<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>D90 Tools &#38; Techniques &#187; General Security</title>
	<atom:link href="http://www.d90.us/toolbox/category/general-security/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.d90.us/toolbox</link>
	<description>So I can remember how I did stuff in the future...</description>
	<lastBuildDate>Fri, 26 Nov 2010 20:08:12 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0.3</generator>
		<item>
		<title>Security for Educational Institutions</title>
		<link>http://www.d90.us/toolbox/2010/10/15/security-for-educational-institutions/</link>
		<comments>http://www.d90.us/toolbox/2010/10/15/security-for-educational-institutions/#comments</comments>
		<pubDate>Fri, 15 Oct 2010 21:50:42 +0000</pubDate>
		<dc:creator>Matt</dc:creator>
				<category><![CDATA[General Security]]></category>

		<guid isPermaLink="false">http://www.d90.us/toolbox/?p=208</guid>
		<description><![CDATA[Couple good links for future reference: http://www.cosn.org/Initiatives/CyberSecurity/CyberSecurityInformation/UnderstandingtheIssues/EightAssessmentQuestions/tabid/5258/Default.aspx http://www.sans.org/reading_room/whitepapers/sysadmin/protecting-students-public-school-environment_1428]]></description>
			<content:encoded><![CDATA[<p>Couple good links for future reference:</p>
<p>http://www.cosn.org/Initiatives/CyberSecurity/CyberSecurityInformation/UnderstandingtheIssues/EightAssessmentQuestions/tabid/5258/Default.aspx</p>
<p>http://www.sans.org/reading_room/whitepapers/sysadmin/protecting-students-public-school-environment_1428</p>
]]></content:encoded>
			<wfw:commentRss>http://www.d90.us/toolbox/2010/10/15/security-for-educational-institutions/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Seven Principles for Security Systems</title>
		<link>http://www.d90.us/toolbox/2010/02/11/seven-principles-for-security-systems/</link>
		<comments>http://www.d90.us/toolbox/2010/02/11/seven-principles-for-security-systems/#comments</comments>
		<pubDate>Fri, 12 Feb 2010 03:10:41 +0000</pubDate>
		<dc:creator>Matt</dc:creator>
				<category><![CDATA[General Security]]></category>

		<guid isPermaLink="false">http://www.d90.us/toolbox/?p=188</guid>
		<description><![CDATA[This is a very good report: Understanding scam victims: seven principles for systems security Frank Stajano, Paul Wilson August 2009 Archived here. While reading the example scams in the article, it becomes clear that, much like corporate fraud, they depend on collusion. A team pulling off a social hack is far stronger than a single person [...]]]></description>
			<content:encoded><![CDATA[<p>This is a very good report:</p>
<p><a href="http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-754.pdf" target="_blank">Understanding scam victims:<br />
seven principles for systems security<br />
Frank Stajano, Paul Wilson<br />
August 2009</a></p>
<p>Archived <a href="http://www.d90.us/toolbox/wp-content/uploads/UCAM-CL-TR-754.pdf" target="_blank">here</a>.</p>
<p>While reading the example scams in the article, it becomes clear that, much like corporate fraud, they depend on collusion.  A team pulling off a social hack is far stronger than a single person trying to do so.</p>
<blockquote><p>1) While you are distracted by what retains your interest, hustlers can do anything to you and you won’t notice.</p>
<p>2) Society trains people not to question authority. Hustlers exploit this “suspension of suspiciousness” to make you do what they want.</p>
<p>3) Even suspicious marks will let their guard down when everyone next to them appears to share the same risks. Safety in numbers? Not if they’re all conspiring against you.</p>
<p>4) Anything illegal you do will be used against you by the fraudster, making it harder for you to seek help once you realize you’ve been had.</p>
<p>5) Things and people are not what they seem. Hustlers know how to manipulate you to make you believe that they are.</p>
<p>6) Your needs and desires make you vulnerable. Once hustlers know what you really want, they can easily manipulate you.</p>
<p>7) When you are under time pressure to make an important choice, you use a different decision strategy. Hustlers steer you towards a strategy involving less reasoning.</p></blockquote>
