any of the characteristics generally exhibited by the recent spate of viruses offering a remote control component and often used to host spoofed websites and other malicious fraud related activities.

Although, this virus is designed to constantly ping some 250 different domains that were most likely controlled by the criminal hackers that created it. The virus acts like any software calling home looking for an update, checking time/dates stamps and what version is running.

It is widely believed that conficker is waiting for its next set of updates to unleash the endgame its writers had in mind. BRILLIANT!

Many who study conficker as it phones home have been monitoring the 250 domains looking for the next “update”.

Each of these top level domains include .com, .net and .org. All of which fall under Internet Corporation for Assigned Names and Numbers (ICANN), who heads up the domain registration industry. ICANNs rules prohibit such reserving of domains. ICANN then worked with registrars in heading off any future registration of conficker sought domains.

What has been out of the control of ICANN has been .ws and .cn (China) based domains and due to the ferocity of conficker and negocitions by ICANN, China and other global registrars have agreed to make it difficult for conficker to continue to control its 250 base domains or seek others along the string.

What we are seeing here is a global effort by international agency’s, security professionals from around the world and Microsoft working together to defeat an unknown attacker, that if left un-matched, could infect a significant portion of the worlds computers.

This story is not over.

Robert Siciliano Identity Theft Expert-Speaker video discussing rise in identity theft Here