bank fraud

December 7, 2009, 4:15 PM EST: Credential Theft: $1B A Year in Banking Alone

Michigan firm sues bank over theft of $560,000 (February 12, 2010)
Experi-Metal says Comerica Bank's online security practices resulted in theft. A Michigan-based manufacturing firm is suing its bank after online crooks depleted the company's account by $560,000 via a series of unauthorized wire transfers last year.

FDIC: Hackers took more than $120M in 3 months (March 08, 2010, 8:24 PM EST)
Online banking fraud involving the electronic transfer of funds has been on the rise since 2007 and rose to more than $120 million in the third quarter of 2009.

Poughkeepsie, N.Y. slams bank for $378,000 online theft (February 8, 2010)
In a statement last week, a town official revealed that thieves had broken into the town's TD Bank account and transferred $378,000 to accounts in the Ukraine.

Hackers Take $1 Billion a Year as Banks Blame Their Clients (August 4, 2011)
JIRA entry with XSS to steal JIRA admin rights
Apr 9: JIRA backdoored to save passwords, phishing mails sent
Attacker logs in to admin account with sudo privileges
Finds users with SSH keys to main login server
On main login server, attacker thwarted by OTPs

“Limited use passwords, especially one-time passwords, were a real lifesaver. If JIRA passwords had been shared with other services/hosts, the attackers could have caused widespread damage to the ASF’s infrastructure.”
• OPIE, Grid / TAN Cards, RSA SecurID tokens
• PKI smartcards, USB tokens
Legacy integration schemes
• RADIUS, TACACS+, GINA
20+ years old and still in style?
Courtesy Marcus J. Ranum
Timeline:
• Barracuda buys Purewire: October 2009
• IBM buys ISS: $1.2B, October 2006
• Entrust buys Business Signatures: $50M, July 2006
• Heartland settles w/ Visa: $60M, January 2010
• SYMC buys MessageLabs: $695M, October 2008
• Banking trojans: 2005
• Chinese "Aurora" attacks: January 2010
• CVS HIPAA Fine: $2.25M, February 2010
• FFIEC multifactor requirement: Dec 2006 (June 2005)
• FTC Red Flags Rule: January 2008; deadline extended 7 times, now Jan 2011
• HIPAA HITECH Act: October 2009
• HITECH: CT Attorney General vs. Health Net: January 2010
• HIPAA Security Rule Deadline: April 2005
• RSA buys Cyota: $145M, December 2005
• FBI Alert: Rampant ACH Fraud, November 2009 (“malware and work-at-home scams”)
• Thoma Bravo buys Entrust: July 2009
• ABA: Commercial Banking Under Attack, August 2009 (“Only use dedicated PC for online banking”)
• EMC buys RSA: $2.1B, June 2006
• ISS OEM's Arbor: February 2006
• Oracle buys Bharosa: $48M, July 2007
• McAfee buys MX Logic: $140M, July 2009
• RSA buys Passmark: $44M, April 2006
• Cisco buys ScanSafe: $183M, December 2009
• SYMC buys VRSN auth: $1.2B, May 2010

So How Are We Doing?
• 2005: First banking trojans in Brazil
• 2006: FFIEC multifactor requirement
• 2009: FBI Alert on Rampant ACH Fraud
Zeus vs. Antivirus chart (legend fragments: “to Date”, “Up to Date”; Source: Trusteer, Sept 2009)

Users: The Backdoor to the Network
1. Hackers entice users to click on contaminated websites or trick users to open e-mail attachments
2. Users open the file, installing the malware
3. The malware sends back stored logins and data typed into web pages
4. The malware checks in periodically for updates, providing a gateway to the internal network
Source: Washington Post

2009 Malware (Source: Panda Labs, Jan 2010): Trojan 66%, Adware 18%, Virus 7%, Spyware 6%, Worm 3%, Other: remainder

PolyPack: An Automated Online Packing Service for Optimal Antivirus Evasion. Jon Oberheide, M. Bailey, & F. Jahanian
(RFC 4226)
• Google Authenticator
Web services APIs
• MailChimp’s AlterEgo
• Duo Security :-) - https://github.com/duosecurity
Trust On First Use (TOFU) self-service enrollment
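The OTPs that stopped the attacker on the ASF login server, and the RFC 4226 event-based OTP behind Google Authenticator named here, both come down to the HOTP algorithm. The following is an added illustration, not code from the deck or from any of the projects listed above: it implements HOTP as RFC 4226 specifies (HMAC-SHA1 over an 8-byte counter, dynamic truncation, modulo 10^digits), a server-side verifier with the look-ahead resynchronisation window from the RFC, and the base32 secret decoding that authenticator apps use. The verifier returns the next counter to store, so a code that was already accepted cannot be replayed. The 20-byte ASCII secret is the RFC 4226 Appendix D test key; the window size and helper names are my choices.

```python
import base64
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP per RFC 4226: HMAC-SHA1 over the counter as 8-byte big-endian,
    dynamic truncation on the low nibble of the last byte, then mod 10**digits."""
    msg = struct.pack(">Q", counter)
    hs = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = hs[-1] & 0x0F
    code = (
        (hs[offset] & 0x7F) << 24
        | hs[offset + 1] << 16
        | hs[offset + 2] << 8
        | hs[offset + 3]
    )
    return str(code % 10 ** digits).zfill(digits)


def verify_hotp(secret: bytes, expected_counter: int, candidate: str,
                window: int = 5, digits: int = 6):
    """Server-side check with the RFC 4226 look-ahead window (parameter s).

    Tries the stored counter and the next `window` values so a token whose
    counter has drifted ahead (button pressed without logging in) still works.
    Returns the counter to persist next on success, or None on failure; the
    caller must store that value, which is what makes the password one-time.
    """
    for c in range(expected_counter, expected_counter + window + 1):
        if hmac.compare_digest(hotp(secret, c, digits), candidate):
            return c + 1
    return None


def secret_from_base32(encoded: str) -> bytes:
    """Authenticator apps exchange the shared secret as base32, often unpadded
    and with spaces for readability; normalise before decoding."""
    cleaned = encoded.replace(" ", "").strip().upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


# RFC 4226 Appendix D test secret (ASCII "12345678901234567890").
RFC4226_SECRET = b"12345678901234567890"


if __name__ == "__main__":
    # Constructed walk-through: the token is two presses ahead of the server.
    stored = 0
    shown_on_token = hotp(RFC4226_SECRET, 2)
    nxt = verify_hotp(RFC4226_SECRET, stored, shown_on_token)
    print("accepted, next counter:", nxt)          # 3
    print("replay:", verify_hotp(RFC4226_SECRET, nxt, shown_on_token))  # None
```

The same code that was just accepted is rejected on the second call because the server has moved its counter past it; that is the property the ASF quote above credits with containing the breach, and it only holds if the persisted counter is updated atomically with the successful login.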