Archive for the ‘Cybercrime Trends’ Category

In general, I think that the new breach disclosure laws are good for society. The one risk that I worried about but that all the consumer advocacy groups poo-pooed was the threat of frivolous lawsuits over good-faith attempts to comply with the disclosure laws.

I don’t know if that’s the case in the Heartland breach yet, but I’m worried about it. For those of you who haven’t been following the case, Heartland Payment Systems is a transaction processor for debit and credit card transactions, handling about 100 million transactions per month. On 20 January 2009, they disclosed that their systems had been compromised in 2008 by hackers using “sniffer malware” to capture numbers as they went through the processing platform. No SSNs or PINs were exposed but customer names and card numbers were. According to their release, Heartland’s security team started working on the incident in “late 2008”.

One week after making their announcement, Chimicles & Tilellis LLP filed a class action lawsuit asserting that Heartland “made unreasonably belated and inaccurate statements concerning the breach.” The complaint also says Heartland does not appear to be offering any credit monitoring services or other relief to consumers affected by the breach.

For a major incident involving the compromise of a core system, due diligence (and the law) requires an intense and detailed investigation. If they’re smart, Heartland also brought in several layers of law enforcement, each of whom would want more information and their own time to investigate. We don’t have the full details yet but based on what we do know so far, a disclosure in January seems pretty prompt to me.

As to the offer of credit monitoring service, I haven’t seen anything that would indicate that it’s justified. Compromised credit card numbers can’t be used to create new credit accounts or commit identity theft. The thieves could make charges on the cards, but 1) the accounts have been shut down so no further damage can be done and 2) even for the fraud committed so far, the victims’ liability is capped at $50 (and probably won’t even be that high in this case). Credit monitoring won’t provide any protection in this case.

Note that there’s nothing in the suit about whether the company properly protected the customers’ information. Clearly, they should have done something differently but that’s not what these lawyers chose to address. Nor are they talking about real damage or losses to the consumers. They’re arguing only about technical compliance with the breach notification laws.

Even if the company wins the suit, fear of similar suits will increase costs (which are inevitably passed along to customers) and may create a perverse incentive by future companies to cover up the breach rather than risk being sued after a disclosure. If left unchecked, that abuse will erode and quickly outweigh the societal good that comes from the breach disclosure laws.

Well, this will be the first post in the new location. I hope everyone is able to find and read the blog easily. Please let me know if there are any problems.

Back on 26 Sep, President Bush signed the Identity Theft Enforcement and Restitution Act of 2008. This new law should make it easier for federal prosecutors to deal with hackers and other cybercriminals.

Specifically, the law makes it a felony to damage 10 or more protected computers used by or for the federal government or a financial institution. That means we finally have a tool to start using against the malware writers.

The law also eliminates the current requirement that a prosecutor show that the illegal activity caused $5,000 in damages before he/she could bring charges. This is a big deal for us. Because so many of the damages are “soft”-costs – labor to investigate or repair the breach, etc – few cases were ever brought under the old rules. Now, it should be much easier to get federal support if someone commits a cybercrime against your company.

  • If you suspect a cybercrime, be sure to call your local FBI office as soon as possible. They will have specific instructions on what to do in order to preserve as much evidence as possible.
  • Keep detailed notes of everything you do and all the time you spend working on the cybercrime investigation, repairs, etc. Even if the FBI no longer needs that magic $5,000 to get involved, your records about the damages and costs will be important to the judge when the criminal is finally caught and prosecuted.

The new law allows the Feds to take jurisdiction even when both the criminal and victim live in the same state. Under the old law, the crime had to affect interstate commerce before the Feds could get involved. Since it’s often hard to know where the criminal is working from until far into the investigation, the states were too often left on their own.

Finally, the law has some restitution clauses for the victims of identity theft. Those clauses are rather vague and I suspect will be difficult to enforce. Still, it’s a step in the right direction.

I trust everyone had a good holiday break and hope you have a good new year. With the way 2008 ended, many people are making plans for the future. Unfortunately, some of those planners include phishers and social engineers. And as I’m sure you’ve seen, they are getting more and more creative and professional in their scams. The days when you could delete a message just because it was poorly written are long gone. Today’s scams are targeted, well-written and spell-checked.

