Tag Archives: BANK OF AMERICA CORPORATION

The Hazards of Recommending

image

Think twice before you agree to recommend someone on LinkedIn. They may be a logic bomber.

You may have already read about the fired Fannie Mae sysadmin who allegedly placed a virus in the mortgage giant’s software. The virus was a bad one: it

was set to execute at 9 a.m. Jan. 31, first disabling Fannie Mae’s computer monitoring system and then cutting all access to the company’s 4,000 servers, Nye wrote. Anyone trying to log in would receive a message saying “Server Graveyard.”

From there, the virus would wipe out all Fannie Mae data, replacing it with zeros, Nye wrote. Finally, the virus would shut down the servers.

Luckily the virus was found and removed. But what has yet to be removed is the suspect’s LinkedIn page which shows that since he was fired he has been working at Bank of America, something I’ve not seen mentioned in news covering the alleged incident.

(Apparently this piece mentions this fact but the information has since been removed. This raises other interesting points: What way is there for a company to police claims by people on networks like LinkedIn that they indeed worked at that company? Why was this information removed from the story or comments?)

image

What must also be a bit awkward is that the suspect, Rajendrasinh Makwana, has a recommendation on his LinkedIn profile from a project manager at AT&T, who says that

he was much more knowledgable at the subject matter than I was. He demonstrated leadership at times of crisis. He helped me learn the ropes. I would love to work with Raj again.

The recommendation is a mutual one; the person in question gets a recommendation from Makwana as well. But what adds to the awkwardness is that the recommendation was posted on October 25, 2008, which was, according to an affidavit filed by FBI Special Agent Jessica Nye, the day after Makwana’s last day of work—which was when he allegedly planted the virus:

“On October 24, 2008, at 2:53 pm, a successful SSH (secure shell) login from IP address 172.17.38.29, with user ID s9urbm, assigned to Makwana, gained root access to dsysadmin01, the development server. … IP address 172.17.38.29 was last assigned to the computer named rs12h-Lap22, which was [a Fannie Mae] laptop assigned to Makwana. … The laptop and Unix workstation where Makwana was able to gain root access and create the malicious script were located in his cubicle.”

Ouch. If the FBI is right, the suspect was buffing his CV, seeking recommendations from former colleagues right after planting a script that could have deleted all of Fannie Mae’s data.

Lesson: Think hard before you recommend someone on LinkedIn. How well do you know this person?

Phishing Victim Fights Back

It had to happen some time. Phishing victims are fighting back — against their banks. A Miami Businessman is sueing Bank of America according to AccountingWEB.com and other sources:

 Joe Lopez, a Miami businessman who regularly conducts business over the Internet, is suing Bank of America for negligence and failure to provide protection for online banking risks of which he claims the bank was aware. Last April, Mr. Lopez’s computer system was hacked into and $90,348.65 was wired from his account at Bank of America to a bank in Riga, Latvia without his approval.

Ralph Patino, Mr. Lopez’s lawyer, claims Bank of America had knowledge of a virus called coreflood, a Trojan horse virus known for infiltrating and compromising security systems and enabling unauthorized access to infected computers, and therefore the bank had a responsibility to inform its customers of the virus.

Coreflood, according to The Register, is primarily designed to conduct Denial of Service (DoS) attacks, but the theory is that the backdoor access it enabled criminals to extract banking passwords and account details entered into Lopez’s PC. This remains unproven.

This makes the case a bit more complicated than if Lopez was hoodwinked by a phishing email designed to look like something from Bank Of America. Still, the the AccountingWeb piece quotes Avivah Litan, vice president and research director for research firm Gartner Inc. and an online fraud expert, as saying

banking cybercrime cases such as this one may result in banks adopting stricter security measures in the future. “Banks can’t reasonably expect consumers to protect themselves from cybercriminals,” said Ms. Litan. She believes that consumers need banks to offer greater security if they want online banking to increase. Gartner Inc. predicts that within two years, “50 percent of today’s stronger methods for customer authentication will no longer be strong enough to be a safeguard against phishing and malware.”

In other words, banks have got to find a better way to keep their customers secure, and arguing that cases like Lopez’ are nothing to do with them may not impress customers already increasingly nervous about doing business and banking online.

