Tag Archives: Security

Data Theft: Just another day at the Office for one Exec

An IT executive from a Canadian marketing business stands accused of stealing a computer backup tape that holds the personal details of 3.2 million customers, which if sold on the lucrative black market could make as much as $10 million.

The man accused of the crime is one Nick Belmonte, the (now) ex-vice-president for C-W Agencies, who are based in Vancouver. He asked one of his employees to deliver three backup tapes to his office for copying, but returned only two of them when the employee went back for them.

The details stolen not only include names and addresses, but also credit card details and the banking information of around 800,000 customers. Belmonte was accused of the theft, and promptly went on leave.

“The information in the customer library is highly confidential to the plaintiff and its clients,” a C-W executive wrote in to the courts. “If the customer library data is sold, it could have a devastating effect on CW’s business and that of CW’s clients worldwide.”

To this point it’s unclear how many of the company’s customers have been informed of the data theft. In America businesses must inform their customers of any threat to their data, so one would assume that it’s the same in Canada. However, executives have known of the theft since November 4th.

This sheds light on areas in businesses that do not guard our data properly. Banks and the National Health Service are expected to follow stringent rules on data security, but low-level marketing companies and other ‘media’ businesses tend to be a bit less security conscious.

In related news, a company called CryptoCard has designed a hi-tech credit card with new security measures in an effort to cut down on credit card fraud.

The CD-1 Credit Card Display token uses two-factor authentication to safeguard against online fraud, namely phishing scams. The company wants to develop the technology further so that it may provide more watertight security for customers using their cards online.

Cardholder Not Present (CNP) fraud is becoming more common, so the new card, which combines a payment card and authentication, is due to ship at the start of 2009. CryptoCard said that the new card is already being tested in a number of banks across Europe and the Middle East.

The company’s chief executive, Neil Hollister, said that the card “integrates long-established key-fob token two-factor authentication technology into a credit card”.

Users have to press a button on the card to receive a one-time password which, when used with a traditional PIN code, authenticates access to their online banking accounts via a back-end authentication server. The server technology can be built in to bank call centres to allow for phone customer verification.

CryptoCard’s technology will sell for around $30 each, which is much less than the Emue-designed Visa card currently being trialled by many banks across the world.

Emue cards can digitally sign transactions, and are designed to replace passwords and the “Verified by Visa” scheme when customers buy something online. The digital signature would cut the chances of fraud dramatically.

Emue are lucky enough to have Visa working with them, so they have a distinct advantage in the credit card designing industry right now. Hollister argues that in this economic climate, and with people worried about spending money, there is room for his company.

CryptoCard’s Hollister said: “I don’t want to criticise the technology of Emue card but it’s too expensive for the extra benefit it offers. I don’t expect you’ll see large volumes. It’s further up the technology curve than banks want to go.”

*UPDATE*

C-W Agencies CEO, Gloria Evans, contacted us to “set the record straight” on some of the issues in the above article.

“We noted your interest in recent events at our company and wanted to provide the correct facts:

  • The tape stolen from our premises on Nov. 4 has been recovered.
  • The recovered tape is being examined by forensic experts who will determine whether the information has been accessed.
  • Because of encryption, the requirements for specialized equipment, knowledge and facilities, it is our hope that the data has not been compromised.
  • We informed our customers of the theft immediately.
  • The criminal and civil matters that have arisen from this situation are before the courts and we cannot comment further.

“We are determined to protect our data and are very confident we are taking all reasonable measures to ensure the security of our customers. Our ability to protect our customer data is at the core of our ability to sustain our company.”

Highly Advanced Trojan Steals 500,000 Financial Accounts

A cyber-gang has stolen the details of over 500,000 financial accounts over the course of the past three years using a highly advanced Trojan that remains undetectable to the majority of its victims.

The Sinowal Trojan has enabled one of the largest ever gatherings of bank, credit and debit card details in history, and was spotted by researchers at the RSA FraudAction Research Lab. The program, also known as Torpig and Mebroot, has been operating constantly for almost three years, claim the team, which is an unusual amount of time in the cybercrime world.

“Only rarely do we come across crimeware that has been continually stealing and collecting personal information and payment card data, and compromising bank accounts as far back as 2006,” RSA researchers wrote.

Even more impressive is that Sinowal has managed to become more productive over time. In the past six months, the Trojan has compromised over 100,000 accounts. Since February, the number of variants has jumped from fewer than 25 a month to more than 70, according to the RSA.

