Saturday, February 22, 2014

Threat Agent Profile: Irrationals

The majority of system compromises can be traced to a simple principle – the benefits, at least in the short to medium term, outweigh the cost. Broadly, leaving governments aside, benefits can be divided into either financial or psychological. Money is the root of almost all compromises. The targets these hackers will go after are pretty simple to predict; roughly, they’ll go after systems that provide the highest return at the lowest personal risk of incarceration. Attacks motivated by psychology are more difficult. Most of the psych hacks are web site defacements and limited to simple exploits – more in the vandal category we reviewed. Within the psychology category is a subset that is irrational; system compromises that really can’t be explained or predicted, that stand against reason. What systems they will go after and how much resource they’ll dedicate in doing so is anyone’s guess. Here is one:

During a yearlong period beginning March 2001, Gary McKinnon, a British citizen, compromised scores of sensitive U.S. government and military systems, including systems at the Pentagon, Fort Benning, Fort Meade, the Earle Naval Weapons Station; and the Johnson Space Center.  In responding to journalists regarding the case, the U.S. Attorney heading up the prosecution, Paul McNulty said, “Mr. McKinnon is charged with the biggest military hack of all time.”[1] And what was Gary’s stated motive? It was to discover evidence of a UFO cover-up.[2]

The ‘irrationals’ represent a very small portion of the system hacks, but they are out there and they are very bothersome. Perhaps the people that scare us the most are the ones that we can’t explain.

Monday, February 17, 2014

Threat Agent Profile: Payment Card Data Thieves and Stolen Card Markets

My wife’s friend walked in to a grocery store and quickly realized that she had left her purse in the car. During the minute she was gone a thief had smashed her window and stolen her purse. She immediately called her bank and her two credit card companies. Within thirty minutes she had a hold placed on her accounts, but it wasn’t fast enough. In that time the thief had withdrawn $1200 from her bank account from a teller at a bank branch and had charged over $400 on the cards. That is what the small-scale, petty payment card theft looks like.

Grand scale payment card theft looks like Albert Gonzalez’s ‘Operation Get Rich or Die Tryin’, a payment card hacking crew that stole over 90 million payment card numbers from companies including Heartland Payment Systems, TJ Maxx, 7-Eleven, and Office Max and caused over $200 million in damages. Gonzalez and crew compromised the ATM card and payment card processing systems at these companies by exploiting well-known vulnerabilities in their wireless networks and web applications. Upon arresting Gonzalez, agents found $1.6 million in his several bank accounts. His goal was $15 million, at which point he planned to buy a yacht and retire.[1]

What does one do with 90 million stolen payment cards? At one point, after raiding numerous ATMs with stolen debit cards he had manufactured Gonzales is reported to have complained about having to count over $300,000 in twenty-dollar bills because his cash counter had broken. It’s not as if a small crew can handle even a small fraction of that number.  What happens with much of the data is the thieves offer it for sale on the Internet for purchase by ‘carders’, people who specialize in converting stolen card information in to useable credit and ATM cards and using the cards to commit fraud.

In 2007, when I first explored the online carder markets where hackers sell and carders buy stolen data and other related goods and services, I easily found 17 carder sites, such as,,, and In early 2010, only three of those same sites were still available. Carder sites are still out there, but most have gone underground due to some high profile federal prosecutions, such as the takedown of in 2008. You’ll see in the screenshot below of, that FraudMarket was offering Visa and MasterCard dumps at the time for $25 each for low volume purchases and for $18.50 each when buying 50 or more. Another site,, was selling batches of 700 for $3500 and 900 for $4700. 

Saturday, February 8, 2014

The India I Experienced - Three Weeks, Five Cities and a 700 Mile Road Trip

You must open yourself to India in order to really experience it. India presents a lot of barriers to a Westerner - poverty, disorderly infrastructure, crowds, garbage, and so on. But if you remove your barriers you can really feel it - its beauty, its history, its people, its diversity, its wealth, its culture, its poverty. If I must say only one thing about India it is that the people of India are beautiful and friendly - the friendliest I've ever met.