]]></content:encoded>
			<wfw:commentRss>http://www.d90.us/toolbox/2010/02/11/seven-principles-for-security-systems/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Atlantic article on Cyber Attacks</title>
		<link>http://www.d90.us/toolbox/2010/02/11/atlantic-article-on-cyber-attacks/</link>
		<comments>http://www.d90.us/toolbox/2010/02/11/atlantic-article-on-cyber-attacks/#comments</comments>
		<pubDate>Fri, 12 Feb 2010 02:14:16 +0000</pubDate>
		<dc:creator>Matt</dc:creator>
				<category><![CDATA[General Security]]></category>

		<guid isPermaLink="false">http://www.d90.us/toolbox/?p=185</guid>
		<description><![CDATA[It is well-funded and pursued by mature individuals and groups of professionals with deep financial and technical resources, often with local government (or other countries’) toleration if not support. It is already responsible for billions of dollars a year in losses, and it is growing and becoming more capable. We have largely ignored it, and [...]]]></description>
			<content:encoded><![CDATA[<blockquote><p>It is well-funded and pursued by mature individuals and groups of  professionals with deep financial and technical resources, often with  local government (or other countries’) toleration if not support. It is  already responsible for billions of dollars a year in losses, and it is  growing and becoming more capable. We have largely ignored it, and  building our military capabilities is not responding to that threat.</p></blockquote>
<p><a href="http://www.theatlantic.com/doc/201003/china-cyber-war/" target="_self">James Fallows, Atlantic Magazine, February 2010</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.d90.us/toolbox/2010/02/11/atlantic-article-on-cyber-attacks/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Rootkit Hunters</title>
		<link>http://www.d90.us/toolbox/2010/02/10/rootkit-hunters/</link>
		<comments>http://www.d90.us/toolbox/2010/02/10/rootkit-hunters/#comments</comments>
		<pubDate>Wed, 10 Feb 2010 18:53:23 +0000</pubDate>
		<dc:creator>Matt</dc:creator>
				<category><![CDATA[General Security]]></category>
		<category><![CDATA[Linux]]></category>
		<category><![CDATA[Sysadmin Tools]]></category>
		<category><![CDATA[Windows]]></category>

		<guid isPermaLink="false">http://www.d90.us/toolbox/?p=182</guid>
		<description><![CDATA[A few resources for finding rootkits: Linux: Rootkit Hunter Chkrootkit Windows: RootkitRevealer]]></description>
			<content:encoded><![CDATA[<p>A few resources for finding rootkits:</p>
<p>Linux:<br />
<a href="http://www.rootkit.nl" target="_blank">Rootkit Hunter</a><br />
<a href="http://www.chkrootkit.org/" target="_self">Chkrootkit</a></p>
<p>Windows:<br />
<a href="http://technet.microsoft.com/en-us/sysinternals/bb897445.aspx" target="_blank">RootkitRevealer</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.d90.us/toolbox/2010/02/10/rootkit-hunters/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Card Skimmers</title>
		<link>http://www.d90.us/toolbox/2010/01/30/card-skimmers/</link>
		<comments>http://www.d90.us/toolbox/2010/01/30/card-skimmers/#comments</comments>
		<pubDate>Sat, 30 Jan 2010 16:29:50 +0000</pubDate>
		<dc:creator>Matt</dc:creator>
				<category><![CDATA[General Security]]></category>

		<guid isPermaLink="false">http://www.d90.us/toolbox/?p=162</guid>
		<description><![CDATA[Photos from Mikko Hypponen, originally linked from Krebs On Security: Note how close the arrows are to the slot, that&#8217;s because there&#8217;s a skimmer inserted: Battery pack, pinhole camera to watch what PIN is typed in, and cell phone which would send the information from the card swipe + PIN as a text message in real time [...]]]></description>
			<content:encoded><![CDATA[<p>Photos from <a href="http://twitter.com/mikkohypponen/status/1725581579" target="_blank">Mikko Hypponen</a>, originally linked from <a href="http://www.krebsonsecurity.com/2010/01/would-you-have-spotted-the-fraud/" target="_blank">Krebs On Security</a>:</p>
<p><img align="center" src="http://www.d90.us/fire/ATM_Hacks/ATM_Hack1.jpg" alt="" width="600" height="800" /></p>
