When it comes to presentations sure to please the crowd atBlackHat, it's got to be hard to beat a hacked cash machine blinking the word "Jackpot!" and spewing twenties onto a stage at Ceasar's Palace in Las Vegas. That's exactly what Barnaby Jack, director of research at IOActive Labs, brought to the crowd in early August, delayed a year by the ATM makers' request that he hold back revealing vulnerabilities 'til they had patches in the market. If you haven't seen the video of Jack's hacks, its worth the few minutes it takes to watch them on YouTube.
Jack's display wins the award for most theatrical, but the honor for uncovering the most ironic hack goes to Joe Stewart, director of malware research at SecureWorks. Stewart's day job seems to be tracking how Eastern European and Russian hackers are siphoning money out of bank accounts, and he routinely comes up with some pretty hair-raising schemes. The check counterfeiting scheme dubbed the "Big Boss" is a profitable hack that surely had its creators smirking all the way to the banks: a check-fraud detection firm and a check archiving service were hacked through typical means, the thieves stole archived check images and created new checks valued at more than $9 million.
The fraudulent checks were written out in amounts less than $3k, and mailed to money mules recruited from among the nearly 3,000 who applied for legit-looking jobs the "Big Bosses" posted online. Mules were paid a 15 percent commission if they deposited the check within a day. SecureWorks isn't revealing the name of the hacked lockbox or check verification vendors, and it's not clear how much of the $9 million in checks resulted in losses. But that amount is just a drop in the bucket when you consider the $50 billion that U.S. banks, consumers and businesses lose to check fraud each year.
All this despite products like positive pay and check counterfeiting detectors that are available to banks and business customers. "If they have positive pay they will catch this every time," says Mike Fenton of Parascript, a vendor that handles image analysis for fraud detection.
And finally, some positive news from BlackHat. The Cloud Security Alliance unveiled the industry's first user certification program designed to teach technicians how to design and implement secure clouds. The CSA, not yet a year old, primarily consists of tech vendors like Qualsys and PGP, but Alan Boehme, svp, IT Strategy & Enterprise Architecture, ING, was among the founders. So was EBay CISO and outspoken security guru Dave Cullinane, who says eBay plans to make the certification a requirement for technical staff, "to ensure they have a solid baseline of understanding of best practices for securing data and applications in the cloud."