The bug bounty program is a remarkable shift for a company that has for the most part eschewed paying researchers for finding security vulnerabilities in its products. But unlike tech giants like Facebook, Google, Mozilla and Twitter — which have for some time now offered bounties ranging from a few hundred to several thousand dollars to researchers who report bugs in their products or Web properties — Microsoft is reserving its reward money for research on products that are still in beta.

The reward program — which officially launches June 26, 2013 — will pay up to $100,000 USD for “truly novel exploitation techniques” against protections built into the latest version of Windows  – Windows 8.1 Preview. Additionally, Microsoft will pay up to $50,000 USD for defensive ideas that accompany a qualifying mitigation bypass submission,” the company said in a blog post today.

These two offers are open-ended, but for just 30 days beginning June 26, Microsoft is offering a separate bounty of up to $11,000 for critical flaws in Internet Explorer 11 Preview on the latest version of Windows (Windows 8.1 Preview).

On Monday, I asked Mike Reavey, director of Microsoft’s Security Response Center, whether the company was concerned that restricting the offering to beta products might be perceived as a promotional gimmick for Windows 8, which has registered flagging sales and mixed reviews. Reavy said the research gleaned from the bug bounty program may well turn out to be useful in hardening older versions of Windows and IE, but in any case the company was focused on fixing big security issues before releasing these products for broader use.

“These are unique programs, because you don’t see white-market vulnerability brokers incentivizing research on products before they’re released,” Reavey said, referring to bug bounty programs run by companies like iDefense and HP Tipping Point, which pay researchers for critical bugs in third-party software and then work with vendors (including Microsoft) to help fix the problems.

Vulnerability researchers have long dug through beta versions of Microsoft products, only to sit on their findings until the product is officially released. That’s because vulnerability brokers don’t typically pay for bugs in beta versions of popular software. But by tying its offer of up to $11,000 to a 30-day preview window only, Microsoft removes the incentive for researchers to hold onto their findings, said Jeremiah Grossman, chief technology officer for WhiteHat Security Inc.

“When any IE preview edition comes out, researchers will start pounding on it looking for bugs, but but since bug brokers don’t pay for preview vulnerabilities the researchers have to hold on to their bugs and hope that they’re still there when the product is finally released,” Grossman said. “Microsoft really is targeting that window of time with this offering.”

Charlie Miller, a former analyst at the National Security Agency and a security researcher who has found his share of bugs in big name software -most notably Apple’s products), applauded Microsoft for trying to fix flaws in software before most customers start using it.

“The whole industry has evolved over the past few years, so there’s now less of a focus on finding and fixing bugs and more of a focus on making exploitation of bugs more difficult,” said Miller, now a security engineer at Twitter. “Most people don’t care about software betas, and Microsoft is trying to change that, and I think that’s good. They’re trying to get the bugs worked out before the software is in most peoples’ hands.”

The latest patch brings Java 7 to Update 25 (looks like Oracle has finally followed through on its promise to stop shipping updates for Java 6). In its accompanying advisory, Oracle notes that 37 of the 40 vulnerabilities fixed in this update may be remotely exploitable without authentication — that is, they can be exploited over a network without the need for a username and password.

If you really need and use Java for specific Web sites or applications, take a few minutes to update this software. Updates are available from Java.com or via the Java Control Panel. Keep in mind that updating via the control panel will auto-select the installation of the Ask Toolbar, so de-select that if you don’t want the added crapware.

Other, seriously consider removing Java altogether.  I’ve long urged end users to junk Java unless they have a specific use for it (this advice does not scale for businesses, which often have legacy and custom applications that rely on Java). This widely installed and powerful program is riddled with security holes, and is a top target of malware writers and miscreants.

If you have an affirmative use or need for Java, unplug it from the browser unless and until you’re at a site that requires it (or at least take advantage of click-to-play). Java 7 lets users disable Java content in web browsers through the Java Control Panel. Alternatively, consider a dual-browser approach, unplugging Java from the browser you use for everyday surfing, and leaving it plugged in to a second browser that you only use for sites that require Java.

There are a couple of ways to find out if you have Java installed and what version may be running.  Windows users can click Start, then Run, then type “cmd” without the quotes. At the command prompt, type “java -version” (again, no quotes). Users also can visit Java.com and click the “Do I have Java?” link on the homepage. Updates also should be available via the Java Control Panel or from Java.com.

Mac OS X 10.6 (Snow Leopard) users who have Java should check Software Update for any available updates. Mac OS X 10.7 (Lion) and 10.8 (Mountain Lion) users can grab the updated version of Java from Java.com.

The main window of EMET 4.0

First, a quick overview of what EMET does. EMET allows users to force applications to use several key security defenses built into Windows — including Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP). Put very simply, DEP is designed to make it harder to exploit security vulnerabilities on Windows, and ASLR makes it more difficult for exploits and malware to find the specific places in a system’s memory that they need to do their dirty work.

EMET can force a non-Microsoft application to perform ASLR on every component it loads, whether the program wants it or not. Please note that before you install EMET, you’ll need to have Microsoft’s .NET Framwork 4 platform installed. And while EMET does work on Windows XP (Service Pack 3 only), XP users cannot take advantage of mandatory ASLR and a few other notable protections included in this tool.