More On Phishing And Top Level Domains

Further to my posting on top level domains being registered with clear criminal intent (the example I used was paypal.de.com, in ‘How to make a phish look real’) I just received this from Joe Alagna, Manager, North American Markets for CentralNic, the registrar for the TLD in question. Here’s his reply in full:

I wanted to respond to your blog article related to phishing. I am the Manager, North American Markets, for Centralnic and I want to assure you that we are very concerned about the problem of phishing as well.

There are a few issues in your article that concerned me…

1. Although we do not place restrictions on our domains, they are no more prone to phishing use than many regular ccTlds. I have personally received phishing messages based on Chinese, Polish, Czech, and other ccTlds. There are many ccTlds that do not have restrictions and the trend amongst County Code operators is to reduce those restrictions on residency, etc.

The reason for this is that ccTld operators have found that their sales increase when they reduce restrictions. It’s a double edged sword; more sales, more potential abuse.

My point however, is this… You are correct about our domains being easy pickings for phishers, but I think it is unfair to have singled us out because of one example (which we will investigate).

2. Centralnic would like to make it known that we are very willing to help if someone thinks that our domains are being used for fraudulent purposes. We do manage a live whois registry which can be viewed by the public and by the authorities to determine registrant details and which can be queried by any anti-phishing tool. Our whois data can be publicly viewed here.

3. Regarding your contention on registrar responsibility, there are ongoing actions within the registrar/registry community to fight fraud and phishing. The most important of which is verifying whois authenticity. You can read about some of the ongoing work here (PDF).

The problem is that with over 60 million domains registered world-wide, it is very difficult to know that each registrant is real. The industry is trying to get better at that.

4. Finally, we work with a few world renowned brand managers like MarkMonitor.com who regularly try to educate financial institutions about these problems. Companies like Bank of America have registered most all of our domains to protect their customers. It’s a little expensive, but definitely a bargain when it comes to the cost of fraud and phishing. See here.

Financial institutions have the largest risk and responsibility in this. I just want to assure you that they are not in this fight alone and that Centralnic is very sensitive to the problem.

Articles like yours are very important because when all is said and done, the best protection is an educated end-user. I just want you to know that Centralnic is committed to the important battle against this type of fraud.

Thanks for the comment, Joe. I notice the website in question has been removed.

Worm Hits Diebold’s Windows ATMs

It’s not happy days for Diebold, the company behind ATMs and electronic voting. Its e-voting machines have been the source of much controversy — earlier this month it withdrew its suit against people who had posted leaked documents about alleged security breaches in the software. Now its automatic teller machines have been hit — by viruses.

Wired reports that ATMs at two banks running Microsoft Windows software were infected by a computer virus in August, the maker of the machines said. The ATM infections, first reported by SecurityFocus.com, are believed to be the first of a computer virus wiggling directly onto cash machines. (The Register said in January that the Slammer worm brought down 13,000 Bank of America ATMs, but they weren’t directly infected: the worm infected database servers on the same network, spewing so much traffic the cash machines couldn’t process transactions.)

But how can an ATM get infected? SecurityFocus says that while “ATMs typically sit on private networks or VPNs, the most serious worms in the last year have demonstrated that supposedly-isolated networks often have undocumented connections to the Internet, or can fall to a piece of malicious code inadvertently carried beyond the firewall on a laptop computer.” In other words: the folk who write worms are smarter than we are.

News: Have you been brand spoofed yet?

 SurfControl, an anti-spam company, says that “brand spoofing spam” – where a spammer sends fraudulent email that pretends to be from a well-known and trusted company — is getting worse, after only a few months of its existence.
 
 
The spammer, posing as a customer service or security official, directs the unsuspecting recipient of the spam to a phony Web site. The site then requests confidential financial information or a Social Security number that allows the spammer to commit fraud or identity theft. Over the last few months, SurfControl said in a press release, Best Buy, UPS,
 
Bank of America, PayPal and First Union Bank have been brand spoofed. Four large Australian banks also have been brand spoofed, including the Commonwealth Bank of Australia. Last Thursday, Sony Electronics reported that it had become aware of a deceptive spam e-mail that had been sent to consumers, requesting personal information such as password and e-mail address, claiming to come from “SonyStyle Customer Service.”
 
SurfControl says brand spoofing spam was first seen in March and has been growing steadily since then. Brand spoofing spam has grown from zero before March to more than five a month. The increase in such dangerous spam is linked to the growth in the availability of open proxy servers, which allow spammers to send anonymous, nearly untraceable e-mail. According to a researcher at the University of Oregon Computing Center, the number of identified open proxies grew from 1,000 in October 2002, to 100,000 in April 2003.