Security Watch

My Computer Made Me Do It!

Alleged insider trader might have case dismissed on hackneyed technicalit. Plus, China invades South Korea; Canadian phishing expedition goes global; more.

• By Russ Cooper
• 04/09/2008

Like The Twinkie Defense, With More Filling
The U.S. Security and Exchange Commissions rules defining "insider trading" may prove valuable to Ukranian Oleksandr Dorozhko. Dorozhko turned $42,000 into nearly $300,000 after IMS Health announced poor earning numbers. Hours before the announcement Dorozhko purchased puts. It is asserted by the prosecution -- and not refuted by the defendant -- that the knowledge of the poor earnings came to Dorozhko via a hack of IMS Health's computers. An appellate judge has ruled that, based on the evidence provided, Dorozhko did not violate insider trading laws as they currently stand.
http://www.nytimes.com/2008/02/15/business/15norris.html?_r=1&oref=slogin

The judge has not yet ruled to dismiss the case, providing the SEC with an opportunity to provide further evidence, but it currently appears that the case will ultimately be dismissed. In the EU, the laws are different. There, insider trading includes trading on information obtained via a criminal act. If this ruling stands, it would be hard to imagine being able to prove a case of insider trading in the U.S. in the future. All any defendant would have to do is prove their computer had been hacked!

Moon Over My E-Mail
US-CERT announced that an e-mail is floating around purporting to be video of the recent Lunar Eclipse. When executed, a Trojan is run and the victim's system compromised.

Ok, so ask yourself, would you open such a video? Even if it came from a friend. I'd be complaining to my friend that they should ask before sending me some significantly sized file. Further, if I wanted to see film of the Lunar Eclipse, I'd just go to the NASA website and get it from one of the best telescopes around. One really has to wonder how people continue to get sucked into running these things.

Canadian Hackers' Global Phishing Expedition
Fourteen criminals were arrested in Quebec and charged with breaking into nearly one million computers around the world. Police allege they infected the systems and then used them to create phishing websites designed to collect financial data. Investigators estimate they made as much as $45 million with the scam.
http://www.cbc.ca/technology/story/2008/02/20/qc-hackers0220.html#skip300x250

It's always great to see cyber-criminals arrested, now we can only hope that the true magnitude of their crimes is recognized by the courts and they get a significant sentence. Can you imagine a pickpocket standing in front of a judge charged with picking the pockets of a million people?

Firewire Frags Windows
The code for a 2006 exploit via a Firewire port has been published. Winlockpwn has been released because, said the developer, nothing has been done to address the security issue it represents. The tool, when run on a Linux device connected to a Windows PC via Firewire, allows the user to execute code in memory on the connected Windows box, bypassing whatever security is currently in place (such as a password-protected screen saver.) A similar hack has work against Linux and Mac OS X from an iPod in 2005.
http://www2.csoonline.com/blog_view.html?CID=33601

The problem is basic: We all have far more turned on than we need. This is typically one of the top issues addressed when corporations define their "standard build," or the basic setup they're going to give all of their employees. Such standard builds can be set up with those features disabled that the corporation either hasn't got a policy to address, or have deemed risky. Unfortunately, the typical consumer system has no such standard build and retailers try to avoid support calls by enabling as much as they think customers might use.

China Goes Phishing in South Korean Waters
A targeted e-mail phishing attack against the employees of South Korea's largest auction site yielded the criminals login credentials. Using those credentials, the criminals were able to collect information on some 18 million users, as well as a significant amount of financial information.
http://fraudwar.blogspot.com/2008/02/chinese-hackers-steal-data-on-18.html

It's unclear whether the e-mails contained malware or links to sites which attempted to harvest information based on user input, but it is clear that there needs to be some out-of-band mechanism to inform your employees that they are under targeted attack. A voice mail blast, for example, may well have thwarted this attack if it had been realized quickly enough that multiple people had received a similar e-mail.