However, EMET includes several important security features that can help fortify third-party applications on XP. Namely, its “Structured Exception Handler Overwrite Protection,” or SEHOP protection, which guards against the most common technique for exploiting stack overflows on Windows. Microsoft says this mitigation has shipped with Windows ever since Windows Vista Service Pack 1.

In addition to a revised user interface, EMET 4.0 includes a handful of new features that were bundled with the 3.5 tech preview version, such as novel methods of blocking an exploit technique called return-oriented programming (ROP). Attackers can leverage ROP to bypass DEP protections by using snippets of code that are already present in the targeted application.  

One of the much-hyped new capabilities of EMET 4.0 is its “certificate trust” feature, which is designed to block so-called “man-in-the-middle” attacks that leverage counterfeit SSL certificates in the browser. The past few years saw several attacks that impersonated Webmail providers and other top Internet destinations using fraudulent digital certificates obtained by certificate authorities, including Comodo, DigitNotar and Turktrust. This feature is a nice idea, but it seems somewhat clunky to implement, and only works to protect users who browse the Web with Internet Explorer. For tips on configuring and using this feature of EMET, check out this post.

To proceed with EMET, download the program and install it (if you are upgrading from an older version of EMET, uninstall the older version first before proceeding with the EMET 4.0 install). This new version of EMET gives users an option to allow a pre-set group of applications to be automatically protected by EMET, including Java, Adobe Acrobat, Internet Explorer and any Office apps that may be installed. Alternatively, users can start from scratch and select their own applications to put behind EMET.

To wrap EMET’s protection around a program — say, Mozilla Firefox — launch EMET and click the “Apps” button in the upper portion of the main EMET window. Selecting the “Add Application” button in the next box brings up a program selection prompt; browse to C:\Program Files (x86)\Mozilla Firefox, and then add the “firefox.exe” file. It should be okay to accept all of the defaults that EMET adds for you.

While you’re at it, add the rest of your more commonly used, Internet-facing apps. But go slow with it, and avoid the temptation to make system-wide changes. Changing system defaults across the board – such as changing ASLR and DEP settings using the “configure system” tab – may cause stability and bootup problems.

I’ve been using EMET on a 64-bit Windows 7 system and phasing in some of my most-used applications one-by-one with the “configure apps” button just to make sure the added security doesn’t crash the programs.  Microsoft’s support forum has a useful thread on applications that may not play nice with EMET’s default protection settings.

For example, a handful of applications will simply crash or not work with EMET’s “export address table access filtering” (EAF) mitigation turned on. Skype is one well-known example here. I’ve also experienced issues with running EAF on Google Chrome.

This is really where EMET’s unobtrusiveness can be a blessing and a curse. Unlike some security and antivirus tools that periodically pop-up annoying warnings or notifications to let you know they’re still there and doing their job, EMET is likely to do its job unnoticed by most users. I say curse because on one occasion (I can’t recall the name of the application at issue) I spent a few days scratching my head over an app that wouldn’t work properly, only to remember later that I’d set it to use EMET months before.

If you have questions about EMET or run into issues with the program, check out the Microsoft support page for EMET, which lets you to submit questions to the user community if you don’t see your problem addressed in a previous support thread.

The chart above indicates which system- and application-specific protections in EMET 4.0 are available for each supported version of Windows. Visit this link to download EMET 4.0, as well as a detailed user guide on the software.

Source: Mybanktracker.com

Louisville, Ky. based news station WDRB Inc. carried a story last week about a local man who was arrested after allegedly using mobile banking to steal more than $12,000 from multiple Kroger stores.

“Police say 34-year-old Boma Robert Spero-Jack went into several different Kroger stores and purchased at least 32 Western Union money orders. Each money order was issued for an amount between $195 and $500, according to an arrest report. Police say he would then leave the store and deposit the money order into his Bank of America checking or savings account, via a mobile deposit. Spero-Jack would then go back into the Kroger and ‘cash’ the same money order, according to the arrest report. Later, police say he would withdraw the amount of the money order from his bank account.”

The technology that Spero-Jack is accused of exploiting — known as mobile remote deposit capture (mRDC) — allows banking customers to deposit a check by taking a picture of it with a cellphone. The risk for financial institutions that allow mRDC is that the customer retains the paper check, and can potentially deposit it again and again at other institutions.

Robert McGarvey, a reporter who wrote about the Kentucky incident for Credit Union Times, said paranoids in the banking business have long fretted about this ever since MRDC started to roll out a few years ago.

“Frankly, there have been few reported cases — there have been more accidental double deposits than criminal,” McGarvey said. “But now I am hearing about small time gangs doing this.”

McGarvey and others say this is an area that is ripe for exploitation by far more organized operations — the kind of criminal gangs recently busted for extracting tens of millions from ATM cashout schemes, or from account takeovers involving fraudulently-obtained prepaid debit cards. Those schemes involved transferring funds from compromised accounts and did not require the attackers to put up 50 percent of the cost of the fraud to start with, as was the case with the Kentucky crimes.

“The key is to open an account with fake ID, then buy a throwaway phone at WalMart,” McGarvey said. “You are then in business and very, very unlikely to get arrested. Most banks set a low limit – maybe $3,000 per day on MRDC – which also tells the crook he can get $2,999 with no sweat.”

