Hackers (Or Pen-Testers) Hit Credit Unions With Malware On CD
redsoxh8r writes "Online criminals have taken to a decidedly low-tech method for distributing the latest batch of targeted malware: mailing infected CDs to credit unions. The discs have been showing up at credit unions around the country recently, a throwback to the days when viruses and Trojans were distributed via floppy disk. The scam is elegant in its simplicity. The potential thieves are mailing letters that purport to come from the National Credit Union Administration, the federal agency that charters and insures credit unions, and including two CDs in the package. The letter is a fake fraud alert from the NCUA, instructing recipients to review the training materials contained on the discs. However, the CDs are loaded with malware rather than training programs." According to the linked article, the infected CDs were (or at least may have been) part of a penetration test, rather than an actual attack.
One of my consulting clients is a small (<$10,000,000 in assets) credit union. The disk was mailed directly to the CEO. According to him the letter contained therein actually resembled the form and structure of NCUA correspondence but had grammatical errors. I find it amusing that someone would go to such lengths to forge US Government correspondence but not bother to run spell check and/or proofread the letter.
Thankfully he knew better than to load random CDs received in the mail and gave me a call. The Secret Service actually came down and collected both the letter and the CD. They are taking this seriously. I hope they catch the bastards. Mail fraud, financial fraud, computer fraud and forgery. What have I missed?
I want peace on earth and goodwill toward man.
We are the United States Government! We don't do that sort of thing.
Did the penetration testing "training" CDs at least provide a helpful "Lesson Number 1: Never do what you just did." video?
You're wrong. That is all.
The problem here is Windows Autorun. As soon as you insert a CD, Windows checks for the presence of an "autorun.inf" file, and if it exists, it can specify a binary program on the disc to execute immediately, as whatever user is currently logged in, thus killing your security immediately.
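An added example (not from the thread or any poster) of how a defender would triage a disc like the one described above before it ever touches a Windows box: parse its autorun.inf and report exactly what Autorun would launch. The two autorun.inf files embedded below are constructed samples; the NCUA-themed paths in them are invented for illustration.

```python
"""Triage an autorun.inf copied off removable media and report what Windows
Autorun would execute on insertion.  Added example; the sample files below
are constructed, not taken from any real disc."""
import configparser
import io

# Keys in the [autorun] section that cause code to run when the disc is
# inserted: 'open' launches a program directly, 'shellexecute' hands a
# file or URL to ShellExecute.  'shell\<verb>\command' defines a context
# menu verb, and 'shell=<verb>' makes that verb the default action.
EXEC_KEYS = ("open", "shellexecute")

# Constructed sample resembling the fake "training" disc in the story.
MALICIOUS_INF = r"""
; NCUA Fraud Alert Training (constructed sample)
[autorun]
open=Training\ncua_training.exe /silent
icon=Training\ncua.ico
label=NCUA Fraud Alert Training
shell\Train\command=Training\ncua_training.exe
shell=Train
"""

# Constructed sample of a harmless disc: only cosmetic entries.
BENIGN_INF = r"""
[autorun]
label=Quarterly Statements
icon=statements.ico
"""


def parse_autorun(text):
    """Return {key: value} from the [autorun] section, keys lower-cased.

    Windows matches section and key names case-insensitively, so the
    parser does the same; '=' is the only delimiter autorun.inf uses."""
    cp = configparser.RawConfigParser(strict=False, delimiters=("=",))
    cp.optionxform = str.lower
    cp.read_file(io.StringIO(text))
    for section in cp.sections():
        if section.lower() == "autorun":
            return dict(cp.items(section))
    return {}


def assess(entries):
    """Return (verdict, launched): what would run, if anything."""
    launched = [f"{k}={entries[k]}" for k in EXEC_KEYS if k in entries]
    default_verb = entries.get("shell", "").strip().lower()
    for key, value in entries.items():
        parts = key.split("\\")
        if len(parts) == 3 and parts[0] == "shell" and parts[2] == "command":
            tag = "default verb" if parts[1] == default_verb else "menu verb"
            launched.append(f"{key}={value} ({tag})")
    if launched:
        return "EXECUTES CODE", launched
    return "passive (label/icon only)", launched


if __name__ == "__main__":
    # Mitigation on the host side is to disable Autorun for all drive
    # types (NoDriveTypeAutoRun = 0xFF under Policies\Explorer); this
    # script only tells you what the disc would have done.
    for name, inf in (("malicious disc", MALICIOUS_INF), ("benign disc", BENIGN_INF)):
        verdict, launched = assess(parse_autorun(inf))
        print(f"{name}: {verdict}")
        for item in launched:
            print("   would run:", item)
```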
Like those emails from Microsoft with attachments that say they are operating system patches you must install to prevent a virus.
Instead of being from @microsoft.com they are from @hotmail.com or @yahoo.com using a free throwaway webmail address.
The attached files usually have malware in them.
Microsoft does updates via Windows Update or Microsoft Update, or via their web site for downloading patches; they never attach the patches to email.
I also get mail saying I won the UK Microsoft lottery and other BS as well. I am keeping a "Scams" folder for that sort of stuff.
I'd expect Credit Unions to have better sense than to run random CDs on their systems without verifying that the NCUA sent them. "What? We didn't send them to you."
Remember, Slashdot does not have a -1 disagree moderation, and no, troll, flamebait, and overrated are not substitutes.
Expect malware to appear or be in the wild already on/in:
The more I use my laptop, the more I wish to install a hypervisor on the BIOS (preferably based on Linux CoreBOOT or something) and use it to track my laptop and profit from it if it gets stolen.
Hey if someone steals my laptop, sit and cry?
Slashdot needs Geekcode | Can anyone recommend any good SCIFI? My tastes: Foundation, Startide Rising, CITY, Ringworld,
Actually Credit Union customers get "Phishing" emails that pretend to be from the Credit Union and go to a fake web site that looks like the Credit Union but steals their password, user ID, account number, etc.
This happened to a friend of mine, and he phoned it in and the Credit Union asked him to come into their nearest branch and present ID and get his account changed to verify who he is, only the Credit Union near him closed down and he didn't know it and the next one was 100 miles away. He had to drive that far to resolve the problem and eventually switched to a different Credit Union. It seems Credit Unions are facing hard times and shutting down branches, being that they are too small to be bailed out.
how 'bout you get that stick out yo ass?
Man I hear ya... It's just like all those fools calling that box on the desk a computer, when we all know a computer is actually a person who performs computations. Anyway, I gotta jump into the old horseless carriage for a spot of motoring. ;)
whoosh
No capitals, no exclamation mark, just a quiet little whoosh. Just about the volume of a tired gnat flying past a dog's ass. Had you bothered to read ANYTHING before you commented, then you might warrant a real whoosh.
"Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
I don't care what percentage of society is clueless in this regard even if it is 99+%. I am just proud to not be one of them. A large percentage of the populace thinks they run the best, most secure OS in the world; indeed the only one. Did they become right by way of their mass delusion?
Considering that language is just a bunch of grunts(spoken) or squiggles(written) with agreed upon meanings...yes. As long as the meaning the speaker intended is imparted to the listener, they served their purpose.
It seems Credit Unions are facing hard times and shutting down branches, being that they are too small to be bailed out.
Where are you getting your information from? There's been a handful of credit unions that have failed but taken as a whole they've failed at a significantly lower rate than the banks. This is actually a boom time for credit unions and local community banks because the big boys are cutting back and people are looking for an alternative. The big players are closing accounts, jacking up interest rates and imposing all sorts of new fees. The credit unions are humming along with the same business model they've had for the last few decades: slow sustained growth backed by proper lending standards and an emphasis on member service.
Go through the NCUA/FDIC data some time and compare the percentage of "well capitalized" credit unions to the percentage of similarly capitalized banks. I think you'll find that credit unions are doing just fine.
The set of hackers and Pen Testers is not disjoint. The summary writer is thinking of crackers. And yes, I know 1200 morons will pipe up to say that Hacker is in common usage, to which I say millions of teenagers say "minute" when they mean a long time, but a minute is still 60 seconds. The world can be divided many ways. One way is those who know what Hacker means, and those who mistakenly think it is a synonym for cracker. I don't care what percentage of society is clueless in this regard even if it is 99+%. I am just proud to not be one of them. A large percentage of the populace thinks they run the best, most secure OS in the world; indeed the only one. Did they become right by way of their mass delusion?
You know there's a whole school of philosophy dedicated to the common usage vs. defined meaning problem. As for which one is right.. Inconclusive.
Maybe you also missed the part of my post about the 1200 morons? It should have conveyed to you I was well aware that there is a faction of the audience that is as ignorant as you describe. There are, however, quite a few people with a clue as well or I wouldn't bother with the site. Presumably you feel the same way, or you wouldn't be posting here either, right?
(Faction is NOT a typo)
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
Aside from the usual gripes about the efficacy of pen-testing, this gives pen-testing a bad name. The firm I work for does this exact same ploy, and so do teams from the Big 4 and various security firms, but they are always planned ahead of time. You have to do this sort of thing in a controlled manner (or as controlled as possible.) Usually, these things are dropped in a parking lot, and the payload is innocuous, because a customer (or member in the case of a CU) can pick it up. These guys exposed themselves to a lot of liability and can screw it up for honest hardworking sellout hackers such as myself and others.
Just because "minute" means 60 seconds, it is not prohibited from gaining other valid meanings.
Right, right. It's like when my wife goes, "Why do you bother reading what a bunch of frigtards think on some lame site for dorks?"
And I correct her, "Honey, they're FREETARDS, not frigtards. And the site is for nerds, not dorks!"
Then she blows me!
Ironically, the word ironically is often used incorrectly.
True, but Gang Bangers are prohibited from doing the defining ;-) Also, clueless reporters are similarly excluded.
If the credit union was a member of the CUService co-op, your friend should have been able to go to a closer branch. For the most part, any member credit union is practically as good as his own.
No, the descriptivists are right. Probably even in France.
If nearly every language had not changed drastically over time, there might at least be an interesting conversation there, but alas.
Nerd rage is the funniest rage.
I'm not sure a large percentage of the populace even has a clear idea what an OS is.
We all know AC loves dick, but it is a little unusual for one to come right out and say it.
In fact, I've used it. Until last year I worked for a credit union and frequently described a scenario almost exactly like this to justify things like a least-privilege security model for end users. It's scary to consider what an attacker might be able to accomplish with a scheme like this. The article only touches the surface in pointing out that credit unions are typically smaller than banks and lack security resources. Mine was one of the largest and probably the most technologically progressive credit union in my state but I had a lot of interaction with smaller credit unions due to their cooperative, less competitive nature. (less competitive with each other, that is.) My experience is that most credit unions have IT departments that can be counted on one hand, and no security-oriented individuals on staff at all. (IT or otherwise) In fact, there are many credit unions whose ENTIRE staff can be counted on one hand. Not long before I left, we absorbed a failed credit union's assets and member base at the NCUA's request. This particular example's infrastructure consisted of three desktop computers and an Access database. Credit unions make great financial sense but only the largest ones have the kind of IT and security resources most of us associate with a bank.
That's the problem. When a word (like "hacker") has different usages and definitions to different people and can be interpreted in various ways, the meaning is not conveyed properly.
No existe.
A large percentage of the populace thinks they run the best, most secure OS in the world
Most people think they're running Linux? Oh, wait...
Hostile takeover by Sony?
lol. I bet he tells people that he is gay when he is happy too,
You're really hung up on language issues. So why do you say "Which begs the questions..." when you mean "Which raises [asks] the questions..."? To beg the question is to commit the fallacy of petitio principii.
I've tried repeatedly to warn my own credit union of a security breach in their "self-help" terminal. It's running Windows and a modified version of IE (no close-out X). The problem is that the "View cookies" menu item opens an Explorer window in focus and the whole directory can then be traversed and written to. It's also internet friendly and not firewalled for third party sites. Sounds like a perfect recipe for a keylogger to me.
For someone who is fighting so strongly that hacker =/= cracker and that language shouldn't change like that, you've horribly misused "begs the question". Begging the question refers not to a statement causing a question to arise, but instead to a circular argument.
Why are you so down on white people? You could at least call them "honkeys" as it has a more lyrical sound.
... and then they built the supercollider.
I'm in favor of it; I think that banks really need pen testers.
Their pens usually are broken off of those little chain things, and when you do find one that's still attached, it doesn't write.
http://www.merriam-webster.com/dictionary/hacker
4 : a person who illegally gains access to and sometimes tampers with information in a computer system
Just because something started out as a mistake, doesn't make it incorrect now. Try taking a look at the dictionary definition of "nauseous," as I would guess you would be one of those people who say that "I feel nauseous" is incorrect, while "I feel nauseated" is the only correct way to convey the feeling. http://www.merriam-webster.com/dictionary/nauseous
Those who insist that nauseous can properly be used only in sense 1 and that in sense 2 it is an error for nauseated are mistaken. Current evidence shows these facts: nauseous is most frequently used to mean physically affected with nausea, usually after a linking verb such as feel or become; figurative use is quite a bit less frequent. Use of nauseous in sense 1 is much more often figurative than literal, and this use appears to be losing ground to nauseating. Nauseated is used more widely than nauseous in sense 2.
Note how 'the most frequently used' definition becomes the correct one? Language changes, and sometimes people just make honest word/grammar mistakes. Get used to it.
You're annoyed because some people confuse hackers with crackers. I'm annoyed because some people confuse begging the question with asking the question. Let's both just let it go, we've lost.
Your nice little rant there sidestepped the FACT that you INCORRECTLY used the term "begs the question". You used it in a way that DIFFERS from the TRUE DEFINITION, yet has become ACCEPTED into COMMON SPEECH. The irony here is so unbelievable that I must conclude that your whole attitude on this topic is an epic troll, and you don't believe any of the stupid shit you are rabidly babbling about.
I say millions of teenagers say "minute" when they mean a long time, but a minute is still 60 seconds.
Yeah, I don't think so. Your definition of "a long time" is something that YOU have pretty much made up on the spot and in the process ruined any claim to being an authority on English word definitions. Very few teenagers, or anyone else, mean "a long time" when they say "minute" - it's pretty rare for anyone to mean anything even approaching an hour when they say "minute." And unless you are a fruit-fly or suffer from ADD, an hour hardly ever qualifies as "a long time."
But, since a "short space of time" is a Merriam-Webster endorsed standard meaning of the word "minute," you kinda had to make up some BS in order to support your rather unsupportable point. It's ironic that you misused the key word in your own rant on people misusing words. I think it's the best case of grammar-nazi karma I've seen to date.
When information is power, privacy is freedom.
Go fuck yourself
As I said to the OP, the meanings of words change regardless of the source of that change. Get the fuck over yourself.
You know about all of the teenagers on the planet??? Who would have thought that Santa Claus posts on Slashdot under the SlashID Jah-Wren Ryel !!!
You know about all of the teenagers on the planet??? Who would have thought that Santa Claus posts on Slashdot under the SlashID Zero_Kelvin !!!
Interesting... I just noticed that when you exchange the quote and the answer of your comment, GP would still be right. I've never seen that before, but it's certainly cool. I'm going to try to reproduce that... ^^
Any sufficiently advanced intelligence is indistinguishable from stupidity.
This bout of reasonable discourse brought to you by: Slashdot
Shoes for Turds, Stuff that Splatters.
I gotta jump into the old horseless carriage for a spot of motoring.
"Fill it up with petroleum distilates, post haste!"
We also would have accepted: "My car gets 40 rods to the hogshead, and that's the ways I likes it."
For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
... and you needed to quote my whole post to state that? Actually, you again have those with a clue against those without a clue who refuse to admit it. If it is common usage, but not part of defined meaning, we have an actual defined meaning for that! It's called slang.
Yah, Wittgenstein was a hack!
Haha, I hear you. As for myself, people who call a tisane simply "tea" or "herbal tea" get on my nerves. If it's not made with the "tea" plant, it's not "tea" damnit!!!! But most grammar software doesn't even know the correct word anyway...
+5 insightful to the AC!
The GP is just one of many "Banks are evil!" types online. You aren't going to convince them otherwise. They have little understanding of finance and less of banking. Also the reason he's whining is because the USSS was involved. He also doesn't understand that they are responsible for this kind of crime, he thinks the president ordered them on the case because banks are special.
I've debated with the "Use only cash, banks are evil, we need the gold standard!" types and there is just no reasoning with them. You are completely correct about the differences with a credit union, but you aren't going to convince him of it. They are a "bank" and banks are evil and so on.
Truly, there's a sucker born every minute. Most of them seem to wind up working in business, and most of them have the technological competence of a retarded toaster. With any luck, the movers and shakers will figure out that paying the IT guy more than minimum wage...and having somebody competent to watch over HIM...is a wise investment.
I've calculated my velocity with such exquisite precision that I have no idea where I am.
Dude, you're a moron. You are the one claiming you know all of the teenagers on the planet. ZK is saying some of the teenagers (many?) say this. You are claiming that NONE of them do. Only one of you is claiming to know all of the teenagers on the planet.
Do you really believe that Zero_Kelvin knows "millions of teenagers?" For all practical purposes he is claiming the exact same thing I am, except I'm applying common sense and he's just making shit up to support his own little pet peeve.
No-one on slashdot has the necessary experience to make penetration jokes.
Wait, they faked where the CDs were coming from? Wouldn't that constitute Mail Fraud? And isn't that a Federal offense? Hmmm, it reminds me of the movie "The Firm". Sending a CD with Malware may not be illegal, but faking the source might be. I'm not sure of the law here, but I would think this would draw greater attention from federal authorities.
or not...
Life takes interesting turns, but the most interest is when you're off the beaten path.
Often are the best.
---- Booth was a patriot ----
Haha, everyone look at this idiot. He said 1200 morons would pipe up, and there's only been about 25 so far. Hell, I don't remember the last slashdot story that had 1200 comments total, much less in reply to one troll. I wish the douchebag would learn his numbers before attempting to communicate.
Really though, I wish you a quick recovery. I've laughed my ass off before too; I know how bad it can hurt. Here's hoping yours grows back.
So to recap your position, you don't understand exaggeration, and that makes me an idiot. Thanks. I needed a laugh this morning ;-)
I think it's really sad that phishing credit unions is even possible. Today's web browsers suck so bad that everyone involved ought to be deeply ashamed.
Credit unions are always local. You always physically meet them. You also (usually) probably have at least some ongoing snail mail communication with them.
You don't even need a trusted introducer, like Verisign. It ought to be easy to directly check fingerprints and certify keys yourself, without having to trust anyone else. But no... we're still using X.509 and CAs for this stuff, instead of a system that actually makes sense (OpenPGP). Credit unions and banks ought to be some of the most popular signed and signing keys in existence, practically CAs in themselves.
But we are all still using hopelessly 20-years-out-of-date obsolete key exchange systems in our web browsers. It's a disgrace. And phishing is a great example of why it matters.
The only reason we shouldn't be using OpenPGP for all communications with people and entities that we physically meet, is that large media (optical disks, flash drives, etc) has gotten so big'n'cheap that OTP itself has actually become viable.
Goddamn our software sucks. This situation is pathetic.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
It's called a parody, referencing the fact that you apparently think someone's a liar when they are not, in fact, gone for 'a minute'.
You're so bad at trolling it hurts.
Sadly, I am sure that many of the employees...would not even consider this type of vector for an attack, and with no regard to safety would plop it in and press play without scanning with an antivirus, or even contacting head office and asking them why they would send a manual without warning. Good one hax0rs
You are the greatest troll I've seen in a while. You appoint yourself the defender of language, even though you're wrong (as language has moved on without you). But then you go off and misuse the phrase "to beg the question." That's really awesome. You're a talented troll or a hilariously confused and proud idiot. Either way, stay around and amuse us.
A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
WTF is your point besides "woe is me"?