- Details
- Category: Security News
Breach Notification , Compliance , Cybersecurity
Hackers Dump Massive Archive of Internal Files Online
A massive tranche of nearly 10GB of files alleged to be from Sharjah, UAE-based InvestBank appears to have been dumped online by the hacking group "Bozkurtlar" - Turkish for "Gray Wolves" - on May 7. The zip archive released by the attackers appears to contain internal files and sensitive financial documents, including InvestBank customers' data.
The Bozkurtlar hacker or hacking group appears to have Turkish ties, and also claimed credit for a similar data dump on April 26, involving Doha-based Qatar National Bank. In that case, leaked customer data for QNB was quickly posted online by the Cryptome.org whistleblower site (see: Qatar National Bank Suffers Massive Breach).
Following the InvestBank data dump, Information Security Media Group has attempted to reach bank officials for comment, so far without success. But several experts ISMG has contacted are working on verifying the contents of the data dump. Based on their preliminary analysis, the data so far appears to be genuine. The data includes approximately 100,000 payment card numbers - for both MasterCard and Visa-branded cards - as well as bank statements for more than 3,300 InvestBank customers, ATM transaction records, extensive details relating to InvestBank's employees, plus property records, scans of identity documents and assorted other sensitive files. As of press time, the bank's internet banking link also remains offline.
The data dump follows Bozkurtlar having announced on Twitter, following the QNB leak, that it would soon be releasing hacked data from another bank based in the Middle East. Early on May 6, India Standard Time, the group released the InvestBank data into the wild, and tagged Twitter handles for ISMG - amongst other media organizations - to announce the data dump (see: QNB Confirms Leak, Downplays Damage).
@Cryptomeorg @ChaToX @omarbv @APACinfosec @Jason_A_Murdock @d_plusk @simeonkerr Full DB + files from InvestBank UAE https://t.co/wzcRzkhBpC
What's Inside the Data Dump?
The dumped data appears to include a massive amount of information tied to InvestBank's systems, including SQL databases and some backup folders. Speaking on condition of anonymity, one expert who's reviewed the data says it appears to date from 2011 to September 2015.
Customer data included in the leak includes copies of ID documents, photographs of individuals, documents relating to land purchases - such as stamp papers and financials - as well as bank statements and nearly 100,000 credit card numbers, including expiry dates in clear text. Security researchers note, however, that customer credentials such as account passwords and PINs appear to be encrypted.
The dump also contains comprehensive details on InvestBank's IT setup, including clear-text credentials for its production systems and Windows servers, many of which appear to have been using easily guessable vendor default passwords (see Why Are We So Stupid About Passwords?). Screenshots of server settings and diagrams of server and data center layouts have also been found in the dump, in addition to details of VPN setups with the bank's branch offices.
The dump also appears to contain complete details of InvestBank's Oracle FLEXCUBE core banking solution implementation, including costs, deliverables, scope of work, licensing information and the entire database pertaining to InvestBank's FLEXCUBE implementation.
In addition to customer banking data, complete details for InvestBank's employees, including contact numbers, email addresses, mailing address and nationality-related information, and including everyone from the board of directors down to office boys, appear to be in the dump, one expert notes. One security researcher has also independently studied a random sampling of the data relating to Indian employees, and found that the leaked data correlates with information available on those individuals' public-facing social media accounts.
Linked to Previous Leak?
In December 2015, a hacker broke into InvestBank's systems and released records for thousands of customers, after the bank refused to pay the $3 million bitcoin ransom demanded by the attacker, Dubai-based Xpress first reported. While the Xpress piece has since been taken offline, Wired and others have also reported on the InvestBank data leak. But it's not clear to date if the data leaker hacked the bank's systems, or obtained the information in a different manner.
Security experts who have reviewed the data contained in the new leak say they believe it's genuine, but add that there is always the possibility that it may have been compiled from previous data leaks or hack attacks.
@APACinfosec @Cryptomeorg @nitinbhatnagaar data appears legit however likely republished from a separate late-2015 breach
The MasterCard and Visa payment card information in the dump appears to have been issued by an entity other than the bank - namely, Network International LLC - based on a review of the bank identification number attached to the data.
ISMG continues to consult with experts who are analyzing the data and will continue to track and share updates on this developing story. The Bozkurtlar attackers have also posted to Twitter a snapshot of folders - sorted by the countries of the hacked organizations - that they apparently intend to disclose in the near future.
@hackread @aramosf @Jason_A_Murdock @d_plusk @simeonkerr who asked me about the news? take . tomorrow - new pic.twitter.com/OnJmHQFtJg
- Details
- Category: Security News

Israel will reportedly extradite two suspects who were indicted last year for their alleged connection to cyberattacks that breached JPMorgan Chase, Fidelity Investments Ltd., E*Trade Financial and others, as well as fraud schemes against the New Stock Exchange.
Cybersecurity experts say this is the latest example of how cross-border collaboration to bring cybercriminals to justice is improving. "This is a leap forward for Israeli and U.S. relations," says Tom Kellermann, CEO of security firm Strategic Cyber Ventures. "There has been collaboration in the past, but limited."
On May 9, Israeli authorities agreed to extradite Israeli nationals Gery Shalon and Ziv Orenstein, who were arrested in July 2015, to face charges in the U.S. that include wire fraud, document fraud, securities fraud, aggravated identity theft and money laundering, according to The Times of Israel.
The third person indicted in the case last year, U.S. citizen Joshua Samuel Aaron, remains at large.
The Israeli newspaper report does not indicate when the suspects will be extradited. Israel's Justice Ministry did not respond to Information Security Media Group's request for information; and the U.S. Attorney's office in Manhattan, which requested the extradition, said it would only comment once the extraditions are, in fact, in motion.
Cross-Border Cooperation
Cooperating on cases such as this improves relations between the U.S. and other nations, even for countries like Israel that already have strong relationships with the U.S., says financial fraud expert Avivah Litan, an analyst at consultancy Gartner.
"Israel needs to accommodate these types of U.S. requests in order to continue benefiting from being a U.S. ally and 'strategic partner,'" Litan says. "However, it could be drawn out, depending on what Israel is trying to extract in return from the U.S. Otherwise, I think we would have seen some kind of date spoken about with regards to this extradition."
Litan notes that cross-border collaboration has played a significant role in other recent cybercrime cases.
For example, in June 2015, a Turkish man who allegedly masterminded a string of ATM cash-out attacks in the U.S. was extradited from Germany (see Feds Extradite 'Most Wanted' ATM Hacker).
Similar extradition deals have in recent years been struck with authorities in Malaysia, Spain and Holland.
The Scheme
In the scheme involving Shalon, Orenstein and Aaron, the three are believed to have used customer contact information stolen from Chase and other financial firms to run spam campaigns that fueled demand for the publicly traded stocks they owned. While the indictment for the scheme does not mention this alleged connection, Bloomberg reported last year that an unnamed person familiar with the investigation said authorities suspected the Chase breach and others were connected to the scheme.
Between 2012 and 2015, Shalon, Orenstein and Aaron allegedly ran a pump-and-dump stock scheme that artificially inflated or "pumped" the prices of penny stocks they owned just before they turned around and "dumped" the stocks, netting them at least $2.8 million in illegal profits, according to the 11-count indictment filed against them last summer by the Manhattan U.S. Attorney's office.
The indictment accuses the suspects of using a variety of false identities to open bank and brokerage accounts in the United States, and operating a network of shell companies registered in the United Kingdom, British Virgin Islands and Cyprus. "Aaron acted as the scheme's 'front-man,' communicating with U.S.-based co-conspirators and others at the direction of Gery Shalon," according to the indictment. It says those co-conspirators, who were not named in the indictment, were based in New Jersey and Florida.
"As alleged, the defendants manipulated trading in U.S. securities from overseas, using fake identities to funnel millions of dollars in unlawful proceeds through a web of international shell companies," Manhattan U.S. Attorney Preet Bharara noted in a July 2015 statement. "Using false and misleading spam emails sent to millions of people, these defendants allegedly directed their pump-and-dump scheme from their computers halfway around the world."
In a second indictment announced last November, Shalon, Orenstein and Aaron were accused of being linked to cyberattacks that affected Chase and 11 other U.S. banks and financial services firms (see Charges Announced in JP Morgan Chase Hack). The Chase breach resulted in the compromise of contact information, including names, addresses, phone numbers and email addresses linked to 76 million households and 7 million small businesses (see Report: Spammers Tied To JPMorgan Chase Hack).
Chase declined to comment about this most recent news related to Shalon and Orenstein's reported extradition. E*Trade and Fidelity Investments did not respond to Information Security Media Group's request for comment.
- Details
- Category: Security News
DDoS , Risk Management , Technology
Georgia Tech Developing Process for Fighting Low-Volume Attacks
The distributed denial-of-service attacks that grab headlines often employ botnets that flood targeted servers with an overwhelming number of packets that deplete systems resources and render a website inaccessible.
But low-volume DDoS attacks, which are far more common and often go unnoticed, can often be just as disruptive. These attacks use less bandwidth, are often shorter in duration and may be designed to distract a security team from the aftershocks of follow-on attacks. Sometimes low-level DDoS attacks are launched through a single computer - not requiring a botnet - and are imperceptible.
Help in battling these low-volume attacks may be on the way. The U.S. military's Defense Advanced Research Projects Agency, as part of its Extreme DDoS Defense program, has awarded researchers at Georgia Institute of Technology's College of Computing a $2.9 million grant to develop a process to identify and defend against these attacks.
DDoS Attacks Unnoticed
Organizations targeted by low-volume DDoS attacks often "aren't even aware that their sites are being attacked, because the attacks can be perceived as only annoying 'noise' in the IT background," Dave Larson, chief operating officer at Corero, a provider of DDoS protection solutions, writes in a blog. "The attacks are not large enough to get the attention of IT security staff."
A low-level DDoS attack "drags down a network's speed, and in a carrier network they can be supersaturating to a small customer downstream," Larson explains. "More importantly, low-level DDoS attacks often serve as a smokescreen for a more damaging attack."
Trent Brunson, Georgia Tech Research Institute research scientist, explains the workings of a common type of low-level DDoS attack, known as 'Slowloris.'
A survey by the information security research firm Neustar published earlier this year found that 54 percent of DDoS attacks were relatively small, at less than 5 Gbps, yet 43 percent of all DDoS attacks leave behind malware.
Resolving a 25-Year-Old Problem
The goal of Georgia Tech researchers is to create a precise and timely detection method that identifies low-volume DDoS attacks by how they subtly change the resource consumption of a computer.
"This has been a 25-year problem with no practical solution," says Georgia Tech Assistant Professor Taesoo Kim, lead principal investigator for the study.
The researchers say they believe they can devise a method to mitigate the threat, with little to no degradation of system performance, and write a new signature for it inside the hardware within 10 seconds so a network interface card would recognize it again. "This effectively puts an anti-virus patch into your hardware in real time," Kim says.
Researchers involved in Georgia Tech's ROKI project say they initially will establish a baseline of resource consumption. Next, they'll develop continuous analysis algorithms to compare a packet's effect on system performance against historical consumption under similar scenarios. Then, they hope to demonstrate a new path-reconstruction engine that will produce a sequence of instructions to nullify an attack and encode the finding into the network interface card to stop current and future attack traffic.
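The two steps just described - learn a baseline of resource consumption, then continuously compare each interval against it - are easy to picture in code. The following is an added illustration, not Georgia Tech's ROKI code: the `Sample` fields (packets per interval and handler busy time), the 3-sigma rule and the traffic figures are all constructed for the example. It measures per-packet resource cost alongside raw packet volume, so a Slowloris-style interval that keeps packet counts normal while holding server workers busy stands out even though a volume-only check would miss it.

```python
"""Baseline-then-deviation detection for low-volume DDoS.

Added illustration of the approach described above (baseline resource
consumption, then continuous comparison); this is not Georgia Tech's ROKI
code, and the Sample fields and the 3-sigma rule are assumptions.
"""
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Sample:
    """One measurement interval on a server."""
    packets: int            # packets received during the interval
    worker_seconds: float   # total time request handlers stayed busy

    @property
    def cost_per_packet(self) -> float:
        # Resource consumed per packet: the signal a low-volume attack
        # (e.g. connections held open) moves even when volume does not.
        return self.worker_seconds / self.packets if self.packets else 0.0


class BaselineDetector:
    """Learns normal consumption, then flags intervals that deviate."""

    def __init__(self, threshold_sigma: float = 3.0) -> None:
        self.threshold_sigma = threshold_sigma
        self._volume: Optional[Tuple[float, float]] = None   # (mean, stdev)
        self._cost: Optional[Tuple[float, float]] = None

    def learn(self, samples: List[Sample]) -> None:
        """Step 1: establish the baseline from known-good intervals."""
        packets = [float(s.packets) for s in samples]
        costs = [s.cost_per_packet for s in samples]
        self._volume = (mean(packets), pstdev(packets))
        self._cost = (mean(costs), pstdev(costs))

    @staticmethod
    def _z(value: float, stats: Tuple[float, float]) -> float:
        mu, sigma = stats
        if sigma == 0.0:
            return 0.0 if value == mu else float("inf")
        return (value - mu) / sigma

    def assess(self, sample: Sample) -> Dict[str, object]:
        """Step 2: compare one interval's effect against the baseline."""
        if self._volume is None or self._cost is None:
            raise RuntimeError("call learn() before assess()")
        z_volume = self._z(sample.packets, self._volume)
        z_cost = self._z(sample.cost_per_packet, self._cost)
        return {
            "volume_anomaly": z_volume > self.threshold_sigma,
            "resource_anomaly": z_cost > self.threshold_sigma,
            "z_volume": round(z_volume, 2),
            "z_cost": round(z_cost, 2),
        }


def constructed_baseline() -> List[Sample]:
    """Constructed normal traffic: ~1,000 packets per interval costing
    ~0.02 worker-seconds each, with small deterministic jitter."""
    samples = []
    for i in range(60):
        packets = 970 + (i % 7) * 10
        jitter = (i % 5) * 0.1 - 0.2
        samples.append(Sample(packets, packets * 0.02 + jitter))
    return samples


def demo() -> Dict[str, Dict[str, object]]:
    """Assess two constructed attack intervals against the baseline."""
    detector = BaselineDetector()
    detector.learn(constructed_baseline())
    return {
        # Same packet count as normal, but handlers held busy ~3x longer.
        "low_volume": detector.assess(Sample(1010, 60.0)),
        # Classic flood: five times the packets at the normal per-packet cost.
        "volumetric": detector.assess(Sample(5000, 100.0)),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```

Running it shows the low-volume interval flagged on `resource_anomaly` only and the flood flagged on `volume_anomaly` only, which is the distinction the researchers are after: the defender does not need a signature for the attack, only a baseline it deviates from. The article's third step, turning such a finding into a rule pushed to the network card, is hardware-specific and not modelled here.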
Achieving Timeliness and Precision
Wenke Lee, co-director of Georgia Tech's Institute for Information Security and Privacy, says ROKI has the potential to achieve timeliness and precision in mitigating DDoS threats. "We don't need to know what an attack looks like, just that it deviates from the baseline," he says. "Existing defenses against low-volume DDoS attacks lack precision and they cannot create a response in a timely manner. This will."
Georgia Tech researchers say they intend to deliver a prototype to demonstrate their core idea by fall 2017. The project is expected to be completed in 2019, when field exercises to demonstrate methods to mitigate previously unknown DDoS attacks should occur.
- Details
- Category: Security News

Data purportedly belonging to five South Asian banks was apparently posted online May 10 by the Turkish hacking group Bozkurtlar that recently also leaked data tied to Qatar National Bank and UAE's InvestBank.
The latest banks whose data has been posted online include the Dutch Bangla Bank, The City Bank and Trust Bank, all based in Dhaka, Bangladesh; and two Nepalese banks, Business Universal Development Bank and Sanima Bank, both based in Kathmandu, Nepal.
Links to the file archives containing data from all the banks have been posted from a Twitter account supposedly operated by Turkish hacking group "Bozkurtlar" - or "Grey Wolves." The group appears to be making good on its threat to release data from more Asian banks - an indication that more such disclosures may be expected in the region in the near future.
Analyzing the Data
The latest targeted banks have not replied to a request for comment from Information Security Media Group. Several security experts who have been following Bozkurtlar say that while the data in the newest leak appears genuine, the volume of data from these five banks is relatively small compared to the massive QNB and InvestBank dumps.
The file archives posted were 251 MB for Business Universal Development Bank, 47 MB for Sanima Bank, 11.2 MB for The City Bank, and 312 KB and 95 KB for Dutch Bangla Bank and Trust Bank, respectively.
The scope of the data varies widely. But preliminary analysis, researchers say, shows that each of the zip files contains at least some customer information or account credentials.
Security engineer and RootedCON conference organizer Omar Benbouazza tells ISMG that his analysis of the data points to a webshell upload being used at Sanima Bank and the Dutch Bangla Bank, as was the case with the Qatar National Bank. A webshell is a piece of code uploaded to a server or computer that allows attackers to gain access, escalate privileges to admin/root and control the entire system. It can also be used to extract all of the information stored on the system.
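A webshell of the kind described above has to be reached over HTTP, so it usually leaves traces in the web server's access log. The script below is an added example, not from the article or the researchers it cites; it assumes Apache/Nginx combined log format and two simple heuristics (server-side script files executed from directories that should only hold static uploads, and POST requests to script paths that are not among the application's known endpoints). The log lines and the endpoint list are constructed for the example.

```python
"""Webshell indicators from web server access logs.

Added example (not from the article or the researchers it cites). It assumes
Apache/Nginx combined log format and two heuristics: server-side script files
executed from directories that should hold only uploaded static content, and
POST requests to script paths absent from the application's known endpoints.
The log lines and endpoint list are constructed for the example.
"""
import re
from typing import Dict, Iterable, List, Optional, Set

# Combined log format: ip ident user [time] "METHOD path PROTO" status bytes
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+'
)
SCRIPT_EXTENSIONS = (".php", ".jsp", ".jspx", ".asp", ".aspx", ".cgi")
UPLOAD_DIRS = ("/uploads/", "/files/", "/images/", "/attachments/")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one combined-format line; return None for malformed lines."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_webshell_indicators(lines: Iterable[str],
                             known_endpoints: Set[str]) -> List[Dict[str, str]]:
    """Return one alert per request that matches a webshell heuristic."""
    alerts: List[Dict[str, str]] = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        path = entry["path"].split("?", 1)[0].lower()
        if not path.endswith(SCRIPT_EXTENSIONS):
            continue  # static content is never executed server-side
        if any(d in path for d in UPLOAD_DIRS):
            reason = "script executed from upload directory"
        elif entry["method"] == "POST" and path not in known_endpoints:
            reason = "POST to script outside known endpoints"
        else:
            continue
        alerts.append({
            "ip": entry["ip"],
            "time": entry["ts"],
            "method": entry["method"],
            "path": path,
            "reason": reason,
        })
    return alerts


# Constructed sample: normal application traffic plus two suspicious files.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/May/2016:08:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120',
    '198.51.100.7 - - [10/May/2016:08:00:05 +0000] "POST /login.php HTTP/1.1" 302 0',
    '198.51.100.7 - - [10/May/2016:08:00:09 +0000] "GET /uploads/statement.pdf HTTP/1.1" 200 88211',
    '203.0.113.25 - - [10/May/2016:08:01:12 +0000] "GET /uploads/avatar.php HTTP/1.1" 200 611',
    '203.0.113.25 - - [10/May/2016:08:01:20 +0000] "POST /uploads/avatar.php HTTP/1.1" 200 4032',
    '203.0.113.25 - - [10/May/2016:08:02:44 +0000] "POST /admin/tmp.php HTTP/1.1" 200 1297',
    'garbage line that does not parse',
]
# Constructed: the script paths the application legitimately serves.
KNOWN_ENDPOINTS = {"/index.php", "/login.php", "/admin/index.php"}


def demo() -> List[Dict[str, str]]:
    return find_webshell_indicators(SAMPLE_LOG, KNOWN_ENDPOINTS)


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

The first heuristic is the stronger one and is also the easier fix: a web server configured to refuse script execution under upload directories removes the class of incident the researcher describes. The second heuristic needs a maintained endpoint inventory and will produce noise on applications that create script files dynamically, so it is better treated as a triage signal than a hard alert.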
A primary researcher in this case, who requested anonymity, says that the data posted for each of the banks appears to be old - the most recent, from The City Bank, dates to August 2015. This, he says, raises the question of whether the leaks are the result of recent breaches, as claimed by Bozkurtlar, or whether the group has simply aggregated data from older incidents and posted it.
In a statement shared with ISMG, InvestBank says the data tied to the bank is from a breach in December 2015. "No new hack has happened, as claimed by these attackers," InvestBank says.
Content of Latest Leaks
The researcher who asked not to be named says that while the latest postings do not seem as significant as the previous two disclosures, there are still elements that should be of concern. No credit card numbers are present in the latest data dump, unlike the QNB and InvestBank leaks, he says. Taking each bank's data individually, he has attempted to verify its authenticity.
His analysis of the data reveals the following:
- Dutch Bangla Bank - Dhaka, Bangladesh: This 312 KB archive appears to contain records of customer banking transactions - either physical or internet banking. The researcher says that using admin credentials found in clear text in the dump, he was able to gain access from the public internet to the bank's ATM transaction analyzer for research purposes. The username/password appear to be very simple or default, he explains. "The website of Dutch Bangla bank appears to contain vulnerabilities and could have been the point of penetration to the internal servers or files."
- Trust Bank - Dhaka, Bangladesh: The smallest archive, at 96 KB, contains two spreadsheets that, among other things, contain user ID, email, username and encrypted passwords. The latest file is from June 2015.
- The City Bank - Dhaka, Bangladesh: This 11.2 MB dump has a single spreadsheet, which appears to contain the personal information of at least 1 million bank customers. Details include: full name, father's name, mother's name, date of birth, age, mailing address, contact number, permanent address and email. The most recent data is from August 2015.
- Sanima Bank - Kathmandu, Nepal: This 47 MB archive contains a spreadsheet with customer information that includes name and account balance, with current withdrawal and deposit details for the account. The most recent data is from February 2015. The bank's website appears to have been recently upgraded to enhance security, according to a message on the site, which asks users to change their passwords. An April 21, 2015 op-ed column in the online edition of the Kathmandu Post newspaper refers to fraud having taken place at Sanima Bank, although no other mention of the fraud is available on the site.
- BUD Bank - Kathmandu, Nepal: The largest of the archives released by Bozkurtlar hackers on May 10, the 251 MB file appears to contain email communication of senior management and managers in Microsoft Outlook format. The data also contains phone-banking customer details, including phone number, username, encrypted password and customer ID. The most recent data is from January 2015.
InvestBank Denies New Hack Took Place
InvestBank stressed in a statement provided to ISMG on May 10 that no new hack has taken place this year. "This is the same set of old data [from a previous incident] that has been released again for unknown reasons," the bank says. "We have not been contacted by anyone, [and are] unable to speculate on the motives or confirm whether or not it is the same group."
InvestBank, which acknowledges that it suffered a data breach last December, says that publishing the data - and the ensuing media attention - has had a negative impact on its business. The bank declined to provide further details about the breach.
Sources at the bank tell ISMG that after the 2015 breach, the bank underwent a complete forensic analysis by federal agencies and private investigators, following which reports were submitted to the regulator and steps were taken to harden security. Threat intelligence firm iSight Partners has also published analysis suggesting that the recent leak - perpetrated by actors using the names "Bozkurt Hackers" and "AntiQNB" - appears to correlate with the 2015 InvestBank leak.
"This new claimed leak of InvestBank data seems to corroborate our previous suggestion that there may be a link between these actors and 'Hacker Buba,' who leaked data from InvestBank in ... 2015," it says in a research note.
But one researcher analyzing the May 7 data dump claims the InvestBank data does not extend beyond October 2015. The data dump appears to have been taken from a single system, possibly belonging to the database administrator at InvestBank, whose details have been found in a personal folder with the dump, the researcher says. InvestBank declined to comment on the idea.
- Details
- Category: Security News

Two federal agencies have launched security investigations of mobile device makers and wireless carriers, citing growing concerns over vulnerabilities that threaten "the security and integrity" of these products and services. In particular, the regulators say they are examining how security patches are distributed.
In a May 9 statement, the Federal Trade Commission says it issued orders to eight mobile device manufacturers "requiring them to provide the agency with information about how they issue security updates to address vulnerabilities in smartphones, tablets, and other mobile devices."
The FTC says it issued the orders to Apple, Blackberry, Google, HTC America, LG Electronics USA, Microsoft Corp., Motorola Mobility and Samsung Electronics America.
Similarly, the Federal Communications Commission issued a statement saying it "sent a letter to mobile carriers asking questions about their processes for reviewing and releasing security updates for mobile devices."
The FCC says it has sent its inquiries to six mobile carriers: AT&T, Verizon, Sprint, T-Mobile, US Cellular, and Tracfone. Because these carriers represent the majority of U.S. wireless service, they can provide the commission with information that applies to most mobile devices, the FCC says.
"As consumers and businesses turn to mobile broadband to conduct ever more of their daily activities, the safety of their communications and other personal information is directly related to the security of the devices they use," the FCC says.
A growing number of vulnerabilities have been associated with mobile operating systems that threaten the security and integrity of a user's device, the FCC notes, including "Stagefright" in the Android operating system, which may affect almost 1 billion Android devices globally.
"Consumers may be left unprotected, for long periods of time or even indefinitely, by any delays in patching vulnerabilities once they are discovered," the FCC says.
The FCC asserts that while operating system providers, original equipment manufacturers and mobile service providers have responded to address vulnerabilities as they arise, "there are, however, significant delays in delivering patches to actual devices - and older devices may never be patched."
FCC Questions
The FCC is giving the carriers 45 days to respond to a number of questions, including:
- Does the carrier face issues or hurdles in releasing security updates for operating systems to consumers?
- Do any mobile devices on the carrier's network run an operating system that is modified for or is unique to the carrier? And if so, what percent of the devices on the carrier's network do those operating systems represent? For those operating systems, is the carrier responsible for developing and providing security updates? Does the carrier face any additional issues or hurdles in releasing security updates for such OS to consumers?
- Does the carrier face particular issues or hurdles in getting consumers to install updates for either a modified OS or required software on mobile devices as they are made available?
- Could unpatched, non-updated devices on the carrier's network impact or harm the functionality of that network or carriers' ability to provide effective service?
FTC's Inquiry
In the FTC's inquiries sent to the mobile device makers, the commission is asking for information that includes:
- The factors that they consider in deciding whether to patch a vulnerability on a particular mobile device;
- Detailed data on the specific mobile devices they have offered for sale to consumers since August 2013;
- The vulnerabilities that have affected those devices; and
- Whether and when the company patched such vulnerabilities.
"The commission is seeking to compile data concerning policies, procedures and practices for providing security updates to mobile devices offered by unnamed persons, partnerships, corporations, or others in the U.S.," the FTC writes.