Julie Conroy, a research director with the retail banking practice of Aite Group, a Boston-based research and advisory firm, said banks are not seeing a lot of losses due to this type of fraud…yet.

“But I think ‘yet’ is the operative word there,” Conroy said. “The product is still fairly new, with many banks just rolling out their offering in the last year or so.  Most banks are protecting the product through a combination of rules and velocities, and due to this approach, and the fact that the product is relatively new and doesn’t have a ton of volume yet, this has worked fairly well so far.  However, the service is popular with customers, and as this report shows, the bad guys are finding it too.”

Conroy said the key challenge for banks is that they can’t detect in real-time when an item has been deposited via the mobile channel, and then deposited at a branch.

“There are some anti-fraud services that can help detect multiple presentments at multiple banks via mRDC, so to the extent that the banks are subscribing to those services, that can help minimize the risk somewhat,” Conroy said.

According to Conroy, the other aspect of mRDC that has many bankers nervous is the consequential damages provision that was part of the enabling regulation.  That provision says that if an item is deposited twice, and that second deposit causes harm to the maker of the item, then the bank responsible for the second presentment has to cover any consequential damages that may result.

“So, to give you the worst case scenario, say I write you a check, and you deposit it once via mRDC, and a second time at a bank branch,” Conroy said. “The second deposit causes my account to go into overdraft status, and the very next check that would have cleared was my homeowners insurance check.  That check bounces, and the next day my house burns down.  Technically, the bank where that second presentment occurred could be on the hook for the cost of my house if my homeowners insurance lapsed due to that bounced check.  No banks have seen much in the way of losses due to this provision, but the possibility of unlimited losses is scary — as is the potential that the consequential damages provision itself could be gamed by the bad guys.”

Phishing email targeting Iranians. Source: Google.

Since September 2012, nearly 50 U.S. financial institutions have been targeted in over 200 distributed denial of service (DDoS) attacks, according to the U.S. Department of Homeland Security. A Middle Eastern hacking collective known as the Izz ad-Din al-Qassam Cyber Fighters has claimed credit for the assaults, and U.S. intelligence officials have repeatedly blamed the attacks on hacker groups backed by the Iranian government.

But roughly three weeks ago, experts began noticing that the attacks had mysteriously stopped.

“We haven’t seen anything for about three weeks now,” said Bill Nelson, president and CEO of the Financial Services Information Sharing and Analysis Center (FS-ISAC), an industry coalition that disseminates data about cyber threats to member financial institutions. “It’s not clear why [the attacks stopped], but there are a lot of things going on in Iran right now, particularly the presidential elections.”

Meanwhile, data collected by Google suggests that the attackers are focusing their skills and firepower internally, perhaps to gather intelligence about groups and individuals supporting specific candidates running for Iran’s presidential seat. In a blog post published this week, Google said that it is tracking a “significant jump” in the overall volume of phishing activity in and around Iran.

“For almost three weeks, we have detected and disrupted multiple email-based phishing campaigns aimed at compromising the accounts owned by tens of thousands of Iranian users,” wrote Eric Grosse, vice president of security engineering for Google. “The timing and targeting of the campaigns suggest that the attacks are politically motivated in connection with the Iranian presidential election on Friday.”

Grosse said the attacks appear to be the work of the same group that used SSL certificates fraudulently obtained from the now-defunct Dutch certificate authority Diginotar in sophisticated Iranian phishing campaigns that spoofed Gmail and other online services in August 2011.

Jeff Bardin, chief intelligence officer at Treadstone 71, a cyber intelligence and training firm, said he expects the phishing attacks to subside following today’s election in Iran.

“They are ahead of the game this time around as opposed to 2009 when they could not control Web 2.0 and cell phone activities,” Bardin said of the Iranian government. “Since then, they have acquired or nationalized telecoms, established filters, cutoff switches for the Internet and infiltrated Facebook, Twitter, YouTube. Iran has established a high degree of surveillance and control.”

For now, it’s unclear whether the same volume of DDoS attacks against U.S. financial institutions will continue after the Iranian election is over. According to Bardin, the attacks have been increasingly ineffective as more U.S. financial institutions moved to commercial providers of DDoS protection, including companies like Akamai, Arbor Networks, Prolexic (which protects this blog) and Radware.

“We’ll see what happens after the elections, but we’re not holding our breath,” FS-ISAC’s Nelson said. “Maybe this is the end, but they’re probably just gearing up for another round.”

Check out the video I recorded of this phish in action (turn down in the sound if you hated the Iron Man soundtrack):

Update, June 17, 3:07 p.m: Google’s Youtube team has inexplicably removed my video, calling it a violation of YouTube’s policy on the depiction of harmful activities. 8:09 p.m.: YouTube has restored the video.

Hover over the search links returned in Yahoo.com after searching for “Mtgox” and you’ll see what appears to be a paid or perhaps sponsored search ad that lists a result for mtgox.com, although hovering over the link displays a long “yahoo.com” URL. The same is true when you currently search for “mtgox” on Bing.com: hovering over the returned link shows a bing.com address.

In the video above, entering any credentials at the fake “mtpox.com” site caused a site error, but when I tried it again a moment later, I was redirected to the real Mtgox.com.

