NEWS
Editorial Office: Elsevier Ltd, The Boulevard, Langford Lane, Kidlington, Oxford, OX5 1GB, United Kingdom. Tel: +44 (0)1865 843695, Fax: +44 (0)1865 843933, E-mail: [email protected], Web: www.computerfraudandsecurity.com

Editor: Danny Bradbury, E-mail: [email protected]

Editorial Advisors: Silvano Ongetta, Italy; Chris Amery, UK; Jan Eloff, South Africa; Hans Gliss, Germany; David Herson, UK; P. Kraaibeek, Germany; Wayne Madsen, Virginia, USA; Belden Menkus, Tennessee, USA; Bill Murray, Connecticut, USA; Donn B. Parker, California, USA; Peter Sommer, UK; Mark Tantam, UK; Peter Thingsted, Denmark; Hank Wolfe, New Zealand; Charles Cresson Wood, USA; Bill J. Caelli, Australia

Production Editor: Lin Lucas

Subscription Information: An annual subscription to Computer Fraud & Security includes 12 printed issues and online access for up to 5 users. Prices: 1017 for all European countries & Iran; US$1104 for all countries except Europe and Japan; ¥135 300 for Japan (prices valid until 31 December 2008). To subscribe send payment to the address above. Tel: +44 (0)1865 843687, Fax: +44 (0)1865 843933, E-mail: [email protected], or via www.computerfraudandsecurity.com. Subscriptions run for 12 months, from the date payment is received. Periodicals postage is paid at Rahway, NJ 07065, USA. Postmaster send all USA address corrections to: Computer Fraud & Security, 365 Blair Road, Avenel, NJ 07001, USA.

Permissions may be sought directly from Elsevier Global Rights Department, PO Box 800, Oxford OX5 1DX, UK; phone: +44 1865 843830, fax: +44 1865 853333, e-mail: [email protected]. You may also contact Global Rights directly through Elsevier’s home page (www.elsevier.com), selecting first ‘Support & contact’, then ‘Copyright & permission’. In the USA, users may clear permissions and make payments through the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, USA; phone: +1 978 750 8400, fax: +1 978 750 4744, and in the UK through the Copyright Licensing Agency Rapid Clearance Service (CLARCS), 90 Tottenham Court Road, London W1P 0LP, UK; phone: +44 (0)20 7631 5555; fax: +44 (0)20 7631 5500. Other countries may have a local reprographic rights agency for payments.

Derivative Works: Subscribers may reproduce tables of contents or prepare lists of articles including abstracts for internal circulation within their institutions. Permission of the Publisher is required for resale or distribution outside the institution. Permission of the Publisher is required for all other derivative works, including compilations and translations.

Electronic Storage or Usage: Permission of the Publisher is required to store or use electronically any material contained in this journal, including any article or part of an article. Except as outlined above, no part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without prior written permission of the Publisher. Address permissions requests to: Elsevier Science Global Rights Department, at the mail, fax and e-mail addresses noted above.

Notice: No responsibility is assumed by the Publisher for any injury and/or damage to persons or property as a matter of products liability, negligence or otherwise, or from any use or operation of any methods, products, instructions or ideas contained in the material herein. Because of rapid advances in the medical sciences, in particular, independent verification of diagnoses and drug dosages should be made. Although all advertising material is expected to conform to ethical (medical) standards, inclusion in this publication does not constitute a guarantee or endorsement of the quality or value of such product or of the claims made of it by its manufacturer.
Computer Fraud & Security
Editorial

What’s up with Microsoft?

At Black Hat US this year, the firm announced three new programmes. Starting in October, its Microsoft Active Protections Program (MAPP) will give other security vendors early access to upcoming vulnerability information about Microsoft products, and the Exploitability Index scores vulnerabilities on how likely they are to be exploited. The Microsoft Vulnerability Research (MSVR) initiative formalises an arrangement in which the firm advises third parties of security flaws in their products (which it often finds during its own vulnerability research).

This isn’t the Microsoft that people used to know and hate. The old Microsoft was more insular, and less responsive. But following its Trustworthy Computing Initiative, which started after the now famous Gates memo in 2002, things have been changing. The firm is preaching ‘community security’ these days, and is focusing on inclusiveness.

This approach came at a good time. Dan Kaminsky’s discovery of a major DNS flaw (see news article on page 3) called for a massive collaboration between multiple parties to get it fixed. A large collection of ISPs and vendors were involved in the fix, which was still only partially successful (many people at the time of writing still hadn’t patched). It required silence among all those involved, which bought the industry a couple of weeks to fix the flaw before exploit code leaked.

Vendors and researchers have worked with competitors before, of course, but these developments seem to push the envelope. Are we looking at a new era of cohesion in the security research community? What will this look like? The formation of the Industry Consortium for the Advancement of Security on the Internet (ICASI) gives us some clue. The organisation, formed at the end of June by a series of industry heavyweights including Microsoft, set out to foster more industry co-operation when addressing security challenges. As threats become more complex and pervasive, it’s a step in the right direction.

Danny Bradbury

Continued from front page...

Three Ukrainians were indicted in the case: Dzmitry Burak, Sergey Storchak, and Maksym Yastremskiy. Aleksandr Suvorov of Estonia and Sargey Pavlovich of Belarus were also charged, as were Hung-Ming Chiu and Zhi Zhi Wang of China. Another participant known only by the nickname ‘Delpiero’ was also charged. Christopher Scott and Damon Patrick Torey of Miami were also a subject of the investigation, along with the other US resident, former Secret Service informant Albert Gonzalez of Miami. He had already been arrested by the Secret Service in 2003 for access device fraud. He faces life imprisonment if all charges stick.

The team collected customer card data using the malware planted on retail computers via the wireless networks. The data was then stored on encrypted servers in eastern Europe and the US, and the numbers sold to criminal networks. Numbers were encoded to forged bank cards and then used at ATMs.

“Businesses should see this as a clear reminder that with increasing electronic use of customer data they must ensure they use, store and discard it safely following the principles set out by the Payment Card Industry (PCI) and the Data Protection Act,” said Greg Day, security analyst at McAfee.
August 2008

Countrywide employee arrested

A Bank of America subsidiary responsible for subprime mortgage loans lost roughly two million customer records to a data fraudster after data was copied to a thumb drive and sold to third parties, according to an FBI affidavit.

Rene L Rebollo Jr, a senior financial analyst for Countrywide Home Loan’s subprime mortgage division, called Full Spectrum Lending, was arrested for stealing the data. He is said to have sold home loan company names, social security and telephone numbers, and other client records to third parties with the help of an associate. The FBI affidavit suggests that security features designed to stop data being copied to USB keys had been inadequately implemented. “One computer that Rebollo had access to did not contain the Countrywide Home Loan Security features that disable flash drive access,” said the document. “Rebollo took advantage of the unsecured computer and used it to download and save the Countrywide Home Loan data to a flash drive.”

Rebollo told FBI operatives that he downloaded 20 000 customer profiles each week to thumb drives for approximately two years. Each week’s files would sell for US$500, making him between US$50 000 and US$70 000 in total. He also harvested particular types of account detail to order, according to the FBI document. Files were mailed from his home computer, in addition to a computer at a local Kinko’s.
Internet scrambles to fix major DNS flaw

A security researcher unveiled details of a fundamental flaw in the design of the Internet’s Domain Name Service (DNS) software this month, and warned that more efforts were needed to fix it.

Speaking at the Black Hat security conference in Las Vegas, Dan Kaminsky described a bug in which DNS nameservers could be arbitrarily poisoned, forcing computers to visit the wrong servers when looking for web addresses online. The bug, which Kaminsky said was a basic flaw in the design of the 25-year-old DNS system, could be effectively used to do everything from rerouting browser requests to malicious pages, through to invisibly intercepting and altering email in transit. DNS poisoning isn’t new, but this latest attack made it much easier for malicious parties to convince computers that they were talking to one server when they were in fact talking to another at a different address.

At the time of writing, DNS poisoning attacks had already been identified in the wild. Hacker HD Moore said that his company BreakingPoint found requests for Google pages rerouted to a different server when using the nameserver at AT&T’s Houston facility.

Kaminsky had worked with vendors, ISPs and US-CERT on a huge effort to try to patch the flaw. When he released the full details in early August, 30% of organisations using a tool on his site to check their status were still vulnerable to the flaw, he said. Kaminsky recommended that IT departments consider the serviceability of the products that they purchase in the future. “You should have a service level agreement with your vendors regarding how long between a bug being found and you getting the patch. That’s something you should be willing to pay for,” he said.
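The status check the article refers to comes down to one question: do a resolver’s outbound queries use unpredictable UDP source ports and transaction IDs? Randomising the source port was the mitigation vendors shipped for this flaw, so a resolver that keeps a fixed or sequential port is the one still exposed. The Python below is an added example, not the article’s or Kaminsky’s own tool; it rates a constructed sample of (source port, transaction ID) pairs observed from a resolver, and the POOR/FAIR/GOOD thresholds are my own assumption.

```python
"""Rate how well a DNS resolver randomises its outbound queries.
Added example, not from the article. The fix rolled out for the 2008 Kaminsky
flaw randomised the UDP source port of each query on top of the 16-bit
transaction ID, so a status check asks: is either value fixed or predictable?
"""
import math
from collections import Counter

def entropy_bits(values):
    """Shannon entropy in bits of the observed value distribution."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())

def is_sequential(values):
    """True when every consecutive pair differs by the same 16-bit step."""
    steps = {(b - a) & 0xFFFF for a, b in zip(values, values[1:])}
    return len(steps) == 1

def rate_resolver(samples):
    """(src_port, txid) pairs from successive queries -> (verdict, stats).
    POOR: fixed or sequential port or ID, which is what made poisoning cheap.
    FAIR: ports vary but come from too small a pool. GOOD: both look random.
    Thresholds are an assumption for illustration, not a published standard."""
    if len(samples) < 2:
        raise ValueError("need at least two queries to judge randomness")
    ports, txids = [p for p, _ in samples], [t for _, t in samples]
    stats = {"distinct_ports": len(set(ports)),
             "port_entropy": round(entropy_bits(ports), 2),
             "port_sequential": is_sequential(ports),
             "txid_sequential": is_sequential(txids)}
    if stats["distinct_ports"] == 1 or stats["port_sequential"] or stats["txid_sequential"]:
        return "POOR", stats
    if stats["port_entropy"] < 0.8 * math.log2(len(samples)):
        return "FAIR", stats
    return "GOOD", stats

# Constructed observations (not captured traffic) for four resolver behaviours.
RANDOM_PORTS = [50213, 33871, 61002, 40456, 57730, 35119, 62417, 44890, 52306, 38764, 59951, 47102]
RANDOM_IDS = [0x1A2B, 0x7C3D, 0x0E5F, 0xB471, 0x2983, 0xD5A5, 0x41B7, 0x9EC9, 0x6FDB, 0x03ED, 0xC8FF, 0x5711]
SAMPLES = {
    "unpatched_fixed_port": list(zip([32768] * 12, RANDOM_IDS)),
    "sequential_txid": list(zip(RANDOM_PORTS, range(0x1000, 0x100C))),
    "small_port_pool": list(zip([1024, 1025, 1026, 1027] * 3, RANDOM_IDS)),
    "patched": list(zip(RANDOM_PORTS, RANDOM_IDS)),
}

def rate_all(samples=SAMPLES):
    """Verdict per resolver name, e.g. {'patched': 'GOOD', ...}."""
    return {name: rate_resolver(obs)[0] for name, obs in samples.items()}
```

On real traffic the pairs would come from a capture of the resolver’s own upstream queries; a dozen samples is the minimum that makes the entropy comparison meaningful.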
McKinnon loses court appeal

UK hacker Gary McKinnon is set to appeal to the European Union after his Law Lords appeal to fight US extradition failed.

McKinnon, who was arrested in the UK after gaining access to US army, navy and air force computers seven years ago, faced extradition to the US, which had promised a prison sentence of up to 60 years if he refused to cooperate. McKinnon’s appeal called a plea bargain offer coercive, but the Lords ruled against him. He used Perl scripts and password crackers to gain access to the systems in what he said was a search for evidence of UFOs, but many systems were said to be even less secure.
In Brief

Banking web sites insecure

A study into web site security conducted by researchers at the University of Michigan revealed that 76% of banking web sites suffered from at least one design flaw. http://tinyurl.com/69vzhp

US government falls short on encryption

The Committee on Homeland Security in the US announced a Government Accountability report revealing that only 30% of computing devices in the federal government were encrypted. Data encryption is mandated in the federal government. http://tinyurl.com/5hs54b

E-Gold pleads guilty to money laundering

Online digital currency business E-Gold Ltd pleaded guilty to money laundering and the operation of an illegal money transmitting business. The company faces a US$3.7 million fine and its principal director Donald Jackson faces up to 25 years in jail. Sentencing is set for 20 November. http://tinyurl.com/5kbtqb and http://tinyurl.com/5dgvsd

Anti-cybercrime bill reaches milestone

A bill to make cybercrime prosecution easier has passed the US Senate. HR 5938 removes the need to prove that perpetrators caused US$5000 in damage before prosecution. They can also be charged with a felony if they install spyware on more than ten computers. The bill now goes before a conference committee before reaching the president’s desk. http://tinyurl.com/5bwkhh

Asprox goes nuclear

The team behind Asprox claimed a swathe of new victims in the past couple of months as activity related to the malware increased. Asprox, a botnet that forces infected machines to direct SQL injection attacks against web sites, infected over 1000 unique domains during the first two weeks of July, according to Finjan’s SecureBrowsing system.

Open source project tracks laptops

Adeona, an open source system from the University of Washington, has made it possible to track the location of stolen laptops for free, and also to surreptitiously take pictures of the thieves. http://tinyurl.com/6jfgdd

ICO could get sharper teeth

The UK’s Information Commissioner’s Office may get the power to carry out raids on companies breaching privacy laws, following a government review of its powers.