<p style="text-align: center;">Note how close the arrows are to the slot, that&#8217;s because there&#8217;s a skimmer inserted:<br />
<img class="aligncenter" src="http://www.d90.us/fire/ATM_Hacks/ATM_Hack2.jpg" alt="" width="600" height="450" /></p>
<p style="text-align: center;">Battery pack, pinhole camera to watch what PIN is typed in, and a cell phone which would send the information from the card swipe + PIN as a text message in real time to the thieves:<br />
<img class="aligncenter" src="http://www.d90.us/fire/ATM_Hacks/ATM_Hack3.jpg" alt="" width="600" height="450" /></p>
<p>Eastern Europeans pulled off an attack like this in the <a href="http://www.boston.com/news/local/massachusetts/articles/2010/01/30/two_more_arrested_in_alleged_atm_scheme" target="_blank">Boston</a> area in December, 2009:</p>
<blockquote><p>Two more arrested in alleged ATM scheme<br />
Pair is accused  of stealing PIN, credit card data</p>
<p>Two more suspects, including one who was in possession of nearly $100,000 when he was arrested, are facing charges in an alleged scheme to steal ATM card data from unwitting customers in Eastern Massachusetts, authorities said yesterday.<br />
One of the two, Anton Venkov, 40, of Toronto, was arrested Thursday by the US Secret Service in Boston and charged with using counterfeit bank account access codes and aiding and abetting the plot. He has not yet entered a plea and has a detention hearing scheduled for Tuesday in federal court. Authorities say he had $99,100 in $20 bills in his car when he was arrested at Best Western Roundhouse Suites on Massachusetts Avenue.</p>
<p>Another alleged member of the plot, Vladislav Vladev, 36, of Quincy, was also arrested Thursday while sitting on a plane that was headed for Germany, at Logan International Airport, Norfolk County prosecutors said. He was arraigned in Quincy District Court yesterday on larceny and identity fraud charges relating to a theft from a Milton ATM on Granite Avenue. He pleaded not guilty and was ordered held on $1 million cash bail. He has a hearing scheduled for Monday.</p>
<p>State Police said Vladev is from Bulgaria.</p>
<p>Prosecutors say Venkov and Vladev teamed up with Ivaylo Hristov, 28, of Ontario, who was arrested Wednesday, and stole debit and credit card data and PIN numbers by placing scanner devices and hidden cameras in ATM machines at several locations. Authorities believe they have stolen at least $100,000 from customers at Citizens Bank and other institutions.</p>
<p>Hristov was also charged yesterday in the Milton ATM theft and ordered held on $500,000 cash bail. He was charged Thursday for an alleged similar scheme in Quincy and was ordered held on $1 million cash bail. He is due back in Quincy District Court on Monday.</p>
<p>The Secret Service learned in December that a Bank of America ATM in Saugus had been rigged with the scanner device, called a skimmer, and a pinhole camera, according to a court affidavit from a Secret Service agent. A surveillance photo showed Vladev attaching the skimmer, the affidavit said. Another photo allegedly showed Hristov removing the camera.</p>
<p>Authorities were informed on Jan. 22 of ATM tampering at Citizens Bank locations in Quincy, Milton, Braintree, and Somerville, the affidavit said. Surveillance photos showed the same men at the Citizens locations, according to the affidavit.</p>
<p>Three days later, photos showed the men rigging Bank of America ATM machines in Saugus, Milton, Weymouth, Cambridge, Dorchester, and Roslindale, the affidavit said.</p>
<p>Hristov was arrested on Wednesday near a Citizens ATM in Quincy, with local police acting on a tip from the bank’s security team. He had $1,380 in $20 bills at the time of his arrest, according to the affidavit, as well as Dunkin’ Donuts gift cards and American Express cards with post-it notes that had “PIN’’ and various numbers written on them.</p>
<p>Quincy police said Hristov told them that he received 10 percent from the thieves’ withdrawals and gave the rest to Vladislav to deposit into an account in Chicago. He also had a card for a storage unit in Weymouth that he said contained equipment used in the scam, police said. They are seeking a search warrant for the unit.</p>
