Achtung! TrickBot!
TrickBot does not rest. Following the recent addition of its first targeted US-based bank, a new version of the malware has been spotted in the wild. Now in its 11th incarnation, TrickBot has expanded its ever-growing target portfolio yet again, this time increasing its focus on Germany.

Figure 1 – TrickBot configuration, showing its most recent version upgrade

While previously TrickBot’s focus in Germany was distinctly on Sparkassen Finanzgruppe, this latest version now includes more previously untargeted financial institutions in Germany.

Figures 2-7 – TrickBot Dynamic Webinject configuration snippets showing some of its recently added targets in Germany

TrickBot continues to evolve rapidly, constantly adding targets and using varying techniques to pose an ever-increasing risk to online banking users and financial institutions in multiple regions across the globe.

Recent TrickBot malware sample MD5s:
· c044f4a710f3a0b1997a4470145677ea
· 07df1af1c3b8c33df61ff4f3f07f3f54

VirusTotal links:
· https://www.virustotal.com/en/file/f560268063ab5a2104482937212f75714a55da680d50efe4c20b1a80b29a6e8f/analysis/
· https://www.virustotal.com/en/file/05389e4a60b59cb6b4d4ebe959837441b4fbbb71dd17cac77778d8973b480a26/analysis/

Analysis links:
· https://www.hybrid-analysis.com/sample/05389e4a60b59cb6b4d4ebe959837441b4fbbb71dd17cac77778d8973b480a26?environmentId=100
· https://www.hybrid-analysis.com/sample/f560268063ab5a2104482937212f75714a55da680d50efe4c20b1a80b29a6e8f?environmentId=100

References:
· TrickBot targets its first US bank - https://devcentral.f5.com/s/articles/malware/trickbot-targets-its-first-us-bank-24713
· TrickBot targeting Sparkassen Finanzgruppe - https://f5.com/labs/articles/threat-intelligence/malware/trickbot-now-targeting-german-banking-group-sparkassen-finanzgruppe-24420
· Review of TrickBot’s rapid evolution - https://devcentral.f5.com/s/articles/malware/is-xmaker-the-new-trickloader-24372

TrickBot targets its first US bank
The latest arrival to the banking malware scene, and successor to the infamous Dyre Trojan, continues to evolve. TrickBot previously targeted banks and businesses in Australia, New Zealand, Germany, the UK, Ireland, Canada, India and Singapore. In a recent update, this list has now expanded to include the United States.

Figure 1 – Map showing TrickBot’s global target distribution

Figure 2 – TrickBot configuration snippet showing newly added US-based target

TrickBot’s target tally now includes a total of 225 unique banking and business related URLs. While this is still a far cry from the vast numbers of banks and businesses targeted by Dyre globally, this number is very likely to grow in the future, as the malware’s authors are constantly increasing their target tally and continue to improve their malware with new features and abilities.

A previous review of TrickBot’s rapid evolution can be found here: https://devcentral.f5.com/s/articles/malware/is-xmaker-the-new-trickloader-24372

TrickBot sample MD5: 5abea77ce54fc029151a524ff1d428f

VirusTotal link: https://www.virustotal.com/en/file/554132df407db525382baceb43fc0804839592fbd7038ffcd0e3736119d37be2/analysis/

Analysis link: https://www.hybrid-analysis.com/sample/554132df407db525382baceb43fc0804839592fbd7038ffcd0e3736119d37be2?environmentId=100

Is "Xmaker" the new “TrickLoader”?
Overview

During November of 2015, the Dyre banking Trojan, which was very prolific at the time and targeted countless financial institutions worldwide, vanished from the wild almost overnight. It was only during February of 2016 that the announcement was made that Russian authorities had arrested most of the gang that was operating the Dyre banking Trojan. (Reference: http://www.reuters.com/article/us-cybercrime-russia-dyre-exclusive-idUSKCN0VE2QS)

Since then, nothing has been heard from the actors behind Dyre, but it has been speculated that members of the Dyre gang who managed to avoid arrest by the Russian authorities have been integrated into other cybercrime gangs.

During September of 2016 a new breed of malware surfaced, calling itself “TrickBot”, which shares some similarities with Dyre. Among these similarities are a similar loader, similar encryption and decryption routines, and a similar structure of the configuration files. (Reference: http://www.threatgeek.com/2016/10/trickbot-the-dyre-connection.html)

However, it lacks Dyre’s extensive Command and Control infrastructure, it is also missing some of the modules that were present in Dyre such as SOCKS and VNC, and the coding style looks different from Dyre’s. TrickBot still appears to be a work-in-progress, doing little to hide its presence on an infected system. One interesting fact is that TrickBot’s requests to its C2 servers contain easily identifiable User-Agent strings such as “TrickLoader” and “BotLoader”: (Example: https://www.reverse.it/sample/2c4eab037c37b55780cce28e48d930faa60879045208ae4b64631bb7a2f4cb2a?lang=en#http-traffic)

TrickBot’s Configuration and capability changes

During the past few months TrickBot has been evolving rapidly, constantly adding capabilities and targeted entities, and upgrading its version number.
Version 1000002:

Initial samples of TrickBot started to surface in VirusTotal around August 2016. Related MD5s:
· 38503c00be6b7f7eeb5076c0bd071b4c
· bf621ef7e98047fea8c221e17c1837b8
· 0804499dba4090c439e580f5693660e0
· e4a8dc8fd08d4f65a68d0a40e2190c70

On the 15th of October 2016, Fidelis Threat Researcher Jason Reaves published an analysis of the new TrickBot malware. The analyzed sample was shown to be version 1000002: http://www.threatgeek.com/2016/10/trickbot-the-dyre-connection.html

This version included the following “modules”:
· systeminfo – responsible for grabbing system data
· injectDll32 – responsible for browser injections

The only method of injection in this version was “dynamic injects”, which was implemented in a way very similar to Dyre’s dynamic (“server side”) injects - https://devcentral.f5.com/s/articles/dyre-presents-server-side-web-injects

Version 1000003:

On the 24th of October 2016, Independent Researcher @hasherezade published a detailed analysis of the TrickBot malware, which had advanced its configuration to version 1000003: https://blog.malwarebytes.com/threat-analysis/2016/10/trick-bot-dyrezas-successor/

On the 25th of October 2016, ASERT analysts published insights regarding the methodologies used to initially distribute TrickBot: https://www.arbornetworks.com/blog/asert/trickbot-banker-insights/

Version 1000005:

On the 7th of November 2016, F5 Researchers Julia Karpin, Shaul Vilkomir-Preisman, and Anna Dorfman reported updates to TrickBot, which had advanced to version 1000005: https://f5.com/about-us/news/articles/little-trickbot-growing-up-new-campaign-22790

The new version added new targeted entities, modified the configuration structure, and added a new method of browser injection - static injects (AKA "redirects") which again, is very similar to Dyre’s static injects.
Version 1000007:

Version 1000007 of TrickBot expanded its target list a bit more, as described here: https://f5.com/about-us/news/articles/trickbot-now-targeting-german-banking-group-sparkassen-finanzgruppe-23630

Version 1000009:

On the 30th of November 2016, Version 1000009 of TrickBot added a new "mailsearcher" module. This new module has its own configuration settings and its own C2 server IP address.

The main functionality of the mailsearcher module is:
· Traversal over all files in all drives in the system
· Comparing their file extensions to the following list:
· Creating an HTTP connection with the user agent “KEFIR!”
· Sending information over that connection in the following URL format: IP-ADDRESS/GROUP-ID/CLIENT-ID/send/ (client-id information was stripped out in this screenshot)

Additionally, it changed its User-Agent header from "TrickLoader" and “BotLoader” to "Xmaker" (client-id information was stripped out in this screenshot). Another example of the changed User-Agent header can be seen here: (Example: https://www.hybrid-analysis.com/sample/3bf7d98b2fede6512fa2f5d5423a3e3b93a2ed357d2112bcadde751765bdb505?environmentId=100&lang=en#http-traffic)

On the 5th of December 2016, Version 1000009 of TrickBot added a few more targets to its static inject ("redirects") targeted entity list, shifting from the initial focus on dynamic injections to redirect attacks. This is an interesting shift, as the Dyre malware had the opposite shift while it was active (it first introduced static injections and only afterwards shifted to dynamic injections).

Related MD5s:
· 46ffaa075dd586a6f93a4d26a2431355
· 1c8ea23e2892c4c7155c9f976c6e661d
· 26992865a2ae96ed48df8ddfc7223a13

Version 1000010:

On the 6th of December 2016, Version 1000010 of TrickBot added several more previously untargeted banks in Australia and New Zealand, as well as several Singapore banks, to its target list – which were not previously targeted at all.
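The User-Agent values and the mailsearcher beacon shape described under Version 1000009 above (and the "TrickLoader"/"BotLoader" values from the overview) are the kind of indicator a defender can match in proxy logs. The following is an added example, not code from the original article or from F5: it scans constructed proxy log lines for those User-Agent values and for URLs of the form IP-ADDRESS/GROUP-ID/CLIENT-ID/send/, and checks file hashes against the sample MD5s listed in the article. The log line format, the sample lines, the host addresses and the group/client tokens are all constructed; the article does not give the exact token formats, so the beacon pattern accepts any two path segments before /send/.

```python
"""
Added example, not code from the original article or from F5: a small log
scanner for the TrickBot network indicators the article reports (User-Agent
values "TrickLoader", "BotLoader", "Xmaker" and "KEFIR!" and the mailsearcher
beacon shape IP-ADDRESS/GROUP-ID/CLIENT-ID/send/), plus a lookup against the
sample MD5s listed in the article. The log format and sample lines are constructed.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# User-Agent values the article reports across TrickBot versions.
TRICKBOT_USER_AGENTS = {"TrickLoader", "BotLoader", "Xmaker", "KEFIR!"}

# Sample MD5s listed in the article (versions 1000002 and 1000009).
KNOWN_SAMPLE_MD5S = {
    "38503c00be6b7f7eeb5076c0bd071b4c", "bf621ef7e98047fea8c221e17c1837b8",
    "0804499dba4090c439e580f5693660e0", "e4a8dc8fd08d4f65a68d0a40e2190c70",
    "46ffaa075dd586a6f93a4d26a2431355", "1c8ea23e2892c4c7155c9f976c6e661d",
    "26992865a2ae96ed48df8ddfc7223a13",
}

# Assumed beacon shape: an IP-literal host followed by /GROUP-ID/CLIENT-ID/send/.
# The article does not give the token formats, so any two non-empty segments
# are accepted; requiring an IP-literal host keeps ordinary ".../x/y/send/"
# URLs on named hosts from matching.
BEACON_RE = re.compile(
    r"^https?://(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?"
    r"/(?P<group>[^/\s]+)/(?P<client>[^/\s]+)/send/?$"
)

# Constructed proxy log format: <client_ip> <method> <url> <status> "<user-agent>"
LOG_RE = re.compile(
    r'^(?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)


@dataclass
class Hit:
    src: str
    url: str
    reason: str


def classify(line: str) -> Optional[Hit]:
    """Return a Hit when the log line carries a TrickBot indicator, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None  # unparsable line: skip rather than guess
    src, url, ua = m["src"], m["url"], m["ua"]
    if ua in TRICKBOT_USER_AGENTS:
        return Hit(src, url, f"known TrickBot User-Agent {ua!r}")
    if BEACON_RE.match(url):
        return Hit(src, url, "URL matches IP/GROUP-ID/CLIENT-ID/send/ beacon shape")
    return None


def scan(lines: Iterable[str]) -> List[Hit]:
    """Scan many log lines and return every hit, in input order."""
    return [h for h in (classify(line) for line in lines) if h is not None]


def is_known_sample(md5: str) -> bool:
    """Case-insensitive lookup of a file hash against the article's sample MD5s."""
    return md5.strip().lower() in KNOWN_SAMPLE_MD5S


# Constructed sample log; RFC 5737 documentation addresses stand in for real hosts.
SAMPLE_LOG = [
    '10.0.0.5 GET http://www.example.com/index.html 200 "Mozilla/5.0"',
    '10.0.0.7 POST http://198.51.100.23/grp01/CLIENT-ID-REDACTED/send/ 200 "KEFIR!"',
    '10.0.0.7 GET http://203.0.113.10/ 200 "Xmaker"',
    '10.0.0.9 GET http://198.51.100.23:443/grp01/CLIENT-ID-REDACTED/send/ 200 "Mozilla/4.0"',
    '10.0.0.8 GET http://www.example.com/a/b/send/ 200 "Mozilla/5.0"',
    '10.0.0.7 GET http://203.0.113.10/ 200 "TrickLoader"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit.src} -> {hit.url}: {hit.reason}")
    print("known sample:", is_known_sample("38503C00BE6B7F7EEB5076C0BD071B4C"))
```

The User-Agent check is tried first because it is the cheaper and more specific indicator; the beacon-shape check catches a sample that has changed its User-Agent again but still reports to the same URL layout. The fourth sample line shows why the host must be an IP literal: a legitimate site with a /a/b/send/ path on a named host does not match.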
This version also adds an Indian bank to the target list – again, previously not targeted at all.

Related MD5:
· 52cab07e1a41e68bd2793a37ba04d270

Conclusion

TrickBot is an example of malware which is currently in active development, and is constantly changing and adding capabilities. Its authors are clearly trying to replicate Dyre’s capabilities and structure. We suggest keeping a close eye on its evolution and preparing ourselves for the threats that it may pose to the security of our users.

Complying with PCI DSS–Part 3: Maintain a Vulnerability Management Program
According to the PCI SSC, there are 12 PCI DSS requirements that satisfy a variety of security goals. Areas of focus include building and maintaining a secure network, protecting stored cardholder data, maintaining a vulnerability management program, implementing strong access control measures, regularly monitoring and testing networks, and maintaining information security policies. The essential framework of the PCI DSS encompasses assessment, remediation, and reporting. We’re exploring how F5 can help organizations gain or maintain compliance and today is Maintain a Vulnerability Management Program which includes PCI Requirements 5 and 6. To read Part 1, click: Complying with PCI DSS–Part 1: Build and Maintain a Secure Network and Part 2: Complying with PCI DSS–Part 2: Protect Cardholder Data

Requirement 5: Use and regularly update antivirus software or programs.

PCI DSS Quick Reference Guide description: Vulnerability management is the process of systematically and continuously finding weaknesses in an entity’s payment card infrastructure system. This includes security procedures, system design, implementation, or internal controls that could be exploited to violate system security policy.

Solution: With BIG-IP APM and BIG-IP Edge Gateway, F5 provides the ability to scan any remote device or internal system to ensure that an updated antivirus package is running prior to permitting a connection to the network. Once connections are made, BIG-IP APM and BIG-IP Edge Gateway continually monitor the user connections for a vulnerable state change, and if one is detected, can quarantine the user on the fly into a safe, secure, and isolated network. Remediation services can include a URL redirect to an antivirus update server. For application servers in the data center, BIG-IP products can communicate with existing network security and monitoring tools.
If an application server is found to be vulnerable or compromised, that device can be automatically quarantined or removed from the service pool. With BIG-IP ASM, file uploads can be extracted from requests and transferred over ICAP to a central antivirus (AV) scanner. If a file infection is detected, BIG-IP ASM will drop that request, making sure the file doesn’t reach the web server.

Requirement 6: Develop and maintain secure systems and applications.

PCI DSS Quick Reference Guide description: Security vulnerabilities in systems and applications may allow criminals to access PAN and other cardholder data. Many of these vulnerabilities are eliminated by installing vendor-provided security patches, which perform a quick-repair job for a specific piece of programming code. All critical systems must have the most recently released software patches to prevent exploitation. Entities should apply patches to less-critical systems as soon as possible, based on a risk-based vulnerability management program. Secure coding practices for developing applications, change control procedures, and other secure software development practices should always be followed.

Solution: Requirements 6.1 through 6.5 deal with secure coding and application development; risk analysis, assessment, and mitigation; patching; and change control. Requirement 6.6 states: “Ensure all public-facing web applications are protected against known attacks, either by performing code vulnerability reviews at least annually or by installing a web application firewall in front of public-facing web applications.” This requirement can be easily met with BIG-IP ASM, which is a leading web application firewall (WAF) offering protection for vulnerable web applications. Using both a positive security model for dynamic application protection and a strong, signature-based negative security model, BIG-IP ASM provides application-layer protection against both targeted and generalized application attacks.
It also protects against the Open Web Application Security Project (OWASP) Top Ten vulnerabilities and threats on the Web Application Security Consortium’s (WASC) Threat Classification lists.

To assess a web application’s vulnerability, most organizations turn to a vulnerability scanner. The scanning schedule might depend on a change in control, as when an application is initially being deployed, or other triggers such as a quarterly report. The vulnerability scanner scours the web application, and in some cases actually attempts potential attacks, to generate a report indicating all possible vulnerabilities. This gives the administrator managing the web security devices a clear view of all exposed areas and potential threats to the website. Such a report is a moment-in-time assessment and might not result in full application coverage, but should give administrators a clear picture of their web application security posture. It includes information about coding errors, weak authentication mechanisms, fields or parameters that query the database directly, or other vulnerabilities that provide unauthorized access to information, sensitive or not. Otherwise, many of these vulnerabilities would need to be manually re-coded or manually added to the WAF policy—both expensive undertakings.

Simply having the vulnerability report, while beneficial, doesn’t make a web application secure. The real value of the report lies in how it enables an organization to determine the risk level and how best to mitigate the risk. Since recoding an application is expensive and time-consuming and may generate even more errors, many organizations deploy a WAF like BIG-IP ASM. A WAF enables an organization to protect its web applications by virtually patching the open vulnerabilities until developers have an opportunity to properly close the hole. Often, organizations use the vulnerability scanner report to either tighten or initially generate a WAF policy.
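The two models named above (a positive model that allowlists what each page may receive, and a negative, signature-based model) and the idea of turning a scanner finding into a virtual patch are easier to see in a small working engine. The following is an added example, not code from the original article and not BIG-IP ASM's policy language: a toy WAF policy that checks a request's parameters against a per-path allowlist and a handful of generic signatures, and an `apply_scanner_finding` step that tightens the allowlist from a scanner report entry. The endpoint `/account`, its parameters, the signatures and the finding format are all constructed for the example.

```python
"""
Added example, not code from the original article and not BIG-IP ASM's policy
language: a toy WAF policy engine combining a positive model (per-path allowlist
of parameters and their shape) with a negative, signature-based model, plus a
virtual-patch step that tightens the positive policy from a scanner finding.
The policy, signatures, endpoint names and finding format are all constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Negative security model: generic, illustrative signatures (constructed).
SIGNATURES = {
    "sqli_tautology": re.compile(r"(?i)\b(?:or|and)\b\s+\d+\s*=\s*\d+"),
    "sqli_comment": re.compile(r"(?:--|/\*)\s*$"),
    "xss_script_tag": re.compile(r"(?i)<\s*script\b"),
    "path_traversal": re.compile(r"\.\.[/\\]"),
}

# Shapes a scanner finding can ask for when a parameter is tightened.
EXPECTED_SHAPES = {
    "integer": r"\d{1,10}",
    "alnum": r"[A-Za-z0-9_]{1,64}",
}


@dataclass
class ParamRule:
    pattern: re.Pattern  # the whole value must match this pattern
    max_len: int


# Positive security model: path -> parameter name -> rule.
Policy = Dict[str, Dict[str, ParamRule]]


def build_policy() -> Policy:
    """Constructed initial policy for a hypothetical /account endpoint.
    Before any virtual patch, 'id' is only length-limited, not typed."""
    return {
        "/account": {
            "id": ParamRule(re.compile(r".*"), 64),
            "view": ParamRule(re.compile(r"summary|detail"), 16),
        }
    }


def check_request(policy: Policy, path: str, params: Dict[str, str]) -> List[str]:
    """Return the list of policy violations for a request; empty means allowed."""
    violations: List[str] = []
    rules = policy.get(path)
    if rules is None:
        violations.append(f"path {path!r} is not in the positive policy")
        rules = {}
    for name, value in params.items():
        rule = rules.get(name)
        if rule is None:
            violations.append(f"parameter {name!r} is not allowed on {path}")
        else:
            if len(value) > rule.max_len:
                violations.append(f"parameter {name!r} exceeds {rule.max_len} characters")
            if not rule.pattern.fullmatch(value):
                violations.append(f"parameter {name!r} does not match its allowed shape")
        # The negative model runs on every value, allowlisted or not.
        for sig_name, sig in SIGNATURES.items():
            if sig.search(value):
                violations.append(f"signature {sig_name} matched in parameter {name!r}")
    return violations


def apply_scanner_finding(policy: Policy, finding: Dict[str, str]) -> None:
    """Virtual patch: tighten one parameter's allowed shape from a scanner finding
    such as {"path": "/account", "parameter": "id", "expected": "integer"}.
    The finding format is constructed for this example."""
    shape = EXPECTED_SHAPES[finding["expected"]]
    rules = policy.setdefault(finding["path"], {})
    current = rules.get(finding["parameter"])
    max_len = current.max_len if current else 64
    rules[finding["parameter"]] = ParamRule(re.compile(shape), max_len)


if __name__ == "__main__":
    policy = build_policy()
    # Constructed scanner finding: /account?id= is passed straight to a query.
    finding = {"path": "/account", "parameter": "id", "expected": "integer"}
    cases = [("clean", {"id": "42"}), ("odd value", {"id": "42abc"}),
             ("tautology", {"id": "1 OR 1=1"})]
    for label, params in cases:
        print(f"before patch, {label}: {check_request(policy, '/account', params)}")
    apply_scanner_finding(policy, finding)
    for label, params in cases:
        print(f"after patch, {label}: {check_request(policy, '/account', params)}")
```

The "odd value" case is the point of the exercise: before the patch it carries no attack signature and passes, so the negative model alone would let it through; once the scanner finding has typed the parameter as an integer, the positive model rejects it without anyone touching the application code. That is the "virtually patching until developers can close the hole" the text describes.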
While finding vulnerabilities helps organizations understand their exposure, they must also have the ability to quickly mitigate those vulnerabilities to greatly reduce the risk of application exploits. The longer an application remains vulnerable, the more likely it is to be compromised.

For cloud deployments, BIG-IP ASM Virtual Edition (VE) delivers the same functionality as the physical edition and helps companies maintain compliance, including compliance with PCI DSS, when they deploy applications in the cloud. If an application vulnerability is discovered, BIG-IP ASM VE can quickly be deployed in a cloud environment, enabling organizations to immediately patch vulnerabilities virtually until the development team can permanently fix the application. Additionally, organizations are often unable to fix applications developed by third parties, and this lack of control prevents many of them from considering cloud deployments. But with BIG-IP ASM VE, organizations have full control over securing their cloud infrastructure.

BIG-IP ASM version 11.1 includes integration with IBM Rational AppScan, Cenzic Hailstorm, QualysGuard WAS, and WhiteHat Sentinel, making BIG-IP ASM the most advanced vulnerability assessment and application protection on the market. In addition, administrators can better create and enforce policies with information about attack patterns from a grouping of violations or otherwise correlated incidents. In this way, BIG-IP ASM protects the applications between scanning and patching cycles and against zero-day attacks that signature-based scanners won’t find. Both are critical in creating a secure Application Delivery Network.

BIG-IP ASM also makes it easy to understand where organizations stand relative to PCI DSS compliance. With the BIG-IP ASM PCI Compliance Report, organizations can quickly see each security measure required to comply with PCI DSS 2.0 and understand which measures are or are not relevant to BIG-IP ASM functions.
For relevant security measures, the report indicates whether the organization’s BIG-IP ASM appliance complies with PCI DSS 2.0. For security measures that are not relevant to BIG-IP ASM, the report explains what action to take to achieve PCI DSS 2.0 compliance.

BIG-IP ASM PCI Compliance Report

Finally, with the unique F5 iHealth system, organizations can analyze the configuration of their BIG-IP products to identify any critical patches or security updates that may be necessary.

Next: Implement Strong Access Control Measures

ps

Complying with PCI DSS–Part 5: Regularly Monitor and Test Networks
According to the PCI SSC, there are 12 PCI DSS requirements that satisfy a variety of security goals. Areas of focus include building and maintaining a secure network, protecting stored cardholder data, maintaining a vulnerability management program, implementing strong access control measures, regularly monitoring and testing networks, and maintaining information security policies. The essential framework of the PCI DSS encompasses assessment, remediation, and reporting. We’re exploring how F5 can help organizations gain or maintain compliance and today is Regularly Monitor and Test Networks which includes PCI Requirements 10 and 11. To read Part 1, click: Complying with PCI DSS–Part 1: Build and Maintain a Secure Network, Part 2: Complying with PCI DSS–Part 2: Protect Cardholder Data, Part 3: Complying with PCI DSS–Part 3: Maintain a Vulnerability Management Program and Part 4: Complying with PCI DSS–Part 4: Implement Strong Access Control Measures.

Requirement 10: Track and monitor all access to network resources and cardholder data.

PCI DSS Quick Reference Guide description: Logging mechanisms and the ability to track user activities are critical for effective forensics and vulnerability management. The presence of logs in all environments allows thorough tracking and analysis if something goes wrong. Determining the cause of a compromise is very difficult without system activity logs.

Solution: The spirit of this requirement is to ensure appropriate systems generate logs, with implementation and monitoring of log aggregation and correlation systems. The ability to monitor and log all user sessions and requests for access to sensitive information, such as cardholder data and Social Security numbers, is critical to any security environment. F5 offers a suite of solutions that are session-based, not packet-based.
With this full reverse proxy architecture, the BIG-IP platform has the ability to manage full user sessions, regardless of the transport mechanism or network, and match those user sessions to specific data actions, supplying log data and a full audit trail from the user to the data. This allows F5 application security devices to ensure the confidentiality, integrity, and availability of all application data on the network. All F5 products support remote logging, allowing logs to be pushed to secure networks and devices for archiving. In addition, the TMOS architecture can manage isolated, secure logging networks in conjunction with the application networks, using features such as mirrored ports, VLANs, and virtualized administrative access. Protecting network resources and application data 24 hours a day, seven days a week, without affecting network performance, is a core function and the foundation of all F5 security products.

Requirement 11: Regularly test security systems and processes.

PCI DSS Quick Reference Guide description: Vulnerabilities are being discovered continually by malicious individuals and researchers, and being introduced by new software. System components, processes, and custom software should be tested frequently to ensure security is maintained over time. Testing of security controls is especially important for any environmental changes such as deploying new software or changing system configuration.

Solution: The spirit of this requirement is to ensure that the complying organization itself tests its security system and processes. Since F5 does not offer a penetration testing service, this is one of just two PCI DSS requirements that F5 products cannot significantly address.

Next: Maintain an Information Security Policy

ps

Complying with PCI DSS–Part 1: Build and Maintain a Secure Network
According to the PCI SSC, there are 12 PCI DSS requirements that satisfy a variety of security goals. Areas of focus include building and maintaining a secure network, protecting stored cardholder data, maintaining a vulnerability management program, implementing strong access control measures, regularly monitoring and testing networks, and maintaining information security policies. The essential framework of the PCI DSS encompasses assessment, remediation, and reporting. Over the next several blogs, we’ll explore how F5 can help organizations gain or maintain compliance. Today is Build and Maintain a Secure Network which includes PCI Requirements 1 and 2.

PCI DSS Quick Reference Guide, October 2010

The PCI DSS requirements apply to all “system components,” which are defined as any network component, server, or application included in, or connected to, the cardholder data environment. Network components include, but are not limited to, firewalls, switches, routers, wireless access points, network appliances, and other security appliances. Servers include, but are not limited to, web, database, authentication, DNS, mail, proxy, and NTP servers. Applications include all purchased and custom applications, including internal and external web applications. The cardholder data environment is a combination of all the system components that come together to store and provide access to sensitive user financial information. F5 can help with all of the core PCI DSS areas and 10 of its 12 requirements.

Requirement 1: Install and maintain a firewall and router configuration to protect cardholder data.

PCI DSS Quick Reference Guide description: Firewalls are devices that control computer traffic allowed into and out of an organization’s network, and into sensitive areas within its internal network. Firewall functionality may also appear in other system components. Routers are hardware or software that connects two or more networks.
All such devices are in scope for assessment of Requirement 1 if used within the cardholder data environment. All systems must be protected from unauthorized access from the Internet, whether via e-commerce, employees’ remote desktop browsers, or employee email access. Often, seemingly insignificant paths to and from the Internet can provide unprotected pathways into key systems. Firewalls are a key protection mechanism for any computer network.

Solution: F5 BIG-IP products provide strategic points of control within the Application Delivery Network (ADN) to enable truly secure networking across all systems and network and application protocols. The BIG-IP platform provides a unified view of layers 3 through 7 for both general reporting and alerts and those required by ICSA Labs, as well as for integration with products from security information and event management (SIEM) vendors. BIG-IP Local Traffic Manager (LTM) offers native, high-performance firewall services to protect the entire infrastructure. BIG-IP LTM is a purpose-built, high-performance Application Delivery Controller (ADC) designed to protect Internet data centers. In many instances, BIG-IP LTM can replace an existing firewall while also offering scalability, performance, and persistence. Running on an F5 VIPRION chassis, BIG-IP LTM can manage up to 48 million concurrent connections and 72 Gbps of throughput with various timeout behaviors and buffer sizes when under attack. It protects UDP, TCP, SIP, DNS, HTTP, SSL, and other network attack targets while delivering uninterrupted service for legitimate connections. The BIG-IP platform, which offers a unique Layer 2–7 security architecture and full packet inspection, is an ICSA Labs Certified Network Firewall.

Replacing stateful firewall services with BIG-IP LTM in the data center architecture

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.
PCI DSS Quick Reference Guide description: The easiest way for a hacker to access your internal network is to try default passwords or exploits based on the default system software settings in your payment card infrastructure. Far too often, merchants do not change default passwords or settings upon deployment. This is akin to leaving your store physically unlocked when you go home for the night. Default passwords and settings for most network devices are widely known. This information, combined with hacker tools that show what devices are on your network, can make unauthorized entry a simple task if you have failed to change the defaults.

Solution: All F5 products allow full access for administrators to change all forms of access and service authentication credentials, including administrator passwords, application service passwords, and system monitoring passwords (such as SNMP). Products such as BIG-IP Access Policy Manager (APM) and BIG-IP Edge Gateway limit remote connectivity to only a GUI and can enforce two-factor authentication, allowing tighter control over authenticated entry points. The BIG-IP platform allows the administrator to open up specific access points to be fitted into an existing secure network. BIG-IP APM and BIG-IP Edge Gateway offer secure, role-based administration (SSL/TLS and SSH protocols) and virtualization for designated access rights on a per-user or per-group basis. Secure Vault, a hardware-secured encrypted storage system introduced in BIG-IP version 9.4.5, protects critical data using a hardware-based key that does not reside on the appliance’s file system. In BIG-IP v11, companies have the option of securing their cryptographic keys in hardware, such as a FIPS card, rather than encrypted on the BIG-IP hard drive.
The Secure Vault feature can also encrypt certificate passwords for enhanced certificate and key protection in environments where FIPS 140-2 hardware support is not required, but additional physical and role-based protection is preferred. Secure Vault encryption may also be desirable when deploying the virtual editions of BIG-IP products, which do not support key encryption on hardware.

Next: Protect Cardholder Data

ps

Our Identity Crisis
As a kid, my mom would constantly remind me that I was a Hawaiian Prince – a direct descendant of King Kamehameha’s grandparents and the Kekaulike (23rd Moi of Maui) line. I was born in Hawaii but grew up on the East Coast so as a kid, I was embarrassed to be of Hawaiian Royalty since it was different from the typical ethnic groups of the New England states but that was/is Who I Am. Of course as I got older I like being 254th in line to the Hawaiian throne…if it was still a sovereign kingdom.

Your identity is what makes you, You. It is made up of things like, Your Family, Your history, What you say, What you know, Where you are, What you share, Who you know, Your preferences, Your choices, Your reputation, Your profession, Your biggest fears, Your greatest love and all the nuances that make each of us an individual. This information is available on the web, in profiles, contacts, email, data, documents, music, images, blogs, favorites…. Networks… you name it.

Some may confuse ‘image’ or ‘persona’ with identity. Many celebrities have images to keep, or present a persona that they want their audience to latch to but many times, it is not their true identity and who they really are at their core. There are also certain pieces of our identity we’d also like to keep secret. That’s the same information that the crooks want.

As we approach the holidays, this is an especially critical time to keep an eye on our information and those devices that contain our information, like our mobile devices. You may have seen the recent commercials about making payments over your smartphone – the one where everyone pulls out their phones after dinner to pay their share and the guy with cash looks like the fool. Huh? I got real, crisp, green money in my hand, right from the ATM and nobody wants it. The mobile payment infrastructure is still in the early stages but you can imagine the schemes already being hatched by those who would love to intercept those transactions.
And speaking of crooks, did you see that 111 arrested in massive ID theft bust in New York? Prosecutors are calling it the largest ID theft fraud case in US history. For two years, law enforcement dug in for ‘Operation Swiper,’ which targeted a very sophisticated ID theft ring who recruited and paid restaurant workers, retail cashiers and even bank tellers to steal credit card numbers and quickly convert that data into cash. They had everything – computers, skimmers, card readers, embossers, credit card blanks and shopping crews who went coast-to-coast buying high end merchandise while staying in 5-star hotels. They made off with over $13 Million in less than a year and a half.

On a separate but positive note, a new Federal law was passed to protect foster children from identity theft. This new law requires states to run credit checks on older foster children and work to resolve ID theft cases so when the child reaches adulthood, they have a clean slate. Foster children are prime targets for and face greater risks of ID theft since their information passes through so many hands and agencies. Most states also still use the foster child’s SSN to identify them, adding to the risk. Many foster children enter adulthood with massive debt due to someone else leaving them with bad credit. This law is intended to both protect against that and help those who have been victims.

And lastly, next week is the 4th annual National Protect Your Identity Week (PYIW). Multiple Better Business Bureaus are joining several government agencies and other national advocacy organizations to offer educational workshops, free document shredding and computer recycling. Javelin Strategy and Research noted that in 2010, 8.1 million adults were victims of identity theft resulting in the loss of $37 billion. Plus, according to AllClear ID, children are 51 times more likely to have their identity stolen.
So as the year end festivities start heating up, don’t forget to keep an eye on you along with protecting and embracing your identity.

ps

Related:
· 111 arrested in massive ID theft bust
· Foster children gain protection from ID theft
· New law protects foster kids from identity theft
· Identity Theft Bust Exposes Need For 'Smart' Credit Cards
· Alleged Identity Theft Leads to Chase From TD Bank
· Protecting yourself from identity theft
· Identity Theft and Your Family: Deterring Disaster
· The Web Leaks Like a Sieve

Technorati Tags: F5, PCI DSS, virtualization, cloud computing, Pete Silva, security, cloud, credit card, compliance, web, internet, cybercrime, holiday shopping, identity theft

Hackers Hit Vacation Spots
Just when you were having all that fun running around the waterpark and playing those arcade games comes news that the card processing system of Vacationland Vendors Inc., a Wisconsin Dells firm that supplies arcade games and installs vending machines, was breached. From the notice on their website, they say, ‘Vacationland Vendors recently discovered that an unauthorized person wrongfully accessed certain parts of the point of sales systems that Vacationland Vendors uses to process credit and debit transactions at the Wilderness Resorts.’ Up to 40,000 debit or credit cards that were used in the arcades any time between December 2008 and May 2011 at the Wilderness Waterpark Resort near Wisconsin Dells and a companion resort in Tennessee are potentially compromised. The hackers, according to Vacationland Vendors, improperly acquired credit card and debit card information, and around 20 accounts have shown irregular activity. Reservation and restaurant transactions were not involved in the breach, only the point-of-sale devices. Malware was the apparent culprit.

Point-of-sale devices and the networks they are connected to are often the target of malicious hackers. These ‘kiosks’ are typically unattended and might be in locations where observation is limited. A couple of years ago, Target’s breach was the result of hackers gaining access via the customer service kiosks, and the huge hit at Heartland Payment Systems, resulting in tens of millions of exposed credit and debit cards, was from a breach of the company's point-of-sale network. After successfully installing malicious software, thieves are able to sniff and intercept payment card data as the information is transmitted within the internal network or to the bank for authorization. It might not even be encrypted as it travels; if it was, then the crooks wouldn’t have the info. Many people may think these kiosk point-of-sale devices are safe since they take credit card data and merchants need to be PCI compliant.
While the overall deadline for PCI 1.2 compliance was a couple of years ago (and PCI 2.0 at the end of this year), the deadline for unattended point-of-sale devices was July 2010, a little over a year ago. That’s why you’ve seen a whole slew of new gas station pumps at your favorite fueling stations, and just like regular compliance, it’s going to take time to update all the point-of-sale devices. Now, I’m not insinuating that the arcade devices were not PCI compliant, since nothing has been reported about that, but what I am saying is be careful with those since you may not know whether a device is compliant or not. If it looks a few years old, then most likely it is not.

With this and other similar point-of-sale breaches, many security experts (and even the Heartland CEO) believe end-to-end encryption is necessary, even when transmitting on the internal network, from the time the card is swiped all the way until the data reaches the processor or bank. Many credit card swipe terminal vendors are building encryption into the hardware itself, and F5 can help keep that information encrypted while it’s travelling the great unknown. Our BIG-IP APM and BIG-IP Edge Gateway (voted Best Secure Remote Access Product by TechTarget Readers) can easily encrypt any traffic, internal or external. Heck, even a couple of BIG-IP LTMs running our latest v11 code can initiate a secure tunnel between them, creating an instant, secure WAN connection.

With the advent of credit card swiping capabilities on mobile phones now in full force, I’m not sure if this is going to get better or worse. The terminal might be fine, but if you install a hacked mobile payment app, then you can skim credit card info like the pros. Remember, humans will often trade privacy for convenience.
ps

Related blogs & articles:
Vending machine company announces major data breach
Vending Company Reports Significant Data Breach
Security breach affects card users tied to Wilderness arcade
Vacationland Vendors Notice
Encryption Anywhere and Everywhere
Will you Comply or just Check the Box?
PCI Turns 2.0
CloudFucius Wonders: Can Cloud, Confidentiality and The Constitution Coexist?
Identity Theft Resource Center

Identity Theft: Good News-Bad News Edition
So which would you like first? Javelin Strategy & Research said identity theft incidents were down 28% in 2010 (vs. 2009) according to their latest consumer survey. This is the lowest level since 2007 and about 3 million fewer victims than in 2009. They partially attribute this to a decline in industry-reported data breaches, going from 604 (221 million exposed records) to 404 (26 million exposed records) in 2010, along with economic conditions, better security measures and busts by law enforcement playing a major role. If you have an existing credit card account, there’s good news on that front also – fraud from existing credit cards was down 38% ($14 billion) compared to 2009 ($23 billion). New account fraud, where the victim might not have any idea that an account was opened in their name, took top honors among types of fraud with $17 billion siphoned. ‘Change in physical address’ was the No. 1 method of account takeover reported by victims.

Don’t drop the confetti yet, however. While the overall numbers look encouraging, the devil is in the details, as the cliché goes. Even though the overall numbers are down, the consumer out-of-pocket expense to resolve ID fraud went from $387 per incident to $631 in 2010 – a 63% increase. Because criminals are using more clever ways to steal your data, you have to spend more time fixing the issue and the costs can grow. Your friends and family are also sticking it to ya. ‘Friendly Fraud,’ when someone you know steals your info, increased 7%, with 41% of this batch saying their SSN was stolen. They also found a correlation between retail sales and identity fraud. When sales are up, fraud is down, and when sales are down, fraud goes up, says James Van Dyke, founder of Javelin Strategy & Research. He feels that when the economy is doing well and people can make purchases with their own money, they are less likely to steal.
Add to that, better security measures are in place and people are more aware of identity fraud, thus they keep a better eye on questionable transactions. Another bad sign is that while credit card fraud has dropped, debit card fraud went from 26% to 36% in a year. This could be due to more people using debit cards rather than credit for purchases, but also due to debit’s lower level of protection when it comes to fraud. Some would question the validity of the survey since it is a ‘self-report’ telephone survey, and bank data would argue that fraud is actually up in many areas. There are many more intriguing tidbits in the report, and you can check out Javelin’s report with a couple of interesting charts here.

ps

The New Wallet: Is it Dumb to Carry a Smartphone?
When I was a teenager, I used to have one of those cool nylon surfer wallets with the Velcro close, you remember those, don’t ya? While pumping diesel (I had a VW Rabbit) one day at an old Gulf station, I left the wallet on top of the car and drove off. Realizing that my wallet was not snug in the sun visor when I got home, I retraced my path and found it - parts of it - scattered all over Route 1. Luckily, I got most of my belongings back but had that sickened feeling of almost losing my most precious possession at the time, my fake I……um, my driver’s license. I then got a leather wallet and shoved so many things in there I could have been mistaken for George Costanza, not to mention the hole that evolved right at the bottom point of my back pocket. Not liking the bump on my butt, I eventually moved to ‘money-clip’ type holders, you know, those money holder things you carry in your front pocket. I felt ‘safer’ knowing it was in my front pocket, and I only carried the essentials that I needed rather than the reams of receipts I’d have in my wallet. When I was younger, I’d use tie clips, metal binder clips and other things until I got a nice Harley-Davidson one which holds credit cards and clips currency. I’d still feel sick if I lost it, however.

Not having a wallet, purse, money clip or other currency container at all may eventually be our new reality. You see, our smartphones are starting to carry all that digital information for us, and according to a recent CNNMoney article, our smartphones are becoming one of our most dangerous possessions. We can do banking, make payments, transfer money, and use the phone for loyalty card swipes along with credit card transactions. At the same time, mobile users are more vulnerable to phishing attacks, some banking apps for Android and iPhone expose sensitive info, an Android Trojan has emerged in U.S. download sites, and IPv6 on smartphones compromises users' privacy.
We knew it would eventually happen, but the crooks are now adapting to the explosive mobile growth, the rise of mobile banking and our never-ending connection to the internet. Don’t get me wrong, like many of you, I love having email, contacts, calendar and entertainment at my fingertips along with the convenience of having all my stuff with me; but the chances of losing much more greatly increase, since you have the equivalent, or even more, of all your credit cards, personal and private information and other sensitive stuff right on your smartphone. Sure, there are backup programs, but how many of you actually back up your computer on a weekly basis? How many have wipe or lock software installed to destroy everything on the smartphone if it is stolen? How many have tracking software if it is lost? How many have your actual home address in the GPS navigator so the offender can find where you live and visit while you are away? How many have sensitive corporate information stored on the smartphone since you use it for both personal and business use? Now I’m starting to spook myself.

Many people will willingly trade some personal info for personal convenience. You might never give a total stranger your home address and phone number, but if they add, ‘in exchange, we’ll give you this branded card and you’ll get 10% off every purchase,’ more than likely we’ll turn that personal info over. If you understand that every purchase will be scanned, sent to a database and used for marketing or, as the merchant describes it, to ‘provide you with the best service and offerings,’ then you might accept that.
If you accept and understand the risks of doing mobile banking, transferring money, making payments and carrying around your entire life on your mobile device, and take actions to mitigate those risks, like using encryption, backups, wipe/locate software, antivirus, OS updates and other mobile security precautions, along with practicing the same discretion as you would with your home computer (like not clicking links from strangers), then you should stay relatively safe. Unless, of course, you leave that digital wallet on the top of your vehicle and drive off.

ps

Resources
Android Trojan Emerges In U.S. Download Sites
Sophisticated New Android Trojan "Geinimi" Spreading in China
Chinese crack down on 'money-sucker' Androids
Your most dangerous possession? Your smartphone
IPv6: Smartphones compromise users' privacy
Mobile users more vulnerable to phishing attacks
Report: Banking Apps for Android, iPhone Expose Sensitive Info
Make Sure Your Smartphone Payments Are Secure
F5 BIG-IP Edge Client App
F5 BIG-IP Edge Portal App
Securing iPhone and iPad Access to Corporate Web Applications – F5 Technical Brief
Audio Tech Brief - Secure iPhone Access to Corporate Web Applications