Interestingly, it appears the phisher in this case simply copied and pasted the code from Mtgox.com; as shown in the video, hovering over either the username or password field on mtpox.com produces the same warning present on mtgox.com — a message advising visitors to check for the green “extended validation” or EV browser certificate in the URL address bar.

This attack, while not particularly unusual, is a good reminder that relying on trusted bookmarks is among the safest ways to navigate to sites that hold your personal and financial information. Using a search engine to find these sites is better than direct navigation (in which a fat-fingered key can lead to a phishing site), but as this phish illustrates, it’s always a good idea to double check the URL in the address bar.

Hat tip to Twitter follower Ryan Mattinson.

A majority of the vulnerabilities fixed in Microsoft’s June patch batch — 19 of them — are addressed in a cumulative update for Internet Explorer (MS13-047). The other fix that Microsoft called specific attention to is MS13-051, which tackles a flaw in Office that “could allow remote code execution if a user opens a specially crafted Office document..or previews or opens a specially crafted email message in Outlook while using Microsoft Word as the email reader.”

This Office flaw, which is present in the latest versions of Office 2003 and Microsoft Office for Mac 2011, is already being exploited in targeted attacks, Microsoft said. According to the company’s advisory, this vulnerability was reported by Google. These attacks fit the profile of previous zer0-day incidents, which use targeted email lures and previously unknown vulnerabilities to break into high-value targets.

“When Google encounters flaws that exploit users’ computers, even when the flaws are in other companies’ software, we take strong action to mitigate those attacks,” a Google spokesperson said in response to a request for comment. “Based on the exploit and the way it has been utilized by attackers, we strongly believe the attacks to be associated with a nation-state organization.”

Adobe’s Flash and AIR updates also fix a critical bug that was reported by Google’s security team, although Adobe says it is not aware of any exploits or attacks in the wild against the vulnerability address in its update. The latest Flash version is 11.7.700.224 for Windows and 11.7.700.225 for Mac OS X.  This link will tell you which version of Flash your browser has installed. IE10 and Chrome should auto-update their versions of Flash. If your version of Chrome is not yet updated to v. 11.7.700.225, you may just need to restart the browser.

The most recent versions of Flash are available from the Adobe download center, but beware potentially unwanted add-ons, like McAfee Security Scan). To avoid this, uncheck the pre-checked box before downloading, or grab your OS-specific Flash download from here. Windows users who browse the Web with anything other than Internet Explorer will need to apply this patch twice, once with IE and again using the alternative browser (Firefox, Opera, e.g.).

In addition, Adode AIR (required by some applications like Pandora Desktop, for example) was updated to v. 3.7.0.2090 for Windows and Android, and 3.7.0.2100 for Mac OS X. Adobe AIR checks for and prompts you to install any available updates anytime you launch an application that uses AIR; in any case, the download link is here. See the chart below for the updated version numbers for your operating system.

Update, 8:05 p.m. ET: Added comment from Google.

Update, June 12, 2:10 p.m. ET: Microsoft modified its blog post to say the IE patch covers 19 vulnerabilities, instead of 18. The above copy also has been changed to reflect that.

This post aims to raise awareness about the street value of a hacked email account, as well as all of the people, personal data, and resources that are put at risk when users neglect to properly safeguard their inboxes.

Sign up with any service online, and it will almost certainly require you to supply an email address. In nearly all cases, the person who is in control of that address can reset the password of any associated services or accounts –merely by requesting a password reset email.

Your email account may be worth far more than you imagine.

How much are these associated accounts worth? There isn’t exactly a central exchange for hacked accounts in the cybercrime underground, but recent price lists posted by several miscreants who traffic in non-financial compromised accounts offer some insights.

One prominent credential seller in the underground peddles iTunes accounts for $8, and Fedex.com, Continental.com and United.com accounts for USD $6. Groupon.com accounts fetch $5, while $4 buys hacked credentials at registrar and hosting provider Godaddy.com, as well as wireless providers Att.com, Sprint.com, Verizonwireless.com, and Tmobile.com. Active accounts at Facebook and Twitter retail for just $2.50 apiece.

As I’ve noted in previous stories, some crime shops go even lower with their prices for hacked accounts, charging between $1 to $3 for active accounts at dell.com, overstock.com, walmart.com, tesco.com, bestbuy.com and target.com, to name just a few.

Even if your email isn’t tied to online merchants, it is probably connected to other accounts you care about. Hacked email accounts are not only used to blast junk messages: They are harvested for the email addresses of your contacts, who can then be inundated with malware spam and phishing attacks. Those same contacts may even receive a message claiming you are stranded, penniless in some foreign country and asking them to wire money somewhere.

If you’ve purchased software, it’s likely that the license key to that software title is stored somewhere in your messages. Do you use online or cloud file-storage services like Dropbox, Google Drive or Microsoft Skydrive to backup or store your pictures, files and music? The key to unlocking access to those files also lies in your inbox.

If your inbox was held for ransom, would you pay to get it back? If your Webmail account gets hacked and was used as the backup account to receive password reset emails for another Webmail account, guess what? Attackers can now seize both accounts.

If you have corresponded with your financial institution via email, chances are decent that your account will eventually be used in an impersonation attempt to siphon funds from your bank account.

