Bad Hideout

How not to succeed in illegal business: trade stolen card numbers on a Web site run by the Federal Bureau of Investigation.

Renukanth Subramaniam, a former ringleader of a group that traded in stolen bank accounts, pleaded guilty this month in the U.K. to charges of conspiracy to defraud and distributing false information after he was caught on the FBI-run DarkMarket forum, Wired.com's "Threat Level" blog reported Jan. 21.

Subramaniam joined DarkMarket when it went live in November 2005, and he eventually became one of the site's four administrators. Another of the site's administrators, known to carders as the spammer Master Splyntr, was actually the Pittsburgh-based undercover FBI agent Keith Mularski.

DarkMarket was not always an FBI operation. Mularski joined in 2006 and gradually gained the trust of Subramaniam and other carders.

Wired.com noted that the DarkMarket saga largely echoed that of ShadowCrew, a similar forum that was run in part by Albert Gonzalez, who later pleaded guilty to the infamous hack of TJX Cos. Inc. ShadowCrew was shut down in 2004, and "if the carders learned nothing from ShadowCrew, the authorities certainly did," the article said.

Subramaniam has been under investigation since 2006 and was arrested in July 2007. Mularski shut down DarkMarket for good in October 2008 after the arrest of another of its administrators, Cagatay Evyapan. In all, 60 members of the DarkMarket forum were arrested.

Easy as 123456

Breaking a password by brute force may not be all that difficult.

That's because the most popular password today is "123456," according to a Jan. 21 article in The New York Times. Ten years ago, the most popular password was "12345" — that particular string of digits ranks at No. 2.

This ranking is based on data that was stolen last month from the Redwood City, Calif., software developer RockYou, which serves social networking Web site operators including Facebook Inc. and News Corp.'s MySpace. The data — 32 million passwords — was then posted online for all to see.

Other popular passwords include more strings of consecutive numbers of various lengths, the word "password" and common first names like Daniel.

Amichai Shulman, chief technology officer at the security tech vendor Imperva Inc., said the prevalence of these simple passwords shows that hackers need not be all that tech-savvy to break into sensitive online accounts.

"We tend to think of password guessing as a very time-consuming attack in which I take each account and try a large number of name-and-password combinations," Shulman told the Times. "The reality is that you can be very effective by choosing a small number of common passwords."

Some companies, including Twitter Inc., protect their users by refusing to let them use obvious passwords. Others require a mixture of capital letters, lowercase letters and numerals, but even these restrictions may not prevent people from using obvious passwords — the RockYou list included "abc123" and "password1" among its top 30.
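The two controls this item describes, a complexity rule and a refusal to accept obvious passwords, can be put side by side in code. The following is an added example, not code from the column or from Twitter, RockYou or Imperva; the denylist contents (seeded with the strings the column names), the length and character-class thresholds, and the normalization steps that fold "Password1" or "p@ssw0rd" back onto "password" are all assumptions chosen for illustration.

```python
"""Password acceptance check: a complexity rule beside a common-password denylist.

Added example, not code from the column or from any company it names.
"""
import re

# Constructed denylist. A production deployment would load a full
# top-N list from a leaked-password corpus; these entries are the
# strings the column itself mentions.
COMMON_PASSWORDS = {
    "123456", "12345", "1234567", "password", "abc123", "password1", "daniel",
}

# Reverse the usual character substitutions so "p@ssw0rd" normalizes to
# "password". The mapping is an assumption for illustration, not a standard.
LEET_MAP = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e",
                          "4": "a", "5": "s", "7": "t", "$": "s"})


def meets_complexity(pw: str) -> bool:
    """Classic rule: length >= 8 with upper case, lower case and a digit."""
    return (len(pw) >= 8
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"[a-z]", pw) is not None
            and re.search(r"[0-9]", pw) is not None)


def canonical_forms(pw: str) -> list:
    """Normalized variants to compare against the denylist, most literal first.

    Trailing digits/punctuation are stripped because "password1" is the
    same guess as "password" plus a suffix; leet substitutions are undone
    for the same reason. Order is fixed so the reported match is stable.
    """
    lower = pw.lower()
    stripped = re.sub(r"[\d\W_]+$", "", lower)
    candidates = [lower, stripped, lower.translate(LEET_MAP),
                  stripped.translate(LEET_MAP)]
    forms = []
    for c in candidates:
        if c and c not in forms:
            forms.append(c)
    return forms


def denylist_match(pw: str):
    """Return the denylist entry a normalized form of pw collides with, or None."""
    for form in canonical_forms(pw):
        if form in COMMON_PASSWORDS:
            return form
    return None


def check_password(pw: str) -> tuple:
    """Return (accepted, reason). The denylist is checked first: a common
    password that happens to satisfy the complexity rule is still rejected."""
    hit = denylist_match(pw)
    if hit is not None:
        return (False, f"too common (matches '{hit}')")
    if not meets_complexity(pw):
        return (False, "fails complexity rule")
    return (True, "ok")


if __name__ == "__main__":
    for sample in ["123456", "abc123", "Password1", "P@ssw0rd!", "Tr0ub4dor&3"]:
        print(f"{sample!r:16} complexity={meets_complexity(sample)!s:5} "
              f"-> {check_password(sample)}")
```

Running the block shows the point the column makes: "Password1" satisfies the mixed-case-plus-digit rule yet is rejected because it normalizes onto a denylisted string, while "abc123" fails both checks. The denylist is consulted before the complexity rule so that the reason reported to the user is the one that matters most.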

Stick Figures

Too many people forget their memory sticks when it's time to do the laundry, according to a study sponsored by the security firm Credant Technologies.

The study, which the Addison, Texas, firm announced Jan. 20, found that 4,500 memory sticks had been left in the pockets of clothes brought to the 100 dry cleaners surveyed this month. Though this is half the figure reported in a similar survey a year ago, it is still too high, Credant said.

Many data breaches involve employees who have lost sensitive data stored on memory sticks, laptops or other portable storage devices.

"This survey is just one illustration of the stark truth that device losses are happening everywhere, every day, worldwide," Sean Glynn, Credant's vice president and chief marketing officer, said in a press release.

(Not) Fixing a Hole

A two-year-old problem with Microsoft Corp.'s Internet Explorer browser could allow hackers to read any file on a compromised computer.

Jorge Luis Alvarez Medina, a security consultant with Core Security Technologies, said Microsoft has twice attempted to fix the problem over the past two years, to no avail, according to an article Computerworld ran Monday.

It is not a typical programming bug, Medina said. The hack involves exploiting certain features within the browser, and "some of those features are kind of impossible to fix," he said.

Unlike worms or viruses, which install software on a computer, this method uses Internet links. If hackers can trick people into clicking one of these malicious links, the coding instructs the victim's computer not to download Web site data stored on another computer, but to upload data stored locally, on the targeted machine.

Used video game systems could be an overlooked avenue for identity theft, according to a Jan. 20 article on the tech news site Ars Technica.

Modern video game systems allow people to store payment information for purchasing downloadable games, the article said.

When people want to sell their Xbox 360, Wii and PlayStation 3 consoles, "there's all sorts of personal data that needs to be removed before it can be safely sold," the article said, outlining the procedures for erasing sensitive data from each system. "It may seem like a pain, but these steps really are important for protecting your personal information."

Microsoft Corp. even offers a Hard Drive Transfer Kit that wipes data from an old system as it migrates it to a new one. All systems allow their hard drives and flash storage to be formatted just like the storage on a personal computer, and with good reason, the article said.

"Our consoles are no different" from personal computers and cell phones, "and should be treated accordingly," it said.

Update

Last week a "Security Watch" item mentioned a Jan. 15 Wall Street Journal article that said Dow Chemical Co. would not confirm whether it was among the companies targeted in cyber attacks emanating from China that also affected Google Inc. On Jan. 19, Dow said it had not been targeted.

Security Watch is a weekly roundup of news and developments in data security and their impact on financial services companies.
Please e-mail us any comments, ideas, and suggestions about this column.