Comments on: FBI Investigating Theft of $500,000 from NY School District

By: BrianKrebs

BrianKrebs — Tue, 23 Nov 2010 22:23:53 +0000

Hi Jim. Thanks for your comment. How about commenting on a slightly more recent thread on this topic. Like, say, today’s story:

http://krebsonsecurity.com/2010/11/escrow-co-sues-bank-over-440k-cyber-theft/

Like or Dislike: 0 2

By: James R. ("Jim") Woodhill

James R. ("Jim") Woodhill — Tue, 23 Nov 2010 22:18:04 +0000

I have been trying to find the words that would persuade those who think that online banking funds transfer fraud is the *users’* fault and that Duanesburg School District et. al. should bear the losses that they are wrong. As Brian has reported in:

http://krebsonsecurity.com/2010/10/bill-would-give-cities-towns-and-schools-same-e-banking-security-guarantees-as-consumers/

It looks like Sen. Chuck Schumer (D, NY/Committee on Banking, Housing, and Urban Affairs/Subcommittee on Financial Services) beat me to it. Those words, of course, begin with, “Be It Enacted by the Senate and the House of Representatives of the United States of America, in Congress Assembled…”

Just nine months from this incident to the introduction of this legislation. Not bad as things on the Hill go…

Not that I support this bill as written. I believe Sen. Schumer has the right problem, but the wrong solution. A straight extension of Regulation E could drive America’s small- and medium-sized banks out of online banking. At a minimum, it will force them to divert their time and attention from making loans to becoming cyber-security experts. Now, there is nothing about cyber-security that is inherently harder than running a community bank, so if our bankers work hard enough they will succeed, but do we really want eastern European cyber-criminal gangs to force America to change the way we do things? This is about as sensible as allowing a handful of Jihadist crazies to force us to submit to having our private parts patted down every time we fly.

Like or Dislike: 2 2

By: ChuckD

ChuckD — Sun, 31 Jan 2010 21:54:59 +0000

Just posting to subscribe to this. I live within ten miles of this school district and have been in IT since before the internet, have not seen any follow-up on it. Looking forward to it.

And sorry, I have no contacts there, nor any inside info to offer.

Like or Dislike: 2 0

By: Most just don’t know

Most just don’t know — Thu, 28 Jan 2010 18:35:43 +0000

[...] hackers are using malware to steal banking information netting millions of dollars from business, schools and [...]

Like or Dislike: 0 0

By: Cyber Crooks Cooked the Books at Fla. Library — Krebs on Security

Cyber Crooks Cooked the Books at Fla. Library — Krebs on Security — Fri, 22 Jan 2010 17:06:23 +0000

[...] strongly suggests that the group that hit Delray Beach Public Library also was responsible for the $3,000,000 fraud perpetrated against Duanesburg Central School District in upstate New York late last year. var [...]

Like or Dislike: 0 0

By: Gary

Gary — Sun, 10 Jan 2010 19:35:50 +0000

Great Article.

Like or Dislike: 1 2

By: Rob Lewis

Rob Lewis — Fri, 08 Jan 2010 19:47:17 +0000

Awareness is a good thing, but unfortunately the current security model is so full of holes that there are few pragmatic ways to stop the bleeding, short of abandoning on-line banking. Even with that scenerio, there would be no full-proof guarantee that customer finances would be fully safe in the banks hands, since they are also dependent on vulnerability-centric defenses.

Like or Dislike: 3 0

By: MichaelFigueroa

MichaelFigueroa — Thu, 07 Jan 2010 20:22:33 +0000

Brian – I’ve been following you for years as a security consultant and as a CISO and am glad to see the new site up and active.

My partners and I have been debating who should be responsible for these attacks. On one hand, you can blame the banks for having poor business processes that do not account for the potential for misuse. On the other hand, you have the organizations themselves who have ignorant users who provide access to banking credentials.

Since I think that the argument can go either way (or both ways, which would be the reality), I think that it would be really interesting if you were to put up a “Wall of Education” page that lists the affected banks and organizations, sorted by dollar value of the attack. It would be interesting to see how many times individual banks start popping up.

Like or Dislike: 3 2

By: infosec_pro

infosec_pro — Thu, 07 Jan 2010 00:04:03 +0000

@BrianKrebs – thanks for sharing that email, and thanks to the author for being willing to have it shared. I think it should give a good argument against those who continue to blame the victims, that organization probably knows more about securing systems than most of your readers and still took big losses despite strong motivation to protect themselves with best in class measures. If they couldn’t stop the bleeding how is a local school district going to do so?

btw I served on a local (regional) school board for a few years, comparable in size to Duanesburg. Our entire IT budget would not have covered my present salary, and that’s probably true for most of the knowledgeable readers on here. It takes time and effort and diligent competence to properly manage and secure systems, that’s why it is so seldom done right. If local governments and schools spend money to get the resources they need to do the job right they get slammed by taxpayers and/or cut back in mission critical areas.

@ TheGeezer, “Parkinson Construction is not in the computer business.” Exactly the problem. It takes so much competence and diligence to properly secure desktop PCs that almost anyone not in the IT business cannot justify the expense to do it right, especially with the need for expertise so outstripping the available supply.

Well-loved. Like or Dislike: 5 0

By: TheGeezer

TheGeezer — Wed, 06 Jan 2010 18:12:14 +0000

You are right Rick that the registration is after the fact of installing the malware.
However, the malware is often accessed via a registered domain name.

The registrar’s role is therefore VERY important!
And yes, we can claim to not know how this happened. Was it again a fraudulently registered domain that should have been detected by the registrar? Or was it an employee downloading ‘free’ software? We don’t know how this happened. “not having a clue about operating systems and system security” is not the answer.

Let’s look at the example of the small business in D.C., Parkinson Construction, which fell victim to the Social Security Administration exploit which Brian reported on early december.
http://voices.washingtonpost.com/securityfix/2009/12/who_says_pay-per-click_revenue.html

The Zeus botnet SSA exploit was running in late November using the ccTLD of ‘.be’.
It should have been clear to any registrar that the US Social Security Administration does not register with DNS.be and does not use a fast-flux server. The registrar is in the computer business.
They should be able to see this and respond. Parkinson Construction is not in the computer business.
If this registrar had shown the same responsibility demonstrated by some others, Parkinson Construction would have received a ‘Host Not Found’ error message rather than a trojan.

The personal computer has become a necessary but dangerous appliance for most people and certainly for business.
No one is required to know electronics to be guaranteed safety from electrical shock from their dvd player.
You should not have to be a computer guru to avoid ‘software shock’ from your computer either.

The registrars need to have their focus redirected from bragging about how many domains they’ve registered to how few malevolent domains they’ve registered. They are the ones who should be the computer gurus, not victims like Mr. Parkinson and Duanesburg Central School District.
It doesn’t take much of a computer guru to know that the IRS and SSA are not located in Chili or Argentina.
Let the Registrar be responsible for the research. That would prevent the majority of these incidents.

Like or Dislike: 4 1