I continue to be surprised that we see so little coverage in old-school media like newspapers about the technological drivers that are re-configuring our society. I guess it's because they are part of the old world, so you see precious little about, say, biotech or computing. Why isn't there a software architecture review every Sunday in the NYT? The Economist is a notable exception to this; their quarterly technology reviews are quite interesting.
Another exception on the security beat is Brian Krebs' ongoing work at the Washington Post. Recently he has chronicled some patterns in online banking fraud and uncovered some pushback from victims onto the banks.
First off, great work by Krebs in following these stories and providing context. It seems very strange to me that this is not more widely covered. What we see in these cases is a classic example of Dan Geer's rule that when those charged with protecting information are not those affected by its compromise, we will get shoddy protection. And of course, it's not just financial data.
July: The Growing Threat to Online Banking
Earlier this month, I wrote about Bullitt County, Kentucky, which lost $415,000 after criminals planted malicious software on the county treasurer's PC. That rogue program allowed the crooks to initiate wire transfers to more than two dozen so-called "money mules," people duped into laundering the money and wiring it to the perpetrators in Ukraine.
...
That same day, news broke that a public school district outside of Pittsburgh, Pa., filed a lawsuit against ESB Bank, a subsidiary of Ellwood City, Pa., based ESB Financial Corp. The Western Beaver School District charges that crooks used malicious software to siphon more than $700,000 from the school's account at ESB. According to the lawsuit, the funds were transferred in 74 separate transactions over a two-day period, to 42 different individuals who had no prior business with the school.
Since then, I heard from the owners of Slack Auto Parts in Gainesville, Ga., which recently was robbed of nearly $75,000. Slack Auto Parts co-owner Henry Slack said that between July 3 and July 7, cyber intruders used malware planted on the controller's Windows PC. From there, they were able to break into the company's bank accounts, create new user accounts at the bank, and then wire nine payments to at least six different money mules around the country.
August: European Cyber-Gangs Target Small U.S. Firms, Group Says
A task force representing the financial industry sent out an alert Friday outlining the problem and urging its members to implement many of the precautions now used to detect consumer bank and credit card fraud.
"In the past six months, financial institutions, security companies, the media and law enforcement agencies are all reporting a significant increase in funds transfer fraud involving the exploitation of valid banking credentials belonging to small and medium sized businesses," the confidential alert says.
...
Avivah Litan, a fraud analyst with Gartner Inc., said few commercial banks have invested in back-end technologies that can detect fraudulent or unusual transaction patterns for businesses.
"The banks spend a lot of money on protecting consumer customers because they owe money if the consumer loses money," Litan said. "But the banks don't spend the same resources on the corporate accounts because they don't have to refund the corporate losses."
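The kind of back-end pattern detection Litan says most commercial banks lack, as an added example (not code from the article or from any bank): a sliding-window screen over constructed transfer records that holds an account when it pays many never-before-seen recipients within two days, the shape of the Bullitt County and Western Beaver cases above. Account names, amounts and the thresholds (more than three first-time recipients in 48 hours) are illustrative assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")

# Constructed sample data (not from the article): recipients each account has
# paid before, and a two-day ledger in which acct-A suddenly pays twelve
# recipients it has never paid, one transfer every 40 minutes.
KNOWN_PAYEES = {("acct-A", "payroll-svc"), ("acct-A", "utility-co"),
                ("acct-B", "parts-supplier")}

LEDGER = [("acct-A", "payroll-svc", 52000.00, _ts("2009-07-06 09:10")),
          ("acct-B", "parts-supplier", 1200.00, _ts("2009-07-06 11:00")),
          ("acct-B", "new-vendor", 8000.00, _ts("2009-07-07 11:00"))]
LEDGER += [("acct-A", f"recipient-{i:02d}", 9400.00 + i,
            _ts("2009-07-07 08:00") + timedelta(minutes=40 * i))
           for i in range(12)]

def screen(ledger, known, window=timedelta(hours=48), max_new_payees=3):
    """Flag accounts paying more than max_new_payees distinct first-time
    recipients inside any rolling window (illustrative thresholds).
    Returns {account: (distinct first-time recipients, summed amount)}
    for the widest window that tripped the rule."""
    firsts = defaultdict(list)
    for acct, payee, amount, when in ledger:
        if (acct, payee) not in known:          # never paid before
            firsts[acct].append((when, payee, amount))
    alerts = {}
    for acct, events in firsts.items():
        events.sort()
        lo = 0
        for hi in range(len(events)):
            while events[hi][0] - events[lo][0] > window:  # slide window start
                lo += 1
            span = events[lo:hi + 1]
            distinct = {payee for _, payee, _ in span}
            if len(distinct) > max_new_payees and \
                    len(distinct) > alerts.get(acct, (0, 0))[0]:
                total = round(sum(amount for _, _, amount in span), 2)
                alerts[acct] = (len(distinct), total)
    return alerts

if __name__ == "__main__":
    for acct, (n, total) in screen(LEDGER, KNOWN_PAYEES).items():
        print(f"{acct}: {n} first-time recipients, ${total:,.2f} within 48h "
              "-> hold batch for out-of-band confirmation")
```

The same rule applied to consumer accounts is routine; the point of the excerpt is that it was rarely applied to business accounts, where the bank did not bear the loss.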
September: More Business Banking Victims Speak Out
David Johnston, owner of Sign Designs, Inc., a Modesto, Calif.-based company that makes and installs electric signs, said his company lost nearly $100,000 on July 23, when crooks used the company's credentials to log in to its online banking account and initiate a series of transfers to 17 accomplices at seven banks around the country.
"Our daily limit on these transactions was $100,000, and [the thieves] took just $47 short of that amount," Johnston said. "What we're looking at really is the bank robber of 2009. They don't use a gun, they have lots of helpers, their [profits] are huge, and the likelihood anyone will catch them seems to be extremely slim."
September: Maine Firm Sues Bank After $588,000 Cyber Heist
According to the complaint, the fraudulent transfers began on Thursday, May 7, when thieves who had hijacked the company's online banking credentials initiated a series of transfers totaling $56,594 to several individuals that had no prior business with Patco. The company alleges that this pattern of fraud continued each day of the following business week, during which time the thieves made additional batches of fraudulent transfers totaling $532,257.
The complaint says the fraud was discovered on May 13, when one of Patco's co-owners went home for the day and found a notice in his mailbox sent from Ocean Bank, stating that several recent transfers had been rejected. The company later determined that the notices were sent only because some of the account numbers to which the perpetrators tried to transfer money turned out to be invalid.
Patco claims that on the morning of May 14, it notified Ocean Bank that the transfers in question were improper, even as another set of fraudulent transfers were going out the door.
"Also that morning, the unknown third parties had initiated a sixth withdrawal of $111,963, and despite Patco's 11:45 a.m. notice of fraudulent activity, the bank did not check the outgoing [transfers] already initiated until it was too late," the complaint alleges.
September: Cyber Gangs Hit Healthcare Providers
Organized cyber thieves that have stolen millions from corporations and schools over the past few months recently defrauded several health care providers, including a number of non-profit organizations that cater to the disabled and the uninsured.
The victims are the latest casualties of an online crime wave being perpetrated against U.S.-based organizations at the hands of cyber thieves thought to be based out of Eastern Europe.
On Sept. 9, crooks stole $30,000 from the Evergreen Children's Association (currently doing business as Kids Co.), a non-profit organization in Seattle that provides on-site childcare for public schools.
Kids Co. chief executive and founder Susan Brown said the attackers tried to send an additional $30,000 batch payment out of the company's account, but that her bank blocked the transfer at her request.
"Now we're in this battle with our bank, because my staff accountant checks the account every day, and we notified the bank before this money was stolen and the transfer still went out," Brown said.
Then last week, criminals targeted Medlink Georgia Inc., a federally qualified, not-for-profit health center that serves the uninsured and under-insured. The thieves stole the user name and password to Medlink's online banking account, and used that access to send more than $44,000 to at least five different "money mules," people wittingly or unknowingly recruited via online job scams to help criminals launder stolen funds. The mules typically are told to wire most of the funds they receive to the criminals abroad (minus a small commission).
If you think about it, the banks' role in online fraud is quite similar to that of the feeder funds who channelled Madoff his $60 billion: the feeder funds made money by taking in the money and did no due diligence on Madoff. The banks are paid on accounts and transfers, so they are incentivized not to perform due diligence, which is why even a medium level of assurance remains a pipe dream in financial systems. What does it say when the FBI director is afraid to do online banking?
October: Phishing Scam Spooked FBI Director Off E-Banking
Not long ago, the head of one of our nation's domestic agencies received an e-mail purporting to be from his bank. It looked perfectly legitimate, and asked him to verify some information. He started to follow the instructions, but then realized this might not be such a good idea. It turned out that he was just a few clicks away from falling into a classic Internet "phishing" scam--"phishing" with a "P-H." This is someone who spends a good deal of his professional life warning others about the perils of cyber crime. Yet he barely caught himself in time. He definitely should have known better. I can say this with certainty, because it was me. After changing all our passwords, I tried to pass the incident off to my wife as a "teachable moment." To which she replied: "It is not my teachable moment. However, it is our money. No more Internet banking for you!" So with that as a backdrop, today I want to talk about the nature of cyber threats, the FBI's role in combating them, and finally, how we can help each other to keep them at bay.
As I have said before, these are not situations that can be fixed by evolutionary progress; we need a revolution in infosec. The systems that usually address similar issues are failing, the media (Krebs aside) is asleep at the switch, and the banks are incentivized (in the short run) not to solve the problems.
The story goes that frogs dropped in boiling water try to jump out immediately, but if you put them in cool water and raise the temperature a little bit at a time, by the time it's boiling they are cooked.
The systems we've built are literally evaporating before our eyes, but like the frog dropped in cool water, we don't notice that everything is subtly getting worse every week. Will we jump out before it reaches boiling?
Here's a snippet from an interview in 2003 with Jaron Lanier:
Q: Aren't bugs just a limitation of human minds?
No, no, they're not. What's the difference between a bug and a variation or an imperfection? If you think about it, if you make a small change to a program, it can result in an enormous change in what the program does. If nature worked that way, the universe would crash all the time. Certainly there wouldn't be any evolution or life. There's something about the way complexity builds up in nature so that if you have a small change, it results in sufficiently small results; it's possible to have incremental evolution. Right now, we have a little bit -- not total -- but a little bit of linearity in the connection between genotype and phenotype, if you want to speak in those terms. But in software, there's a chaotic relationship between the source code (the "genotype") and the observed effects of programs -- what you might call the "phenotype" of a program. And that chaos is really what gets us. I don't know if I'll ever have a good idea about how to fix that. I'm working on some things, but you know, what most concerns me is what amounts to a lack of faith among programmers that the problem can even be addressed. There's been a sort of slumping into complacency over the last couple of decades. More and more, as new generations of programmers come up, there's an acceptance that this is the way things are and will always be. Perhaps that's true. Perhaps there's no avoiding it, but that's not a given. To me, this complacency about bugs is a dark cloud over all programming work.
Complacency about security bugs (and flaws) is a dark cloud over all programming work and over the socioeconomic systems that programs are supposed to support.
Gunnar:
Nicely put. Krebs is doing good stuff, and has demonstrated a capacity to learn that seems rare among today's ink-stained wretches. USA Today's Byron Acohido is pretty good, too. He blogs at http://lastwatchdog.com/
Posted by: Chris Walsh | October 12, 2009 at 12:25 PM