Breach Investigation

The Federal Bureau of Investigation is looking into a Russian cybergang that may have targeted a government agency as well as Citigroup Inc., The Wall Street Journal reported Tuesday.

The incident was detected over the summer, and may have led to tens of millions of dollars in losses, unnamed government officials told the Journal. Joe Petro, Citi's managing director of security and investigative services, told the Journal that the report of a massive breach "is just not true," nor were there millions in losses to Citi or its customers.

According to sources the Journal did not name, the incident may have involved veterans of a cybercrime group called the Russian Business Network, which was thought to have shut down two years ago. The hackers are believed to have used software called "Black Energy," which is known for its ability to block access to certain Web sites, but more recent versions can also steal banking data from compromised systems.

Comic Mischief

The comics were not so funny to readers who were prompted last week to install malicious software.

An unpatched bug in Adobe Systems Inc.'s Acrobat Reader software allowed hackers to attempt to distribute their program through online versions of comic strips distributed by King Features Syndicate Inc. The Times Union of Albany, N.Y., was among the publications affected by the scheme, The Washington Post's Brian Krebs reported in his "Security Fix" column Dec. 18.

Although Krebs and the Times Union did not say what the malicious software does, such software typically steals banking credentials or hijacks a compromised machine to send out spam or phishing e-mails.

Adobe said an update to fix the bug would not go live until at least Jan. 12. In the meantime, King Features said it is working to remove the malicious code from its Web server. Krebs said that until the Adobe software is fixed, comic strip fans should either disable Javascript in Adobe software or uninstall Adobe software entirely in favor of another program for reading PDF files.

Phone Fraud

Cell phones are so sophisticated and risk prone that they need their own antivirus software, one company says.

Lookout, a security start-up, is developing antivirus software for Microsoft Corp.'s Windows Mobile and Google Inc.'s Android cell phone operating systems, The New York Times reported Monday. The company also plans to offer similar software for Research In Motion Ltd.'s BlackBerry and Apple Inc.'s iPhone, the latter of which has been in the news for being susceptible to hackers if the iPhone's user has modified the phone to run software Apple has not authorized.

"People are using the mobile Web and downloading applications more than ever before, and there are threats that come with that," John Herring, Lookout's chief executive, told the Times. In addition to protecting phones against hackers, Lookout's software also would allow for backups and remote wipes of the phone's data.

So far, the Times said, security tools for mobile devices have been aimed at businesses, and Lookout said its initial market could be businesses who need to use its software to remotely wipe lost phones. PC security firms like Symantec Corp. are already looking to protect mobile devices.

Hacker's History

Albert Gonzalez, the mastermind of the TJX Cos. Inc. breach and other famous hacks, may have done some horrible things — but at least (as his lawyer argued) he didn't cause the recession.

"No pension plans were wiped out … no investors lost their life's savings. No one's lives and financial security were destroyed. No publicly traded companies were destroyed," Martin Weinberg, Gonzalez' attorney, wrote in a sentencing memo in an attempt to paint his client in a good light.

This argument, along with letters from relatives and a psychological evaluation, is part of Weinberg's bid to get Gonzalez the minimum 15-year sentence for the crimes to which he has pleaded guilty, Wired.com's "Threat Level" blog wrote Dec. 18. The judge could sentence Gonzalez to up to 25 years.

The memo also provides more fundamental details of Gonzalez' motivations. In particular, it said that despite the large amounts of money Gonzalez' activities brought in, he was more interested in the challenge that such hacking presented. Weinberg stressed that most of the stolen credit and debit card numbers were either unused or unusable. For example, in the hack of Dave & Buster's Inc. that Gonzalez orchestrated, only 13% of the 5,132 stolen card details were ever misused.

A psychological evaluation included with the memo said Gonzalez' behavior resembled that of people with Asperger's Disorder. Gonzalez' behavior reflected "flawed and impaired social and cognitive skills; side by side with an idiot-savant genius for computers and information technology," the evaluation said.

Weinberg said that after spending the past 18 months in prison (Gonzalez was arrested in May 2008), without the negative influences of alcohol, drugs and computers, Gonzalez "has had time to reflect on his crimes … [and] is truly remorseful."

Encryption Problem

The military security lapse that led to Predator drone data being intercepted by Iranian-backed groups stems from the same debate going on in the payments world: which data should be encrypted, and when?

James Lewis, a director and senior fellow at the Center for Strategic and International Studies, a public policy research institute in Washington, told Computerworld for a Dec. 18 article that the U.S. military was most concerned with the data it was sending to the drones and less concerned with the data being sent back.

"The theory is that we encrypt the uplinks so that people can't take over the drone, but that we don't need to encrypt the downlinks … these sorts of assumptions always get us into trouble," Lewis told Computerworld.

The article said the exposure, which was first reported by The Wall Street Journal, compares with the situation at many companies that have had payments data stolen — the technology is available to encrypt the data, but because of its cost or complexity, many have not bothered to use it.

Security Watch is a weekly roundup of news and developments in data security and their impact on financial services companies.
Please e-mail us any comments, ideas, and suggestions about this column.