<p>The Secret Service learned yesterday that Venkov had checked into the Best Western and rented a black Infiniti, the affidavit said. He was arrested soon afterward and allegedly told investigators that Vladev urged him to come to the United States to make some easy money. Hristov and Venkov told authorities that they were born in Bulgaria but had Canadian citizenship.</p>
<p>David Traub, a spokesman for Norfolk District Attorney William R. Keating, said authorities believe this group of suspects is responsible for most of the ATM thefts in Eastern Massachusetts. He declined to say whether investigators believed there were others working in other parts of the state or region.</p>
<p>Keating told reporters yesterday that bank customers should check their balances and contact their banks and local police if they notice any suspicious withdrawals.</p></blockquote>
]]></content:encoded>
			<wfw:commentRss>http://www.d90.us/toolbox/2010/01/30/card-skimmers/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Failed Keyboard Logging&#8230;</title>
		<link>http://www.d90.us/toolbox/2009/03/06/failed-keyboard-logging/</link>
		<comments>http://www.d90.us/toolbox/2009/03/06/failed-keyboard-logging/#comments</comments>
		<pubDate>Fri, 06 Mar 2009 14:39:11 +0000</pubDate>
		<dc:creator>Matt</dc:creator>
				<category><![CDATA[General Security]]></category>

		<guid isPermaLink="false">http://www.d90.us/toolbox/?p=67</guid>
		<description><![CDATA[Interesting failed attempt using nanny software: http://www.theregister.co.uk/2009/03/06/sumitomo_scam_sentencing/ Can you call someone a hacker / cracker who uses commercial off the shelf software?  I wonder what the result would have been using either a custom written keylogger (to avoid AV signature hits), or if they had installed physical keyloggers on their keyboards?  In any case, interesting [...]]]></description>
			<content:encoded><![CDATA[<p>Interesting failed attempt using nanny software:<br />
<a href="http://www.theregister.co.uk/2009/03/06/sumitomo_scam_sentencing/">http://www.theregister.co.uk/2009/03/06/sumitomo_scam_sentencing/</a></p>
<p>Can you call someone a hacker / cracker who uses commercial off-the-shelf software?  I wonder what the result would have been using either a custom written keylogger (to avoid AV signature hits), or if they had installed physical keyloggers on their keyboards?</p>
<p>In any case, interesting story about a true event involving hackers, semi-organized crime, and penetrating corporate security.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.d90.us/toolbox/2009/03/06/failed-keyboard-logging/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Passwords and Data Mining</title>
		<link>http://www.d90.us/toolbox/2009/02/27/passwords-and-data-mining/</link>
		<comments>http://www.d90.us/toolbox/2009/02/27/passwords-and-data-mining/#comments</comments>
		<pubDate>Sat, 28 Feb 2009 03:43:04 +0000</pubDate>
		<dc:creator>Matt</dc:creator>
				<category><![CDATA[General Security]]></category>
		<category><![CDATA[Linux]]></category>

		<guid isPermaLink="false">http://www.d90.us/toolbox/?p=41</guid>
		<description><![CDATA[I believe the working assumption must be we&#8217;re under a persistent, long term attack by organized groups. This is not just organized crime, but I suspect organized criminal groups that are tolerated by states like Russia and China if not outright state sponsored.  It&#8217;s not just those old &#8220;boogey men&#8221; either &#8212; there are many [...]]]></description>
			<content:encoded><![CDATA[<p>I believe the working assumption must be we&#8217;re under a persistent, long term attack by organized groups.</p>
<p>This is not just organized crime, but I suspect organized criminal groups that are tolerated by states like Russia and China if not outright state sponsored.  It&#8217;s not just those old &#8220;boogey men&#8221; either &#8212; there are many nations from Poland to South Korea to Israel that have long histories of industrial espionage, and we must assume that at the very least Western European nations and the descendants of the British Empire (U.S.A. included) collect and preserve usernames and passwords found passing over the internet unencrypted.</p>