The figures are staggering. The research team reckons that at least 300,000 Windows machines have been infected, with over 270,000 online bank account numbers and 240,000 credit and debit credentials stolen.

Unlike most other Trojans, Sinowal spreads silently via websites that prey on unpatched vulnerabilities in the Windows OS or in third-party apps like Adobe’s Flash Player or Apple’s QuickTime Media Player – a user doesn’t even have to click a link or file to have the Trojan installed.

“This particular trojan can get installed without even awareness of the end-user that they have agreed to anything or that anything has been installed,” Sean Brady, manager of identity protection at RSA, said.

The Trojan hides itself in the computer’s master boot record, making the infection very difficult to spot. The best way for users to remove the Trojan is by formatting their hard drive and reinstalling their operating system.

The RSA has shared the data it discovered with affected banks so that they can warn their customers.

Sinowal lies dormant on a system until a user looks at the website of a bank. An HTML injection engine adds fields to the website’s login page that prompt victims to enter passwords, social security numbers and other details. This information is then carried to a server controlled by the cyber criminals. The HTML injection can be triggered by more than 2,700 web addresses.

Although no one can be totally sure, the Trojan’s origin is likely to be Russia. Financial institutions in Europe, Asia and North America have seen the Trojan, but nothing was located in Russia.

How Secure are Your Passwords?

Just a couple of weeks ago Republican vice presidential nominee Sarah Palin had her email account hacked, after someone bypassed her password by guessing the answer to the “secret question”.

She was obviously targeted because of her status, but that doesn’t mean it can’t happen to you. With the average internet user having around 25 online profiles, a secure password is vital to ensure your safety online. The majority of people are lazy, though. They spend so much time on the net that it’s easier for them to use a simple password that has relevance to them, and is generally short. Remarkably, even though reports of cyber-crime and identity theft are through the roof, people still use passwords like “god”, “abc123” or the classically bad, “password”. These people can be loosely defined as idiots.

A solid password doesn’t have to be difficult, but it should be at least eight characters long and ALWAYS contain a mix of letters and numbers, and if you want to be extra secure – symbols.

Here’s a good way of building a secure and hopefully memorable password.

•    I’ll start with the word: technologynews (14 characters)
•    Right, now let’s substitute some of the letters for numbers: t3chn010gyn3ws
•    Already that’s pretty solid, but to make it extra tough you could capitalise some of the letters: T3cHn010gYn3wS

That leaves us with a pretty tough password that you need to memorise. It’s not too hard to memorise one password like this, but unless you have a photographic memory, then you’ll struggle to remember a further 24 passwords if you fall into the average net user category.

It’s fair to say that this password is in no way the toughest in the world. You could go military style and use something like 8Uji#ge3s9%=vw2L93VuX>hT:5tPg. When it comes to security, especially if it’s your business, then you should make it as tough as possible.

One way of remembering all your new passwords is to utilise a password manager. These are readily available either online or locally, and the majority offer ‘one-click-login’ so you don’t even have to remember your gobbledygook.


GAO Raises concerns about US-CERT

A government watchdog agency has slapped the wrists of the US Department of Homeland Security for failing to adequately protect the nation’s critical computer networks, in a report that picks out the US Computer Emergency Readiness Team’s lack of efficiency.

US-CERT is tasked with protecting private and government-run computer networks in America.

A member of the Government Accountability Office said that US-CERT should do a better job of monitoring network activity “for anomalies to determine whether they are threats, warning appropriate officials with timely and actionable threat and mitigation information, and responding to the threat.”

At the hearing on Capitol Hill last Tuesday, he also criticised US-CERT for weaknesses identified during a 2006 cyber-security drill.

A draft report issued by the GAO claims that US-CERT “lacks a comprehensive baseline understanding of the nation’s critical information infrastructure operations, does not monitor all critical infrastructure information systems, does not consistently provide actionable and timely warnings, and lacks the capacity to assist in mitigation and recovery in the event of multiple, simultaneous incidents of national significance.”

It also believes US-CERT “still does not exhibit aspects of the attributes essential to having a truly national capability.”

DHS officials defended their capabilities but also admitted that they need to do more to safeguard the nation’s infrastructure. “We are undertaking something not unlike the Manhattan Project,” a DHS spokesman said. “We have set a strong cyber strategy, recently created the National Cyber Security Center, and are in the process of aggressively hiring several hundred analysts to further our mission of securing critical infrastructure.”

Among the planned enhancements is a system called Einstein, which collects, correlates, analyses and shares computer security information with US-CERT members.