Apr 30 2013

Wash. Hospital Hit By $1.03 Million Cyberheist

Organized hackers in Ukraine and Russia stole more than $1 million from a public hospital in Washington state earlier this month. The costly cyberheist was carried out with the help of nearly 100 different accomplices in the United States who were hired through work-at-home job scams run by a crime gang that has been fleecing businesses for the past five years.

Last Friday, The Wenatchee World broke the news of the heist, which struck Chelan County Public Hospital No. 1, one of several hospitals managed by the Cascade Medical Center in Leavenworth, Wash. The publication said the attack occurred on Apr. 19, and moved an estimated $1.03 million out of the hospital’s payroll account into 96 different bank accounts, mostly at banks in the Midwest and on the East Coast.

On Wednesday of last week, I began alerting the hospital that it had apparently been breached. Neither the hospital nor the staff at Cascade Medical returned repeated calls. I reached out to the two entities because I’d spoken with two unwitting accomplices who were used in the scam, and who reported helping to launder more than $14,000 siphoned from the hospital’s accounts.

Jesus Contreras, a 31-year-old from San Bernardino, Calif., had been out of work for more than two months when he received an email from a company calling itself Best Inc. and supposedly located in Melbourne, Australia. Best Inc. presented itself as a software development firm, and told Contreras it’d found his resume on Careerbuilders.com. Contreras said the firm told him that he’d qualified for a work-at-home job that involved forwarding payments to software developers who worked for the company’s overseas partners.

Could he start right away? All he needed was a home computer. He could keep eight percent of any transfers he made on behalf of the company. Contreras said he was desperate to find work since he got laid off in February from his previous job, which was doing inventory for an airplane parts company.

Best Inc. website (image)

His boss at Best Inc., a woman with a European accent who went by the name Erin Foster, called Contreras and conducted a phone interview in which she asked about his prior experience and work-life balance expectations. In short order, he was hired. His first assignment: To produce a report on the commercial real estate market in Southern California. Contreras said Ms. Foster told him that their employer was thinking of opening up an office in the area.

On Monday, Apr. 22 — shortly after he turned in his research assignment — Contreras received his first (and last) task from his employer: Take the $9,180 just deposited into his account and send nearly equal parts via Western Union and Moneygram to four individuals, two of whom were located in Russia and the other pair in Ukraine. After the wire fees — which were to come out of his commission — Contreras said he had about $100 left over.

“I’m asking myself how I fell for this because the money seemed too good to be true,” Contreras said. “But we’ve got bills piling up, and my dad has hospital bills. I didn’t have much money in my account, so I figured what did I have to lose? I had no idea I would be a part of something like this.”

A small, but significant part, as it happens. Contreras never got to use any of his meager earnings: His financial institution, Bank of America, froze his account and seized what little funds he had in it.

Meanwhile, the Chelan County treasurer’s office is struggling to claw back the fraudulent transfers. According to press reports, roughly $133,000 of the lost funds have been recovered so far, and it may take at least 30 days to learn how much was actually lost.

Some observations about this crime:

- The loss could have been far worse. The Chelan County bank accounts that were hacked also are used to administer 54 other junior taxing districts in the county. My guess is that this attack would have been worse, but the fraudsters simply exhausted their supply of money mules.

- Just as real-life bank robbers are restricted in what they can steal by the amount of loot that they can physically haul away from the scene of the crime, the crooks behind these cyberheists are limited in how much they can steal by how many money mules they can recruit to help launder the fraudulent transfers. That’s because unless the mules have access to business accounts that can receive and forward much larger wire transfers, the amounts sent to mules typically range from just below $5,000 to slightly less than $10,000. Edwin Walker of Alpharetta, Ga. — another mule who unwittingly helped launder money for Best Inc. — received and processed a $4,970 transfer on April 20. And while available mules may be a bottleneck for this type of crime, this group appears to have a well-oiled mule-recruitment machine going 24/7.

- Mr. Contreras’ erstwhile employer, Best Inc., is part of a transnational organized cybercriminal gang operating in Russia and Ukraine. Its distinguishing feature is that it operates its own money mule recruitment division. This eliminates the middle man and increases the gang’s overall haul from any cyberheist. “Cashing out” hacked accounts is a complex, time-consuming process that is normally contracted out to third-party criminal operations, which can take anywhere from 40 to 60 percent of the haul for their trouble.

- This gang uses several telltale signatures in its operations, and has been hitting small to mid-sized organizations for the past five years at least. They’ve stolen many, many times more than the millions taken from Chelan County, from hundreds of victim organizations. In fact, this gang appears to have been involved in nearly every cyberheist I have written about for the past four years.

- Mr. Contreras is something of an oddity: A West Coast money mule. The mule recruitment gangs generally prefer to hire mules who are on the East Coast or in the Midwest. That’s because West Coast mules are not particularly attractive for cashing out accounts at victim banks and businesses that open several hours before the banks on the West Coast do; time is money, and in this business, the more time that elapses before the mules can withdraw and move the stolen funds, the more likely the victim and its bank will be able to claw back the fraudulent transfers.

- The reporting so far includes no information about the victim’s bank, or what kinds of security procedures it may have required of Chelan County for moving large sums of money. But my guess is that it was a small or regional bank, and there were few security hurdles for the bad guys to overcome, aside from maybe a one-time token and a password. But that is just speculation based on lots of experience reporting on these crimes.

Broken record alert: If you are running a small business and managing your accounts online, you’d be wise to expect a similar attack on your own accounts and prepare accordingly. That means taking your business to a bank that offers more than just usernames, passwords and tokens for security. Shop around for a bank that lets you secure your transfers with some sort of out-of-band authentication (a text message sent to a mobile device, for example). These security methods can be defeated of course, but they present an extra hurdle for the bad guys, who probably are more likely to go after the lower-hanging fruit at thousands of other financial institutions that don’t offer more modern security approaches.

But if you’re expecting your bank to protect your assets should you or one of your employees fall victim to a malware phishing scheme, you could be in for a rude awakening. Keep a close eye on your books, require that more than one employee sign off on all large transfers, and consider adopting some of these: Online Banking Best Practices for Businesses.

Apr 30 2013

What’s in a Password?

Nearly every week now we can read about a data breach somewhere in which millions of user accounts, and potentially other sensitive data, have been compromised. Most people are not even shocked by such news anymore, as it is starting to become humdrum.

One of the most common attacks used in such breaches is SQL injection. This attack has ranked first in OWASP’s Top 10 Web application vulnerabilities for many years. There are several well-known methods to prevent SQL injection, but unfortunately it is still often encountered in production sites. Furthermore, misconfigured Web servers and vulnerabilities in remote management tools can allow attackers to gain access to systems and read potentially sensitive files.

There has long been a heated discussion about how best to store passwords, and that discussion is still ongoing. Most people agree that storing passwords in clear text in a database is not a good idea. Sadly, it is still done in a lot of places, usually with the excuse of “no one has read access to the database, so what could possibly go wrong?” As history has repeatedly shown, this argument does not hold true for long.

As a user, you normally do not know how your passwords are stored by a service. One enlightening trick can be to use the password reset function. Some services will send you an email with your password in clear text, which obviously means that they store it in clear text to begin with. If in doubt, you can send the service an enquiry, but most will probably just assure you that they are using state-of-the-art cryptography to protect your password, which does not tell you much.

But the keyword “cryptography” is correct, as most systems have started to use cryptographic one-way functions; so-called hash functions like MD5 or SHA1 are being used to store passwords. Note that these are not password functions, but rather functions that are normally used for creating message digests. By applying them to the password and only storing the hash value, the problem of clear text passwords disappears. Unfortunately, attackers can create “rainbow tables” with pre-computed pairs of passwords and corresponding hash values. With today’s cloud services, generating rainbow tables does not take too long and the resulting values can easily be stored. Such a setup would allow a simple lookup to break all common passwords within seconds.

To make it more difficult for rainbow tables to break passwords, services can use a salt. A salt is a long random string, which is combined with the password before hashing. When a separate salt is used per user, this adds extra complexity, as it means that even if two people have the same password (e.g. 123456) they would end up with different hashes in the table. More importantly, the attacker now needs a rainbow table for every possible salt, making it a lot more cumbersome to crack the passwords of many users at once. However, brute-forcing the password of one specific user (e.g. an administrator) is still possible.

At this point, iteration or key-stretching can be introduced. By iterating hash functions over and over again, the whole process is slowed down. For normal usage during logon, a small delay does not matter much, but for brute-force attacks, this can add a few thousand years to your key breaking time. Some examples that can easily be integrated are bcrypt and PBKDF2. Of course, the bar can be raised even higher when using two-factor authentication, for example Symantec’s VIP service.
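The three storage schemes discussed above, side by side, as an added example (not from the original post): an unsalted MD5 table that a single precomputed lookup breaks, and a per-user salted, iterated PBKDF2-HMAC-SHA256 record with a constant-time verify. The record layout and the user names are this example's own constructed assumptions.

```python
import hashlib
import hmac
import os

# Constructed sample credentials: two users who chose the same weak password.
USERS = {"alice": "123456", "bob": "123456"}

def unsalted_md5(password: str) -> str:
    """The scheme the post warns about: identical passwords give identical
    hashes, so one precomputed table exposes every account at once."""
    return hashlib.md5(password.encode()).hexdigest()

def lookup_table(candidates: list[str]) -> dict[str, str]:
    """Simplified stand-in for a rainbow table: hash -> password for a
    constructed list of common passwords (a real table is chain-compressed)."""
    return {unsalted_md5(p): p for p in candidates}

def make_record(password: str, iterations: int = 100_000) -> str:
    """Salted and stretched record in this example's own layout:
    pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>."""
    salt = os.urandom(16)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def verify(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count, then compare in
    constant time so the comparison itself leaks no timing information."""
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate.hex(), digest_hex)

def demo() -> dict:
    """Contrast the schemes on the constructed users; returns the findings."""
    table = lookup_table(["password", "123456", "qwerty", "letmein"])
    md5s = {u: unsalted_md5(p) for u, p in USERS.items()}
    records = {u: make_record(p) for u, p in USERS.items()}
    return {
        "md5_collide": md5s["alice"] == md5s["bob"],        # same hash for both
        "md5_cracked": table.get(md5s["alice"]),           # instant lookup
        "salted_differ": records["alice"] != records["bob"],  # per-user salt
        "alice_ok": verify("123456", records["alice"]),
        "alice_wrong": verify("12345", records["alice"]),
    }

if __name__ == "__main__":
    print(demo())
```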

Regardless of the function that is used to store the passwords, it is always a good idea for users to utilize different passwords for different services. If you use the same password on all services, once one of them has been broken (possibly due to a bad password storage process), all of the others become known to the attacker as well. Whenever a data breach occurs, attackers typically try the email/password combinations on other services—just to see if they’ve gotten lucky.

Needless to say, using a strong password in the first place is a must. “123456” is simply not a strong password and should not be used. If you cannot remember all of your different passwords, you can use a password manager. Your passwords can then be stored on your smartphone so that you have them with you all of the time. Of course, you have to ensure that when the smartphone is lost, no one can access your password manager, but that’s a whole other story.

Apr 29 2013

Good Morning, Captain: open IP ports let anyone track ships on Internet

While digging through the data unearthed in an unprecedented census of nearly the entire Internet, researchers at Rapid7 Labs have discovered a lot of things they didn't expect to find openly responding to port scans. One of the biggest surprises they discovered was the availability of data that allowed them to track the movements of more than 34,000 ships at sea. The data can pinpoint ships down to their precise geographic location through Automated Identification System receivers connected to the Internet.

The AIS receivers, many of them connected directly to the Internet via serial port servers, are carried aboard ships, buoys, and other navigation markers. The devices are installed at Coast Guard and other maritime facilities ashore to prevent collisions at sea within coastal waters and to let agencies track the comings and goings of international shipping. Rapid7 security researcher Claudio Guarnieri wrote in a blog post on Rapid7's Security Street community site that he, Rapid7 Chief Research Officer H.D. Moore, and fellow researcher Mark Schloesser discovered about 160 AIS receivers still active and responding over the Internet. In 12 hours, the trio was able to log more than two gigabytes of data on ships' positions—including military and law enforcement vessels.

For many of the ships, the vessel's name was included in the broadcast data pulled from the receivers. For others, the identification numbers broadcast by their beacons are easily found on the Internet. By sifting through the data, the researchers were able to plot the location of individual ships. "Considering that a lot of military, law enforcement, cargoes, and passenger ships do broadcast their positions, we feel that this is a security risk," Guarnieri wrote.


Apr 29 2013

Admin beware: Attack hitting Apache websites is invisible to the naked eye

Ongoing exploits infecting tens of thousands of reputable sites running the Apache Web server have only grown more powerful and stealthy since Ars first reported on them four weeks ago. Researchers have now documented highly sophisticated features that make these exploits invisible without the use of special forensic detection methods.

Linux/Cdorked.A, as the backdoor has been dubbed, turns Apache-run websites into platforms that surreptitiously expose visitors to powerful malware attacks. According to a blog post published Friday by researchers from antivirus provider Eset, virtually all traces of the backdoor are stored in the shared memory of an infected server, making it extremely hard for administrators to know their machine has been hacked. This gives attackers a new and stealthy launchpad for client-side attacks included in Blackhole, a popular toolkit in the underground that exploits security bugs in Oracle's Java, Adobe's Flash and Reader, and dozens of other programs used by end users. There may be no way for typical server admins to know they're infected.

"Unless a person really has some deep-dive knowledge on the incident response team, the first thing they're going to do is kill the evidence," Cameron Camp, a security researcher at Eset North America, told Ars. "If you run a large hosting company you're not going to send a guy in who's going to do memory dumps, you're going to go on there with your standard tool sets and destroy the evidence."
