Fraud Intelligence Newsletter
June 2008
Table of Contents
Comcast.net domain name hijacked
Conference Round-up
- World Wide Web Conference
- AusCERT 2008
- APWG Counter eCrime Operations Summit II
- Authentication and Online Trust Alliance (AOTA) Summit 2008
- Identity Theft Technology Council (ITTC)
- Mail Anti-Abuse Working Group (MAAWG)
Upcoming Event Schedule
June 29 - July 2, America's Credit Union Conference and Expo, New York, NY. We are sponsors of the conference and will be an exhibitor.
Comcast.net domain name hijacked
Near midnight on May 28, two hackers gained control of Comcast's domain
management account at Network Solutions. The account controlled over
200 domains, including comcast.net, which hosts Comcast's consumer
portal and handles e-mail for many of its 14 million subscribers. The
hackers kept control of the domain for over five hours. They claim to
have used a combination of social engineering and a technical hack to
gain access to the account. By Internet Identity's reckoning, the
hackers made educated guesses about the password (social engineering)
and used a brute-force assault on the Network Solutions login page
(technical hack) to find the right password. At the time, Network
Solutions did not lock out an account after a high volume of failed
login attempts. For a first-person account of the takeover from the
hackers, please read http://blog.wired.com/27bstroke6/2008/05/comcast-hijacke.html
The implications of this domain name hijacking are scary. The hackers
that took over Comcast.net did not have truly nefarious intentions, but
they did make public a vulnerability that Internet Identity first
alerted the registrar community about in September 2007. ICANN
partially addressed this vulnerability with its SSAC Advisory on
Registrar Impersonation Phishing Attacks (26 May 2008) http://icann.org/committees/security/sac028.pdf
The key takeaway is that a criminal can, with moderate effort, take over the legitimate domain of a financial institution
to operate man-in-the-middle attacks or to replace the institution's
legitimate site entirely. DNS and e-mail flow can also be hijacked.
The domain name is the weakest point in the security for financial
institutions' websites. The attack against Comcast put a spotlight on
this serious problem that has so far been ignored by industry and
regulators alike. Over 94% of financial institutions use consumer
registrars that secure access to domain names with weak
username/password systems that are often vulnerable to a brute force
attack. No consumer registrars even offer two-factor authentication.
To make matters worse, many institutions do not closely control who has
access to their domain name accounts, so they do not even know where
their vulnerabilities are.
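The control that was missing in the Comcast takeover, and that weak username/password registrar logins generally lack, is lockout after repeated failed logins. The sketch below is an added example, not code from Network Solutions or Internet Identity; the class name, thresholds, account name and sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque


class LoginThrottle:
    """Per-account lockout after too many failed logins in a sliding window."""

    def __init__(self, max_failures=5, window=300, lock_for=900):
        self.max_failures = max_failures
        self.window = window        # seconds over which failures are counted
        self.lock_for = lock_for    # seconds an account stays locked
        self.failures = defaultdict(deque)   # account -> failure timestamps
        self.locked_until = {}               # account -> unlock time

    def is_locked(self, account, now):
        return now < self.locked_until.get(account, 0)

    def attempt(self, account, password_ok, now):
        """Return 'locked', 'ok' or 'failed' for one login attempt."""
        if self.is_locked(account, now):
            # Reject without evaluating the password, so a correct guess
            # made during the lock window is never confirmed.
            return "locked"
        recent = self.failures[account]
        while recent and now - recent[0] > self.window:
            recent.popleft()        # forget failures older than the window
        if password_ok:
            recent.clear()
            return "ok"
        recent.append(now)
        if len(recent) >= self.max_failures:
            self.locked_until[account] = now + self.lock_for
            recent.clear()
        return "failed"


def replay(events, throttle):
    """Feed (time, account, password_ok) tuples through the throttle."""
    return [throttle.attempt(acct, ok, t) for t, acct, ok in events]


# Constructed sample: one guess per second against a hypothetical account,
# where the 8th guess (t == 7) is the correct password.
SAMPLE = [(t, "domain-admin", t == 7) for t in range(10)]

if __name__ == "__main__":
    print("with lockout:   ", replay(SAMPLE, LoginThrottle()))
    print("without lockout:", replay(SAMPLE, LoginThrottle(max_failures=10**9)))
```

Per-account locking can also be used to lock out the legitimate owner, so it is normally paired with alerting on lock events and a second authentication factor.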
If you wish to discuss this very serious vulnerability in greater depth, please contact us.
Conference Round-up
In recent weeks, Internet Identity has continued its strong leadership
role within the anti-phishing industry by participating in conferences,
panels, and education sessions around the world. At these events, we
work in collaboration with law enforcement, ISPs, registrars,
CERTs, government agencies, and others who are fighting the phishing,
malware and cybercrime problems that threaten business on the
Internet.
Through relationships and alliances we form through these
organizations, we're able to leverage a wide array of resources on
behalf of our clients, and help with the efforts to find and apprehend
the criminals behind attacks. We also learn the latest information and
techniques to help further protect and educate our clients. In today's
threat-filled Internet environment, this collaborative approach has
proven to be what works - no single organization can battle all the
threats on its own. Internet Identity is a strong believer in the
collaborative approach, and continues to contribute significant time
and intellectual resources to these collaborative organizations.
This edition of the FIN provides a summary of those conferences. At
publication time, Internet Identity representatives are also
participating in the ICANN meetings in Paris, as well as the FIRST
(Forum for Incident Response and Security Teams) Conference in
Vancouver. Reviews of those conferences will appear in the next FIN
issue.
World Wide Web Conference - Beijing, China - April 21 - 25, 2008
President and CTO Rod Rasmussen took part in a panel discussion on
e-crime threats at this important annual conference. The conference
brings together academics, industry, and thought leaders on the future
of the Internet to discuss the latest trends, issues, and goals for the
World Wide Web. This year's event focused largely on Web 2.0
applications and all the interesting new ways of delivering web content
and services they are leading towards. Among other things, the e-crime
panel focused on the danger that these new technologies create
unprecedented exposure for web users if security isn't a major
component of developing websites with these new tools. Financial
institutions and companies that are building transactional interfaces
for Facebook should take heed.
While in Beijing, Rasmussen was also able to spend a day at the
headquarters of CNNIC, the Chinese domain registry in charge of the .CN
domain zone. CNNIC is very interested in working to curb phishing and
e-crime abuse. Rod's visit was a major step in creating a close
relationship with them to assist them in their efforts.
AusCERT 2008 - Gold Coast Australia - May 19 - 23, 2008
Rod Rasmussen was invited to present at the AusCERT 2008 conference as
the representative for the Anti-Phishing Working Group. AusCERT has
grown to be the leading Asia-Pacific regional security conference, and
this year's proceedings saw over 1,200 participants engage in a full
week of cutting edge sessions and workshops on cyber-security.
Rasmussen updated a special e-crime symposium on the APWG's current
initiatives, and in the process extended Internet Identity's
relationships with worldwide law enforcement and CERT members.
The presentations throughout the conference were top-notch, and the
spirit of collaboration and desire to pool resources were pervasive.
Unfortunately, many sessions also showed some of the emerging threats
we are facing, and in many areas things appear to be getting worse. The
biggest buzz of the conference was the keynote address by John Stewart,
Cisco's Chief Security Officer, where he declared anti-virus to be
"completely wasted money". While we still see tremendous value with
A/V products, the newest malware and delivery methodologies do present
tough challenges that need to be addressed differently. One of the
scariest of these threats is injections of malware onto your own
trusted sites that then infect your own customers. At Internet
Identity, we're actively working on solutions to enable our clients to
detect and fend off these types of threats.
APWG Counter eCrime Operations Summit II - Tokyo, Japan - May 26 - 27, 2008
The Anti-Phishing Working Group's meeting in Tokyo was a smashing
success, with nearly 300 participants - its largest crowd yet. The
event received wide coverage on Japanese television, with three
different film crews and several reporters there. Rod Rasmussen's
presentation with Greg Aaron of Afilias of their comprehensive study on
phishing during 2007 made the evening news. Interestingly, Japan does
not have much of a traditional phishing problem targeting financial
institutions, but rather a big one with on-line games. It's a
multi-billion dollar industry, and there is great value in obtaining
compromised accounts for game play and actual cash-out of cyberworld
artifacts in the real world.
The APWG remains the most collaborative event we attend, and good
progress was made in moving forward with industry data sharing. In the
spirit of collaboration, Rod stayed out till dawn learning all about
singing Japanese Karaoke with the APWG leadership, people from JPCERT,
AusCERT, Korea CERT, LaCaxia, and even the ICANN CTO. According to
Rod, "Terrance Park from Korea CERT was the only one who could actually
sing at all, so it was certainly a collaborative effort to employ
counter-measures (alcohol) to protect from a full assault on our
network interfaces (ears)!"
Authentication and Online Trust Alliance (AOTA) Summit 2008 - Seattle, USA - June 4 - 5, 2008
The underlying theme of this year's AOTA Summit was how
businesses can develop and maintain a strong, positive reputation
online. As one might expect, building a successful online reputation
boils down to choosing and executing well those actions you control,
and protecting yourself against outside actors looking to harm or take
advantage of your reputation.
Our CTO Rod Rasmussen again took the stage, participating in two panel
discussions. The first panel focused on the role of registrars, web
hosts, and ISPs in the setup, ongoing operation, and response to online
threats. The second panel focused on the preventive and proactive
response planning that organizations should be doing.
Since the Conference took place only 25 miles from our Tacoma
headquarters, Internet Identity was able to host for a few hours at our
offices both Dave Jevans, president of the APWG, and Gary Warner, one
of the world's foremost authorities on phishing and currently the
Director of Research in Computer Forensics at the University of
Alabama-Birmingham. Our two guests graciously participated in an
impromptu and informative discussion about phishing with the Internet
Identity deactivation team and staff. We would like to thank both Dave
and Gary for sharing their time and expertise with us.
Identity Theft Technology Council (ITTC) meeting - Menlo Park, CA, USA - June 11, 2008
The ITTC is a public-private partnership initiative supported by the
DHS's Science and Technology Directorate and SRI International. This
series of meetings has developed a following of IT security thought
leaders from the Federal Government, private industry, law enforcement,
research and policy communities and venture capital. Internet
Identity's CEO Lars Harvey participated in a panel discussion about
critical emerging cyber-security threats. The hottest and most timely
topic addressed by the panel was the domain takeover of Comcast.net,
which generated much discussion about the responsibilities of
registrars and domain owners.
Mail Anti-Abuse Working Group (MAAWG) - Heidelberg, Germany - June 10 - 12, 2008
Rod Rasmussen attended yet another meeting filled with great content
and enthusiastic members - this one with wide attendance of the ISP and
e-mail protection community. Highlights included some fascinating
presentations on the power of DNS in malicious activity detections, and
work people are doing to extend "reputation" to domains, name servers,
URLs, and even registrars. Several big providers are testing DKIM at
both sending and receiving ends - time to start working on a deployment
solution if you're a phishing target! Rod gave an update on the APWG
Internet Policy Committee he co-chairs, and looks forward to some
combined efforts from MAAWG on several fronts.
If you want to learn more about protecting your organization from phone
phishing, phishing, spear phishing, targeted malware and other attacks
against your customers, please contact Internet Identity.