Until recently, some of the Web’s largest providers of online services offered little security beyond a username and password. Increasingly, however, the larger providers have moved to enabling multi-factor authentication to help users avoid account compromises. Gmail.com, Hotmail/Live.com, and Yahoo.com all now offer multi-step authentication that users can and should use to further secure their accounts. Dropbox, Facebook and Twitter also offer additional account security options beyond merely encouraging users to pick strong passwords.

Of course, all of this additional security can be defeated if the bad guys gain control over your machine through malicious software. To keep your computer from being compromised, consider adopting some of the recommendations in my Tools for a Safer PC primer.

Pavel Vrublevsky’s Facebook profile photo.

Vrublevsky is on trial for allegedly hiring two brothers — Igor and Dmitri Artimovich — to use their Festi spam botnet to attack Assist, a competing payments processor. Prosecutors allege that the resulting outage at Assist prevented Russian airline Aeroflot from selling tickets for several days, costing the company at least USD $1 million.

Vrublevsky was imprisoned for six months in 2011 pending his trial, but was released at the end of that year after admitting to his role in the attack. Later, he recanted his jailhouse admission of guilt. Today, he was re-arrested after admitting to phoning a witness in his ongoing trial and offering “financial assistance.” The witness told prosecutors he felt pressured and threatened by the offer.

Two months ago, I signed a book deal with Sourcebooks Inc. to publish several years worth of research on the business of spam, fake antivirus and rogue Internet pharmacies, shadow economies and that were aided immensely by ChronoPay and — according to my research — by Vrublevsky himself.

Vrublevsky co-founded ChronoPay in 2003 along with Igor Gusev, another Russian businessman who is facing criminal charges in Russia stemming from his alleged leadership role at GlavMed and SpamIt, sister programs that until recently were the world’s largest rogue online pharmacy affiliate networks. Huge volumes of internal documents leaked from ChronoPay in 2010 indicate Vrublevsky ran a competing rogue Internet pharmacy — Rx-Promotion — although Vrublevsky publicly denies this.

My previous reporting also highlights Vrublevsky’s and ChronoPay’s role in nurturing the market for fake antivirus or scareware products. One such story, published just days before Vrublevsky’s initial arrest, showed how ChronoPay executives set up the domains and payment systems for MacDefender, a scareware scam that targeted millions of Mac users.

I found this development noteworthy because I, too, was offered financial assistance by Vrublevsky, an offer that very much seemed to me like a threat. In mid-2010, after thousands of emails, documents and hundreds of hours of recorded phonecalls from ChronoPay were leaked to  this author, Vrublevsky began calling me at least once a day from his offices in Moscow. This continued for more than six months. In one conversation from May 2010 , Vrublevsky offered to fly me to Moscow so that I could see firsthand that he had “only a very remote relationship with this case.”

“My proposition to you is to  come to Moscow, and if you don’t have money….I realize journalists are not such wealthy people in America, we’re happy to pay for it,” Vrublevsky said in a phone conversation on May 8, 2010.

When I politely declined his invitation, Vrublevsky laughed and said I was wrong to feel like I was being bribed or intimidated.

“It’s quite funny that you think somehow when you fly to meet me in Moscow or ChronoPay offices that you are in any possible danger from me for being murdered,” Vrublevsky said. “Come to Moscow and see for yourself. Take your notebook, come to my office.  Sit in front of me and look around. Because you’re getting information, which, to be honest, is not factual.”

As I note in my book (due to be published in late Summer 2014) I believe Vrublevsky’s intention was more to somehow secure my future silence than to set the record straight. I did, however, eventually come to Moscow and interview him at his ChronoPay offices.

According to Russian news outlet Vedomosti, Vrublevsky is likely to spend another six months in prison for this latest stunt. He faces an additional two years in prison if he is ultimately found guilty of orchestrating the attacks on his company’s rival.

Jacksonville, Fla. based FIS is one of the largest information processors for the banking industry today, handling a range of services from check and credit card processing to core banking functions for more than 14,000 financial institutions in over 100 countries.

The company came under heavy scrutiny from banking industry regulators in the first quarter of 2011, when hackers who had broken into its networks used that access to orchestrate a carefully-timed, multi-million dollar ATM heist. In that attack, the hackers raised or eliminated the daily withdrawal limits for 22 debit cards they’d obtained from FIS’s prepaid card network. The fraudsters then cloned the cards and distributed them to co-conspirators who used them to pull $13 million in cash from FIS via ATMs in several major cities across Europe, Russia and Ukraine.

FIS first publicly reported broad outlines of the breach in a May 3, 2011 filing with the Securities and Exchange Commission (SEC), stating that it had identified “7,170 prepaid accounts may have been at risk and that three individual cardholders’ non-public information may have been disclosed as a result of the unauthorized activities.” FIS told the SEC it worked with the impacted clients to take appropriate action, including blocking and reissuing cards for the affected accounts. “The Company has taken steps to further enhance security and continues to work with Federal law enforcement officials on this matter,” it declared in its filing.

FIS’s disclosure to investors cast the breach as limited in scope, saying the break-in was restricted to unauthorized activity at a portion of its network belonging to a small prepaid debit card provider that it acquired in 2007.  But bank examiners at the Federal Deposit Insurance Corp. (FDIC) who audited FIS’s operations in the months following the 2011 breach and again in October 2012 came to a very different conclusion: According to a report that the FDIC sent May 24, 2013 to hundreds of FIS’s customer banks and obtained by KrebsOnSecurity, the 2011 breach was much larger than previously reported.