<p>When you read in the news about security breach after security breach, you have to assume organizations out there are selling, buying, collecting, and storing in data warehouses usernames and passwords.  If people sell credit card information and known good email addresses, this data has value too.</p>
<p>Passwords don&#8217;t even have to be in cleartext to have value in such a market.  As the cost of computing power comes down, the ability to attack them through methods such as rainbow tables becomes more and more viable &#8212; by my calculations, you could build a highly efficient rainbow table of all possible Windows passwords on Amazon&#8217;s Elastic Computing Cloud for about $60,000/month.  While that takes funding and organization, we&#8217;re not exactly talking about needing the resources of SPECTRE to pull it off.  How many other databases out there store passwords without salts, like Windows does, making them very susceptible to rainbow tables?  Or how many databases, if breached, are likely to have the salt revealed as well?</p>
<p>Most people use variations on the same password.  So once you start to data mine 15+ years of data collected in security breaches you start to have a big collection associating usernames, email addresses, and passwords.  This now gives you a fairly small number of passwords to try in focused attacks.</p>
<p>For an example, let&#8217;s consider this data set:</p>
<pre style="padding-left: 30px;">Jdoe    &lt;unknown email&gt;   password
Jdoe    &lt;unknown email&gt;   passw0rd
Jdoe    &lt;unknown email&gt;   password1
Jdoe    Jdoe@aol.com      passw0rd4
JohnDoe Jdoe@aol.com      &lt;unknown password&gt;</pre>
<p>Either using data mining or simply people as &#8220;mechanical turks&#8221; we can make a good guess that if we see the username and email &#8220;JohnDoe Jdoe@aol.com&#8221; his password will be something like password, passw0rd, password3.  So given just the username and email, we can set up a low intensity attack &#8212; have a botnet try one password a day so it doesn&#8217;t raise alarm bells for bad login attempts.  The &#8220;holy grail&#8221; for a hacker would be to get into Jdoe@aol.com itself and then have account resets sent to themselves&#8230;and given that set of data it&#8217;s a darn good chance he&#8217;s using some sort of &#8220;password&#8221; variant for it.</p>
<p>We know single factor authentication is fundamentally insecure.  There is no doubt today it&#8217;s wholly inadequate for logging into systems you expect to trust.  So what do we do until there are universal two factor authentication schemes in place?</p>
<p>First, divide your accounts into ones you care about and ones you don&#8217;t.</p>
<p>For sites like newspaper comments or your favorite web forum use a simple password because you don&#8217;t care who knows it.  This is analogous to a simple padlock &#8212; while it doesn&#8217;t stop a determined attacker, it stops the casual attacks and that is good enough.</p>
<p>For finances, work computers, and the like&#8230;use a highly secure password.</p>
<p>How do you generate them in a way that is highly resistant to data mining efforts?</p>
<p>My criterion is that you can re-create them at will from something you know (in your mind), and can even leave them sitting in plain view and still not be compromised.</p>
<p>How?</p>
<p>Let&#8217;s first think up a pattern.  That can be a standard word or phrase you use in conjunction with how you identify each resource you need to access.  Then run that compound phrase (base phrase + resource) through a hash generator.</p>
<p>So in Linux, we can issue a series of commands like this:</p>
<pre style="padding-left: 30px;">$ echo mybasicpassword@www.yahoo.com |  sha256sum
9a7c3ff19da0207cae4c4c7f820d38397f672a47500795c4f56d6b45fe578603
$ echo mybasicpassword@www.d90.us | sha256sum
f4d0ccb1eb6b8e40472132cd44efc5b6b9bc976a4f951205e9e1bb96a12a1fda
$ echo mybasicpassword@bankofamerica | sha256sum
857a0d7ed6b510f7b7ab615072446552291429ba3c7ca40fe91553520b2f56a3
$ unset HISTFILE</pre>
