Political hacktivism and the exploitation of tragedies is on the rise

February 9, 2010 by skeoseyan

Political hacktivism and the exploitation of tragedies is on the rise: “A new McAfee report highlights the rise of political hacktivism in countries like Poland, Latvia, Denmark and Switzerland as well as the most significant spam-generating stories in 2009. 2009 averaged…”

(Via Help Net Security – News.)

81 percent of e-mail links to malware

February 9, 2010 by skeoseyan

81 percent of e-mail links to malware: “81 percent of e-mail links to malware”

(Via Help Net Security – News.)

FaaS: The Emergence of Fraud as a Service

February 9, 2010 by skeoseyan

FaaS: The Emergence of Fraud as a Service: “FaaS: The Emergence of Fraud as a Service”

(Via Information Security Resources.)

PCI Stresses Small Business and Web Hosting Companies

February 9, 2010 by skeoseyan

PCI Stresses Small Business and Web Hosting Companies:

‘Mike,’ the owner of a midsized web-hosting company, talks about the effects of the Payment Card Industry Data Security Standard (PCI/DSS) on web hosting companies and small online merchants who are his customers.

s: If PCI/DSS were enforced today, what would happen?

m: Well, all the small businesses would lie. Right? If you’re a small outfit, and the choice is ‘Either I say yes to everything or my business is destroyed…’ What’s the choice?

s: When did you start taking PCI compliance seriously?

m: At some point just prior to fall of 2005, we concluded that PCI applied to us because we’re a merchant who accepts credit cards, and so we had Responsibilities. I don’t remember there being a good enough dialogue about it, or even any dialogue. Was there some point that I said, ‘Yes, I agree that if I would like to continue accepting credit cards as an Internet merchant I additionally agree to comply with this 100-point list?’ I don’t remember ever doing that. I don’t remember ever saying, ‘Dear VISA, yes, I agree, I’ll do it!’

s: What is the impact of PCI/DSS on small businesses?

m: Well, if it continues to be generally ignored by the vast majority of small merchants and small hosting companies, then the impact will be slow and steady.

It’s a matter of how aggressive the credit card processors and the PCI SSC themselves decide to get on their customers. Sure, my payment processing company… could decide to demand from me an attestation of compliance. They could hold this over my head and say, ‘we will REVOKE your credit-card processing privileges if you do not submit your attestation of compliance.’

Imagine us asking thousands and thousands of customers who have previously been on auto-pay to ‘please, hand-write me a check from now on.’ And customers in 40-something countries. Good luck.

s: It’s fair to say you would go out of business.

m: It might not kill us, but it would cripple us. But that credit card processor, in making that decision to revoke our privileges, would of course be cutting themselves out of thousands of dollars of revenue every month that we paid them. They would be killing one of their customers. So, they’re torn in two directions.

s: Do you feel that the PCI SSC took appropriate input from merchants?

m: In reality, 95% of the merchants would have not been capable of providing substantive technical feedback to the committee.

s: How come?

m: Because 95% of merchants are not technical operations. They are businesses that are selling coffee on the corner, or they’re selling widgets, and their cardholder data environment doesn’t consist of much but a plastic box with a phone line connected to it.

s: What do you think that implies for their ability to comply with PCI/DSS?

m: The jaw-dropping, gasp, oh-my-goodness implication of PCI/DSS is for all the ‘Laura’s Online Candle-Shop’ and ‘Best-Fishing-Lures-in-Arkansas Dot Com’ and the small Internet merchants with online shopping carts. These are my customers. I know a lot of them have shopping carts that are not million-dollar-a-month e-commerce operations. They are not Amazon. They are modestly successful online merchants.

Now these millions of small businesses, and the small- to medium-sized web hosting companies that are called upon by these small merchants, have a 100-point checklist of things that are not terribly understandable and are broadly interpretable and in many ways onerous to the point of absurdity for a small operation.

s: Do you think that PCI/DSS will cause consolidation in the web hosting industry, or that there will be fewer small businesses as a result?

m: I don’t think the American public or the international public is going to shed a tear if there is bloodletting consolidation of the web hosting industry. Where they would take up arms would be if Laura and Sam and Bob can’t open candle shops online. If that becomes impossible, or unrealistic, or incredibly expensive, there’s going to be pushback.

s: You think that people won’t miss the mom-and-pop web hosting companies?

m: Most web hosting companies are noticed by their customers when something breaks. The future of baseline web hosting is like the future of the electric company. Who gives a damn who you buy electricity from? You expect it to work 100% of the time. When it doesn’t, you’re annoyed and it’s disruptive. You don’t have a relationship with your electric company the way you do with your corner coffee shop or brewery.

s: Why is that?

m: The nature of commoditization, I guess.

s: Sounds like you’re suggesting that what will happen with the web hosting industry is similar to what happened in the telephone industry.

m: Sure, or any of the utilities that we all take for granted. Now, everyone assumes that cell phone service is going to work, your cable is going to work, there’s going to be water when you turn on the spigot. Web hosting companies will need to grapple with that commoditization and provide services that impress or delight or become more part of the daily workflow of the customer, rather than being part of some background thing that [you only notice when] something breaks.

s: Do you think there’s value for the public in having a variety of hosting options, or is it simpler to have it centralized?

m: The web hosting industry has got to be incredibly confusing for a customer right now. There are tens of thousands of hosting operations, many of which are 1, 2, 3, 4 dollars a month… Talk about a race for the bottom! How low can you go? It’s below the threshold of constituting commerce. A dollar a MONTH? I think the industry would benefit greatly from a culling.

I have in my mind that perhaps half of all ‘web hosting companies’ are a one-man show with someone who has another job, whether a student or some sort of professional. Those folks are in no way equipped to ensure the security of credit card data or to fix a server when it breaks. There’s such a low barrier to entry in the web hosting industry right now.

s: What do your peers in the industry think of PCI/DSS?

m: People are flabbergasted at the absurd impossibility of the vast majority of web hosts ever approaching PCI/DSS compliance. Laura’s Candle Company? She’s required by PCI/DSS to ONLY host her web site that accepts credit cards in an environment that is itself PCI/DSS compliant. The only hosting that she’s allowed to use under PCI/DSS [requires 8 separate devices]: hardware firewall, application firewall, log audit system, and all that business. However, the vast majority of companies load up customers onto one box, and then get a new box. Then they load up customers on that, and then get a new box. And so on.

I know someone who has a hosting account with one of the top ten hosting companies. When she wants to FTP or SSH into her server, she goes to server 192 dot domain name dot com, and that machine hosts FTP, SSH, web, database, DNS, SSL, POP3, etc. It hosts all services. Bang, right off the bat, that’s not a PCI/DSS compliant hosting environment. For these web hosting companies, it’s a shaking of the foundation.

s: Do you think it’s realistic to expect small business owners to comply with PCI/DSS in the near future?

m: As a small business owner myself, I’m both the operations guy and the people manager. We have always hired new staff as we identified a clear and defined role, and more importantly, had the revenue to pay that person a fair wage and benefits. We’ve got this daily pop and crackle of operations plus customer service. We do not have the extra thousands or tens of thousands of dollars a month to, oh, just staff up!

Stopping customer service is not a viable option. Stopping operations pop and crackle is not a viable option. So who do I pull off? Where do I find the right staff or the right expertise to start working through the things that are required of PCI/DSS? I don’t know.

If I ran a technical operation that had 1000 operations employees, I could say, ‘Hey! pull team B-13 off of their raised floor construction project. They are now the PCI/DSS regulation security team.’ That sounds fine. That’s something that a big operation could pull off. If I was in a position to hire three new engineer sysadmins next week, then I’d surely put one or maybe two of them on PCI/DSS. ‘Hey, we’ve got to rewrite this code,’ or ‘Hey, we’ve got to reconfigure this network,’ We’ve got to do this, we’ve got to do that. But like many small businesses, we barely keep up with what’s going on right now.

s: This economy must be especially hard.

m: That’s right. We’re watching customers shut down their gardening blogs and their chess club web sites. These sites were important to them until they lost their jobs, and now they’ve got to figure out what the priorities are in terms of monthly expenses.

s: How much do you think this is going to cost you?

m: Well, of course if our credit card processor tells us it’s going to cost us an extra 1% of every transaction, that’s measurable. If they, like I’ve heard from other web hosts, decide that until we submit our attestation of compliance, we’ll have an extra $19.95 a month nuisance fee, then it’ll be $20 a month for the foreseeable future.

Another potential angle on cost: Will our customers begin demanding some sort of certification / attestation? ‘My credit card processor tells me that I’m only allowed to host with a PCI compliant host so I really need to know.’ If our only answer is ‘no,’ we’ll lose customers. Our growth will be stifled, and we may shrink as an operation. So, we could wither, or be crippled or killed, or just be taxed by PCI/DSS.

s: Basically, you’re saying that PCI/DSS could cause small businesses to go under.

m: Yes, if it was enforced vigorously. I should go on record as saying that I support the general idea of having standards for how credit card data is handled on behalf of your customers. People should use secure best practices and due care to ensure that credit card data is not released to hackers in Des Moines or Denmark or Indonesia. We must avoid that. Good! Let’s have some standards.

s: What is the purpose of PCI/DSS?

m: To push cardholder data security downstream to the merchants who handle it first.

s: Do you think PCI/DSS is at all effective?

m: Yes. I would say that PCI/DSS is effective in encouraging (let’s say urging or demanding) entities that handle personal information, including card holder data, card numbers and whatnot, to review their security procedures. It provides a not-valueless checklist of things to think about when handling this sensitive information.

s: What is the future of PCI/DSS?

m: First, I’ll say that no more than 20% of credit card merchants will be PCI/DSS compliant, truly, in the next decade. It will be a slow and gradual process. At some point, a team of brilliant security engineers is going to come up with something that renders plaintext credit card numbers like telegraphs. There will no longer be a concept of entering some numbers that magically allow you to move money around.

s: You think our financial transaction system will evolve beyond credit cards into something different?

m: Yes, that is exactly what I mean. Even the biggest, most responsible badass security processors with awesome security practices keep getting compromised. The data at rest is inherently vulnerable, and so will continue to be a succulent target. We need to make the target less tasty. [We need] a transaction system that could (perhaps magically) ensure that the transaction was legitimate, and isn’t just a string of not very many magic numbers. When smart guys and gals invent that, we will begin forgetting about PCI/DSS compliance in its current form.

s: Do you think that the credit card companies should be focusing on changing the system?

m: For all I know they have teams of ten thousand in underground bunkers who are developing the next great payment transaction processing technology. If they are, that’s great. That’s awesome. I have no idea what they’re doing, but I hope they are. I hope they are not believing that a short string of numbers is the tool of the future.

Sherri Davidoff
PGP-signed text: 2010-02-08 (current)


(Via philosecurity.)

BofA Discloses “Undisclosed” Breach

February 9, 2010 by skeoseyan

BofA Discloses “Undisclosed” Breach:

Recently, a friend of mine received a letter from Bank of America informing her that ‘some credit card information on your Bank of America account may have been compromised at an undisclosed third-party location.’

The letter went on to state that BofA had reviewed her account and saw ‘no evidence that your account has been misused in any way. We will continue to monitor activity on your account, and if we detect suspicious transactions, we will notify you.’ BofA also informed her that ‘we will close your existing account and issue you a new account number and credit card(s).’

Imagine if your doctor sent you a letter informing you that ‘you’ve contracted an undisclosed disease from an undisclosed third party. Take these pills and carry on as before. We’ll monitor your symptoms and notify you if you show signs of further infection.’

The underlying subtext here is that a) my friend’s information was probably compromised through a merchant that she has done business with; b) she does not have the right to know who that was; and therefore c) she must continue to do business as usual without the ability to change her behavior based on the fact that the merchant did not safeguard her information appropriately.

BofA referenced a web site where they talk about data compromise:

http://www.bankofamerica.com/compinfo

According to this site, ‘When a data compromise occurs Bank of America is notified by multiple sources, including Visa®, MasterCard®, American Express® and law enforcement agencies when our accounts have been included in a data compromise… Unless the merchant announces the breach to the public, we are unable to provide the name of the merchant or where the data breach has occurred.’

In other words, the credit industry is facilitating willful ignorance in order to protect their fundamentally broken system. If you or I found out where exactly the breach happened, we might not be so inclined to give our credit-card numbers to the end merchant or payment processors involved. Customers are not provided with the information we need to make educated decisions about who we trust with our information.

Truth be told, the fundamental problem isn’t with the end merchants, anyway. The problem is that our financial infrastructure rests on the broken concept that a short string of numbers can be used to move money from one person’s account to another. This string of numbers has to be kept ‘secret,’ but it also has to be given to dozens of people throughout the course of a day in order to conduct routine transactions.

Here’s my favorite section of BofA’s data compromise FAQ:
‘Is it safe to use my new card?
‘We are confident that this was an isolated incident and that the steps we have taken will ensure the continued security of your account. Please continue to use your new account as you normally would.’

Yes… an ‘isolated incident,’ just like the other 285 million records that were compromised last year. Take these pills and carry on.

Sherri Davidoff
PGP-signed text: 2010-01-24 (current)


(Via philosecurity.)

Texting scam hits Kirksville

February 6, 2010 by pmakohon

Texting scam hits Kirksville | HostExploit News:

Many people across the country have received text messages notifying them that their bank accounts have been frozen, causing alarm and panic. Although their tricks are well-known, phishers have gone on the offensive in the past few months, targeting both individuals and financial institutions.

Phishers used documentation belonging to the American Bankers Association and demanded payment for an “unauthorized transaction” they claimed had been made from the Jefferson City-based association’s account.

This came in the wake of another phishing scam in which some U.S. Bank clients in Kirksville and other Missouri cities received text messages notifying them that their bank accounts had been frozen.

“We were hit [Jan. 27],” said Bill Ratliff, executive vice president of the Missouri Bankers Association. “The phishers sent us an e-mail saying we owed $700 to the American Bankers Association for a meeting that we never had. They are trying for individuals, corporate and financial institutions. This is a new one for us.”

Ratliff said the scam e-mails had been sent to all 50 bankers’ associations nationwide, and that the American Bankers Association had since contacted all of its affiliates notifying them that the e-mail was a fraud.

The Missouri State Highway Patrol’s Department of Public Safety warned the public last week about an ongoing phishing scam in which fraudsters disguising themselves as bank administrators send text messages notifying bank clients that their accounts have been frozen and asking them to call a certain number to reactivate their accounts.

U.S. Bank clients received a text message reading “Customer issue, U.S. Bank service frozen.” The message then provided a number to call, which traces to Newfane, Vt., and gives an automated request for account information.

U.S. Bank has blocked its customers from returning calls from numbers associated with phishing fraud. These are numbers identified as having originated or redistributed the phishing messages after several clients called in with complaints about the messages last week.

Sgt. Brent Bernhardt, communications officer of MSHP’s Troop B, warned the public against responding to any of these messages, saying financial institutions do not conduct this type of business over the telephone, in e-mail or via text messages.

“We have not been made aware of any more messages since Jan. 15, but identity theft is a growing crime in our country,” Bernhardt said. “These kinds of scams not only target banks but also people who have money in banks and credit cards.”

Although figures for phishing cases in Missouri were not readily available, Bernhardt said more than eight million people had fallen victim to identity theft between 2008 and 2009.

“[Bank clients] are asked to provide their personal banking information,” Bernhardt said. “Once banking information is provided, it is suspected that an unauthorized individual has access to the victim’s account. We are doing everything we can to be proactive and eliminate such scams.”

U.S. Bank spokesman Steve Dell said that although no U.S. Bank clients had fallen prey to the fraudsters, the recent phishing scam is not an isolated incident and has targeted clients from banks across the country.

“Numerous attempts like these are made daily, and we make efforts to notify our clients that we would never ask them to place their confidential information at risk by sending it to us,” Dell said. “We are constantly updating and increasing security for our clients. Security is of utmost importance. Anytime someone sees any activity that is out of the ordinary they should contact a trusted number or location. These phishers are not just targeting U.S. Bank, but every other bank.”


US oil industry hit by cyberattacks: Was China involved? / The Christian Science Monitor – CSMonitor.com

January 26, 2010 by pmakohon

US oil industry hit by cyberattacks: Was China involved? / The Christian Science Monitor – CSMonitor.com:
Iraq’s Rumaila oil field: A key target of 2008 cyberattacks on US oil and gas companies ExxonMobil, ConocoPhillips, and Marathon was exploration ‘bid data’ that provides critical details about new energy discoveries.

Photo: Atef Hassan/Reuters
By Mark Clayton, Staff writer / January 25, 2010

Houston
At least three US oil companies were the target of a series of previously undisclosed cyberattacks that may have originated in China and that experts say highlight a new level of sophisticati”


Lethic Spamming Botnet Shut Down

January 13, 2010 by skeoseyan

Data breaches: The insanity continues

January 11, 2010 by skeoseyan

Data breaches: The insanity continues: “In 2009, the Identity Theft Resource Center recorded 498 breaches, fewer than the 657 in 2008 and more than the 446 in 2007.

Are data breaches increasing or decreasing? That is the question no one can …”

(Via Help Net Security – News.)

Shadowserver Foundation Blog: DDoS for Hire – More cooperation, or new competition?

January 9, 2010 by skeoseyan

I’ve always been interested in DDoS attacks, not only for their technical aspects, but also their social, economic, or political aspects. This past summer, several of us were closely watching a DDoS group that was fairly aggressive and diverse in its attack targets. This group, known as the “hack-off” group, used the domains “hack-off.ru” and “hack-off.info” for their command and control. What was particularly interesting about “hack-off” was their attack campaigns on targeted industries and groups. Such industries included:

hack-off DDoS targeted industries

* Online pharmacies
* Porn sites
* Automotive parts suppliers
* Replica Watches
* Online Gambling
* Logo Design companies
* Sporting goods and sportswear
* Healthcare products
* Electronics vendors

Many of the attack victims were fairly high profile, and law enforcement agencies from at least 5 different countries became involved. Eventually, with the assistance of cert-ru and Afilias, the domains were suspended, and by October 2009 the “hack-off” crew was offline.

Recently while looking through some of our data sets, I again noticed aggressive DDoS attacks against targeted industry groups. In this case, four domains are seen being used for command and control:

New DDoS controllers
853c9e57.biz
atatatata.org
www.atatata.org
goog-le.ru

Over 250 different sites have been targeted for DDoS from these controllers since November 2009. The victim sites were fairly diverse, but were seen predominantly in the following industries:

Industries targeted by atatata and friends

* Car buying sites
* Footwear
* Sporting goods
* Jewelry
* Gambling and Lottery
* Watches
* Appliances
* Travel and Tourism

The domains used by these controllers have been run on various hosting providers as described below. atatata.org has also been seen dropping FakeAV as well as other malware. Another active botnet domain on the same IP as atatata.org is dia2.cn; however, I haven’t yet seen DDoS-related activity from it.

The top IP address listed is the currently active IP for that domain. The listing below also shows the nameserver history for each domain.
Domain information

853c9e57.biz

* 193.104.94.117 – AS50033 – GROUP3-AS GROUP 3 LLC.
* 91.196.138.97 – AS15756 – CARAVAN
* 91.212.220.242 – ??

Registrar: ONLINENIC, INC. D/B/A CHINA-CHANNEL.COM
Nameserver: Dns-diy.net

atatatata.org

* 115.100.250.107 – AS4837 – CHINA169-Backbone
* 210.51.166.229 – AS9929 – China Netcom Corp.
* 61.235.117.76 – AS9394 – CHINA RAILWAY Internet

Registrar: Directi Internet Solutions
Nameserver: Everydns.net

www.atatata.org

* 115.100.250.107 – AS4837 – CHINA169-Backbone
* 210.51.166.229 – AS9929 – China Netcom Corp.
* 61.235.117.76 – AS9394 – CHINA RAILWAY Internet
* 174.37.235.32 – AS36351 – SoftLayer
* 174.36.195.197 – AS36351 – SoftLayer
* 91.212.198.137 – AS49314 – NEVAL PE Nevedomskiy Alexey Alexeevich

Registrar: Privacy Protected
Nameservers:

* 8/22/09 Everydns.net
* 8/29/09 Slavhost.com
* 9/5/09 Agava.net.ru
* 9/6/09 Slavhost.com
* 9/7/09 Intdelivery.com
* 9/11/09 Everydns.net

goog-le.ru

* 91.212.198.171 – AS49314 – NEVAL PE Nevedomskiy Alexey Alexeevich

Registrar: NAUNET-REG-RIPN
Nameserver: freedns.ws

While DDoS for hire is nothing new, these particular attacks and the activity behind them remain interesting. Are these new criminal groups rising up to compete in the lucrative world of DDoS? Or are we just seeing more cooperation and consolidation of efforts among the usual and familiar players?

We’ll continue to keep an eye on any new attacks from these controllers as well as the providers from where they are hosted.

=>Posted January 09, 2010, at 10:25 AM by Andre’ – Semper_Securus

(Via DDoS for Hire – More cooperation, or new competition?.)
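As an added example (not part of the Shadowserver post or of this page), the script below turns the controller domains and IPs listed in the post into a small indicator set and runs it over DNS query-log lines and flow records to find which internal hosts resolved or connected to a controller. The indicators are the ones the post lists; the BIND-style query-log layout, the CSV flow layout, the 10.0.0.0/8 client addresses and every log line are constructed assumptions for the sample.

```python
"""Match the DDoS controller indicators from the Shadowserver post against
DNS query and flow logs. All log lines below are constructed sample data."""
import ipaddress
import re
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Indicators copied from the post. The hack-off domains were suspended in
# October 2009 and are kept only to catch stragglers still resolving them.
INDICATOR_TAGS: Dict[str, str] = {
    "hack-off.ru": "ddos-c2 (suspended)",
    "hack-off.info": "ddos-c2 (suspended)",
    "853c9e57.biz": "ddos-c2",
    "atatatata.org": "ddos-c2",
    "www.atatata.org": "ddos-c2",
    "goog-le.ru": "ddos-c2",
    "atatata.org": "fakeav-dropper",      # per the post, also drops FakeAV
    "dia2.cn": "co-hosted botnet",         # same IP as atatata.org, no DDoS seen
}

# Current and historical controller IPs from the post's domain listings.
C2_IPS = {
    ipaddress.ip_address(ip) for ip in (
        "193.104.94.117", "91.196.138.97", "91.212.220.242",
        "115.100.250.107", "210.51.166.229", "61.235.117.76",
        "174.37.235.32", "174.36.195.197", "91.212.198.137", "91.212.198.171",
    )
}

# BIND 9 query-log field order (assumed for the sample).
_BIND_QUERY = re.compile(
    r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def matched_domain(qname: str) -> Optional[str]:
    """Return the indicator that qname equals or sits under, preferring the
    most specific one (www.atatata.org over atatata.org); None if no hit.
    The '.' boundary check keeps evil-atatata.org from matching atatata.org."""
    name = qname.rstrip(".").lower()
    hits = [ioc for ioc in INDICATOR_TAGS
            if name == ioc or name.endswith("." + ioc)]
    return max(hits, key=len) if hits else None


def scan_dns_log(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """(client, qname, indicator) for every query that resolves a listed domain."""
    found = []
    for line in lines:
        m = _BIND_QUERY.search(line)
        if not m:
            continue
        ioc = matched_domain(m.group("qname"))
        if ioc:
            found.append((m.group("client"), m.group("qname"), ioc))
    return found


def scan_flow_log(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Flow records are 'timestamp,src,dst,proto,dport' (assumed CSV layout);
    return (src, dst) for every flow to a listed controller IP."""
    found = []
    for line in lines:
        parts = line.strip().split(",")
        if len(parts) < 3:
            continue
        try:
            dst = ipaddress.ip_address(parts[2])
        except ValueError:  # malformed address field: skip rather than crash
            continue
        if dst in C2_IPS:
            found.append((parts[1], parts[2]))
    return found


def hosts_to_triage(dns_hits, flow_hits) -> Dict[str, Set[str]]:
    """Fold both hit lists into {internal host: set of indicators it touched}."""
    triage: Dict[str, Set[str]] = {}
    for client, _qname, ioc in dns_hits:
        triage.setdefault(client, set()).add(ioc)
    for src, dst in flow_hits:
        triage.setdefault(src, set()).add(dst)
    return triage


# Constructed sample logs; 10.0.0.0/8 hosts are hypothetical internal clients.
SAMPLE_DNS_LOG = [
    "09-Jan-2010 10:25:01.120 client 10.0.0.15#53211: query: www.atatata.org IN A + (10.0.0.1)",
    "09-Jan-2010 10:25:01.300 client 10.0.0.15#53212: query: goog-le.ru IN A + (10.0.0.1)",
    "09-Jan-2010 10:25:02.010 client 10.0.0.22#40001: query: www.google.com IN A + (10.0.0.1)",
    "09-Jan-2010 10:25:02.500 client 10.0.0.31#40002: query: ns1.853c9e57.biz. IN A + (10.0.0.1)",
    "09-Jan-2010 10:25:03.000 client 10.0.0.22#40003: query: evil-atatata.org IN A + (10.0.0.1)",
    "09-Jan-2010 10:25:03.400 client 10.0.0.22#40004: query: atatata.org IN MX + (10.0.0.1)",
]
SAMPLE_FLOW_LOG = [
    "2010-01-09T10:25:03Z,10.0.0.15,91.212.198.171,tcp,80",
    "2010-01-09T10:25:04Z,10.0.0.22,8.8.8.8,udp,53",
    "2010-01-09T10:25:05Z,10.0.0.31,193.104.94.117,tcp,443",
    "2010-01-09T10:25:06Z,10.0.0.40,not-an-ip,tcp,80",
]

if __name__ == "__main__":
    dns_hits = scan_dns_log(SAMPLE_DNS_LOG)
    flow_hits = scan_flow_log(SAMPLE_FLOW_LOG)
    for host, iocs in sorted(hosts_to_triage(dns_hits, flow_hits).items()):
        tags = {INDICATOR_TAGS.get(i, "c2-ip") for i in iocs}
        print(f"{host}: {sorted(iocs)} -> {sorted(tags)}")
```

Two design points worth noting. Domain matching is done on label boundaries and prefers the longest listed name, so a lookup of ns1.853c9e57.biz is attributed to 853c9e57.biz while evil-atatata.org is not mistaken for atatata.org. The post's own nameserver and IP history (six hosting moves for www.atatata.org in three weeks) is also the reason the IP set is kept separate from the domain set: controller IPs age quickly and are only useful for flow data from the same window, whereas the domains are the durable pivot.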