“The initial findings have identified many additional servers exposed by the attackers; and many more instances of the malware exploits utilized in the network intrusions of 2011, which were never properly identified or assessed,”  the FDIC examiners wrote in a report from October 2012. “As a result, FIS management now recognizes that the security breach events of 2011 were not just a pre-paid card fraud event, as originally maintained, but rather are that of a broader network intrusion.”

Indeed, the FDIC’s examiners found that there was scarcely a portion of the FIS network that the hackers did not touch.

“From review of the previous investigation reports, along with other documentation provided by FIS, examiners and payment card industry experts identified over 2,000 touch points that indicated a broad exposure of internal FIS systems and client related data,” the report notes. “These systems include, but are not limited to, the The New York Currency Exchange ATM network, prime core application systems, and various Internet banking, ACH, and wire transfer systems. These touch points also indicated approximately 100 client financial institutions, which appear to have had sensitive data exposed by the attackers.”

A screen shot of an excerpt from the FDIC report on security lapses at FIS.

In an emailed statement, FIS maintained that “no client of FIS suffered any monetary loss as a result of the incident, and stressed that the report is based upon a review that was completed in October 2012.

“Since that time, FIS has continued to strengthen its information security and risk position, including investments over two years of $100 million or more, as part of our goal to provide best-in-class information security and risk management to each of our 14,000-plus clients. We have openly and regularly communicated these initiatives, our progress and results to our clients and shareholders through meetings, monthly updates, quarterly public disclosures, Board materials, educational webinars, and more.”

WHAT DOES $100 MILLION BUY?

Nevertheless, investors may be less than pleased about how FIS is spending its security dollars. The FDIC found that even though FIS has hired a number of incident response firms and has spent more than $100 million responding to the 2011 breach, the company failed to enact some very basic security mechanisms. For example, the FDIC noted that FIS routinely uses blank or default passwords on numerous production systems and network devices, even though these were some of the same weaknesses that “contributed to the speed and ease with which attackers transgressed and exposed FIS systems during the 2011 network intrusion.”

“Many FIS systems remain configured with default passwords, no passwords, non-complex passwords, and non-expiring passwords,” the FDIC wrote. “Enterprise vulnerability scans in November 2012, noted over 10,000 instances of default passwords in use within the FIS environment.”

The bank auditors also found “a high number of unresolved network and application vulnerabilities remain throughout the enterprise.

“The Executive Summary Scan reports from November 2012 show 18,747 network vulnerabilities and over 291 application vulnerabilities as past due,” the report charges.

What’s more, investigators probing the breach at FIS may have been denied key clues about the source of the intrusion because FIS incident response personnel wiped many of the compromised systems and put them back on the network before the machines could be properly examined.

“Many systems were re-constituted and introduced back into the production environment before data preservation techniques were applied,” the report notes. “Additionally, poor forensic preservation techniques led to numerous servers being re-imaged before analysis was completed and significant logging data was inadvertently destroyed. Several servers, key to the investigation process, were re-introduced into the production environment and subsequently re-compromised due to misconfigured baselines and inadequate security testing outside of corporate policy.”

Analysts say FIS’s problems almost certainly stem from having to cobble together various networks and systems that it inherited from a long series of corporate acquisitions over the past few years. The FDIC report notes FIS had originally set a target completion date of year-end 2012 for this project, but has since revised the projected completion date to June 30, 2013.

“It appears the extension is necessary due to the immense scale of the project, which consists of approximately 30,000 servers and operating systems, another 30,000 network devices, over 40,000 workstations, 50,000 network circuits, and 28 mainframes running 80 LPARs,” the FDIC examiners wrote. “The vast scope of this project is being addressed in a formal process which requires additional time to complete. Nonetheless, this information asset inventory and risk rating process is critical to effective information security and risk management efforts; and they should have been implemented prior to regulatory intervention.”

An excerpt from the FDIC report on FIS.

MATTERS REQUIRING ATTENTION

In its initial audit in 2011, the FDIC found eight MRAs, or “matters requiring attention.” Ron Lindhart, a former bank examiner for the Office of the Comptroller of the Currency (OCC), said MRAs are extremely serious matters that financial services firms ignore at their peril.  In its Oct. 2012 follow-up report, the FDIC said while FIS had addressed four of the eight MRAs it identified earlier in the year, the agency had since documented an additional four MRAs.

Lindhart called FIS’s eight MRAs a “high average” score on a report card in which high scores are not a mark of achievement.

“I’d say in a typical examination, you might have two or three, maybe four MRAs, so eight is a significant number,” said Lindhart.

Financial institutions that fail to address MRAs in a timely manner and to the satisfaction of the banking regulators can face fines and can even be shut down. But FIS is a service provider — not a bank — and while the company’s role as a core provider for thousands of banks means that it can be audited by regulators, those regulatory agencies can’t levy fines against the company or shut it down directly.

Rather, Lindhart said, the FDIC’s leverage comes from taking their case to FIS’s customers. Perhaps that is why the FDIC’s May 24, 2013 letter attached the report began with the message, “We are sending you this report for your evaluation and consideration in managing your vendor relationship with FIS.”