<p>The unset HISTFILE removes the history of the commands you just typed so they&#8217;re not stored after you log off, revealing to a hacker your secret &#8220;mybasicpassword&#8221; as well as the secret way you identify the resources. What you pipe into the hash generator can change &#8212; maybe you have to reset a password quarterly and make it a habit of adding the month and year when you generated it.  The only place that pattern should be is in your head, plus maybe a note that helps you remember when you last generated it.</p>
<p>Now simply write them down&#8230;</p>
<pre style="padding-left: 30px;">yahoo         9a7c 3ff1 9da0 207c ae4c 4c7f 820d 3839 7f67 2a47 5007 95c4 f56d 6b45 fe57 8603
d90           f4d0 ccb1 eb6b 8e40 4721 32cd 44ef c5b6 b9bc 976a 4f95 1205 e9e1 bb96 a12a 1fda
bankofamerica 857a 0d7e d6b5 10f7 b7ab 6150 7244 6552 2914 29ba 3c7c a40f e915 5352 0b2f 56a3</pre>
<p>Now also pick a pattern of what part of the hash to use.  Maybe it&#8217;s the 64th, 62nd, 60th, 1st, 3rd, and 7th characters in that order, so for &#8220;bankofamerica&#8221; you&#8217;d use 36f877.</p>
<p>The nice part is that anywhere you are you can re-create the password at will, yet it&#8217;s secure from other people unless they&#8217;re intercepting unencrypted signals or torture it out of you.</p>
<p>Depending on how you make them, you may need to write a note to yourself &#8212; like the date you made the password.</p>
<p>Let&#8217;s take a slight variation on this theme for another example:</p>
<pre style="padding-left: 30px;">$ echo mybasicpassword@mybank_022709 | sha256sum
15218a3a5bed25963213e9b558f62d36dffc916dcc874ff307a37b26e62b6257</pre>
<p>So in a secure place, like a TrueCrypt encrypted volume you write a note like:</p>
<pre style="padding-left: 30px;">mybank 022709</pre>
<p>That really doesn&#8217;t reveal much at all, since you still keep the algorithm (in this case &#8216;base password&#8217;@&#8216;resource&#8217;_&#8216;date&#8217;) in your head.</p>
<p>Now maybe the bank requires special letters and characters.  So on your cheat sheet you write:</p>
<pre style="padding-left: 30px;">mybank     1521 8a3a 5bed 2596 3213 e9b5 58f6 2d36 dffc 916d cc87 4ff3 07a3 7b26 e62b 6257 +A-</pre>
<p>Using the same choice in characters I stated above, you look at that and realize you&#8217;ve set your password to be 72b123A- .</p>
<p>If you&#8217;re using a system you trust you can use a tool like <a title="Password Safe" href="http://passwordsafe.sourceforge.net/" target="_blank">Password Safe</a> to keep your website passwords without having to type each one in each time.</p>
<p>Of course you *should* be using two factor authentication whenever you can.   For the times you can&#8217;t, I believe the system I laid out here is almost as strong &#8212; and most importantly prevents the breach of one or any combination of resources from exposing many other resources where you have an account.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.d90.us/toolbox/2009/02/27/passwords-and-data-mining/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Rainbow Tables</title>
		<link>http://www.d90.us/toolbox/2007/12/05/rainbow-tables/</link>
		<comments>http://www.d90.us/toolbox/2007/12/05/rainbow-tables/#comments</comments>
		<pubDate>Wed, 05 Dec 2007 05:44:27 +0000</pubDate>
		<dc:creator>Matt</dc:creator>
				<category><![CDATA[General Security]]></category>
		<category><![CDATA[Sysadmin Tools]]></category>

		<guid isPermaLink="false">http://www.d90.us/toolbox/2007/12/05/rainbow-tables/</guid>
		<description><![CDATA[Lovely   http://www.codinghorror.com/blog/archives/000949.html  Use a program like Ophcrack to launch a brute force attack using Rainbow Tables.  Rather than using bandwidth to download a Rainbow Table, and so you can customize the table with salts, extra characters, etc&#8230;get an RT generator like the rtgen utility in the original RainbowCrack.  Ah, longing for the quaint old [...]]]></description>
			<content:encoded><![CDATA[<p>Lovely <img src='http://www.d90.us/toolbox/wp-includes/images/smilies/icon_smile.gif' alt=':)' class='wp-smiley' />   <a href="http://www.codinghorror.com/blog/archives/000949.html">http://www.codinghorror.com/blog/archives/000949.html</a></p>
