Tag Archives: cybercrime

It’s not my birthday

Flickr image by andrewmalone used under Creative Commons

I arrived in the office this morning to find a slew of birthday greetings awaiting me, both on Skype and even in direct message form on Twitter, where I was told that my birthday was appearing in someone’s calendar and they had no idea why. For a second I was confused, until my other half told me of her moment of abject fear that she had forgotten my birthday when she logged into Skype, and the proverbial penny dropped.

Like the Queen, I have two birthdays each year, my real one and my Skype birthday, and there is a good reason for this. Skype decided long ago that certain parts of your Skype profile information should be publicly available, and Microsoft have continued this tradition. The privacy settings of these data items are non-configurable. The data comprises your first and last names, gender, detailed location and date of birth, which taken together easily constitute “Personally Identifiable Information” under whichever jurisdiction you care to mention.

Whilst it is not compulsory to enter your date of birth on Skype in order to operate an account, you are certainly encouraged to do so, whether by the “Profile completeness” tips (you get an extra 10% for your birthday!) or the bald invitation to “Add your birthday”. However, it is not made clear when you add this data that it will only ever have a privacy setting of “Public”. Once you discover this, no doubt you will want to remove your date of birth, but the interface seems designed to fool you into thinking that this is neither possible nor wise.

Skype Date of Birth

“It’s a Security Thing”… It sure is!

Nonetheless it is entirely possible, and advisable, to reset this information to read simply “Day”, “Month” & “Year” and so remove your birthdate from the public domain. Either that, or elect to have a second, alternate birthday, just like I did. I haven’t got any presents yet, but the attention on this Monday morning is lovely.

Of course your friends and people you trust need to know your birthday, otherwise how are you ever going to get the full set of Iron Maiden reissues as birthday presents (true story)? Unfortunately, information such as date of birth is still all too often used as important security information, or as qualifying information to apply for identity documents, and should not be broadcast so widely. In the words of the New York State Police:

“All an identity thief needs is any combination of your Social Security number, birth date, address, and phone number.”

We can argue the pure logic of their claim (“any combination”? surely not), but the fact remains that any information given freely, particularly in context, increases your risk of identity theft or fraud. If you think that enterprising online criminals are not really interested in this stuff, think again: as much as five years ago they were already referring to Facebook as a “Free DOB Lookup Service”. Of course that got resolved, but we all know that scammers actively solicit contacts on Skype already, and accepting the connection request is all it takes to give away your personal information.

Criminal forum post from 2009

We live in an age where everything is increasingly connected to everything else: accounts, applications, APIs, credentials, devices, personal details and more. The less you broadcast, the sooner you can begin the long process of reclaiming ownership over your own identity, a process which, for most of us, is long overdue.

loveme, kissme, catch me, try me.

Picture by dprotz used under Creative Commons

Yesterday evening the FBI issued a press release regarding the legal action against Aleksandr Andreevich Panin, a Russian national perhaps better known as “Gribodemon” and “Harderman”, the online aliases behind the notorious SpyEye banking Trojan, and Hamza Bendelladj, a Tunisian national who went by the online moniker of “Bx1”. Panin has entered a guilty plea to the charges of conspiracy to commit wire and bank fraud; the charges against Bendelladj are still pending. The FBI press release gives thanks to Trend Micro’s Forward Looking Threat Research team for their assistance in the investigation.

Bendelladj is alleged to have operated at least one command and control server for SpyEye, although, as our TrendLabs blog and our investigation make clear, his involvement seems to be far deeper. He was arrested at Bangkok airport on 5th January 2013, and Panin was arrested on July 1 last year when he flew through Atlanta.

The FTR team at Trend Micro began a particularly focused investigation into the person or people behind SpyEye almost 4 years ago. Over the intervening period we mapped out the infrastructure used to support the malware, identified weak points in that infrastructure and pursued a number of important leads pointing to the identities of the individuals behind this pernicious banking Trojan. Once we felt that we had sufficient information, we involved law enforcement, who drove it to the successful conclusion you see today.