In particular, we are already seeing an increase in phishing messages that reference the recipient’s holiday credit card spending pattern. The messages will claim to be requests for confirmation, reports of transactions and even a few of the traditional “your account has been frozen” scams. During the holiday season, many people have more transactions and shop with more different merchants; the scammers are attempting to exploit any confusion over those transactions in order to trick you into disclosing your account information, passwords, etc. If last year is any indication, expect that phishing campaign to accelerate during this week and last until the middle of next month or so.

We are also seeing a number of scams related to the economy. The number of work-at-home scam messages is up dramatically. As you may remember from prior tips, these scams promise easy money either for helping transfer funds or for conducting “quality control checks” on merchandise. In the first case, you become part of a money laundering operation; in the second, a fence. Either way, you’re likely to get a visit from some federal law enforcement agency. If it were that easy to make money, they wouldn’t need to be sending out random emails about it.

Interestingly, the old “Nigerian fraud” is back in large numbers. These are fairly transparent messages alleging that someone needs your help to get money out of a foreign country (usually in Sub-Saharan Africa) and offering you a percentage if you will allow the person to transfer the money through your bank account. Foreign lottery scams are also back in significant numbers. I believe that by now most people know that these messages are scams but in times of financial difficulty, sometimes hope trumps common sense.

If an email asks for your personal information or if it contains an offer that looks too good to be true, trust your intuition and delete the message. To learn more about how to identify common scams, check out some of the links in the archived Tips on phishing. Have a safe New Year.

For the past year or so, we’ve seen a significant uptick in attempted scams and frauds around every holiday. Many of them trace back to the Storm Worm gang, a crime ring based out of Germany that sells hacker software. Their last big attack was at the Fourth of July and tricked many thousands of users into downloading the ‘storm-bot’ trojan by offering a fake video clip of “the largest fireworks” celebration in the nation. Victims found their computer hijacked as part of a bot-net or had keystroke loggers and other malicious software loaded onto their computer.

If past patterns hold true, we can expect to see a dramatic rise in the volume of spam and phishing attempts during this holiday season. Some of their cons last holiday season included dedicated sites like the Merrychristmasdude.com website (a site offering suggestive holiday-themed photos along with a very malicious download) and spam emails such as the Happy New Year phishes. This group develops very sophisticated software with hundreds of variants that attempt to evade and outrun standard anti-virus software.

To combat these scams, first be suspicious. Never open unexpected messages or attachments.

Second, keep your anti-virus up to date at all times. Set your anti-virus to automatically update itself as often as the software allows. And if you’re particularly suspicious about an email or website, force a manual update before clicking the link. Remember that if your kids have a computer at home that runs under parental controls, their computer may not be able to complete the update under the restricted ID. Their computer may be at risk until you log on under your parental ID so the updates can take hold.

Finally, keep your firewall turned on and be very suspicious of any ‘free’ video or other offer sent through the internet. In particular, be cautious about electronic greeting cards. While some are legit, many are frauds. See this tip for some thoughts on how to sort out e-card invitations.

As if regular ID theft weren’t enough, now there is an organized crime ring of password stealers who are targeting your online gaming accounts.

For those of you who aren’t familiar with these online games, you create a character or ‘avatar’ who adventures through a fantasy world, interacting with other players to overcome various hazards and quests. Many people invest huge amounts of time and energy developing the character’s skills and building up possessions in these online worlds. The Wall Street Journal has run several stories about the ‘virtual economies’ that sprang up around these games. Some players build up strong characters or search for rare possessions for the sole purpose of selling them to new players who don’t want to go to the effort of building up an inexperienced character themselves. It may sound a little weird but it’s all legal – the free market in action.

The hack in this case is an infection on your machine whose only purpose is to steal the password to your online game account. They log on as you and sell all your carefully hoarded possessions for virtual gold coins, which are then handed over to some other online confederate who sells the virtual gold for real-world cash at an online exchange like IGE. (Yes, you can make real money playing games.)

Unlike a theft of your real-world bank password, the theft is virtual so it’s not clear that you can actually report it to the police (or that they could do anything if you did). Furthermore, it’s very easy to launder the transaction – there’s almost no chance that the hacker will get caught.

On the plus side, some of the recent security updates have closed the worst holes that these password stealers exploited. This example highlights the need to keep your computer fully patched and your antivirus and anti-spyware up to date. And, of course, don’t play those online games on your work computer.

Read more at CSOonline or get a copy of Exploiting Online Games by Hoglund & McGraw.