Monthly Archives: June 2005
This is a helpful review on the rationale and methods for blog creation for business professionals and individuals.
New crop of thieves: Pharmers hit Net banking
The Arizona Republic
Apr. 19, 2005 12:00 AM
It’s the next Internet scam, and it could be the most menacing.
The reason: Even experienced Internet users can become victims and not know it.
The ploy is called pharming – a play off “phishing,” the previous Internet fraud – and it involves highly skilled hackers who secretly redirect users’ computers from financial sites to the scammers’ fake ones, where they steal passwords and other personal information. Even the Web address looks the same.
Unlike phishing, where users click on links in e-mails and are taken to fake sites, pharming intercepts a user on his or her way to the bank or a credit-card firm. And it potentially can affect thousands of users at a time.
“With pharming, you don’t have to do anything stupid to get on the hook,” said Tom Leighton, chief scientist of Internet software firm Akamai Technologies Inc. in Cambridge, Mass. “You’re just swimming along, and you get caught in the net.”
Banks in Arizona are starting to see the problem, and large members are familiar with the scam, said Tanya Wheeless, president and chief executive of the Arizona Bankers Association. The Arizona Attorney General’s Office said it heard of a case last month in which a Phoenix man lost $5,000 from his bank account after answering an online pop-up survey that purported to be from his bank.
It is just a matter of time before the scam becomes widespread, experts fear.
“If it didn’t get worse, it would buck the trend of all known security problems,” said David Jevans, a Silicon Valley executive who is chairman of the fraud-fighting Anti-Phishing Working Group.
The scam is so new that Internet security gurus have just started warning about it.
Akamai’s Leighton told a technology conference in Phoenix in December that hackers are targeting small sections of the Internet and rerouting traffic to fake bank sites to capture users’ passwords. The legitimate sites don’t notice the drop in Web traffic because it is just a fraction of the total, he said.
An anti-phishing bill introduced in Congress last month would also apply to pharming. It calls for prison time and fines for those caught either phishing or pharming.
Security experts say pharmers have two main ways of operating: attacking either users’ computers or the large servers that find Web sites for users.
The first way is to send virus-laden e-mails that install small software programs on users’ computers. When a user tries to go to his bank’s Web site, the program redirects the browser to the pharmers’ fake site. It then asks a user to update information such as log-ins, PIN codes or driver’s license numbers, said Chris Faulkner, chief executive officer of CI Host Inc., a Web-hosting firm in Bedford, Texas. Scammers use the information to steal identities.
Other viruses, called keyloggers, track a user’s keystrokes on legitimate sites and can be used to steal passwords.
The pharmers’ second method takes advantage of the fact that Web sites have verbal names but reside at numeric addresses on the Internet. When users type a Web site’s name into their browsers, Domain Name System, or DNS, servers read the name, look up its numeric address and take users to the site.
Pharmers interfere with that process by changing the real site’s numeric address to the fake site’s numeric address.
The servers can belong to financial institutions, Web-hosting companies or Internet service providers. This tactic, called DNS poisoning, has been around for years, but it is only in the past six months that techies have seen it used for identity theft and dubbed it pharming.
“It’s like the name sounds,” said Rami Habal, senior product manager at Proofpoint Inc., a Cupertino, Calif.-based e-mail security software firm. “They’re planting the seeds of malicious code and harvesting the identity information later.”
What alarms the experts is that pharming can reroute thousands of Internet users at a time, making the impact potentially huge.
“With phishing, you’re scamming one person at a time with e-mail,” Faulkner said. “Pharming allows you to scam a large group at once. You’re definitely hurting the masses.”
Pharmers generally come from overseas, such as China, Russia and Eastern Europe, experts say. They fear many are tied to organized-crime rings that buy and sell identity information.
Pharmers tend to target online banking sites, experts say. Financial institutions in Australia and the United Kingdom, including the venerable Barclays bank and Lloyd’s of London, reportedly have been hit, experts said.
Attacks so far have been limited, though there is no real way to know, said Jevans, of the Anti-Phishing Working Group.
Pharming isn’t as big as phishing yet, in part because it takes more skill. Sending e-mails and copying a few Web pages are relatively easy, while pharmers must build viruses for each site they want to target or must hack into large servers that control the Internet.
“It has the potential to be more dangerous, but what it’s done so far hasn’t been much,” said Hunter Bennett, director of operations for Tempe-based Ensynch, a data center and technology services company.
Brad Keller, an Atlanta online consultant for BITS, a consortium of the 100 largest U.S. financial institutions, said he is optimistic because relatively few hackers have the skills needed to pharm. Industries that improve the security of their servers can protect thousands of computer users at once, he added.
But he and Jevans worry about pharming viruses.
“I’m far more concerned about activity that causes individual users’ machines to be altered,” Keller said. “There, we have no way of knowing their machines have been attacked.”
Web sites of large financial institutions have boosted protection of their servers against pharming, Keller and other experts say. But smaller banks and Internet service providers may not have done so yet, they warn.
Companies and big organizations can reduce the threat by keeping their software updated and patched. They also can install firewalls, filter for known scams, and watch for changes in IP addresses on their servers, the experts said.
Anti-pharming software is in the works, including products that will display security information and show users where a Web site is being hosted.
Unfortunately, pharmers seem to be a step ahead of the security-software world.
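The article's advice to watch for changes in IP addresses can be automated by comparing what several resolvers return for a watched name against a recorded baseline. The Python below is an added example, not part of the original article; the domain names, resolver labels and address ranges are constructed placeholders.

```python
import ipaddress

# Constructed baseline: networks each watched name is expected to resolve into.
# Names and ranges are placeholders (documentation address space), not real bank data.
BASELINE = {
    "bank.example": ["192.0.2.0/24"],
    "cards.example": ["198.51.100.0/25"],
}

# Constructed observations: answers collected from several resolvers
# (vantage points), e.g. by a scheduled job; resolver labels are hypothetical.
OBSERVED = {
    "bank.example": {
        "isp-resolver-a": ["192.0.2.10"],
        "isp-resolver-b": ["203.0.113.66"],   # outside the baseline
        "corp-resolver": ["192.0.2.10", "192.0.2.11"],
    },
    "cards.example": {
        "isp-resolver-a": ["198.51.100.20"],
        "isp-resolver-b": ["198.51.100.20"],
        "corp-resolver": [],                  # no answer at all
    },
}


def check_answers(baseline, observed):
    """Return sorted (name, resolver, finding) tuples for answers that leave the baseline."""
    findings = []
    for name, per_resolver in observed.items():
        nets = [ipaddress.ip_network(n) for n in baseline.get(name, [])]
        if not nets:
            findings.append((name, "*", "no baseline recorded"))
            continue
        for resolver, answers in per_resolver.items():
            if not answers:
                findings.append((name, resolver, "empty answer"))
                continue
            for raw in answers:
                try:
                    addr = ipaddress.ip_address(raw)
                except ValueError:
                    findings.append((name, resolver, f"unparseable answer {raw!r}"))
                    continue
                # An address outside every expected network is the drift to alert on.
                if not any(addr in net for net in nets):
                    findings.append((name, resolver, f"unexpected address {addr}"))
    return sorted(findings)


if __name__ == "__main__":
    for name, resolver, finding in check_answers(BASELINE, OBSERVED):
        print(f"{name} via {resolver}: {finding}")
```

Checking each resolver separately matters because, as the article notes, a poisoned server affects only the users behind it, so a single vantage point can look clean while another is redirected.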
Think the unthinkable: imagine there was a breach in your business intelligence system allowing world-wide access to your most sensitive data.
Note that the MBA admissions ApplyYourself breach lasted only about 9 hours – yet look at the damage and scandal this brief breach has spawned.
As a BI professional, you’ve developed and published data providers that contain a trove of confidential and strategic data that competitors and hackers would love to have. Don’t wait for the embarrassment of an audit or a disastrous scandal to take responsible action.
- By acquiring a logon id, could a competitor learn about your sales to key accounts?
- It was an insider who published the ApplyYourself hacking instructions. How would you detect it if someone posted hacking information about your company to a web bulletin board? Would you like to be notified first by the news media or by a key customer?
- Could an employee with hacking instructions acquire salary data? How would you know?
- What have you done to monitor possible breaches?
- Do you have a rapid-response plan in effect so that, if there is a breach, it is closed immediately?
- How much damage could be done, and how quickly?
- Does your company have a technology insurance policy, and have you complied with its anti-hacking provisions?
- Has your ETL encrypted or masked account data, such as checking account numbers?
- Have you configured newsreaders to crawl the internet for suspicious breach search “strings” or taken other measures?
Hacker helps applicants breach security at top business schools
Among the institutions affected were Harvard, Duke and Stanford
News Story by Linda Rosencrance
MARCH 04, 2005 (COMPUTERWORLD) – A computer hacker helped applicants to some of the nation’s best business colleges and universities gain access to internal admissions records on the schools’ Web sites.
Using the screen name “brookbond,” the hacker broke into the online application and decision system of ApplyYourself Inc. and posted a procedure students could use to access information about their applications before acceptance notices went out. The hack was posted in a Business Week online forum mainly frequented by business students, said Len Metheny, CEO of the Fairfax, Va.-based ApplyYourself.
About 400 colleges and universities use the admissions management system, which is hosted and managed by ApplyYourself, to manage their admissions workflow. But only about a half-dozen schools use the decision management module, which allows individuals to determine if they have been accepted to a particular school, Metheny said.
The affected schools include Harvard Business School, MIT’s Sloan School of Management and business schools at Dartmouth College, Duke University and Stanford University.
“What the procedure did was it allowed an individual student who had an application filed at some particular schools that are using our decision management module to input certain parameters and allow them access to the admission-decision page prior to when that school intended it to be published,” Metheny said.
If a school had no admission-decision information in its database, the student instead got only a blank page. About 150 students tried to execute the procedures to access data from among those half-dozen schools; the vast majority were met with a blank screen, he said.
“We were notified by e-mail by somebody who saw a posting on a Business Week forum that went out there around 12:15 a.m., March 2,” Metheny said. “We immediately moved to make modifications to our admissions management system to close access through the published procedure that was put out there.”
Those modifications went into effect at 9:50 a.m. EST on Wednesday, Metheny said.
“So there was approximately nine hours that there was access to the specific page,” he said. “This did not grant access to the general database or to other people’s information — the person could only log into his or her admissions account. It was his or her specific decision information that was available.”
After ApplyYourself became aware of the breach, it immediately contacted Harvard Business School and, very shortly thereafter, the other schools. Metheny said this was the first time ApplyYourself’s systems have been compromised.
Harvard Business School spokesman David Lampe said the school found out about the problem when an applicant called to say there was a breach in the system. “We found out shortly after midnight on Wednesday, March 2, and as I understand it, it wasn’t fixed until after 9 a.m.,” he said.
Lampe said more than 100 people used the procedure to break through to the secure area during that time. In some cases, decisions had been posted, in some cases, not, he said.
“One of the problems is that no decision is final until March 30, so it’s hard to say if what they saw was the final decision or not,” Lampe said. “All decisions will be announced to the applicants on March 30.”
He noted that school officials know the identities of the people who tried to break into the system. “We will say that this casts a new light on their applications, and we take ethical breaches very seriously. To us, breaking into the system or following a procedure to break into the system is similar to breaking a window to get into someone’s house — or put another way, if the cash register is open, you don’t put your hand in the till.”
Business Week was notified of the posting to its forum at the start of business March 2, said spokeswoman Kimberly Quinn. “We immediately took the posting down and then monitored the site for any other similar postings,” she said, adding that Business Week deleted postings that sent readers to other sites where the hacker’s procedural was posted.
“We made an initial request with Business Week the morning of March 2 to remove that particular published script — they did so, and we have not had any further contact with them,” said Metheny. “We haven’t yet been in touch with law enforcement. We’re researching the data and the sequence of events at this time, and we’ll make a decision shortly on how we’ll proceed.”