Our ongoing research turned up a wealth of data, much of which it would be imprudent to share while legal action is still ongoing. However, it might interest you to know that some of the most frequent passwords used by one of the accused include “loveme”, “kissme” and “Danny000”. I’ll let you draw your own conclusions regarding OpSec.

The arrests last year and yesterday’s guilty plea are another illustration that Trend Micro’s strategy of going after the people behind online crime, instead of simply the infrastructure they exploit, is the right one. You may more often see stories that a botnet has been “taken down”, resulting perhaps in a massive drop in the number of infected computers or in spam, but these types of activity, while laudable, are only temporary. Criminals will very soon come back, and often come back stronger, having learned from their previous failures; the network of compromised computers will be rebuilt and the crime spree begins anew.

As with DNS Changer, as with the Reveton ransomware, Trend Micro has proactively provided information and assistance to law enforcement that has led to the arrest of individuals rather than the simple switching-off of criminal computers. It is through activities such as these that we hope to fulfil our mission of creating a world safe for exchanging digital information.

E-currency, E-wallet, staying safe into the future.

Image courtesy of epSos.de

Commerce is certainly heading ever more towards the E. While alternative digital currencies still hover on the verges of the mainstream today, the speed of their adoption indicates a positive future for e-money. Credit cards are already becoming outdated as a form factor. In fact, in many parts of the world the plastic card itself has simply become an emotionally comfortable way to get people to pay using NFC (PayPass, payWave etc.), and it does not take a large leap of faith to imagine the logical next step, e-wallets on an NFC-enabled mobile device, making the transition to the mainstream. Many financial institutions already offer NFC “stickers” to slap on the back of non-NFC-enabled devices, but the battle is still on for the dominant form factor for delivery: SD cards, external devices (stickers or sleeves), embedded hardware, Cloud (via QR) or SIM-integrated technology all have roles to play, some as short-term bridge technologies, some as the basis for longer-term solutions. For the foreseeable future, these digital links to traditional currency will vastly outnumber the alternative digital currencies.

If you do use digital currencies or NFC, how do you secure those e-wallets? Mostly e-wallets are held on mobile devices, which are no strangers to vulnerabilities at the operating system level. On the app front, Google’s own e-wallet was easily subverted through an escalation of privileges attack. The dominant platform, Android, suffers not only from vulnerabilities but also from fragmentation. This means that there are many different flavours of Android, from many different manufacturers, many of which will never see an upgrade or security patch. The mechanism for getting a patch from Google to handset is simply too convoluted, relying on both handset manufacturers and carriers to act as middlemen, middlemen who actually have an interest in getting you to buy a new phone rather than fix your old one… Add to that the (currently) under-explored area of vulnerabilities in the apps themselves and the widespread abuse of app store platforms for spreading Trojan-type malware, and there’s a perfect storm of threat brewing for e-wallets.

Much of the burden for securing these technologies lies with app developers and handset and OS manufacturers, and perhaps the greatest step toward effective security would be the development of, and adherence to, an open standard that includes security mechanisms such as a TPM on the mobile platform. Unfortunately Visa are already talking about waiving the need for merchants to validate their PCI compliance if 75% of their transactions originate from NFC technology!

Of course consumers have a role to play too: keeping their devices physically safe, using effective device-locking passwords, enabling remote lock and wipe functionality, and making sure that any sensitive information (or preferably all information) is wiped from the device when it will not be in their hands for a period of time, or when they are disposing of it.

As for Bitcoin-type currencies, dividing your assets between multiple wallets, breaking them up into “spending” and “saving” functionality, and keeping the lion’s share on a secure device that is not used for regular Internet access is your best defence. There is currently no regulator in the Bitcoin world, so every transaction is effectively final.

By 2020, we fully expect digital currency to be embedded in the economies of the early adopter geographies, and consequently there will be a greater level of malicious interest in your digital pockets. On the security side, we would hope that those standards are more than just a pipe-dream and that effective multi-factor (biometric) authentication has, by then, been integrated into many of the sensitive transactions that we will increasingly carry out online.

For a wider look at our security predictions for 2014 and beyond, check out “Blurring Boundaries” and, of course, 2020: The Series.