Computer Fraud & Security, April 2007

CASE ANALYSIS

connect to the Internet on their own can hold critical data. A telling statistic from a survey by data encryption company Pointsec is that 54,874 mobile phones, 4,718 handheld or pocket PCs, 3,179 laptops, and 923 USB memory sticks were left in the back of licensed London taxis (not all black anymore) in the last six months of 2006. There were also 730 laptops lost at Heathrow airport during 2006. Even if only 1% of those contained sensitive data, that is still a significant potential exposure. It is also a fair bet that some of the information held on these lost devices was not backed up. This may not be just corporate information, but also personal items such as digital photos, whose loss could be tragic on a personal level. So the importance of backing up data held on such devices should go almost without saying.

Yet it is laptops and, to an increasing extent, pocket PCs or PDAs in corporate or government environments that have received most attention, as the spate of recent thefts has highlighted how sensitive data such as bank customer names and addresses has spilled out across diffuse media, having once been held solely in physically secure data centres. Indeed, while the Nationwide case caught the headlines in the UK, attention to the issue had come to a head earlier in the US through a spate of incidents during 2006. These led to laptop thieves obtaining a wide assortment of personal data, including credit card numbers, birth dates of pensioners with retirement funds, addresses of nuclear power plant employees, and social security numbers of staff at Equifax, the credit reporting giant. It is interesting to note that in 2002 the UK government thought it had the answer to laptop theft with a scheme for embedding RFID chips so that stolen machines could be identified. Perhaps the answer now is to embed a radio-controlled self-destruct mechanism.

LexisNexis hackers sentenced
Philip Hunter

The LexisNexis intrusion in the US highlights the improved rate of hacking convictions, but also the continuing problem of "social engineering" attacks.

The recent conviction of five men in the US for breaking into the computer systems of Florida-based LexisNexis, the information management subsidiary of publishing giant Reed Elsevier, showed how increased efforts by dedicated agencies are paying off. It also demonstrated the value of reporting network intrusions swiftly, and LexisNexis deserves praise for its prompt response, when other companies have dithered or even covered up when faced with similar incidents. The US Secret Service was able to block the defendants' access before too much damage had been done and initiate a prompt prosecution, according to a US government spokesperson. The fact that the database accessed by the perpetrators, called Accurint, was used widely by some of the law enforcement agencies investigating the case may have helped focus minds as well. The database holds credit reference and other information on individuals.

Sentenced

Five men were sentenced in this case, four of them in December 2006, and the last, Justin Parras, in March 2007. Parras was sentenced to one year in prison, followed by three years of supervised release and 100 hours of community service. The five defendants between them were also ordered to pay $105,000 in compensation to LexisNexis and the Port Orange police department that prosecuted the case. This is a relatively small sum given the potential for damage and disruption, but the custodial component of the sentences indicates that courts are getting tougher on hackers.

Attack

The actual attack took place early in 2005, when data on 310,000 people was possibly stolen, causing temporary damage to the company's reputation. On that occasion, an investigation by Reed Elsevier itself revealed that LexisNexis databases had been breached over 50 times using stolen passwords, exposing addresses, social security numbers and other personal information. As it happens, LexisNexis was already implementing a new defence-in-depth strategy at the time of the attack in 2005. However, the strategy was re-tuned to take account of the lessons learnt then. The main lesson was that there is a limit to the level of security that can be implemented by any organisation providing a service to others. To some extent it can only be as secure as its customers, but steps can also be taken to isolate users or networks where and when problems are identified.

In the 2005 attack, it was a customer's environment that was compromised to obtain the user IDs and passwords then used to access the LexisNexis service. This led the company to offload some of the burden for security to its customers, reflecting the risk they posed. This initiative, called the LexisNexis Customer Security Program, comprised four measures: stronger log-in requirements, monthly user verification, IP address restriction (allowing access from pre-designated IP addresses only), and restricted access to full Social Security numbers and driver's license information. Some of the changes are compulsory for all LexisNexis customers, while others, such as IP address restriction, are voluntary. In most cases the inconvenience for customers has been relatively small, but it remains to be seen whether the measures will protect against identity theft.

The company remains a target for identity thieves, because the personal information held on its databases is potentially as valuable to fraudsters as to legitimate customers. Indeed, identity theft continues to increase, particularly in the US, which after all is the heartland of the hacker community, and also where databases holding personal data are larger and juicier. A recent report from leading IT security product vendor Symantec found that more than half of the world's "underground economy servers" trading confidential information and stolen personal data were located in the US. Personal records provide cyber criminals with a soft target now that financial services firms have become harder to attack directly. Criminals can make money just trading stolen identities, or even components such as bank account details, without using them to perpetrate a fraud directly. In the US, complete identities fetch around $15 each wholesale, so a batch of, say, 200,000 is enough to make somebody rich. Identity crime does not always involve deception and social engineering. It can be done just by transmitting a Trojan horse to a PC unprotected with the latest security software, and then sniffing keystrokes. In many cases, though, a Trojan horse tricks the user directly, perhaps by masquerading as a bank, or by pretending to conduct a legitimate survey.

Social engineering

However, the case also highlights the continued threat posed by attacks involving "social engineering" in conjunction with Trojan horses and other techniques. It raises doubts over whether education alone can ever eradicate human gullibility in the face of evolving tricks, rekindling demands for a second factor of authentication for any user accessing databases containing personal information that could be used for identity theft. In this case, the identity-stealing techniques were used to obtain passwords and access codes for subsequent entry into the Accurint database.

Gullibility is not confined to online activity, for people can also be lured verbally into yielding their credentials on the phone or in the street. A survey conducted in London recently found that 100% of people would provide their names upon request by a stranger purporting to be conducting a survey. More worryingly, 94% provided both their pet's name and their mother's maiden name, 98% their address, 96% the name of their first school, and 92% their date of birth and home phone number. This information would often be sufficient both to set up bank accounts in that person's name and, in some cases, to breach existing accounts. Companies such as LexisNexis are striving hard to educate their own customers and users not to fall for such tactics, while also recognising that second factors may have to be implemented. There is a natural reluctance within the financial services and online retailing communities to go down the second-factor route for the general public, because of the cost, inconvenience and logistical complications involved. Therefore the debate over whether the combination of software, passwords and memorable words is sufficient rumbles on.
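Two of the Customer Security Program measures described above, IP address restriction and restricted access to full Social Security numbers, as an added Python illustration that is not LexisNexis's own code. IP restriction is opt-in (the article calls it voluntary), full SSNs are masked unless the customer is entitled to them, and a check over constructed access-log lines shows which logins the restriction would have refused; customer identifiers, network ranges, record fields and the log format are all assumptions.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class CustomerPolicy:
    """Per-customer settings modelled on the measures the article lists (assumed shape)."""
    customer_id: str
    allowed_networks: list = field(default_factory=list)  # empty: not opted in to IP restriction
    full_identifiers: bool = False  # may this customer's users see full SSNs?

def ip_permitted(policy, source_ip):
    """IP restriction is voluntary: no networks configured means any source is allowed;
    once configured, only the pre-designated ranges may reach the service."""
    if not policy.allowed_networks:
        return True
    addr = ipaddress.ip_address(source_ip)
    return any(addr in ipaddress.ip_network(net) for net in policy.allowed_networks)

def mask_ssn(ssn):
    """Restricted access to full SSNs: reveal only the last four digits."""
    digits = "".join(ch for ch in ssn if ch.isdigit())
    return "***-**-" + digits[-4:]

def serve_record(policy, source_ip, record):
    """Return the record as the customer is entitled to see it, or None if the
    request comes from outside the customer's designated ranges."""
    if not ip_permitted(policy, source_ip):
        return None
    out = dict(record)
    if not policy.full_identifiers:
        out["ssn"] = mask_ssn(record["ssn"])
    return out

# Constructed sample data: one customer opted into IP restriction, one did not.
POLICIES = {
    "cust-a": CustomerPolicy("cust-a", ["203.0.113.0/24"], full_identifiers=False),
    "cust-b": CustomerPolicy("cust-b", [], full_identifiers=True),
}
SAMPLE_RECORD = {"name": "J. Doe", "ssn": "123-45-6789"}

def flag_out_of_range_logins(log_lines):
    """Constructed log format '<customer_id> <source_ip> <user>'. Returns the lines the
    restriction would refuse: credentials taken from a customer's environment but used elsewhere."""
    flagged = []
    for line in log_lines:
        cid, ip, _user = line.split()
        if not ip_permitted(POLICIES[cid], ip):
            flagged.append(line)
    return flagged
```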
EVENTS CALENDAR

30 April–3 May 2007
New Technologies, Mobility and Security 2007
Location: Beirut, Lebanon
Website: www.ntms2007.org

3–6 June 2007
The 2007 TECHNOSECURITY CONFERENCE
Location: Myrtle Beach, South Carolina, USA
Website: www.technosecurity.com

11–13 June 2007
CSI NETSEC '07
Location: Scottsdale, Arizona, USA
Website: www.csinetsec.com

25–29 June 2007
Third Annual Government Forum of Incident Response and Security Teams (GFIRST) Conference: Working to Solve the Cyber Security Puzzle
Location: Orlando, Florida
Website: www.us-cert.gov/gfirst

2–3 July 2007
ECIW 2007 - 6th European Conference on Information Warfare and Security
Location: Swindon, UK
Website: www.academic-conferences.org/eciw/eciw2007/eciw07-home.htm

12–13 July 2007
Fourth GI International Conference on Detection of Intrusions & Malware, and Vulnerability Assessment (DIMVA)
Location: Lucerne, Switzerland
Website: www.dimva2007.org

3–5 August 2007
DEFCON 15
Location: Riviera Hotel and Casino, Las Vegas, USA
Website: www.defcon.org/

6–10 August 2007
16th USENIX Security Symposium
Location: Boston, Massachusetts, USA
Email: [email protected]
Website: www.usenix.org/events/sec07/

5–7 September 2007
10th International Symposium on Recent Advances in Intrusion Detection (RAID) 2007
Location: Gold Coast, Queensland, Australia
Website: www.isi.qut.edu.au/events/conferences/raid07