Friday, January 28, 2011

Firesale at the Cyber Criminal shopping mall.

This month's special:
    $2 each - a legitimate but unverified bank account or credit card number;
    add $70 for a guarantee of the available credit line or bank balance.
According to a just-released report from Panda Security, cyber criminals are facing competition just like the rest of us, so prices are dropping.


Panda Security 2011 January The-Cyber-Crime-Black-Market.pdf
In this report, Panda Security does a great job of explaining how this illegal underground business operates. There are the manufacturers (the ones who actually do the stealing), the distributors (aggregators of the stolen information), the bankers (mules who handle the money laundering) and, of course, the source: the victims. The report even includes screenshots of a transaction.


In any economy, supply and demand hold true. If the price drops, either demand has dropped or the supply is getting more plentiful. I don't think anyone believes that demand has dropped, so the supply of stolen accounts must be growing. In other words, if you are not a victim today, you soon will be!


With malware-generating toolkits like Zeus freely available, it would be foolhardy for us not to recognize the need for cyber security vigilance at the office and at home.


Wednesday, January 26, 2011

Can a Service Provider Take You Down? Part 2: another first-hand experience

I just received my Visa bill and saw a line item for $1100 from a well-known Fortune 100 software company. I had bought from them before, but I just could not remember what this was for. So naturally, I called the number on the line item right next to the company name and amount: xyzcompany 617-xxx-xxxx $1100.

The person answering was pleasant; she asked for my name and credit card information, which I provided.

Then she said, "Oh, I cannot access your account information and I have to transfer you." It was obvious she had no access to any account information, let alone mine. I said, "OK, but now that you have my credit card information, what are you going to do with it?" Silence; no reply. I then asked for her name and the name of the company she works for, knowing full well that it could be an outsourced answering service. She reluctantly gave me her name, but she would not name the company.

My point in relating this whole encounter is that, over the phone, we have become used to the idea that these calls are taken by third-party contractors. Phone calls can be transferred all over the world, and I have no idea who these third-party companies are or whether they are PCI certified!

As of now, I still don't know whether my credit card information is stored in a computer or is just a piece of paper lying in a wastebasket, waiting for malicious harvesting.

Contractors whose work involves handling credit card information must be able to articulate security compliance policies just as if they were working inside the company itself. These security procedures must be entrenched in the operators' minds regardless of whether they are internal employees or third-party contractors, and they must be able to demonstrate their understanding of the policies to me, the customer.

I, as a customer, need to be assured that my credit card information is handled with care!


Sunday, January 9, 2011

How secure are your service providers?

To follow up on the previous post about how service providers can get a company into trouble, I just read Richard Bejtlich's blog article on plausible links between information leaks from suppliers' information systems and the development of China's new J-20 stealth fighter. While I am not saying that this is what happened, it certainly describes a scenario that we should be aware of.

Let's take a look at how this might happen...

In working with our business partners, large and small, information has to be passed back and forth. With an advanced persistent threat (APT) implanted in these partners' information systems, it is possible to gather a company's intellectual property without ever breaching the security of the original company.

Internal emails or documents can be copied from these partners and deposited into big data systems like Hadoop. Hadoop is an open source Apache project and can be obtained by a simple web download; companies like Google and Yahoo provided the initial research so that they could run efficient web searches over hundreds of millions of web pages.

With these technologies in hand, an attacker can gather relevant and irrelevant messages from a multitude of sources, large and small, into a big data system and sift out the information they are interested in.

So, taking the attacker's viewpoint, it does not matter whether the stolen information comes from large or small partners. It is usually easier to attack smaller companies because they are less dedicated to protecting their information, and gathering the information piecemeal from tens of sources yields the same ultimate result as taking it from one. Because an email has a sender and one or more receivers, when any one of those parties is compromised, that email is compromised.

What can we do?

The credit card industry imposed PCI-DSS security compliance on any company dealing with credit card transactions. The medical industry imposed HIPAA security compliance on doctors and their service providers. It is high time that industries like engineering and manufacturing started issuing security guidelines to their tiered suppliers and making sure those guidelines are understood and adhered to.