[fc-discuss] Financial Cryptography Update: Notes on today's market for threats

iang@iang.org
Sat, 20 Aug 2005 10:38:53 +0100 (BST)


(( Financial Cryptography Update: Notes on today's market for threats ))

                            August 20, 2005


------------------------------------------------------------------------

https://www.financialcryptography.com/mt/archives/000535.html



------------------------------------------------------------------------

A good article on malware for security people to brush up their
understanding:

http://www.acm.org/ubiquity/views/v6i30_kabay.html

http://balrog.de/security/archives/2005/08/18/124_honeyclients

On honey clients, with pointers to what's happening, copied verbatim:

"In my earlier post about Microsoft’s HoneyMonkey project I mentioned
that the HoneyNet Project will probably latch on and develop something
along the same lines.
In the meantime, I was notified of Kathy Wang’s Honeyclient project and
the client-side honeypots diploma project at the Laboratory for
Dependable Distributed Systems at Rheinisch-Westfälische Technische
Hochschule in Aachen."

http://www.paymentsnews.com/2005/08/towergroup_pres.html

From PaymentNews:  TowerGroup has announced new research examining the
impact that phishing attacks may be having on fraud perpetrated at ATMs
and debit POS locations that concludes that losses from fraud due to
phishing run about $81 million annually in the US.

That report is confused; it is looking at card skimming and seems to be
conflating that with phishing.  This may explain the lower-than-others
estimate of $81m, or it may be explained by the fact that they only
looked at identifiable banks' losses, not consumer losses and other
costs.  So I feel this number is a low outlier, rather than really
representative of phishing.

There is a lot of buzz on how wireless networks are being used
"routinely" to attack people.  So far it's all the same:  the attacks
are generally about gaining access, rarely about listening, and there
are no known cases of MITMs _even though they are trivial_!  Here's a
typical case pointed out by Jeroen from El Reg where the attack is
misrepresented as a bank hack over wireless:

http://www.theregister.co.uk/2005/08/19/finnish_wifi_bank_hack/
 
"The data security chief at the Helsinki branch of financial services
firm GE Money has been arrested on suspicion of conspiracy to steal
€20,000 from the firm's online bank account. The 26 year-old allegedly
copied passwords and e-banking software onto a laptop used by
accomplices to siphon off money from an unnamed bank.

"Investigators told local paper Helsingin Sanomat that the suspects
wrongly believed that the use of an insecure wireless network in
commission of the crime would mask their tracks. This failed when
police identified the MAC address of the machine used to pull off the
theft from a router and linked it to a GE Money laptop. Police say that
stolen funds have been recovered. Four men have been arrested over the
alleged theft with charges expected to follow within the next two
months. ®"

Now, we have to read that fairly carefully to figure out what happened,
and the information is potentially unreliable, but here goes.  To me,
it looks like the perpetrator stole the passwords from the inside and
then used a wireless-connected laptop (in a cafe?) to empty the
account.  So this is an inside job!  The use of the wireless was
nothing more than a forlorn hope to cover tracks and is totally
incidental to the nature of the crime.

(Also, it doesn't say much for the security at GE Money ... "Maybe they
should have employed a CISP" ... or whatever those flyswatter
certifications are called.)
