Archive for October, 2012

The Spooky Side of Healthcare Cybercrime and Steps to Protect Your Data

Article source: http://www.healthcareitnews.com/blog/spooky-side-healthcare-cybercrime-and-steps-protect-your-data

South Carolina Data Breach Casts Spotlight on Lack of Encryption, Stolen Credentials

South Carolina governor Nikki Haley said a mouthful this week when she spilled a dirty industry secret that Social Security numbers are generally not encrypted by state agencies. Reeling from a Department of Revenue data breach that leaked 3.6 million Social Security and credit card numbers as well as other personally identifiable information for more than three-fourths of the state’s residents, Haley called encryption complicated and cumbersome technology.

“The industry standard is that most Social Security numbers are not encrypted. A lot of banks don’t encrypt. A lot of those (government) agencies you might think encrypt Social Security numbers actually don’t,” Haley said during a press conference this week. “It’s not just that this was a DOR situation, but an industry situation.”

While Haley may be correct that most agencies don’t deploy encryption, there are other data protection technologies that could help keep personal data away from hackers. Encryption, meanwhile, is a go-to technology in environments governed by the PCI-DSS standard as well as data breach notification laws which do not mandate public disclosure if lost data is encrypted.

South Carolina residents, meanwhile, are under the gun for identity theft and a host of other potential financial issues related to the breach. Greenville Online reports today that the breach includes some businesses and that the attack was pulled off using legitimate credentials stolen from one of 250 state employees with access to the DOR database in question.

DOR director Jim Etter said that state identity numbers used for businesses were also stolen along with 3.6 million Social Security numbers and 387,000 credit card numbers; 16,000 of those credit card numbers were not encrypted. The breach began in late August and the Secret Service notified the state on Oct. 10 of the incident.

Attackers, meanwhile, have been making great use of stolen credentials, not only for identity theft scams, but in higher level, state-sponsored attacks against manufacturers, the defense industrial base and other government agencies.

“Within local and state governments, most don’t encrypt SSN numbers. That’s why we are seeing record numbers of SSNs be stolen in 2012,” said Adrian Lane, analyst and CTO at Securosis. “But with most other industries — and specifically banks — they do encrypt PII to protect their customers and their own businesses.”

Prior to the South Carolina breach, 18 breaches in October alone involved tens of thousands of compromised Social Security numbers, according to the Privacy Rights Clearinghouse and the Data Loss Database.

“In most cases, encryption or other forms of obfuscation (masking, tokenization) can be done transparently to business operations, and at a reasonable cost,” Lane said. “It need not be complicated — but you have to actually invest some time and money to get it done, and that’s how most states fail.”  

Governor Haley, meanwhile, said her state is now evaluating encryption as an option, looking at cost and implementation timelines, she said.

“When something like this happens, it forces a whole new conversation,” she said. “This is a situation where a sophisticated, intelligent criminal got into a database and it’s unbelievably creative how they did it. And now we have to deal with it.”

In the meantime, the state is paying for a year of real-time credit monitoring for anyone who signs up, and offering $1 million in insurance to residents to help pay for any breach-related investigation costs.

Sam Curry, CTO of RSA Security’s identity theft and data protection business unit, said any organization must properly assess risks in conjunction with current threats, determine targets and then think about compensating controls such as encryption and tokenization.

“The tools are advanced enough now that if you do your risk assessments correctly and then downstream reduce the places where PII exists, you can then put controls in place with the right processes around them,” Curry said.
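Lane’s point about tokenization and masking, and Curry’s about reducing the places where PII exists, can be made concrete. The Python below is an added illustration written for this page, not code from Securosis, RSA or any state agency; the `TokenVault` class, the record layout, the index key and the SSN values are all constructed for the demo. The application database keeps only a random token and a keyed blind index, so a dump of it yields no SSNs, and the vault that maps tokens back becomes a much smaller system to defend.

```python
import hashlib
import hmac
import re
import secrets

SSN_RE = re.compile(r"\d{3}-\d{2}-\d{4}")


class TokenVault:
    """Constructed token vault: the only place the real SSN is stored.
    In a deployment this sits in its own tightly controlled store, separate
    from the application database that holds the tokens."""

    def __init__(self):
        self._token_to_ssn = {}
        self._ssn_to_token = {}

    def tokenize(self, ssn):
        if not SSN_RE.fullmatch(ssn):
            raise ValueError("malformed SSN")
        if ssn in self._ssn_to_token:          # same SSN always maps to the same token
            return self._ssn_to_token[ssn]
        token = "tok_" + secrets.token_hex(8)  # random, so the token itself carries no information
        self._token_to_ssn[token] = ssn
        self._ssn_to_token[ssn] = token
        return token

    def detokenize(self, token):
        return self._token_to_ssn[token]


def mask_ssn(ssn):
    """Masking for display: only the last four digits survive."""
    if not SSN_RE.fullmatch(ssn):
        raise ValueError("malformed SSN")
    return "***-**-" + ssn[-4:]


def blind_index(ssn, index_key):
    """Keyed hash used to look records up by SSN without storing the SSN.
    An unkeyed hash would not do: there are only a billion possible SSNs,
    so anyone holding the dump could enumerate them."""
    return hmac.new(index_key, ssn.encode(), hashlib.sha256).hexdigest()


def store_customer(vault, app_db, index_key, name, ssn):
    """Write a record that contains a token and a blind index, never the SSN."""
    record = {
        "name": name,
        "ssn_token": vault.tokenize(ssn),
        "ssn_index": blind_index(ssn, index_key),
    }
    app_db.append(record)
    return record


def find_by_ssn(app_db, index_key, ssn):
    wanted = blind_index(ssn, index_key)
    return [r for r in app_db if r["ssn_index"] == wanted]


def app_db_contains_plaintext_ssn(app_db, ssn):
    """What a breach of the application database alone would expose."""
    return any(ssn in str(value) for record in app_db for value in record.values())


def demo():
    vault = TokenVault()
    index_key = secrets.token_bytes(32)   # held by the application tier, not in the database
    app_db = []
    store_customer(vault, app_db, index_key, "Constructed Resident", "123-45-6789")
    hit = find_by_ssn(app_db, index_key, "123-45-6789")[0]
    return {
        "display": mask_ssn(vault.detokenize(hit["ssn_token"])),
        "db_leaks_ssn": app_db_contains_plaintext_ssn(app_db, "123-45-6789"),
    }
```

The design point is the split of trust: the application database, the index key and the vault are three separate things, and an attacker with stolen credentials for the first of them, which is what the South Carolina attacker had, gets tokens and keyed hashes rather than SSNs.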

Curry added that organizations cannot underestimate the importance of intelligence gathering about threats and systems in place on a network, as well as a proper investment in incident response.

“I’m always leery of people who say ‘If we only had X…’ Well if you only had X, the bad guys would have attacked Y,” Curry said. “I care more about processes and approaches versus which widget you’ve bought.”

Article source: http://threatpost.com/en_us/blogs/south-carolina-data-breach-casts-spotlight-lack-encryption-stolen-credentials-103112

Final Report on DigiNotar Hack Shows Total Compromise of CA Servers

The attacker who penetrated the Dutch CA DigiNotar last year had complete control of all eight of the company’s certificate-issuing servers during the operation and he may also have issued some rogue certificates that have not yet been identified. The final report from a security company commissioned to investigate the DigiNotar attack shows that the compromise of the now-bankrupt certificate authority was much deeper than previously thought.

In August 2011 indications began to emerge of a major compromise at a certificate authority in the Netherlands, previously unknown to most of the Internet’s citizens, and the details quickly revealed that the attack would have serious ramifications. The first public acknowledgement of the attack was the discovery of a large-scale man-in-the-middle attack against Gmail users in Iran. Researchers investigating that attack discovered that the operation was using a valid wildcard certificate, issued by DigiNotar, for *.google.com, giving the attacker the ability to impersonate Google to any browser that trusted the certificate.

It quickly emerged that the attacker also had obtained valid certificates for a number of other high-value domains, including Yahoo, Mozilla and others. The browser manufacturers scrambled to revoke trust in the compromised certificates and reassure users that the Internet was not broken. Now Fox-IT, the Dutch company brought in at the time of the attack in 2011 to find the root cause and determine the extent of the damage, says in its final report that the attack was wide-ranging and likely started more than a month before the CA discovered it.

“The investigation by Fox-IT showed that all eight servers that managed Certificate Authorities had been compromised by the intruder. The log files were generally stored on the same servers that had been compromised and evidence was found that they had been tampered with. Consequently, while these log files could be used to make inconclusive observations regarding unauthorized actions that took place, the absence of suspicious entries could not be used to conclude that no unauthorized actions took place,” the report, which was just made public this week, says.
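The defensive consequence of that finding is that logs kept on the host they describe prove nothing once the host is owned. The Python below is an added example, not from the Fox-IT report or from DigiNotar, showing a hash-chained log whose head hash is copied to another host as it is written. The event strings and the `remote_anchor` variable are constructed for the demo. Editing an entry in place breaks the chain; deleting an entry and rebuilding the chain locally passes a local check, which is exactly why the off-host copy of the head is the part that matters.

```python
import hashlib

GENESIS = "0" * 64


def entry_hash(prev_hash, seq, record):
    """Each entry commits to its predecessor's hash, its position and its text."""
    return hashlib.sha256(f"{prev_hash}|{seq}|{record}".encode()).hexdigest()


class ChainedLog:
    def __init__(self):
        self.entries = []
        self.head = GENESIS

    def append(self, record):
        seq = len(self.entries)
        h = entry_hash(self.head, seq, record)
        self.entries.append({"seq": seq, "record": record, "hash": h})
        self.head = h            # in a deployment, ship this head to a separate host now
        return h


def build_chain(records):
    log = ChainedLog()
    for r in records:
        log.append(r)
    return log


def verify_chain(entries, expected_head):
    """Recompute the chain and compare its end to a head obtained off-host."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if e["seq"] != i:
            return False, f"sequence gap at {i}"
        if entry_hash(prev, e["seq"], e["record"]) != e["hash"]:
            return False, f"entry {i} altered"
        prev = e["hash"]
    if prev != expected_head:
        return False, "head mismatch: entries rewritten or truncated"
    return True, "ok"


# Constructed CA event log; entry 2 is the kind of record an intruder would want gone
CONSTRUCTED_EVENTS = [
    "2011-06-17 console login by operator",
    "2011-07-10 issued serial=01 CN=www.example.nl",
    "2011-07-10 issued serial=02 CN=*.example.net",
    "2011-07-11 nightly backup completed",
]


def demo():
    log = build_chain(CONSTRUCTED_EVENTS)
    remote_anchor = log.head   # constructed stand-in for the copy held on another host

    # 1. an edit in place, without recomputing hashes, breaks the chain
    edited = [dict(e) for e in log.entries]
    edited[2]["record"] = "2011-07-10 routine maintenance"

    # 2. an intruder who owns the host deletes entry 2 and rebuilds the chain consistently
    pruned = build_chain([r for i, r in enumerate(CONSTRUCTED_EVENTS) if i != 2])

    return {
        "intact": verify_chain(log.entries, remote_anchor)[0],
        "edited_in_place": verify_chain(edited, remote_anchor)[0],
        "rechained_checked_locally": verify_chain(pruned.entries, pruned.head)[0],
        "rechained_checked_against_anchor": verify_chain(pruned.entries, remote_anchor)[0],
    }
```

The third result is the one to notice: a chain verified only against its own head on the compromised server looks fine after the deletion. Without the anchor, the absence of entries means nothing, which is the report’s conclusion restated in code.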

One of the most worrisome aspects of the DigiNotar breach at the time it leaked out was that the company not only was a commercial CA, but it also issued government certificates, calling into question the legitimacy of those certificates, as well. The Fox-IT report says there are some indications in their investigation that the attacker may have issued some rogue certificates that have not been identified yet, a troubling prospect.

“Serial numbers for certificates that did not match the official records of DigiNotar were recovered on multiple CA servers, including the Qualified-CA server which was used to issue both accredited qualified and government certificates, indicating that these servers may have been used to issue additional and currently unknown rogue certificates,” the report says.

An anonymous hacker who earlier had claimed responsibility for the attack on Comodo, another certificate authority, said he also had executed the DigiNotar hack. In its report, Fox-IT said that there were some signs that the same person who compromised Comodo had indeed penetrated DigiNotar, as well.

“A fingerprint that was left by the intruder was recovered on a Certificate Authority server, which was also identified after the breach of the Certificate Service Provider Comodo in March of 2011. Over the course of the intrusion at DigiNotar, the intruder used multiple systems as proxies in order to obscure his true identity. However, several traces were recovered during the investigation by Fox-IT that independently point to a perpetrator located in the Islamic Republic of Iran,” the report says.

DigiNotar had its network highly segmented and had a number of those segments separated from the public Internet. However, the company did not have strict enforcement of the rules on its network, something that may have enabled the attacker to move from the Web server he initially compromised over to the servers that house the certificate authorities.

“The investigation showed that web servers in DigiNotar’s external Demilitarized Zone (DMZ-ext-net) were the first point of entry for the intruder on June 17, 2011. During the intrusion, these servers were used to exchange files between internal and external systems, with scripts that were placed on these systems serving as rudimentary file managers,” the Fox-IT report says.

“From the web servers in DMZ-ext-net, the intruder first compromised systems in the Office-net network segment between the 17th and 29th of June 2011. Subsequently, the Secure-net network segment that contained the CA servers was compromised on July 1, 2011. Specialized tools were recovered on systems in these segments, which were used to create tunnels that allowed the intruder to make an Internet connection to DigiNotar’s systems that were not directly connected to the Internet. The intruder was able to tunnel Remote Desktop Protocol connections in this way, which provided a graphical user interface on the compromised systems, including the compromised CA servers.”

The attack on DigiNotar lasted for nearly six weeks, from start to finish, according to the report, and the attacker was using multiple systems outside and inside the network during the operation.

“The investigation by Fox-IT showed that all servers that managed Certificate Authorities had been compromised by the intruder, including the Qualified-CA server, which was used to issue both accredited qualified and government certificates. In total, a non-exhaustive list of 531 rogue certificates with 140 unique distinguished names (DNs) and 53 unique common names (CNs) could be identified. The last known date for traffic that was initiated from within DigiNotar’s network to an IP address that was presumably (ab)used by the intruder was on July 22, 2011. Traces of activity by the intruder in DMZ-ext-net were found up to July 24, 2011,” the report says.
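The report’s count of rogue certificates is a reconciliation of what was recovered from the CA servers against what the CA’s own records say was issued. The Python below is an added example written for this page, not Fox-IT’s tooling; the serials, subject DNs and server names (other than the Qualified-CA name the report itself uses) are constructed. It lists serials with no official record, groups them by the server they were found on, and counts unique DNs and CNs the way the report does. The report’s caveat applies here as well: this finds only serials that left traces, so an empty result is not proof that nothing else was issued.

```python
from collections import defaultdict

# Constructed data: serials the CA's official issuance records say were issued
OFFICIAL_SERIALS = {"0a1", "0a2", "0a3"}

# Constructed data: (serial, subject DN, server found on) recovered from CA servers
RECOVERED = [
    ("0a1", "CN=www.example.nl, O=Example BV, C=NL", "Public-CA"),
    ("0a2", "CN=mail.example.nl, O=Example BV, C=NL", "Public-CA"),
    ("0a3", "CN=portal.example.nl, O=Example BV, C=NL", "Qualified-CA"),
    ("0b1", "CN=*.example.net, O=Example Net Inc, C=US", "Public-CA"),
    ("0b2", "CN=*.example.net, O=Example Net Ltd, C=GB", "Public-CA"),   # same CN, different DN
    ("0b3", "CN=login.example.org, O=Example Org, C=US", "Qualified-CA"),
    ("0b3", "CN=login.example.org, O=Example Org, C=US", "Root-CA"),     # same rogue cert on two servers
]


def parse_dn(dn):
    """Split 'CN=x, O=y, C=z' into a dict keyed by attribute type."""
    attrs = {}
    for rdn in dn.split(","):
        key, _, value = rdn.strip().partition("=")
        attrs[key.strip().upper()] = value.strip()
    return attrs


def normalize_serial(serial):
    """Serials turn up as '0A1', '0x0a1', 'a1' in different artifacts; compare as integers."""
    return format(int(serial, 16), "x")


def reconcile(recovered, official_serials):
    official = {normalize_serial(s) for s in official_serials}
    rogue = {}                                  # serial -> {"dn": ..., "servers": set()}
    for serial, dn, server in recovered:
        s = normalize_serial(serial)
        if s in official:
            continue
        entry = rogue.setdefault(s, {"dn": dn, "servers": set()})
        entry["servers"].add(server)

    by_server = defaultdict(set)
    for s, entry in rogue.items():
        for server in entry["servers"]:
            by_server[server].add(s)

    return {
        "rogue_serials": set(rogue),
        "unique_dns": {entry["dn"] for entry in rogue.values()},
        "unique_cns": {parse_dn(entry["dn"]).get("CN") for entry in rogue.values()},
        "by_server": dict(by_server),
    }
```

Grouping by server is what lets an investigator say which issuing CA, and therefore which trust anchor, must be treated as compromised; a rogue serial on the Qualified-CA server is the government-certificate problem the article describes.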

The attacker had complete control of the CA servers during the attack and had the ability to alter log files, which were kept on the same servers as the CAs, and to make changes to the database. An interesting detail from the report is that DigiNotar could not produce any records showing whether a smart card had been used to activate the private keys in the hardware security module that correspond to the compromised CAs. The attacker would not have been able to issue the rogue certificates without the private keys, so he also needed to find a way to activate them.

“The private keys were activated in the netHSM using smartcards. No records could be provided by DigiNotar regarding if and when smartcards were used to activate private keys, except that the smartcard for the Certificate Authorities managed on the CCV-CA server, which is used to issue certificates used for electronic payment in the retail business, had reportedly been in a vault for the entire intrusion period,” Fox-IT’s report says.

Article source: http://threatpost.com/en_us/blogs/final-report-diginotar-hack-shows-total-compromise-ca-servers-103112

Cisco Patches Vulnerabilities in Data Center and Web Conferencing Products

Cisco is warning its customers about a remote command execution vulnerability in its Cisco Prime Data Center Network Manager. The product manages Ethernet and storage networks and troubleshoots performance issues on Cisco products running NX-OS software. Versions prior to 6.1.1 are vulnerable to remote exploits on the underlying system that hosts the application, Cisco said.

An attacker could send arbitrary commands via the JBoss Application Server Remote Method Invocation (RMI) service, which is exposed to unauthenticated users. Cisco said no exploits are in the wild, but there is a Metasploit module that would exploit the JBoss configuration in question.

Users are urged to upgrade to release 6.1.1. In the meantime, allowing only legitimate devices to connect to the RMI registry port (either TCP 1099 or 9099) will serve as a workaround.

Cisco is also reporting a SQL injection and buffer overrun vulnerability in its Cisco Unified MeetingPlace Web Conferencing product. Attackers can use a SQL injection to create, delete or alter information in the product’s database. Exploiting the buffer overrun flaw could crash the server hosting the product.

Versions prior to and including 7.0 are vulnerable, as well as 7.1, 8.0 and 8.5.

Updates have been released that address these two vulnerabilities. No workarounds are available, Cisco said. 

Article source: http://threatpost.com/en_us/blogs/cisco-patches-vulnerabilities-data-center-and-web-conferencing-products-103112

Porticor Data Security Platform Designed for Cloud

The Virtual Private Data (VPD) cloud-based data-encryption solution uses a homomorphic key-encryption approach and encrypts the entire data layer.

Cloud security specialist Porticor announced on Oct. 30 the availability of its cloud-based data-encryption solution, Virtual Private Data (VPD), which is designed to protect public, private and hybrid cloud data while stored and in use. The offering is currently available directly from Porticor through the company’s Website. The VPD is deployed in the cloud and managed from Porticor’s customer portal, with prices starting at $65 per month per Porticor Virtual Appliance.

The company’s patented Virtual Key Management service, with split-key encryption technology, keeps encryption keys in the organization’s control, delivering a cloud-based key management system for cloud data at rest. In addition, Porticor keeps the master encryption keys fully encrypted and secured even while being used to access cloud data.

“Potential cloud users worry about two things about information protection in the cloud—protecting it from other tenants and protecting it from the cloud provider,” Neil MacDonald, vice president and fellow at IT research firm Gartner, said in a statement. “Encryption is one protection option; however, when the encryption keys are used, data is at risk at that point. A solution that works completely in the cloud, yet is able to keep the keys protected in memory would help reduce the scope of a possible breach entry point.”

The platform, made up of the Porticor Virtual Appliance and the Porticor Virtual Key Management Service, uses a homomorphic key-encryption approach, a technique that enables mathematical operations to be performed on encrypted data. Porticor technology implements partially homomorphic encryption techniques for combining and splitting encryption keys, enabling the VPD system to give the application access to the data store without exposing the master keys in an unencrypted state. It also ensures that if a master key is stolen, it can still never be used to access a data store.
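The article does not describe Porticor’s patented scheme in detail, so the Python below is an added, generic illustration of the split-key idea and not the company’s implementation: a master key is split into two XOR shares held by different parties, the key is reassembled only transiently at the moment of use, and, because XOR sharing is linear, one party can rotate its share without anyone ever holding the assembled master. The HMAC-based stream cipher is a toy constructed for the demo, standing in for an authenticated cipher.

```python
import hashlib
import hmac
import secrets


def xor_bytes(a, b):
    if len(a) != len(b):
        raise ValueError("length mismatch")
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(master):
    """Two-party XOR sharing: one share is random, the other is master XOR random.
    Either share on its own is uniformly random and reveals nothing about the master."""
    customer_share = secrets.token_bytes(len(master))
    provider_share = xor_bytes(master, customer_share)
    return customer_share, provider_share


def combine_shares(share_a, share_b):
    return xor_bytes(share_a, share_b)


def keystream(key, nonce, length):
    """Toy stream cipher (HMAC-SHA256 in counter mode) constructed for this demo only;
    a real deployment would use an authenticated cipher such as AES-GCM."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key, nonce, data):
    return xor_bytes(data, keystream(key, nonce, len(data)))


decrypt = encrypt   # XOR stream: the same operation decrypts


def rotate_provider_share(provider_share, delta):
    """XOR sharing is linear: changing one share by delta rotates the master key to
    master XOR delta. Neither party needs to see the old or the new master to do this."""
    return xor_bytes(provider_share, delta)


def demo():
    master = secrets.token_bytes(32)
    customer_share, provider_share = split_key(master)
    nonce = secrets.token_bytes(8)
    plaintext = b"constructed customer record: ssn=000-00-0000"
    ciphertext = encrypt(master, nonce, plaintext)

    # The full key exists only here, in memory, for the duration of the operation
    assembled = combine_shares(customer_share, provider_share)
    results = {
        "shares_recombine": assembled == master,
        "full_key_decrypts": decrypt(assembled, nonce, ciphertext) == plaintext,
        "stolen_customer_share_useless": decrypt(customer_share, nonce, ciphertext) != plaintext,
        "stolen_provider_share_useless": decrypt(provider_share, nonce, ciphertext) != plaintext,
    }

    delta = secrets.token_bytes(32)
    new_provider_share = rotate_provider_share(provider_share, delta)
    results["rotation_without_reassembly"] = (
        combine_shares(customer_share, new_provider_share) == xor_bytes(master, delta)
    )
    return results
```

What this does and does not buy is worth being precise about: a thief who gets one stored share, or a dump of one party’s store, has nothing; a thief who can read the memory of the process at the moment the shares are combined still gets the key. That residual exposure at the point of use is the gap MacDonald’s quote above refers to.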

Porticor encrypts the entire data layer, including virtual disks, databases, files and distributed storage, and has a minimal impact on application performance or latency. Organizations can create as many Porticor appliances or agents as necessary, and in addition to a management user interface, the company also offers a secure cloud-based application programming interface (API).

“With this release, Porticor enhances the high levels of trust it was already infusing into the cloud with our split-key method to now fully protect cloud data at rest and in use,” Porticor founder and CEO Gilad Parann-Nissany said in a statement. “Now, organizations can trust their data to the cloud, knowing that their data-encryption keys are kept private 100 percent of the time. Because the encryption keys are never exposed to risk, Porticor’s cloud data security system delivers the highest levels of data security available on premise or in the cloud.”

Article source: http://feeds.ziffdavisenterprise.com/~r/RSS/eweeksecurity/~3/h4IFDfAJ2Ls/

Huawei Faces Hacker Critic to Help Clear Its Name: Report

Huawei continues to take steps to help clear its name as a telecom security threat. It’s now taking advice from one of its major critics, hacker Felix Lindner, says a new report.

Huawei, the Chinese telecom equipment company that officials in the United States and other countries have deemed a national security threat, is taking steps to clean up its act. Or rather, its coding.

The company is sending a team of engineers to visit Felix Lindner, a former hacker in Germany who has publically criticized Huawei products, pointing out vulnerabilities in products from inexpensive Internet devices for the home to multi-million-dollar equipment.

Reuters reported the development Oct. 31, after speaking with John Suffolk, Huawei’s global cyber security chief, at a cyber security conference in India. Suffolk said he was attending the conference to hear what Lindner might say about Huawei, and that while Lindner’s comments can feel like a “slap in the face,” sometimes such wake-up calls are necessary.

“Sometimes you need a bit of a slap in the face to step back, not be emotive in your response, and say, ‘What do I systematically need to change so over time any of these issues begin to reduce,’” Suffolk told Reuters.

He added, “I can fix the Felix issue in a few lines of code. But I’m interested in systemic change within Huawei.”

The U.S. House Intelligence Committee released a report Oct. 8, following an 11-month investigation, warning U.S. companies in “sensitive” industries—from electric power grids to finance systems to gas, oil and water systems—not to do business with Huawei, as it poses a potential risk to U.S. security. ZTE, another China-based telecom equipment company, was also included in the warning.

“Any bug, beacon, or backdoor put into our critical systems could allow for a catastrophic and devastating domino effect of failures throughout our networks,” the committee wrote in the extensive report.

It continued, “We have serious concerns about Huawei and ZTE, and their connection to the communist government of China. China is known to be the major perpetrator of cyber-espionage, and Huawei and ZTE failed to alleviate serious concerns throughout this important investigation.”

Again suggesting Huawei’s desire to clear its name, the investigation was started at the company’s prompting—a fact that left the committee confused and frustrated when members said that Huawei was unforthcoming with information and unwilling to explain its relationship with the Chinese government or the Chinese Communist Party.  

Fears of Huawei’s connection to the Chinese government have additionally kindled from the fact that Huawei CEO and founder Ren Zhengfei is a former Chinese military officer with links to government officials. 

In another effort to move past such suspicions, Huawei set up a center in the U.K. where its products can be tested, and earlier this month announced plans to do the same in Australia.

John Lord, chairman of Huawei’s Australian business, explained to Australia’s Press Club Oct. 24 that as a business-to-business company, Huawei hadn’t grasped the need to sell itself to the public.

“Huawei has done a very poor job of communicating about ourselves and we must take full responsibility for that,” said Lord.

As for Lindner’s findings, Reuters wrote that the German researcher said he had found “no deliberate backdoors in the software” that would let the products be used for spying, but that the problem was simply “poorly written” software that left the devices vulnerable to attacks.

 

Follow Michelle Maisto on Twitter.  

Article source: http://feeds.ziffdavisenterprise.com/~r/RSS/eweeksecurity/~3/dLcXrJpqJnk/

Amazon, Equinix Data Centers Vs. Hurricane Sandy

When Hurricane Sandy hurled a blow at the data center-rich territory of northern N.J., the New York City metropolitan area and northern Virginia Monday, some large sites survived intact.

Amazon Web Services, with its U.S. East-1 complex in Ashburn, Va., and Equinix, with seven locations in New York and additional data centers in Washington, D.C., Philadelphia, Buffalo and northern N.J., reported that service was holding up in most instances, despite the storm.

The Amazon Health Services dashboard reported no outages except for its CloudFront content distribution network, which experienced “elevated error rates for content delivered out of several edge locations” between 3:40 and 5:10 p.m. EST Monday.

Other sources, on the other hand, reported at least isolated Amazon server instance outages. Compuware said its Outage Analyzer service had tracked “more than a dozen outage events on the East Coast during (Monday) afternoon and evening.”

The outages included “intermittent Amazon EC2 East outages that affected hundreds of domains, as well as outages with other shared services,” wrote Colin Mason, product manager for Outage Analyzer at Compuware. He wasn’t available to elaborate or say whether they were specifically storm related or not. But the service, using Compuware’s Gomez-collected data from around the Internet, is one way to watch for a slow down or known outage at specific cloud providers.

Another monitoring service, Boundary, is located in Ashburn, Va., along with Amazon Web Services. Molly Stamos, director of the Boundary product, said she had been monitoring the flow of customer information on the service through the day — with some customers operating servers in U.S. East-1 nearby — and didn’t see any significant outages among them.

Equinix chief of global operations, Sam Kapoor, said several Equinix sites in New York, New Jersey, Philadelphia and Washington, D.C., “experienced power outages and customer loads were transferred to generator power.” One of them, a site known as New York 9, experienced a failure in a generator “that impacted service to several customers. We made repairs and service was returned (Tuesday) morning,” Kapoor said in a statement issued at midday Tuesday.

Equinix sites in New York and Washington, D.C., “experienced water leaks. While most were minor and quickly contained, at least one leak at a New York site impacted a customer. We are currently working onsite with the customer to contain the issue,” Kapoor wrote in a message.

Unlike some sites in New York, Equinix sites “have at least 48 hours of fuel onsite with fuel vendors standing by to deliver more as needed.”

Charles Babcock is an editor-at-large for InformationWeek.

Article source: http://feeds.informationweek.com/click.phdo?i=543e0c3a9594e6268b3b92ab5f631aa4

Huawei Hits Back At U.S. Security Investigation

Executive dismisses U.S. report tying Huawei to security threats, saying it’s a case of “Americans being Americans.”

The recent U.S. House Permanent Select Committee on Intelligence report, which concludes that Huawei Technologies and ZTE are a security threat, is a case of “Americans being Americans,” according to Huawei’s VP for Western Europe. (See U.S. vs Huawei/ZTE: The Verdict.)

Speaking to the media in central London following a morning of broadband market discussions and debate, Tim Watkins said the report was “unbalanced. This is the Americans being Americans. The amount of data requested was absurd. We are very disappointed with the outcome, especially after the considerable efforts we went to” in trying to convince the U.S. investigating team that Huawei is an independent company with technology that is safe to deploy. (See Huawei Responds to U.S. Investigation.)

Watkins added that Huawei had been selected by Tier 1 operators in the U.S. but had then been “prevented from doing that business. But the Tier 2 operators are customers. We generated revenues of $1.3 billion in the U.S.” in 2011.

Read the rest of this article on Light Reading.

Article source: http://feeds.informationweek.com/click.phdo?i=0da03445732d87ff936205f0394ee954

60-Second Cash Kiosk Hackers Steal $1 Million: FBI

The FBI has arrested more than a dozen people on charges that they participated in a gang that stole over $1 million via cash-advance kiosks at 11 casinos and resorts.

According to the FBI, the related indictment, unsealed Friday, said the gang “stole the money by exploiting a gap–which required multiple withdrawals all within 60 seconds–in Citibank’s electronic transaction security protocols.” The gang predominantly targeted casinos and resorts in Las Vegas and southern California.

The FBI last week arrested 13 of the accused gang members in the Los Angeles area. But one of the alleged gang members, Levon Karamyan, 58, remains at large.

According to court documents, accused ringleader Ara Keshishyan, 29, recruited other members of the gang to open multiple Citibank checking accounts, which he filled with seed money. “When inside the casino, the conspirators, including Keshishyan, used cash advance kiosks at casinos in California and Nevada to withdraw — all within 60 seconds — several times the amount of money deposited into the accounts, by exploiting the Citibank security gap they discovered.”

The gang reportedly also kept each individual withdrawal below $10,000, which is the threshold at which casinos must report the transaction to federal authorities. “After the cash was collected from the casino ‘cages,’ Keshishyan would typically give conspirators their ‘cut’ — and keep the remainder of the stolen funds — which were often used to gamble,” according to the FBI. “The casinos frequently ‘comped’ the conspirators with free rooms due to their extensive gambling activity.”
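The article names two observable signals: withdrawals clustered inside a 60-second window and amounts kept just under the $10,000 reporting threshold. The Python below is an added detection example, not Citibank’s or the FBI’s logic, and the transaction log, account balances and kiosk names are constructed. It flags an account for a burst of withdrawals in one window, for a window whose total exceeds the balance the account started with, and for several same-day withdrawals just under the threshold. The article does not describe the exact gap in Citibank’s protocol, so the example encodes only these reported patterns.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Withdrawal:
    account: str
    ts: datetime
    amount: float
    kiosk: str


# Constructed kiosk authorization log: account, timestamp, amount, kiosk
CONSTRUCTED_LOG = """\
acct-1001,2012-10-26T21:00:05,9500.00,kiosk-A
acct-1001,2012-10-26T21:00:20,9500.00,kiosk-A
acct-1001,2012-10-26T21:00:50,9500.00,kiosk-B
acct-2002,2012-10-26T21:10:00,200.00,kiosk-A
acct-2002,2012-10-26T22:30:00,150.00,kiosk-C
"""

# Constructed available balance for each account before its first withdrawal
CONSTRUCTED_BALANCES = {"acct-1001": 9600.00, "acct-2002": 1000.00}


def parse_log(text):
    rows = []
    for line in text.strip().splitlines():
        account, ts, amount, kiosk = line.split(",")
        rows.append(Withdrawal(account, datetime.fromisoformat(ts), float(amount), kiosk))
    return rows


def analyze(withdrawals, balances, window=timedelta(seconds=60), max_in_window=2,
            report_threshold=10000.0, near_margin=1000.0):
    """Return a set of (account, reason) pairs worth an analyst's attention."""
    flagged = set()
    by_account = {}
    for w in sorted(withdrawals, key=lambda w: w.ts):
        by_account.setdefault(w.account, []).append(w)

    for account, ws in by_account.items():
        start = 0
        for end in range(len(ws)):
            # sliding window: drop withdrawals more than `window` older than ws[end]
            while ws[end].ts - ws[start].ts > window:
                start += 1
            in_window = ws[start:end + 1]
            if len(in_window) > max_in_window:
                flagged.add((account, "burst"))
            if sum(w.amount for w in in_window) > balances.get(account, 0.0):
                flagged.add((account, "overdraw"))

        # structuring: repeated same-day amounts just below the reporting threshold
        per_day = {}
        for w in ws:
            if report_threshold - near_margin <= w.amount < report_threshold:
                per_day.setdefault(w.ts.date(), []).append(w.amount)
        for amounts in per_day.values():
            if len(amounts) >= 2 and sum(amounts) >= report_threshold:
                flagged.add((account, "structuring"))
    return flagged


def run_demo():
    return analyze(parse_log(CONSTRUCTED_LOG), CONSTRUCTED_BALANCES)
```

The overdraw rule is the one that would have mattered here: it compares the sum authorized in a window against the balance at the start of that window rather than trusting each authorization’s own view of the balance, which is the kind of check that makes rapid repeated withdrawals visible even when every individual one looks fine.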

The facilities targeted were the Agua Caliente, Chukchansi, Morongo, Pechanga, San Manuel and Spa Resort casinos in California; Harrah’s in Laughlin, Nev.; as well as Bicycle, Tropicana, Wynn, and Whiskey Pete’s casinos in Las Vegas.

The cash-advance-kiosk attacks are notable for highlighting how motivated attackers might benefit from even the tiniest information security misstep. “While advancements in technology have created a world of accessibility to users and a convenience for consumers, they have also left room for criminals to exploit even the smallest of loopholes,” said FBI special agent Daphne Hearn in a statement. The flaw exploited by attackers has reportedly now been fixed.

The fraud was spotted by Citibank. “Through our own security measures and the diligence of our people we identified the fraudulent account activity and immediately notified the authorities. No customer accounts were affected by the fraudulent activity,” said Citibank spokeswoman Catherine Pulley, speaking by phone. “We will continue to work with the FBI on their investigation.”

All accused members of the gang have been charged with conspiracy to commit bank fraud and conspiracy to illegally structure financial transactions to avoid reporting requirements, which carries a maximum jail sentence of five years, as well as a $250,000 fine. The alleged ringleader, Keshishyan, also has been charged with 14 counts of bank fraud, each of which carries a prison sentence of up to 30 years, as well as a $1 million fine. All of the accused could see any ill-gotten gains forfeited, if the charges against them are proven.

The defendants, who have been arraigned, are next due back in court Nov. 30.

Article source: http://feeds.informationweek.com/click.phdo?i=e6b42c518b504f87ff295eecd972d74d