Category Archives: IT News

Guest Blog: Operation Trident Breach

“…hear from the investigators directly involved in this sensational story of intrigue and deception.”

It’s interesting how many major crime investigations begin when an alert citizen sees something suspicious, picks up the phone, and notifies the proper authorities. Operation Trident Breach began just that way. The story began in May 2009, when FBI agents in Omaha, Nebraska learned of automated clearing house batch payments to 46 separate bank accounts throughout the US. The case soon blossomed into an international investigation that spanned Europe and the wilds of the former Soviet Union. From England to the Netherlands and on to Ukraine and Moldova, the case has all the excitement of a spy novel, with false passports, the recruitment of youth in search of overseas work, and cyber sleuths from around the globe.

Cybercrime is a global phenomenon that requires international detective work and collaboration. For the first time, hear from the investigators directly involved in this sensational story of intrigue and deception. The crime ring that organized this operation targeted $220 million in bank accounts in the United States. Over 100 people were ultimately arrested and over $70 million was stolen. In fact, this cybercrime ring stole more money in Operation Trident Breach than all bank robberies combined last year in the United States. The thieves targeted small- to medium-sized companies, municipalities, churches, and individuals.

These cyber criminals would use the sophisticated ZeuS banking Trojan to steal the bank account passwords of target companies. The malware would be installed on a targeted computer when someone opened an email that contained the virus. Once it was installed, the criminals would capture the password to the bank account and transfer funds to other bank accounts around the country. These accounts were set up to launder the money by money mules who came to the US to work menial summer jobs under temporary J-1 visas. The temporary workers would establish the bank accounts using false passports provided to them by the crime ring. After the transfer occurred, they would withdraw the money, fly back to their home countries, and keep 10 percent of the proceeds.

Our keynote panel at FOSE on Wednesday, July 20th at 3:30pm, Operation Trident Breach – Lessons Learned from FBI Global Cyber Crime Arrests, will have FBI agents from Omaha and Eastern Europe who were involved in the case. The panel will also feature Gary Warner, director of Computer Forensics at the University of Alabama in Birmingham, and we anticipate a surprise guest.

About Paul Joyal
Paul M. Joyal is an American security analyst and media commentator who frequently comments on political and security matters concerning Russia and former Soviet countries. Joyal holds a master’s degree in international relations from The Catholic University of America. He was a staff member for the United States Senate Select Committee on Intelligence and later became a vice president at, and currently serves as managing director of, National Strategies Inc. Joyal has been cited as an expert source by many news outlets, including Time Magazine and PBS The NewsHour with Jim Lehrer.

Guest Blog: Mobile Risks

 Your mobile device is a treasure chest of valuable information for criminals…

Mobile computing is quickly changing the way we live and interact with the world around us.  While being connected to the world at all times makes us more efficient and productive in society, there are many security and privacy issues to take into consideration.

The threat model for mobile devices differs significantly from that of their larger desktop and laptop counterparts.  They travel everywhere with us, they are turned on at all times, and we use them to access a multitude of services.  We have a much better chance of losing an iPhone than a 27-inch iMac desktop computer.  Our smartphones contain all of our contacts and give constant access to several email accounts, our social networks, our banks, corporate networks, and much more.  Your mobile devices know where you have been, who you were there with, and what you did with them.  Your mobile device is a treasure chest of valuable information for criminals and others with less than honorable intentions.  Often, a vulnerability in a single application can lead to a compromise of many services where there may be password reuse by a user or leaked Single Sign On (SSO) credentials.  A single piece of malicious software can extract everything about your life and potentially allow an attacker to pivot into your enterprise’s network.  This is bad.

As more companies move into the mobile space, we continue to see trends indicating that we have taken several steps backwards from a security perspective.  From both privacy and security perspectives, this is frightening.  In application security, we have cultivated a list of best practices over the years, many of which have been adopted as formal standards.  These include storing sensitive information encrypted, leveraging SSL for data in transit, and following the principles of least-privilege access.  We have not seen many of these best practices and “easy wins” replicated within the mobile application space.  As the “easy” issues are being neglected, we are simply not preparing ourselves to tackle the security challenges of more exotic mobile technologies and use cases that are being developed.

In many cases, security is being neglected as a result of racing new products to market to gain a competitive edge.  The difference between being first to market and finishing in second place can mean the world to a company.  At the same time, building your house out of straw instead of bricks will eventually come back to haunt you.  While balancing security requirements with usability is a constant juggling act that one must endure, organizations built for long-term success understand and embrace these challenges.

The harsh reality is that before we can get better, things will probably get much worse.  We have only scratched the surface of what is possible in mobile computing.  There will surely be many new risks and security obstacles to overcome in the next few years.  With technologies such as Near Field Communications (NFC) set to become integrated with virtually everything around us, these risks to businesses and organizations will become much more visible and widely exploited.

I encourage any individuals, government organizations, or companies developing mobile applications to pay close attention to how secure their applications are and how well they are protecting the data for their users. Security extends far beyond the mobile device itself; your infrastructure is vital to a secure mobile architecture as well, even if you do not host your own physical servers.  A serious security breach could place a huge financial and resource burden on your organization.  More importantly though, you owe it to your customers and users to do your absolute best to protect their privacy and personal information.

About Jack Mannino
Jack Mannino is the CEO of nVisium Security, a leading provider of mobile application and web application security services. At nVisium he is responsible for ensuring that all services are delivered at the highest levels of quality and with keen attention to detail. nVisium’s offerings include security source code reviews, penetration testing, remediation services, threat modeling, and developer training. He focuses on mobile application security research (especially Android), and is the co-leader of the OWASP Mobile Security Project. In addition to the Mobile Security Project, Jack is also heavily involved with the OWASP Northern Virginia Chapter where he serves as a member of the chapter’s board.