<p>Use a program like <a target="_blank" href="http://ophcrack.sourceforge.net/">Ophcrack</a> to launch a brute force attack using Rainbow Tables.  Rather than using bandwidth to download a Rainbow Table, and so you can customize the table with salts, extra characters, etc&#8230;get an RT generator like the <a target="_blank" href="http://www.antsight.com/zsl/rainbowcrack/">rtgen</a> utility in the original RainbowCrack.</p>
<p>Ah, longing for the quaint old days when you&#8217;d run L0pht all weekend to recover an administrator&#8217;s password on a server you inherited&#8230;</p>
]]></content:encoded>
			<wfw:commentRss>http://www.d90.us/toolbox/2007/12/05/rainbow-tables/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Security Articles</title>
		<link>http://www.d90.us/toolbox/2007/10/20/general-security/</link>
		<comments>http://www.d90.us/toolbox/2007/10/20/general-security/#comments</comments>
		<pubDate>Sat, 20 Oct 2007 21:33:20 +0000</pubDate>
		<dc:creator>Matt</dc:creator>
				<category><![CDATA[Auditing]]></category>
		<category><![CDATA[General Security]]></category>

		<guid isPermaLink="false">http://www.d90.us/toolbox/2007/10/20/general-security/</guid>
		<description><![CDATA[This post is to serve as a library for good articles on general Information Systems security. ================= Scott Berinato, October 2007 CIO Magazine This series of three articles (plus a technical write-up) contains an in-depth look at a sophisticated malware enterprise revolving around a piece of malware called &#8220;Gozi.&#8221;  As an example of the [...]]]></description>
			<content:encoded><![CDATA[<p>This post is to serve as a library for good articles on general Information Systems security.</p>
<p>=================</p>
<p>Scott Berinato, October 2007 CIO Magazine<br />
This series of three articles (plus a technical write-up) contains an in-depth look at a sophisticated malware enterprise revolving around a piece of malware called &#8220;Gozi.&#8221;  As an example of the sophistication:</p>
<blockquote><p>Some machines, like some stocks, would under perform and provide little private information. But others would land the subscriber a windfall of private data. The point was to subscribe to several infected machines to balance that risk, the way Wall Street fund managers invest in many stocks to offset losses in one company with gains in another.</p></blockquote>
<p>While the U.S. Military may protect our shores from national attacks, and Immigration and other police services can keep most of the criminals physically outside our borders &#8212; over the coming decades organized, criminal attacks against our information systems are likely.</p>
<p><a title="Article 1" href="http://www.d90.us/toolbox/wp-content/uploads/2007/10/cio_hacker_article1.pdf">Article 1</a></p>
<p><a title="Article 2" href="http://www.d90.us/toolbox/wp-content/uploads/2007/10/cio_hacker_article2.pdf">Article 2</a></p>
<p><a title="Article 3" href="http://www.d90.us/toolbox/wp-content/uploads/2007/10/cio_hacker_article3.pdf">Article 3</a></p>
<p><a title="Gozi Technical Write-up" href="http://www.d90.us/toolbox/wp-content/uploads/2007/10/cio_hacker_gozi_tech_writeup.pdf">Gozi Technical Write-up</a></p>
<p>====================</p>
<p><a href="http://www.verizonbusiness.com/resources/security/reports/2009_databreach_rp.pdf" target="_blank">2009 Verizon Data Breach Report</a></p>
<p>====================</p>
<p><a href="http://www.sans.org/reading_room/whitepapers/leadership/rss/the_evolving_role_of_security_structures_33264" target="_blank">SANS Evolving Security Threat Report</a></p>
<p>This report includes this very nice graph using data from the Verizon 2009 Report:</p>
<p><a href="http://www.d90.us/toolbox/wp-content/uploads/2007/10/Breach_by_Vector.jpg"><img class="aligncenter size-medium wp-image-172" title="Breach_by_Vector" src="http://www.d90.us/toolbox/wp-content/uploads/2007/10/Breach_by_Vector-300x181.jpg" alt="" width="300" height="181" /></a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.d90.us/toolbox/2007/10/20/general-security/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