Translation? Get FIS’s customer banks to pressure FIS and create the fear that they may lose business by not adequately addressing the security weaknesses. ”It’s very effective in getting corrective action when the serviced banks find out about the situation,” Lindhart said.

Julie Conroy, a research director with the retail banking practice of Aite Group, a Boston-based research and advisory firm, said a major reason FIS is receiving such regulatory scrutiny is that the company is not just a credit card processor: thousands of small financial institutions outsource their entire information technology systems to FIS.

“It’s basically outsourced IT infrastructure for these banks, including all of their customer information — names, SSNs, DBAs, account balances — all of that is sitting at FIS,” Conroy said. “These kinds of security lapses threatens a key part of the trust relationship that these banks have with the core processors, and [the banks] expect state-of-the-art security.”

But Avivah Litan, a fraud analyst for Gartner Inc., said many of FIS’s customer banks are smaller institutions that can’t exactly afford to pick up and move their operations to a competing service provider, such as Fiserv or Jack Henry.

“It’s very hard for these banks to switch processors,” Litan said. “The pricing is typically the same, but it takes a lot of manpower to test new systems, to stage it and roll it out in a way that doesn’t disrupt your service.”

Litan said for these institutions, switching service providers is akin to the hassle most consumers experience in trying to switch their Internet service from a cable to a DSL provider - only 100 times harder and more expensive.

“So many of these processors neglect security and have awful customer service, in large part because the switching costs are so high that they can get away with it,” Litan said. “There needs to be more heat on these processors, and I think this is a pretty savvy and important move by the regulators.”

CONNECTIONS TO OTHER ATM CASHOUTS?

The $13 million ATM cashout against FIS in 2011 bears a remarkable resemblance to several similar heists involving organized crime, malware and ATM cashouts. In May 2013, federal prosecutors in New York unsealed indictments against eight defendants allegedly involved in two separate cyberattacks that used prepaid debit cards to siphon a total of $50 million from ATMs across the globe; the first was a breach around Christmas 2012 that netted thieves $5 million from an Indian prepaid network, while the second siphoned $40 million from a bank in the United Arab Emirates in February 2013.

Meanwhile, the hackers responsible for coordinating the ATM heists, raising the daily withdrawal limits and monitoring the withdrawals were not named in the New York indictments.

In its emailed statement to KrebsOnSecurity, FIS said the criminal actors involved in 2011 attack on its own networks “are currently the subject of an ongoing federal criminal law enforcement investigation, and several individuals have been arrested and charged with various crimes.” FIS declined to say whether those arrested were involved in the two thefts connected to the New York investigation.

The FIS breach and the two separate incidents encompassed by the New York case are eerily similar to an intricate 2008 attack against RBS WorldPay. In that heist, crooks obtained remote access to RBS’s systems, raised the daily withdrawal limit and used 44 counterfeit prepaid cards to suck more than $9 million from at least 2,100 ATM terminals in 280 cities worldwide.

Federal prosecutors alleged that the 2008 RBS theft was orchestrated by at least eight men from Estonia and Russia — the alleged ringleader, Sergei Tsurikov,  was extradited to face charges in the United States. His trial is pending and much of his case remains sealed.

Another key figure in that case was Viktor Pleschuk of St. Petersburg, Russia, who monitored the fraudulent ATM withdrawals remotely and in real-time using compromised systems within the payment card network. Pleschuk and Russian accomplice Eugene Anikin were arrested and charged in Russia. Prosecutors asked the court for five- and six-year sentences, but those requests were ignored. In February 2011 (around the time of the FIS breach) Pleschuk and Anikin agreed to plead guilty for their roles in the RBS heist in exchange for suspended sentences  — probation, but no jail time.

In a rating of twenty most widespread harmful programs worm Conficker known also as Downadup and Kido continues to the the leading position. By some estimations, Conficker could infect up to 20 million computers worldwide. The last days this worm has started to form the infected computers in a botnet for distribution of spam emails and spyware.

The second string of “charts”, as well as one month ago, holds the virus Sality with spyware functionality. This harmful program intercepts the information entered by means of the keyboard, and sends gathered information to malefactors.

It is remarkable that the harmful code CodeBaseExec which first versions have been detected in 2004 has returned to April virus “twenty”. The program gets on the PC of a victim through old “hole” in a browser of Internet Explorer of versions 5.01, 5.5 and 6.0.

The complete rating of harmful programs for April under the version «Kaspersky’s Laboratory» looks like this:

1. Net-Worm.Win32.Kido.ih
2. Virus.Win32.Sality.aa
3. Trojan-Dropper.Win32.Flystud.ko
4. Trojan.Win32.Chifrax.a
5. Trojan.Win32.Autoit.ci
6. Trojan-Downloader.Win32.VB.eql
7. Packed.Win32.Krap.b
8. Worm.Win32.AutoRun.dui
9. Exploit.HTML.CodeBaseExec
10. Packed.Win32.Black.a
11. Virus.Win32.Sality.z
12. Virus.Win32.Virut.ce
13. Trojan.JS.Agent.xy
14. Worm.Win32.Mabezat.b
15. Virus.Win32.Alman.b
16. Packed.Win32.Krap.g
17. Packed.Win32.Klone.bj
18. Worm.Win32.AutoIt.ar
19. Exploit.JS.Agent.agc
20. Email-Worm.Win32.Brontok.q

As it is informed, the problem is related to processing of JavaScript code. With help of the document generated in special way malefactors theoretically can organise DoS-attack, provoke emergency end of work of the program or execute any operations on the remote computer.

