Author Archive

UK Government Published National Security Strategy Document

Monday, October 18th, 2010

Today the UK government published a 2010 National Security Strategy of the United Kingdom. The Prime Minister will give a press conference about this tomorrow.

Interestingly, the document does talk about cyber security and cyber terrorism as a top 4 threat to the UK.

The top 4 threats are:

1. International terrorism including chemical, biological, or nuclear attack

2. Hostile attacks on UK cyber space

3. A major accident or natural hazard such as an influenza pandemic

4. International military crisis

Realtime Privacy Monitoring on Android Phones – TaintDroid

Wednesday, October 13th, 2010

Researchers at Pennsylvania State University, Duke University and Intel Labs have published a paper this week called “TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones”.

Their tool installs deep into the Android operating system, and profiles apps on the phone, looking for which ones send out a user’s private information to third parties. That information includes a user’s geographic location, unique phone id, phone numbers and SIM card serial numbers. They profiled 30 popular Android apps and found that half of them send a user’s geographic location to remote advertising services. 7 of the 30 send other private identifying information to the app developers.

None of the 15 apps mention data collection in their user license agreements!

Survey: Identity Theft and Hacking Into Financial Accounts Top of List of Worries for Consumers

Wednesday, October 6th, 2010

I was a speaker at today’s NCSA/APWG Consumer Security Messaging Summit at Intel Headquarters in Santa Clara, CA.

In the morning, Jennifer Airey presented the results of a study of consumer attitudes and fears regarding online security and privacy. This was a study of 1,000 consumers. It asked them what their fears were about online activities, buzzwords regarding security and privacy, what steps they had already taken to protect their online security and privacy, and it also tested some consumer messaging about security.

Of interest to me was a set of findings about what worries consumers most about online activities.

31% Identity theft
25% Someone hacking into my financial information or accounts
7% Cyber criminal gaining information about me or my family
7% My personal information being made public
6% Falling victim to an online scam or fraud
6% Someone monitoring or recording my online activity
5% Someone hacking my online connections
5% Loss of privacy
4% Someone hacking my email or non-financial accounts
2% Online bullying

City of Brigantine, New Jersey, Suffers $600,000 Cyber Heist

Wednesday, October 6th, 2010

On September 28, the user name and password for the City of Brigantine’s online bank account were stolen, either through crimeware or a phishing site, and criminals logged into the bank account and transferred $600,000 of the City’s funds. The money was wired to bank accounts of several “money mules”, people who then forward the money on to the actual perpetrators of the crime, and take a cut of the proceeds.

This week there have been a number of arrests of money mules around the globe, in the USA, United Kingdom, and most recently in the Ukraine.

The way that money mules work is well described in a graphic image posted on Brian Krebs’s excellent KrebsOnSecurity.com website. It’s linked below:

37 Money Mules Arrested By US Authorities for Online Bank Fraud

Saturday, October 2nd, 2010

The US Department of Justice, Attorney for the Southern District of New York, has announced that 37 defendants have been charged in conjunction with global bank fraud schemes that used “Zeus Trojans” and other malware to steal millions of dollars from U.S. bank accounts. The law enforcement program by the FBI was called Operation ACHing Mule.

Charges include:
Conspiracy to commit bank fraud
Conspiracy to commit money laundering
Money laundering
Transfer of false identification documents
Production of false identification documents
Possession of false Immigration documents
False use of passport

Some of the defendants face maximum penalties of 30 years in prison and fines of $1,000,000.

Noteworthy is that false immigration documents are involved. Sometimes we think that cyber-criminals are geeks sitting in dark rooms in Eastern Europe. Here is a more human face of high-tech crime: people creating fake passports and entering the US falsely.

District Attorney CYRUS VANCE, JR. said: “This advanced cybercrime ring is a disturbing example of organized crime in the 21st Century – high tech and widespread. The 36 defendants indicted by our office stole from ordinary citizens and businesses using keyboards – not a gun. The far-reaching results of this investigation to date represent what people deserve: successful cooperation between city, state, federal and foreign law enforcement officials, who worked together for a common goal – to identify and prosecute individuals who commit fraud against New Yorkers and the rest of the nation.”

FBI Assistant Director-in-Charge JANICE K. FEDARCYK stated: “The Zeus Trojan allegedly allowed the hackers, from thousands of miles away, to get their hands on other peoples’ money – with far less exertion than a safecracker or a bank robber. But their scheme didn’t eliminate risk. Like the money mules, many, if not all, will end up behind bars.”

NYPD Commissioner RAYMOND W. KELLY said: “After NYPD detectives entered a Bronx bank in February to investigate a suspicious $44,000 withdrawal, it soon became evident that it was just the tip of an international iceberg. I want to commend those detectives and our federal partners for coming to the rescue of unwitting depositors who were put at risk in this latest form of transnational thievery.”

USSS Special Agent-in-Charge BRIAN G. PARR said: “As the incidence of transnational cybercrimes continues to rise, the Secret Service remains actively engaged in fighting this type of illegal activity. The results of this investigation clearly demonstrate how the Secret Service is forging strong partnerships with other law enforcement agencies, successfully combating cyberfraud, and bringing high-tech perpetrators to justice.”

US Arrests 60 People In Connection With Zeus Trojan and Online Banking Theft

Thursday, September 30th, 2010

The US Department of Justice is about to hold a press conference, announcing that they have arrested more than 60 money mules in conjunction with criminals who are using the Zeus trojan to steal money from corporate bank accounts.

Thoughts on the UK Arrest of 19 Online Banking Cyber Criminals

Thursday, September 30th, 2010

Yesterday the UK Met Police arrested 19 people who are suspected of being engaged in online theft of bank accounts using the Zeus banking trojan. These people are thought to have stolen between 6 million and 30 million pounds this year.

The group purchased sophisticated crimeware, called Zeus, in online cybercrime forums. They used it to infect the computers of thousands of online banking users in the United Kingdom. The malicious software allowed them to harvest usernames, passwords, and other personal information. They used that information to log into the online accounts of these victims, and fraudulently transfer money from their accounts.

Because the suspects are located in the UK, it makes me wonder if these are actually the perpetrators of the crimes, or if in fact they were money mules: people who accept fraudulent funds transfers and then withdraw the funds, and send it to the real criminals overseas in return for a cut of the proceeds. Time will tell, as the case winds through the courts.

The defendants include Yuriy Korovalenko, 28, of Ukraine; Yevhen Kulibaba, 32, of Ukraine; Aleksander Kusner, 27, of Estonia; Roman Zenyk, 29, of Ukraine; Eduard Babaryka, 26, of Belarus; Valerij Milka, 29, of Ukraine; Iryna Prakochyk, 23, of Ukraine; Ivars Poikans, 29, of Latvia; Kaspars Cliematnieks, 24, of Latvia; and Karina Kostromina, 33, from Latvia. All have been denied bail, as they are considered flight risks.

In the USA, we have seen a marked increase in the targeting of small and medium sized businesses, government agencies and charities by cyber criminals. They have figured out that it’s easier to steal $500,000 from one small business, than to steal $500 from 1,000 consumer online bank accounts.

Today the US Department of Justice announced that it has made several arrests this week in conjunction with Zeus botnets as well.