Indians are Beautiful and Friendly
I've travelled to many places domestically and internationally and the people in India are the friendliest I've met. Rich or poor they were friendly, curious, and open. Walking down the street a 12 year-old girl grabbed my arm and said, 'Sit and talk with me. I want to know about you.' A person in Jaisalmer heard me mention that I wanted to ride a motorcycle around India. He handed me the keys to his motorcycle and said, 'Take mine'. I was welcomed to join a soccer match on the beach of Mumbai. I shared a thousand smiles.

India is Surprising
I almost walked in to an elephant as I rounded a corner in a densely populated neighborhood. Two horses galloped by me on a major road. A herd of free-roaming cattle strolled by me in the shopping district. A camel stood at an intersection along with all the cars, motorcycles, and trucks.  

India is Wealthy and Poor
In India wealth and poverty are neighbors. It isn't like America where neighborhoods are economically separated. Rolls Royces and Ferraris mix in the traffic with bicycles and rickshaws. I saw a woman bathing her child on the street from a water tank immediately outside the JW Marriott. One afternoon while standing in a street I felt a person tug at the back of my pants. I expected to see a child. It was a man with no legs sitting on a small piece of wood with four small wheels. His knuckles were were horribly calloused from pushing on the street to move. There is no safety net in India. There are few public services.

India forced me confront my prosperity and their poverty. Why? I concluded, in humility, that I deserve nothing. Truly, my good fortune is largely luck. The luck of being in my time, in my county, born to my parents, my parents parents.

India is Alive
India is alive. Everything is motion. And the people are interconnected. Families have lived in the same homes, same neighborhoods for generations. Families live together. They don't split up on marriage. The family cares for the family. I dined in the home a family who had lived in the home for 600 years - passing the home from generation to generation, with each generation caring for its older and younger.

India isn't dominated by big box stores and stamped out franchises. Everyone is a business person, operating their small or large operation. And I liked it. It is vibrant. It is passionate. It is real.

India is Stunning
1000 year-old city fortresses. Krishna temples. Ancient neighborhoods and mosques and step wells.

The Food is Amazing
India is many cultures and many histories and many languages in one country. And each region has its own distinct food. I thought I'd return 10 lbs lighter. I think I gained 10. I didn't get sick. I followed the rules of only drinking bottled water and not eating from street vendors. Beyond that, I partook of all that was given me. And I'm glad I did.

I'll remember my trip to India forever. You can't experience India without being changed in some meaningful way.

Friday, February 7, 2014

Threat Agent Profile: Vandals

Vandals are out to damage stuff. In the physical world they smash mailboxes, break car windows, and spray paint walls. In the electronic world they deface web sites and DoS networks. They aren’t necessarily after specific targets, except for those that will impress themselves and their peer group. Vandals typically go after sites that are easy to compromise – systems that will fall to the single fire point and click exploits. Or, they’ll sometimes guess the password for the domain name registration records and redirect all traffic to another site. tracks web site defacements. During the period of January 2008 – April 2010, Zone-H reported that over 1.4 million web sites were defaced.[1] Sixty-seven percent of the defacements were for either reputation, for fun, or for the challenge.  The vast majority of the sites compromised are easy targets belonging to small organizations that have very poor security practices.

Thursday, February 6, 2014

Threat Agent Profile: Identity Thieves

Identity thieves lie somewhere in the lower half of the continuum between the low end smash and grab purse-snatchers and the high-end credit card database heists. Identity theft is “the misuse of another individual’s personal information to commit fraud.”[1]  To pull off identity theft, the criminal usually needs a person’s name, address, Social Security Number, and date of birth. That information is resident in thousands of databases held by employers, government agencies, health care organizations, and educational and financial institutions. And hackers want them because they can use the information to apply for credit in the name of other people. Not quite as direct as stealing payment card information, but still pretty good.