Adobe has confirmed the existence of the problem, having underlined, that it mentions all delivered versions of Reader and Acrobat packages , including 9.1, 8.1.4, 7.1.1 and earlier updatings. The situation is aggravated with that there were examples of the harmful code on the Internet, allowing to involve vulnerability.

Employees of Trend Micro underline that the network of zombie computers, formed by Conficker, probably, is one of the most difficult and thought over the history of botnets. The creation of this network proceeds rather slowly, however experts do not eliminate possibility of application the botnet in the organisation of massed attacks and distribution of millions undesirable emails.

Conficker has been detected in November of last year, however the peak of its activity was on the beginning of January. By various estimations, for today the harmful program could infect up to 20 million computers worldwide. For a trustworthy information about authors of worm Conficker the award at a rate of 250 thousand dollars is offered.

The database currently contains over 90 thousand of autorun items, and is constantly being updated.

Visit CESAM Startup files database

F-35 Lightning II is being developed by companies Lockheed Martin, Northrop Grumman and BAE Systems within the limits of program Joint Strike Fighter. Project cost is estimated in 300 billion dollars.

As network sources inform, malefactors managed to penetrate into a computer network of one of participants of the Joint Strike Fighter program and copied several terabytes of information about electronic components and the plane construction. Theoretically this data can simplify development of protection against American fighter of fifth generation.

Attack, presumably, has been carried out from territory of China. It is marked that cybercriminals did not manage to reach the most important information on a fighter as it is stored on computers which are not connected to the Internet. Nevertheless the damage put to program Joint Strike Fighter, can be calculated by millions dollars.

Let’s notice that computer networks of the governmental departments of the USA regularly are exposed to cyberattacks. Last year the president George Bush even has signed the decree which assumes the essential extension of powers of Agency of national safety of the USA for the purpose of preventing of hacker’s attacks.

The trojan was named Winlock.19. The program extends through the Internet under the pretext of counterfeit codecs and suggests to enter the special code ostensibly necessary for registration of a counterfeit copy of the operating system of Windows. To receive this code, it is necessary to send the text message from a mobile phone on a paid number.

It is remarkable that Winlock it is supplied by function of self-destruction and deletes itself in two hours after start. The Doctor Web company does not recommend to users to follow the malefactors and to send SMS anywhere. For those who does not wish to wait two hours to an automatic uninstall, Doctor Web has prepared the special form into which it is possible to enter the text of the prospective short message and to receive an unblocking code.

Conficker has been detected in November of last year, however the peak of its activity has been on the beginning of January: for a few days the worm has infected about ten millions computers worldwide.

New variant of Conficker has started to extend in the end of last week: the infected computers, co-operating with each other through P2P-connections, have given the command to other infected computers on loading of upgrades and two files — FraudTool. Win32.SpywareProtect2009.s and Email-Worm. Win32.Iksmas.atz. The first of these units represents a counterfeit antivirus which is placed on the servers allocated in territory of Ukraine. At start the program suggests «to delete the found viruses», demanding for it about 50 dollars. The second file — a mail worm possessing a functional of theft of the data and a spam sending.

«Kaspersky’s labs» marks that for 12 hours one bot infected with the new version of Conficker has sent over 42 thousand spam emails. If to assume that the total amount of infected computers is about 5 million it turns out that the Conficker botnet is capable to dispatch approximately 400 billions spam messages daily.

Different sources also inform that in the end of last week the Conficker has penetrated into computer network of University of Utah (USA), having infected about 700 computers at medical school, medical nursing care college and so forth the Primary analysis of a code of new variant Conficker allows to say that it will function till May, 3rd.

Conficker has been detected in November of last year, however the peak of its activity was on the beginning of January: for few days the worm infected about ten millions computers worldwide. The malicious program, capable to extend in the various ways, including through removable disk drives, allows malefactors to inspect the infected computers far off.

Computer security experts warn that on April 1st Conficker will receive a certain upgrade. Experts believe that the malicious program can be used for the purpose of the organisation of DDoS-attacks, and also for realisation of a mass spam sending or the infected letters.

Microsoft with support of some the organisations (including OpenDNS) has already launched campaign for struggle against a worm, providing locking of domain names which can be used by the worm.

According to the research, a worm under the name psyb0t is responsible for the creation of the botnet. Network devices on the basis of Mipsel platform — variant of Debian Linux for processors MIPS are the subject of infection. Attack is made by exhaustive search of combinations of a login and the password under the list; after successful breaking psyb0t closes access to a router for other users and incorporates with the botnet.

DroneBL experts mark that they have detected the malicious program during reflexion of the DDoS-attack routed on their servers. The worm, presumably, is unique and extends in the Network from the beginning of the year. At a rough guess, the botnet, organised with the help psyb0t, can consist of more than 100 thousand network devices.

It is informed also that some days ago the botnet has ceased to show activity. However the given information is not confirmed yet.