Archive for March, 2010

China’s Great Firewall Spreads Overseas | HostExploit News

March 27, 2010

Malware delivered by Yahoo, Fox, Google ads | InSecurity Complex – CNET News

March 23, 2010

Malware delivered by Yahoo, Fox, Google ads | InSecurity Complex – CNET News: “
InSecurity Complex, March 22, 2010 12:57 PM PDT
Malware delivered by Yahoo, Fox, Google ads
by Elinor Mills

These charts show incidences of malware distributed by a number of ad delivery platforms over a six-day period last month that were detected by Avast. Yahoo and Fox have the highest counts.
(Credit: Avast)

Malware that exploits holes in popular applications is being delivered by big ad delivery platforms including those run by Yahoo, Fox, and Google, according to Prague-based antivirus firm Avast.

Viruses and other malware were found to be lurking in ads last year on high-profile sites like The New York Times and conservative news aggregator Drudge Report.com, and this year on Drudge, TechCrunch and WhitePage”

PNC: Former National City Bank Accounts Hacked

March 23, 2010

PNC: Former National City Bank Accounts Hacked: “

Some presents just aren’t the kind you want. You buy a new product, get it home, only to find it’s busted. PNC Financial Services Group Inc. found that out the hard way recently after they purchased National City Bank. Turns out that prior to the acquisition there was a data breach affecting customers. Much like herpes, it was an unpleasant surprise.

From Cincinnati.com:

Bank officials were made aware of the data breach earlier this week, but Solomon would not say how many customers’ accounts have been compromised or how much money was stolen.

PNC Financial, which is based in Pittsburgh, said some customer debit cards were compromised shortly before the company acquired Cleveland-based National City Corp. in December 2008.

This naturally begs the question, why did it take so long to discover? I’d be interested to read more on this story as the details emerge.

(Image used under CC from elycefeliz)

UPDATE: Here is more on this story from Channel 9 WCPO

Some Charged More than $1,000

Other customers were hit harder.

* Cynthia Suchoski e-mailed to say ‘there was a charge made yesterday at Macy’s in Costa Mesa, California for $1,300’ on her old National City debit card. She was not in California.
* Jonathan Vasiladis told me his old debit card was hit for $4,000 in bogus charges, many of them happening in England.
* And another, who asked that we not use his name, e-mailed to say his PNC account ‘is more than one $1,000 overdrawn,’ again, after unauthorized charges in California.
* A fourth viewer reports another series of unauthorized charges, supposedly from March of Dimes.


(Via Liquidmatrix Security Digest.)

Police Find Skimming Devices Inside Pumps at 180 Gas Stations in Utah

March 23, 2010

Police Find Skimming Devices Inside Pumps at 180 Gas Stations in Utah: “This is news regardless of where you live. Why? The use of skimming devices by identity criminals is not limited to Utah. ABC 4 television news reported: ‘Utah police investigators said crooks have installed electronic ‘skimming’ devices at 180 gas stations from Salt Lake to Provo in an attempt to…

(Via I’ve Been Mugged.)

Online finance flaw: Ameriprise III – please make it stop

March 23, 2010

Online finance flaw: Ameriprise III – please make it stop: “NOTE: This issue was disclosed responsibly and repaired accordingly.

‘Now what?’, you’re probably saying. Ameriprise again? Yep.
I really wasn’t trying this time. Really.
There I was, just sitting in the man cave, happily writing an article on version control and regression testing.
As the Ameriprise cross-site scripting (XSS) vulnerabilities from August 2009 and January 2010 were in scope for the article topic, due diligence required me to go back and make sure the issue hadn’t re-resurfaced. 😉
I accidentally submitted the JavaScript test payload to the wrong parameter.
What do you think happened next?
Nothing good.
I reduced the test string down to a single tic to validate the simplicity of the shortcoming; same result.

At the least, this is ridiculous information disclosure, if not leaning heavily towards a SQL injection vulnerability.
As we learned the last two times we discussed Ameriprise, the only way to report security vulnerabilities is via their PR department, specifically to Benjamin Pratt, VP of Public Communications.
Alrighty then, issue reported and quickly fixed this time (same day)…until some developer rolls back to an old code branch or turns on debugging again.

We all know ColdFusion is insanely verbose, particularly when left in debugging mode, but come now…really?
I really didn’t want to know the exact SQL query and trigonometry required to locate an Ameriprise advisor.
Although, after all this, I can comfortably say I won’t be seeking an Ameriprise advisor anyway.

Please Mr. Pratt, tell your web application developers to make it stop.

Cheers.

Please support the Open Security Foundation (OSVDB)

(Via HolisticInfoSec.org.)
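The single-tic probe described in the post above, seen from the defender’s side, as an added example that is not HolisticInfoSec’s code nor anything from Ameriprise’s site. The advisor table, the zip-code lookup and the error strings are constructed for the demonstration, and SQLite stands in for whatever database sat behind the ColdFusion page. The point it shows: when input is spliced into the SQL text and a debug-style handler echoes the failing statement, one quote character is enough to disclose the query; with a bound parameter and a generic error, the same quote is just data.

```python
import sqlite3

# Constructed sample data: a tiny advisor-lookup table standing in for the real one.
SAMPLE_ADVISORS = [("A. Example", "55402"), ("B. Sample", "55401")]


def make_db():
    """Build an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE advisor (id INTEGER PRIMARY KEY, name TEXT, zip TEXT)")
    conn.executemany("INSERT INTO advisor (name, zip) VALUES (?, ?)", SAMPLE_ADVISORS)
    return conn


def find_advisor_unsafe(conn, zip_code):
    """The pattern that leaks: user input spliced into the SQL text, plus a
    debug-style handler that echoes the failing statement back to the caller.
    A lone quote breaks the statement and the handler reveals the whole query."""
    sql = "SELECT name FROM advisor WHERE zip = '" + zip_code + "'"
    try:
        rows = [name for (name,) in conn.execute(sql)]
        return {"rows": rows, "error": None}
    except sqlite3.Error as exc:
        # Debug output as a verbose framework would render it: the database
        # error and the full statement. This is the information disclosure.
        return {"rows": [], "error": f"{exc} in statement: {sql}"}


def find_advisor_safe(conn, zip_code):
    """The hardened form: the value travels as a bound parameter, so a quote is
    only data, and the client never sees more than a generic message."""
    sql = "SELECT name FROM advisor WHERE zip = ?"
    try:
        rows = [name for (name,) in conn.execute(sql, (zip_code,))]
        return {"rows": rows, "error": None}
    except sqlite3.Error:
        # Real code would log the exception server-side; the statement itself
        # must never be returned to the client.
        return {"rows": [], "error": "lookup failed"}


def leaks_query_text(response):
    """Reviewer's check on a response: does the error message carry SQL?"""
    err = response["error"] or ""
    return "SELECT" in err.upper()


if __name__ == "__main__":
    db = make_db()
    for probe in ("55402", "'"):
        for fn in (find_advisor_unsafe, find_advisor_safe):
            resp = fn(db, probe)
            print(f"{fn.__name__}({probe!r}) -> rows={resp['rows']} "
                  f"leaks={leaks_query_text(resp)} error={resp['error']}")
```

Running it shows both lookups returning the same row for a normal zip code; for the single quote, the concatenated version answers with an error that contains the statement, while the parameterized version simply returns no rows. The `leaks_query_text` check is the kind of assertion worth keeping in a test suite so that a developer turning debugging back on, as the post worries about, fails a build rather than a disclosure.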

Secret Service Paid TJX Hacker $75,000 a Year

March 23, 2010

Secret Service Paid TJX Hacker $75,000 a Year: “

Convicted TJX hacker Albert Gonzalez earned $75,000 a year working undercover for the U.S. Secret Service, informing on bank card thieves before he was arrested in 2008 for running his own multimillion-dollar card-hacking operation.

The information comes from one of Gonzalez’s best friends and convicted accomplices, Stephen Watt. Watt pleaded guilty last year to creating a sniffer program that Gonzalez used to siphon millions of credit and debit card numbers from the TJX corporate network while he was working undercover for the government.

Watt told Threat Level that Gonzalez was paid in cash, which is generally done to protect someone’s status as a confidential informant. The Secret Service said it would not comment on payments made to informants. Gonzalez’s attorney did not respond to a call for comment.

‘It’s a significant amount of money to pay an informant but it’s not an outrageous amount to pay if the guy was working full time and delivering good results,’ says former federal prosecutor Mark Rasch. ‘It’s probably the only thing he was doing — other than hacking into TJX and making millions of dollars.’

Gonzalez’s salary highlights how entwined he was with the government at the time he participated in the largest identity theft crimes in U.S. history. Gonzalez, 28, is set for sentencing this week on three indictments covering nearly every headline-making bank-card theft in recent years, including intrusions at TJX, Office Max, Hannaford Brothers, 7-Eleven and Heartland Payment Systems (which alone exposed magstripe data on 130 million credit and debit cards). The hacker’s plea agreements contemplate a total prison term of between 17 and 25 years.

Rasch says Gonzalez’s $75,000 is nothing compared to the million-dollar payouts some undercover informants get for high-risk, high-value cases such as Mafia investigations. But Gonzalez’s payments dwarf the meager handouts given previous computer crime informants.

Identity thief Brett Johnson, aka Gollumfun, said he earned $350 a week — the equivalent of about $18,000 a year — while working undercover in the Secret Service’s Columbia, South Carolina, field office helping catch card thieves. Johnson was recruited by the agency in 2005 after he was arrested buying merchandise with counterfeit cashier’s checks; his public service ended 10 months later when agents discovered that, like Gonzalez, Johnson was two-timing them, running a fraudulent tax-return scheme during his off hours that was bringing him an extra $5,000 to $6,000 each week.

Another carder, David ‘El Mariachi’ Thomas, worked undercover for 18 months for the FBI in 2003 and 2004 running a carding site called The Grifters out of a Seattle apartment. The bureau paid rent and expenses for him and his live-in girlfriend, and bought the computers he used to run the undercover operation, but didn’t pay him a salary.

In the 1990s, informant Justin ‘Agent Steal’ Petersen was reportedly paid $200 a week while helping the FBI build a case against Kevin Mitnick, then the number one hacker target on the government’s radar.

For his part, Gonzalez began working for the Secret Service when he was arrested making fraudulent ATM withdrawals in New York. Under the nickname ‘Cumbajohnny,’ he was a top administrator on a carding site called Shadowcrew. The agency cut him loose and put him to work undercover on the site, where he set up a VPN the carders could use to communicate — a supposedly secure communications channel that was actually wiretapped by the Secret Service’s New Jersey office.

That undercover operation, known as ‘Operation Firewall,’ led to the arrest of 28 members of the site in October 2004. After the site went down, Gonzalez changed his nick to ‘Segvec’ and moved to Miami where he resumed his life of crime under the noses of the agents who were paying him. Authorities finally arrested him in May 2008. After many months, he directed them to a stash of more than $1 million in cash buried in a barrel in the backyard of his parents’ home.

Rasch says a number of factors determine what an informant is paid, such as whether they have specialized technical skills or have infiltrated an underground organization; whether they’re putting themselves or family members at risk; and whether the investigations they work involve stolen funds that the government has a good chance of recovering.

‘If I’m working on a case involving $20 million in fraud and the government is likely to get some of that money back, $75,000 is chump change,’ Rasch says. ‘They don’t use paid informants that often…. Criminals will ordinarily cooperate [without payment] in return for a non-prosecution’ or sentence reduction.

The Department of Justice publishes nonbinding guidelines that discuss the necessity of monitoring informants and assessing a criminal’s suitability to be one, but they don’t provide standards for doing so.

Per the attorney general’s guidelines, two law enforcement representatives are required to witness any payment made to a confidential informant and document the payment in the case files, indicating if it’s for information, services or expenses. The informant must also sign or initial a written receipt.

At the time of the payment, the law enforcement agents are required to advise the confidential informant that the payment may be taxable income that must be reported to the IRS and state agencies.

The Secret Service’s embrace of Gonzalez as a professional informant may have reinforced his criminal behavior. Gonzalez felt he’d been rewarded for his preoccupation with computers, according to a letter written by his sister to one of his sentencing judges.

‘All this seemed okay at the time, but psychologically it was feeding an obsession that in the end would become my brother’s downfall,’ Frances Gonzalez Lago told the court in December.

Gonzalez is set for sentencing Thursday in U.S. District Court in Boston for the TJX, Office Max, and Dave & Buster’s breaches. He appears in front of a different judge the next day for sentencing on the Heartland, Hannaford and 7-Eleven thefts. The government is seeking a sentence of 25 years in prison.

Photo of Albert Gonzalez courtesy of Stephen Watt

(Via Wired: Threat Level.)

Cybercrime losses almost double

March 23, 2010

Cybercrime losses almost double: “

FBI figures show huge rise in online miscreantage

US net crime loss complaints almost doubled in value from $265m in 2008 to reach $560m last year, according to official figures.…

(Via The Register – Security.)

Computer forensics tool for banks aims to trace Trojans

March 23, 2010

Computer forensics tool for banks aims to trace Trojans: “Computer forensics tool for banks aims to trace Trojans”

(Via The Register – Security.)

Exploit code with DNS tunnel

March 23, 2010

Exploit code with DNS tunnel: “A hacker has written exploit code which can tunnel a shell connection through firewalls via DNS”

(Via The H Security.)

Mac OS X: “safer, but less secure”

March 23, 2010

Mac OS X: “safer, but less secure”: “Mac OS X: ‘safer, but less secure’”

(Via The H Security.)