In 2006, 8.4 million individuals in the U.S. were victims of identity fraud with related losses totaling $49.3 billion, according to estimates published by Javelin Strategy and Research.[2]  Since 2001, identity theft has been the most common consumer complaint registered to the Federal Trade Commission. 

Why is identity theft such a popular crime among fraudsters? Because it is low risk, low cost, and highly profitable. In 2005 8.3 million U.S. adults were victims of identity theft – 3.7% of the American adult population. In 10% of the cases thieves made off with at least $6,000.[3] Of the 512 cases handled by the Secret Service between 2001 and 2006, the median loss was $31,356.  Of the cases, the highest loss was over $13 million.[3]  Compare this with the average take in a bank robbery of under $5000, a much riskier crime.[5]

As with credit cards, many fraudsters use the information they have stolen to commit fraud themselves. Others, primarily those who have compromised large identity databases such as ChoicePoint in 2005, offer the stolen identities for sale on-line for others to use in identity theft schemes. Numerous online forums provide markets for sellers and buyers of identities. The screenshot below is a listing from In this screenshot the seller provides a ‘sample’ of his goods for sale. Clearly, this “Benjamin’s” identity is completely p0wned.

1) The Presidents Identity Theft Task Force: Combating Identity Theft – A Strategic Plan, page 2, April 2007
2) 2007 Identity Fraud Survey Report, Javelin Strategy and Research
3) Federal Trade Commission – Identity Theft Survey Report, November 2007, Synovate
4) Identity Fraud Trends and Patterns: Building a Data-Based Foundation for Proactive Enforcement – October 2007

Wednesday, February 5, 2014

Threat Agent Profile: Bank Account Hijackers

The ATMs of the Internet are the online retail and commercial banking sites.  These systems, particularly the commercial banking sites, allow account holders to transfer money to external accounts using bill pay, wire and ACH transaction functions. This opportunity is not lost on enterprising fraudsters who specialize in gaining unauthorized access to online bank accounts and use that same functionality to transfer the money to their own offshore accounts.

Phishing attack data, the primary method for hijacking online accounts up through mid-2009, serves as a good guide to the evolution and magnitude of bank account hijacking.[1] The Anti-Phishing Working Group has tracked the details of these attacks since January 2004.  In that month, the APWG reported 28 known unique phishing attacks, 11 of them targeting financial institutions.  As news of the success of early attacks spread, more fraudsters joined in the scheme. The number of unique attacks peaked in September 2007 at 38,514, each targeting thousands of on-line account holders. Since 2004, 82% of all phishing attacks have targeted online financial systems.

Consumer online bank accounts were early targets. In 2007, hackers targeted customers of Sweden’s Nordea Bank with a phishing attack through which they tricked customers into installing malicious software on their computers. Using the malicious software, the fraudsters were able to gain access to 250 accounts, netting $1.1 million in the process.[2]

While consumer accounts are profitable, commercial accounts held by businesses provide much higher profit opportunity because of the higher account balances and transaction limits of commercial accounts. But, banks had put strong defenses on these accounts to keep the bad guys out; primarily strong authentication in the form of one time password tokens. Gaining access to these accounts wasn’t as simple as using a phishing attack to trick the victim into revealing their username and password.

In June of 2005 though, a hacker proved that the commercial accounts could be compromised. Through an attack that involved placing malicious software on the computer of a Miami businessman, a hacker was able to fraudulently wire over $90,000 to an account in Latvia.[3] The businessman wanted his bank to cover the loss; the bank claimed they weren’t responsible because it wasn’t their computer that got hacked. Other fraudsters caught on and developed techniques to defeat advanced commercial security solutions.  In the third quarter of 2009 alone, fraudsters successfully hijacked hundreds of U.S. small business online accounts, hauling away over $25 million.[4]  

1) A phishing attack is a process for fraudulently acquiring sensitive information by falsely representing a trusted entity using electronic means. Commonly, phishing is manifest as an email falsely purporting to be from a company prompting the user to click on an embedded link that directs them to a false site where the user is tricked in to divulging sensitive information such as their user id and password.

