Source: Internet Security Alliance Daily Brief
SpyEye Trojan hijacks mobile SMS security for online fraud. October 5, Help Net Security – A stealth new attack carried out by the SpyEye Trojan circumvents mobile SMS security measures implemented by many banks, Help Net Security reported October 5. Using captured code, Trusteer found a two-step, Web-based attack that allows fraudsters to change the mobile phone number in a victim’s online banking account and reroute SMS confirmation codes used to verify online transactions. This attack, when successful, enables the thieves to make transactions on the user’s account and confirm them without the user’s knowledge. In the first step of the attack, SpyEye steals online banking log-in details. This allows fraudsters to access the account without raising red flags. In the second step, SpyEye changes the victim’s phone number of record in the online application to one of several random, attacker-controlled numbers. To complete the operation, the attacker needs the confirmation code sent by the bank to the customer’s original phone number. To steal this code, SpyEye injects a fraudulent page in the customer’s browser that appears to be from the online banking application. The fake page purports to introduce a new security system “required” by the bank and for which customers must register. The page explains the customer will be assigned a unique telephone number and will receive a special SIM card via mail. Next, the user is told to enter the confirmation number they receive on their mobile telephone into the fake Web page to complete the registration process for the new security system. This allows the criminals to steal the confirmation code they need to authorize changing the customer’s mobile number. Now the fraudsters can receive all future SMS transaction verification codes for the hijacked account via their own telephone network. This latest SpyEye configuration shows that out-of-band authentication (OOBA) systems, including SMS-based solutions, are not fool-proof. Using a combination of man-in-the-browser injection technology and social engineering, fraudsters can bypass OOBA, and buy themselves more time since the transactions have been verified.
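The weak link in the attack above is that, once the number of record has been changed, the bank treats SMS codes delivered to the new number as out-of-band confirmation even though the attacker now controls that number. A bank-side control that closes that window is a cooling-off rule: a transaction confirmed by SMS to a number registered within the last few days is held for re-confirmation through a channel the new number cannot satisfy. The following Python is an added illustration of that rule, not code from the brief or from Trusteer; the event schema, the 72-hour window, and the account and phone values are all constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed sample event stream for one review run (not real bank data).
# Timestamps are ISO 8601 and sort correctly as strings.
EVENTS = [
    {"ts": "2011-10-03T09:00:00", "type": "login", "account": "A1"},
    {"ts": "2011-10-03T09:05:00", "type": "phone_change", "account": "A1",
     "old_number": "+15550100", "new_number": "+15550199"},
    # Confirmed 15 minutes after the number changed: the SpyEye pattern.
    {"ts": "2011-10-03T09:20:00", "type": "transfer", "account": "A1", "id": "T1",
     "amount": 4800.00, "confirmed_via": "sms", "confirm_number": "+15550199"},
    # Different account, no recent contact change: normal traffic.
    {"ts": "2011-10-03T10:00:00", "type": "transfer", "account": "A2", "id": "T2",
     "amount": 120.00, "confirmed_via": "sms", "confirm_number": "+15550222"},
    # Same account four days later: outside a 72-hour cooling-off window.
    {"ts": "2011-10-07T09:30:00", "type": "transfer", "account": "A1", "id": "T3",
     "amount": 250.00, "confirmed_via": "sms", "confirm_number": "+15550199"},
]


def _parse(ts):
    return datetime.fromisoformat(ts)


def review_events(events, cooling_off=timedelta(hours=72)):
    """Return {transaction_id: reason} for SMS-confirmed transactions to hold.

    Assumed policy (not from the brief): an SMS code delivered to a phone
    number that was registered less than `cooling_off` ago is not accepted
    as out-of-band confirmation, because in the number-hijack scenario the
    new number belongs to the attacker. Such transactions are held until
    the customer re-confirms through a channel independent of that number.
    """
    last_change = {}  # account -> (timestamp of change, new number)
    holds = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        acct = ev["account"]
        when = _parse(ev["ts"])
        if ev["type"] == "phone_change":
            last_change[acct] = (when, ev["new_number"])
        elif ev["type"] == "transfer" and ev.get("confirmed_via") == "sms":
            change = last_change.get(acct)
            if change is None:
                continue  # no contact change on record for this account
            changed_at, new_number = change
            age = when - changed_at
            if age < cooling_off and ev["confirm_number"] == new_number:
                holds[ev["id"]] = (
                    f"SMS code sent to a number registered {age} ago; "
                    "re-confirm via a channel independent of the new number"
                )
    return holds


if __name__ == "__main__":
    for tx_id, reason in review_events(EVENTS).items():
        print(f"HOLD {tx_id}: {reason}")
```

The rule is deliberately narrow: it only fires when the confirming number is the newly registered one, so a customer who changes their number and then transacts confirmed by some other factor is not affected. The window length is a tuning decision; the second assertion in the test shows that lengthening it to a week would also catch the later transfer on the same account.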
Banks losing ground on card security. October 4, Reuters – U.S. banks are losing ground in the battle to combat credit and debit card fraud, a new report shows, underscoring the growing threat thieves and hackers pose for the financial system. Globally, security is improving in the payment industry, according to data released the week of October 3 by the Nilson Report, a California trade publication. For every $100 worth of credit and debit card transactions last year, 4.46 cents were lost to fraud worldwide in 2010, down from 4.71 cents in 2009. But many of the security gains were at banks in Europe and Asia, which have adopted stricter security procedures such as issuing cards with computerized chips to help verify purchases, said the publisher of the Nilson Report. Meanwhile, U.S. banks and merchants have balked at the expense of conversion. As a result, fraud in the United States accounted for 47 percent of global fraud losses last year — up from about 46.5 percent in 2009, and 44 percent in the middle of the last decade, he said. Total fraud losses worldwide were $7.6 billion in 2010, up 10 percent from 2009, the report found.
VA errors compromise identity verification credentials. October 4, Federal Computer Week – The U.S. Veterans Affairs department (VA) may have issued more than 157,000 personal identification credentials without authenticating the identity of the individuals who received them, according to a new report from the Office of Inspector General. Overall, the VA may have issued at least 147,000 credentials without determining whether applicants are known or suspected terrorists, and presented genuine and unaltered identity source documents, the assistant inspector general wrote in a September 30 report. Also, VA may have issued at least 5,100 credentials without verifying applicants’ background investigations, and 5,600 credentials where staff circumvented separation of duty control requirements. The assistant inspector general for audits and evaluations recommended the department immediately direct the VA Enrollment Centers to stop issuing new credentials until the control deficiencies are addressed. VA officials said they had taken immediate action to mitigate the risks uncovered in the report by reviewing the questionable credentials. The assistant inspector general estimated the cost to correct the deficiencies at approximately $6.7 million, and said costs would continue to increase if additional credentials were issued.
Medical identity theft a growing problem. September 23, MedPage Today – According to a recent report on a nationwide survey of 600 executives from U.S. hospitals, doctors’ organizations, health insurance companies, pharmaceutical manufacturers, and life sciences companies, accounting firm PricewaterhouseCoopers (PwC) found medical identity theft is the fastest-growing form of identity theft, affecting 1.42 million Americans in 2010, and costing more than $28 billion. Theft accounted for 66 percent of the publicly reported security breaches documented since 2009, which included stolen laptops, stolen smart phones, using patient data to submit fraudulent claims, and people seeking medical care in another person’s name. The single most commonly reported breach in the security of patients’ private health information was improper use of patient data by a person who works for a doctor’s office, hospital, insurance company, or life sciences organization. The breaches ranged from an employee leaving private documents out in plain sight, to making improper comments on Facebook, or even talking in the elevator about a person’s protected health information. Nearly four out of 10 doctors and hospitals surveyed have caught a patient trying to use someone else’s identity to obtain healthcare services. Patients seeking medical services under someone else’s name was the second most common privacy or security issue reported by healthcare providers. Rounding out the top three most common breaches was improper transfer of files containing personal health data to people who were not authorized to view the information. One in four insurers reported improperly transferring files that contained protected health information.
Atlantic City casinos give police access to surveillance systems; will share video, voice, text via Internet. October 5, Press of Atlantic City – Police will soon have access to Atlantic City, New Jersey casinos’ surveillance systems to help them fight crime in the Tourism District, the Press of Atlantic City reported October 5. By early next spring, all gaming halls will be part of Mutualink, a radio and wireless interoperability system that will allow law enforcement access to the closed-circuit televisions in each casino, as well as hospitals and other public institutions. State officials said access to the cameras will help emergency responders in the event of a terrorist attack or other public safety event. The agreement between casinos and the state Division of Gaming Enforcement (DGE), announced October 4, follows the highly publicized carjacking last month at the Trump Taj Mahal Casino Resort that left a Middlesex County man dead, and his female companion wounded. The DGE has been working with state police and the office of homeland security and preparedness to activate the emergency system in each casino that will allow dispatchers, police, fire, emergency medical services, and other public safety agencies to share voice, video, text, and files across a secure Internet connection.
Tampa takes heed as cyber threat accompanies Occupy Wall Street protest. October 4, St. Petersburg Times; Associated Press – The Occupy Wall Street protest is coming to Tampa, Florida, and it appears a notorious hacker group has threatened Tampa police online assets, the St. Petersburg Times and Associated Press reported October 4. In a YouTube video, a masked man warns police brutality will be the department’s downfall. “If you wish to have the Tampa Police Department alive as a whole — and this is metaphorically speaking — then stay away from the protesters,” he said. The video is attributed to “hacktivist” group Anonymous, best known for its cyber attacks on Sony, Bank of America, and the Iranian government. It is unclear if Anonymous is truly behind the video, or if the masked man is acting alone. Nonetheless, the city is preparing. It has to, Tampa’s chief information officer said, given Anonymous’ previous cyber hacking successes. The city already has intrusion detectors and firewalls in its systems that officials constantly update. They do not plan to buy new products, he said. Instead, employees will monitor the systems more closely this week.
Chrome 14 update brings Flash 11, closes security holes. October 5, H Security –
Firefox and SeaMonkey users warned to disable McAfee ScriptScan. October 5, H Security – A major incompatibility between Mozilla’s browsers Firefox and SeaMonkey, and McAfee’s ScriptScan plug-in has caused “a high volume of crashes,” according to Mozilla. The problem first came to light in September, when members of the McAfee forum began reporting problems with version 14.4.0 of ScriptScan, a tool that checks Web pages, as they are loaded into the browser, for malicious code. This is the first time since July that Mozilla has found it necessary to block a plug-in. All versions of Firefox and SeaMonkey are affected by the problem, as are all current versions of McAfee ScriptScan. Mozilla recommends ScriptScan users disable the browser plug-in. The issue only affects version 7 of the browsers, according to a McAfee spokesperson.
Cisco patch day closes critical vulnerabilities. October 4, H Security – Cisco has published 10 security advisories as part of its bi-annual patch day. The advisories resolve a number of security vulnerabilities. The most serious vulnerability (CVSS 10) addressed was in Catalyst switches running the company’s IOS network operating system software. A bug in the Smart Install remote maintenance feature allowed remote attackers to execute arbitrary code on affected switches. The other advisories fix denial-of-service vulnerabilities in IOS, Unified Communications Manager, and 1000 series routers. Cisco has released updates that fix these vulnerabilities; workarounds exist for some of the problems. Cisco has also fixed the backdoor vulnerability in its Identity Services Engine identity-management software.
XSS Web attacks could live forever, researcher warns. October 4, IDG News Service –
Facebook to scrub itself clean of filthy malware links. October 4, The Register – Facebook has recruited Websense to scan its social network for links to malicious sites. Scammers are increasingly using Facebook as a means to drive traffic towards malware and exploit portals or Internet scam sites. In response, Facebook is tapping Websense for technology that will analyze the jump off points to links. Cloudy technology will assign a security classification to sites, presenting users with a warning if the location is considered dangerous. This warning page will explain why a site might be considered malicious. Users can still proceed, at their own risk, to potentially dodgy sites. Before, individual users had the option to add additional security filtering apps, such as Bitdefender Safego, to their profiles as a means to scan for spam and malicious links. Facebook is now offering this type of technology by default as an extension of its previous relationship with Websense.
Check your machines for malware, Linux developers told. October 4, The Register – Following a series of intrusions that hit the servers used to maintain and distribute the Linux operating system, project elders have advised all developers to check their Linux machines for signs of compromise. E-mails sent September 30 by Linux kernel’s lead developers arrived as volunteers with the open-source project worked to bring LinuxFoundation.org, Linux.com, and Kernel.org back online following attacks that gained root access to the multiple servers that host the sites. Among other things, project leaders are requiring all developers to regenerate the cryptographic keys used to upload source code to the site, and to ensure their systems are free of rootkits and other types of malware.