Of Skimmers & Scumbags

A skimming device came off in the hands of a Bank of America customer when she tried to use her debit card at an ATM recently, police said.  The man who had planted the credential stealing device appeared and asked for it back.  The woman refused to return the card and growled at the man who fled.

Sixth Precinct police are seeking two male suspects in connection with the  incident. The first is about 40, stands 5 feet 10 inches tall, and weighs 170  pounds. The second male is about 30, stands 5 feet 8 inches tall, and weighs 160  pounds, police said.

The two suspects face felony forgery charges and up to 15 years in  prison.  I wouldn’t advise anyone to do this, but that 23 year old woman sure has moxxy.  I hope the bank rewards her for her valiant stance.  DNAinfo

The reason that I don’t advise people to take this kind of action?  Read the article just published in The Compliance Exchange blog about Aaron Hand, already convicted in a $100 million mortgage-fraud scheme and serving a sentence of eight years and four months to 25 years.  He was sentenced to 8 – 16 more for plotting to have a key witness in his case killed.

Please remember that these guys mean business, and that there is more than just your current balance at stake.  These guys are all in it for the big money payoff.  If you find yourself involved in a confrontation or an investigation, a little paranoia is healthy, and caution is not cowardice, in my humble opinion.

2011 PCI Breach Research

There is a very good article regarding research into 2011 breach statistics by Trustwave over at InfoWorld Security Central.  A great source for much IT & Security information, by the way.  According to the article, hackers infiltrated 312 businesses making off with customer payment-card information.  Their primary access point was through 3rd-party vendor remote-access apps, or VPNs setup for remote systems maintenance.  Seventy six percent!  These external ingress paths introduced security deficiencies that were exploited by attackers.

The vast majority of the 312 companies were retailers, restaurants or hotels, and they came to Trustwave for incident response help after one of the payment-card organizations traced stolen cards back to their businesses, demanding a forensics investigation within a matter of days.  Only 16% of the 312 companies detected the breach on their own!

The businesses hit claimed to be compliant with Payment Card Industry (PCI) security standards, when in reality there were gaps.  The remote-access provisions were poorly protected by simple, re-used, shared, and seldom changed passwords.

I will leave the most scary statistics, how long the attackers were able to maintain their ownership of the networks in these cases, for you to seek out yourself on the second page of the article.  It is not a happy number!

The lesson to take away from this article is, PCI compliance is the bare minimum that an organization should do, and DOES NOT equate to comprehensive security.  A PCI-DSS pass score does not ensure actual compliance either.  It is a good starting point to ensure that the bare minimum, common sense, security controls are implemented at a single point of time, but good security practices must spread out from the center.  If your security efforts don’t include other servers and the workstations that access them AND the Internet, you are not managing security, you are faking it for compliance sake.  Russian roullette with a fully loaded gun.

pcAnywhere Source Posted

According to the Register, hacktivists affiliated with Anonymous have uploaded what they claim is the source code of Symantec’s pcAnywhere software today, after negotiations broke down with a federal agent posing as a Symantec employee.  Symantec confirmed that it had turned the case over to the Feds as soon as the hackers made contact.

According to the article, the release of the 1.27GB file coincides with the breakdown of the “negotiations” – which the group has now published on Pastebin – that took place between “Symantec” and the spokesperson of hacker group Lords of Dharmaraja, an Indian hacking crew affiliated with Anonymous.

Catch the details in the original article.  Beware downloading anything purporting to be a source code cache.  These things are tracked by the vendor, law enforcement agencies, and others, and are most often laced with some type of malicious software.  Stories like this are news-worthy, generating a lot of interest, and anything that generates conversation and controversy is fair game for miscreants.  And what better way to get their hooks into your computer than to offer you something enticing, like a peak at some commercial source code?

Adobe Sandboxes Flash in Firefox

I am happy to post that Adobe has released beta code for sandboxing Flash content within Firefox.  Sandboxing is an excellent way to isolate ancillary code from the operating system and other applications.  I have been using it for years to keep my browser and its myriad vulnerabilities isolated after experimenting with it in malware analysis.  It just makes sense to contain the raft of cruft that tends to come in from an uncontroled, but necessary network, like the Internet.

It is not a foolproof method for containing all malware or avoiding malicious content, but it cuts down significantly on the impact of what mal-content can do by restricting its reach, and it increases the cost, package size, and effort required on the part of the bad guys to get through an additional layer of defense.  Every defensive layer that they have to identify and circumvent presents another opportunity to discover and analyze their attack code…

Adobe used elements of Google’s Chrome sandboxing technology in its Reader code after a flurry of vulnerability announcements and high profile attacks targeting the application.  Adobe says that since its launch in November 2010, they have not seen a single successful exploit in the wild against Adobe Reader X, where they initially offered sandboxing technology.

The new code currently supports Firefox 4.0 or later running on Windows 7 or Vista.  Adobe promises wider browser protection soon.  More details will be given at the CanSecWest security conference in Vancouver, BC next month.  I sure would like to attend this conference.  Maybe I will meet some of you there?!

UPDATE:  ComputerWorld reports that IE is next on Adobe’s list to “sandbox” its popular Flash Player within browsers, Adobe’s head of security said today.