Tuesday, February 4, 2014

Threat Agent Profile: Hacktivists

Metac0m, in What is Hacktivism?, defines hacktivism as “the fusion of hacking and activism; politics and technology. More specifically, hacktivism is described as hacking for a political cause.”[1] In this context, hacking refers to the skilled and inventive application of computer systems to solve complex problems, while activism holds its standard definition of vigorous, direct advocacy of a cause.

According to, a site that tracks website defacements and the associated methods and motives, since January 2008 – April 2010, political motives are the thrust behind 17% of all web site defacements.[2]

Ilmars Polkans, the ‘Robin Hood’ of Latvia
In late 2008 the economy of Latvia plummeted into a deep recession. In response, the Latvian government increased taxes and slashed spending through measures such as cutting the pay of teachers by half and reducing support of hospitals by 40%. The government also committed to equally cut the pay of officials of government and state-owned entities. In 2009, Ilmars Polkans, a citizen of Latvia, happened upon a feature in the web site of the State Revenue Service while filing his income taxes. The feature allowed him to gain access to over 7.4 million documents, including income statements and tax filing of public officials, government, and business employees. Studying the documents, Ilmars discovered that government officials and managers of ‘destitute’ state-owned companies hadn’t taken the pay cuts they promised to take along with those that were forced on the workers. Rather, the data showed bankers and police chiefs and other heads of state-owned companies continuing to bring down large salaries and bonuses.[3]

Outraged at the hypocrisy of the government, Ilmars published his findings online under the alias of ‘Neo’ and urged people to take action. He posted on Twitter, “Rise up and take the power back, it’s time that the fat cats had a heart attack, you know that their time is coming to an end.” In an online interview, Neo, claiming to part of a group, stated, “The purpose of the group is to unmask those who gutted the country”, and “We could show figures that structural reforms have been a bluff.”[4] The people of Latvia responded to Neo’s posts. The Latvian newspaper, Dienas Bizness, reported, “If we were to compile a list of Latvia’s most popular people over the last several weeks, the top spots would probably be taken by our country’s participants in the Olympic Games in Vancouver, as well as by the person known as Neo.”[5]

After being caught, Ilmars explained his motives during an interview with Baltic Reports. “I’m just a person who had courage to stand up and talk and point fingers to something which doesn’t seem to be right. It is hard to stand and say the first words, but after that, it becomes easy. So, I hope that there will be more and more people won’t keep silence and will stand up and say loudly about the wrong things that are going on in Latvia.”[6]

The Jester
One person’s 2010 New Year’s resolution was to actively disrupt sites he deemed to support “terrorists, sympathizers, fixers, facilitators, oppressive regimes and other general bad guys.” Operating under the handle ‘The Jester’, he has consistently delivered on his resolution by launching Denial of Service attacks against sites he deems to fit within in his objective.

His first Tweet, under the account ‘th3j35t3r’, he announced,

Since that attack, he has launched numerous attacks against sites he deems to be terrorist-related. A few of these are shown below.

In September, The Jester began to turn his attention to Wikileaks after Wikileaks published the Afghan War Logs on their site.

The Jester launched Denial of Service attacks against Wikileaks in November 2010, after Wikileaks published U.S. State Department cable messages.

Wikileaks’ reply posted on to their Twitter account?

Other Hacktivists
In a case a decade earlier, three members of the hacker group Milw0rm protesting the Indian government’s nuclear weapons test program broke in to several servers of the India Atomic Research Centre and modified the organizations homepage and stole thousands of emails and related research documents.[7] That same year hackers compromised and disabled filtering on a half-dozen firewalls used by China to filter its people’s Internet traffic.[8]