Friday, November 30, 2007

HijackThis is Goodware

I occasionally get worried calls from friends saying they have seen our brand turn up on the Internet listed in a long list of programs under the heading "Hijack This".

This certainly does happen. A quick search on Google for "Authentium" will come up with several examples of logs created by folks who have downloaded and used the software, and discovered our software among other programs in their Startup menu.

Authentium says: stop worrying. "HijackThis" is a "goodware" utility program with an unnecessarily-scary name that is owned and maintained by Trend Micro. It enables consumers to quickly create log files containing details on all programs listed in their StartupList, and root out spyware and other potential nasties.

It's really something that only sophisticated users should use. As Trend Micro itself says, "HijackThis does not determine what is good or bad. Do not make any changes to your computer settings unless you are an expert computer user."

That said, it's a useful tool. Here's a short description from

If persistent spyware is bogging down your computer, you might need HijackThis. The tiny program examines vulnerable or suspect parts of your system, such as browser helper objects and certain types of Registry keys.

Pressing the Scan button generates a log of dozens of items, most of which are just customizations. Don't check off an item and hit the Fix checked button unless you're sure it's malware.

Info on selected item tells you why the entry was flagged as suspicious, but not whether it's actually malware. To find that out, search the Web for that item's name or go straight to a forum, such as SpywareInfo or Computer Cops. Saving the log creates a text document you can post to these forums.

The latest version adds powerful tools to the Config window. The process manager and hosts file editor help you excise virulent infections. The unique ADS Spy tool scans for alternate data streams, which some browser hijackers use to hide from spyware removers.

The program still installs into whatever directory in which you unzip the file, which can make it hard to locate. HijackThis is a serious tool for any user who needs to root out a serious infestation, but wield it with caution.

NZ Cops Praise "Bright and Gifted" Hacker

New Zealand police announced today they have, with the help of Dutch investigators and the FBI, apprehended an 18 year old resident of Hamilton, NZ.

The 18-year-old is accused of creating - and selling to criminal gangs - an encrypted piece of malware that enabled professional criminals around the world to evade certain antispyware apps and cause more than $20 million in economic losses.

Martin Kleintjes, the head of the New Zealand Police Computer Crime Unit, knew exactly how to deal with this kind of criminal, and very quickly put him in his place:

"He is very bright and very skilled in what he's doing. He hires his services out to others. [He is] one of the world leaders in terms of developing this sort of software - it's absolutely first-class."

At the conclusion of this damning statement, sure to drive fear into the hearts of aspiring NZ hackers everywhere, Mr Kleintjes metaphorically patted the youth on the head, and sent him home to await a call back.

Test Question. You've just nabbed a bank robber that you're pretty sure has stolen $20m from a bank in downtown Auckland. Do you let him go home?

Despite the size of the crimes perpetrated, and the fact that the youth appears to have actively sought out criminal partnerships, the youth, known as "AKILL" online, is not facing an immediate stint in jail.

He has indeed been sent home by Mr. Kleintjes, pending further investigation. In addition, his identity has been protected, just in case some of the crimes he allegedly conducted happened prior to him turning 18.

Note: his crime was enabling identity fraud. Anyone see a contradiction here?

Authentium to New Zealand Police Computer Crime Unit: murderers can oftentimes appear intelligent and charming. That doesn't mean they should be mollycoddled. Cybercrime of this magnitude needs to be taken seriously and the perpetrators treated no differently than any other form of grand larceny, including bank robbery.

Consumers are sick to death of this kind of crime, and praise just leads to replication of effort. We need to start throwing the book at these guys.

Further note re this hack: most current antispyware and antimalware engines can detect packed or encrypted malware of this type, but only if their definitions are current. Users should update to the latest available definition files regularly.

Tuesday, November 27, 2007

40% of Consumers Lose Trust in "Phished" Brands

YouGov and Cloudmark have published a survey that brand managers might find worthwhile reading - not that they are likely to learn anything new. To the surprise of no one, brands, once phished, are no longer trusted by 40% of consumers.

From VUNet: "Banks' reputations were the hardest hit when it comes to phishing. Over 40 per cent of respondents said that a phishing email about their bank would put them off. A similar percentage felt the same about their ISP, 36 per cent about an online shopping site and 33 per cent about a social networking site."

That wasn't the most surprising statistic to me. According to the survey, only 26% saw protecting against phishing as primarily their own responsibility, while nearly as many (23%) felt their ISP should bear the brunt of filtering, and a further 17% pointed at the sender's ISP or email provider. From The Register:

One in four (26 per cent) of 1,960 adults surveyed reckon the main responsibility for protecting against phishing attacks lies with themselves, with a similar percentage (23 per cent) responding that their ISP ought to bear the brunt of filtering spam emails. A further 17 per cent think the sender's ISP and email service provider hold the greatest responsibility in combating scam emails.

Also troubling is the news that VOIP-based phone phishing (aka "vishing"), in which the victim is steered to a number the criminal controls, often with the help of caller ID spoofing, appears to be well on its way into the mainstream of attacks in the UK as well. Here's Neil Cook, Cloudmark's UK technology chief, quoted in the same article:

"If the recipient makes the call, it gets routed to a cheap VoIP answering system, which may have been set-up on a compromised host. The system captures the user ID and pincode to sell on to the highest bidder, who then has full access to your account. All the while the call seems very genuine. The reassurance of speaking to an individual rather than working online will lead to many instances of consumers falling foul to such threats."

If you've never set up a call center, this probably sounds like science fiction, but unfortunately, this kind of "vishing" is extremely easy to set up, very cheap, incredibly portable, and because it sounds so real and involves live call-center-like humans, rather convincing.

Full article here.

Saturday, November 24, 2007

"Koffi Anan" Email Scam

This morning I was forwarded an email from none other than "Koffi Anan", the former Secretary General of the United Nations.

Sadly, since leaving the UN, "Mr. Anan" has apparently forgotten how to correctly spell his own name. I guess it must have been the stress of the job.

That said, "Koffi" was considerate in wishing to apologize for all the email scams that have taken place under the masthead of the UN. He suggested that I contact a certain Mr. Jim Ovia at Zenith Bank Nigeria Plc, who has been instructed to forward me $150,000, no questions asked.

Folks, this ranks as probably the dumbest scam email I've ever seen. It is so outrageous that I'm left wondering if The Onion isn't somehow behind it.

If not, I take back everything I have said recently about criminals getting more sophisticated and intelligent, as a whole. Clearly, some criminals are evolving at a considerably slower pace than others.

Everyone, Authentium says: beware of any email that promises you money, or contains advice from a celebrity, or suggests you immediately contact a bank or lawyer you've never heard of because money is waiting.

Every single one of these emails is a scam, and if you respond, you're going to get duped.

Friday, November 23, 2007

BayRob Downloads Fake eBay to Desktops

The BayRob Trojan currently tormenting eBay Motors demonstrates some of the increasingly sophisticated tactics that online criminals are using to defraud eBay's customers.

Like most malware these days, BayRob appears to be primarily distributed in the form of a phishing email carrying eBay Motors branding. The Trojan is attached as a file that presents itself to the user as a photo of a vehicle, but is in fact an executable.

When the user opens the "image", BayRob installs a web server on the local machine, geolocates the user's IP address, then launches the user's web browser and starts serving up fake pages designed to appear as if they are coming from eBay or CarFax or similar services.

According to Symantec, quoted by the Register, the web server is in constant communication with a "fleet of control servers" designed to mimic the auction site and constantly update the pages.

Consider for a moment what is happening here, from the end user's perspective. The end user's aim is to get a great car for a great price, from a trusted brand (eBay). The criminal's aim is to take money from the consumer without providing goods.

The criminal accomplishes this by using the trusted brand in combination with the IP geolocation lookup to place the cars in the fake ads just a little bit too far away from the user's home address - far enough that the buyer won't drive over to inspect the car, close enough to look plausible. In this carefully-calibrated scam, the criminal has everything they need to control the user's action - control of price, control of the desktop, control of the transaction mechanism.

The sad part of this (or happy part, depending on how you look at it) is that there are solutions out there that can mitigate this eBay scam and remove the problem entirely.

Our technology, Authentium VERO, completely prevents these scams from occurring, by ensuring eBay pages are identified as coming from actual eBay web servers (not faked local web servers), and disallowing all other (fake) pages access to the user's web browsing environment.
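The check described in the preceding paragraph - that a page claiming to be eBay really came from an eBay server and not from a fake web server on the victim's own machine - can be approximated in a few lines. What follows is an added example, not Authentium's VERO code and not taken from Symantec's analysis. The post does not say how BayRob steers the browser to its local server; a hosts-file override is one common way a local fake captures a brand's traffic, so the example assumes that mechanism. The sample hosts file, the brand list and the hijack entries in it are constructed for illustration.

```python
"""Flag trusted brands pinned to a local or private 'fake web server'.

Added example, not Authentium's or Symantec's code.  BayRob runs a web
server on the victim's PC and feeds the browser fake eBay/CarFax pages.
How the browser is steered there is not stated in the post; this check
ASSUMES a hosts-file override, the usual trick for that, and looks for
trusted hostnames mapped to addresses no public brand would resolve to.
"""
import ipaddress

# Brands the check cares about (the two named in the post).
TRUSTED_SUFFIXES = ("ebay.com", "carfax.com")


def is_trusted_host(hostname: str) -> bool:
    """True for the brand apex domain or any subdomain of it."""
    host = hostname.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def is_plausible_origin(ip_text: str) -> bool:
    """A genuine eBay/CarFax page never arrives from loopback, RFC 1918,
    link-local or otherwise reserved space; only globally routable
    addresses pass.  Unparseable input is treated as implausible."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return ip.is_global


def parse_hosts(text: str):
    """Yield (ip, hostname) pairs from hosts-file text.
    Comments (after '#') and blank lines are skipped; one IP may be
    followed by several names on the same line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            yield ip, name


def find_hijacked_brands(hosts_text: str):
    """Return [(hostname, ip)] for trusted brands pinned to non-public addresses."""
    hits = []
    for ip, name in parse_hosts(hosts_text):
        if is_trusted_host(name) and not is_plausible_origin(ip):
            hits.append((name, ip))
    return hits


# Constructed sample hosts file.  The first two lines are normal; the
# brand entries below them are hypothetical, showing what a BayRob-style
# override would look like.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost
# nothing to see here
127.0.0.1       www.ebay.com ebay.com        # browser now talks to the local fake
127.0.0.1       www.carfax.com
10.0.0.5        signin.ebay.com
192.0.2.10      www.example.com
"""

if __name__ == "__main__":
    for host, ip in find_hijacked_brands(SAMPLE_HOSTS):
        print(f"WARNING: {host} pinned to non-public address {ip}")
```

Run stand-alone, it prints one warning per trusted hostname pinned to a loopback or private address. The is_plausible_origin test is the more general half of the check: it can be applied to whatever address the browser actually connected to, and a brand's page served from 127.0.0.1 or a 10.x address is fake no matter how the redirection was achieved.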

For an example of how bad this might get, check out this story about how one potential buyer of a Jeep Cherokee lost $8,600 - and was unable to be compensated for her loss, because, according to eBay customer service, "the fraud happened outside of eBay."

Note: Symantec reports that one victim was recently almost scammed out of $10,000 but managed to track the money to its final destination - a Western Union outlet in Greece - and halt the payment.

Thursday, November 22, 2007

The Dardenne Prairie MySpace Suicide: Act 2

In his best-selling non-fiction work In Cold Blood, Truman Capote travels to the small town of Holcomb, Kansas and pulls together the tiny threads of a quadruple murder into a vast tapestry that entangles an entire society.

In the end, it's the detail, not the larger story, that reels you in. The larger story of the Clutter family murder fades into the background.

Right now, I'm betting there's a lone reporter sitting in Dardenne Prairie, Missouri, 75 miles northwest of St Louis, with similar ambitions, determined to pull together the story of the suicide of a teenage girl and the details of her tragic death following a fight, on MySpace, with her cyber-boyfriend.

The story started innocently enough a little over a year ago: 13 year old teenager Megan Meier meets 16 year old guy Josh Evans on MySpace.

According to several published news reports, including a story published today in the LA Times, the chance meeting happened at a good time for Megan - she'd apparently become estranged from her previous BFF (Best Friend Forever), a girl that lived four doors down from Megan on Waterford Crystal Drive - and was struggling to overcome depression associated with the loss of her friend and bullying at school.

Lonely and depressed, Megan found a confidant in the "hot" young Josh Evans, and for several weeks, she poured out her heart to her new friend via the Internet.

Then one night, something changed in Josh. According to FBI transcripts quoted in the LA Times, Josh sent Megan a nasty message, saying that he'd heard that she was a "terrible friend". The final message, not published, was, according to her father, along the lines of "Everybody in O'Fallon knows how you are. You are a bad person and everybody hates you. Have a shitty rest of your life. The world would be a better place without you."

Minutes later, Megan left her computer, took Josh's advice, and hanged herself in her closet.

Upon hearing the news of 13 year old Megan's death the next day, the Drews and other neighbors in this town of 7,500 people rallied around and provided comfort to the Meiers. The Drews cried at the wake, and sent over cookies, and collectively, they tried to forget the terrible event of Megan's death.

And for weeks, this story ended right there - anonymous guy meets anonymous girl on MySpace and breaks her heart.

Then apparently one day, several weeks later, one of the Meiers' neighbors came over to their house and told the Meiers a different version of events - one that they couldn't have imagined. The neighbor told them that Josh Evans was not a real person. That he was a fictional character created specifically for the purpose of targeting the emotionally unstable Megan.

He further informed them that this was no teenager-on-teenager fight: the character "Josh Evans" had been created by an adult - Lori Drew, the mother of Megan's former friend, and the Meiers' friend and neighbor. The baker of the cookies. The person who cried at the funeral.

Megan's mother reacted to this news as you might imagine anyone hearing of something so impossible would - by screaming her lungs out, putting an axe through a foosball table that the Drews had asked her to store for them, and depositing the pieces on the Drews' driveway.

The townspeople reacted as well - no one could believe it when they heard that Lori Drew had admitted that she had in fact invented the character, and created the messages - and monitored Megan's replies - with the help of her daughter and another friend.

Local blogs started up within hours, targeting the Drews' workplaces. The Drews found themselves shunned in the street. Death threats arrived.

But then, like any orderly citizens of a 21st century town, the good people of Dardenne Prairie calmed down, knowing better than to take justice into their own hands. They stepped back and waited for state, local, and federal law enforcement to step in, and make things right.

They waited. And waited.

But there was a problem. When law enforcement tried to step in, they discovered there was nothing they could do. There were no paths to justice for the Meiers. Cyberbullying, as this act is being called, is not defined under any law in any town, county or state jurisdiction applicable to the Meiers, or to Megan Meier's death.

Currently, Lori Drew has not been charged with any crime. She is still turning up for work and will likely continue to do so. Sure, some cars still speed past the Drew house in the middle of the night, filled with people shouting "murderer!", and there has been some property damage to their house, but for the most part, the Drews are untouched, and unaffected.

Meanwhile, the Meiers family has been decimated by the tragedy. Ron and Tina Meier have split up and are now living apart, considering a divorce. Lawyers are attempting to move things forward. No one sleeps in the house on Waterford Crystal Drive anymore.


Earlier this year, Alex Eckelberry and others, including myself, and Robert Sandilands at Authentium posted a number of blogs about the injustice faced when cybercrime charges were brought against a school teacher in Norwich Connecticut around an incident that was obviously caused by malicious javascript.

The Meier case is different. In this instance, we have a clear example of potentially the first case in which a false online identity is used by an adult to induce suffering in a real child, resulting in her death. That the incident involved a bullying fictional identity and not a bullying real person is apparently not covered by any applicable law. Not yet.

Here's my "small change." I'd like to suggest that the mayor, the state law enforcement officials, and the county law enforcement officials start lighting a new fire under this case by boning up on how MySpace works - because I suspect that if they can prove that the communications sent by "Josh Evans" to Megan Meier went through the MySpace servers in Los Angeles, or some other out-of-state data center, then I think they have a case they can hand to the FBI.

Parry Aftab has suggested the federal Telecommunications Harassment Law may apply. I have no doubt that the FBI's federal cybercrime division will find an applicable statute they can use to enforce justice. And I have no doubt that there is a tremendously interesting story still to be played out in Dardenne Prairie. We're just at the start of Act Two.

7.25 Million UK Families + MailMerge = Problem

As you already know, this week, the UK Government lost two disks in the mail that contained the personal information of 7,250,000 families, or 25,000,000 individuals, including, in many cases, their banking information.

Ho-hum, I hear you say. This "lost data" stuff happens all the time. It won't affect me.

I understand this reaction. Subconsciously, most of us realize by now that, statistically, our personal data, including that of our family members, has probably been stolen or misplaced multiple times. And because we can correlate that with the additional fact that there is still money left in our bank accounts, we think, "why worry"?

Here's why we should worry: Things are about to get really rough in the identity theft market. The reason? Online criminals are starting to discover the power of database mining and targeted marketing. Consider the "Better Business Bureau" phishing scam of earlier this year.

During this scam, I received a phishing email that I'm ashamed to say almost fooled me - a security professional. Why? Several reasons. First of all, the email was very well-formed, and it was not flagged as coming from an IP address associated with any previous phishing activity.

But most importantly, this scam email addressed me personally - by my correct name, my correct title, the name of my company, and our address - plus, it contained a plausible premise that any business owner can relate to - a complaint from a customer who has not yet received the goods that he ordered.

In other words, it was targeted - and, unlike the amateurish and non-targeted "Dear Sir" emails from the wives of defense ministers of deposed dictators offering 25 million dollars in return for an email address, it had a good shot at fooling a reasonable percentage of the 29 million small business employees in the United States.

Most industry analysts believe the data was "scraped" from LinkedIn, ZoomInfo, Plaxo, or some other business-oriented social networking site. It doesn't matter. Social networking is just a fancy name for what you do using a "database interface". "Social Network Engineering" is where these crooks are headed.

Since the BBB scam, we've seen a few copy-cat attempts at replicating its success in our labs, but none yet aimed at a specific user population or brand. This is what scares me about the situation regarding the data loss in the UK - and phishing in general.

Assuming these disks have indeed fallen into the wrong hands, it is probable that right now, schemes are being crafted by data-smart criminals that will utilize the personal data of these families to fool them into thinking that a counterfeit piece of communication from a criminal is actually coming from a trusted government body.

So how does the UK government now tell these people not to worry? Not by email - email is dying as a communications medium. By phone? Not the best idea - see my earlier posts on VOIP-based caller-ID spoofing. By snail mail? Heard of MailMerge?

So have the criminals.

If I'm wrong, then we can all pour a cup of tea and go back to being complacent. But if I'm right, and the criminals decide to get rich quick, rather than milk this opportunity over the long term, banks, online trading companies, credit unions, and other financial service providers - including Revenue, and other government departments - could be in for a rather bumpy ride.

Note: There are some practical steps we need to start taking. Authentium strongly advises consumer banks, credit unions and other online financial service providers to refrain from telling their customers that personalized emails can be trusted. Some of your web sites still suggest that personalized emails under the bank's letterhead should be trusted. This is very poor-quality advice.

Tuesday, November 20, 2007

Enabling Premium Online Banking Services

Back in 1959, American Express issued their first charge card. Then in 1966, they introduced the Gold Card, and in 1984, the Platinum Card. This was followed up by the introduction of the Centurion, or "black card" in 1999. Coming this December: the American Express "Plum" card.

Where am I going with this?

The regular introduction of a new premium service tier has proven to be a huge success for American Express. For an increasingly large percentage of the American Express member population, annual service fees have risen from $6 in 1959 to more than $2,500 annually for a Centurion Card today (not counting the $5,000 account activation fee).

Clearly, offering premium service tiers generates revenue. So why is it that no online banks are lining up to charge me a $200 annual fee for "Platinum Online Banking"?

Jim Bruene, who authors the Online Banking Report, believes 2008 is the year that "Platinum" premium online service programs will take flight. In fact, Jim lists "Premium Online Banking Services with a Security Emphasis" third in his list of the Top Fifteen Marketing Tactics for 2008 in his 2008 Planning Guide.

Currently, several banks offer security software suites to their consumers, and typically they earn a bounty on each purchase. However, selling a non-sticky retail product-in-a-box doesn't promote retention - consumers can use the product regardless of whether or not they remain loyal to the site they got it from.

What is needed instead are attractive services that promote lasting relationships, based on technologies that securely and persistently link consumer devices with the bank's infrastructure.

Example 1: Real-time information widgets that update rate information, account transactions, security alerts, investor tips, and financial news - in real time, right on the consumer's desktop.

Example 2: Data backup and restore software, as enabled by our partners FarStone and IBM CDP. This service leverages the bank's extensive IT infrastructure to keep secure and provide access to statements, records of web sessions, expense reports, scanned documents, and "create-once, administer-remotely" personal banking profiles.

Example 3: ID Theft Prevention software, such as our own Authentium VERO Virtual Desktop and Virtual Browser (called VirtualATM in some markets) - software that only runs if first "recognized" by the bank's infrastructure, and allowed to execute on the consumer's machine.

I could go on, but you get the idea: software now exists that can add value to a bank's infrastructure, and justify offering a premium service tier consisting of security offerings and services that leverage the bank's existing assets and proprietary market intelligence.

Note 1: If you haven't read Jim Bruene's 2008 Online Banking Report Planning Guide yet, I strongly recommend you head over to Jim's Online Banking Report site and buy a copy - this guy is one of the hardest-working people in the industry.

Note 2: Marketers, here's a great story - Amex originally set their $6 annual fee a dollar higher than Diner's Club so they could position their card as the "premium offering".

This initial positioning exercise has to rank as one of the most successful marketing decisions ever taken in the finance industry.

Sunday, November 11, 2007

eCrime is not yet Organized

Fact: Criminals have become quite adept at stealing your personal information via the Internet.

Malware designed to secretly steal personal information is currently resident on millions of computers. Millions of bank customer records are available for purchase from corrupt BPO (Business Process Outsourcing) employees in India and elsewhere for a few dollars per record.

Online criminal gangs have proven their ability to regularly break into databases and pull down millions of customer accounts, including credit card details and other personal data. Phishing scams regularly fool thousands of people into revealing their personal information and banking details.

Q. So why aren't these activities bringing down major banks or retailers?

I believe the answer lies in the fact that ecrime is not really organized - yet. While the criminals have become adept at malware manufacture, they are not yet data-parsing geniuses.

Currently, the sheer volume of data being collected, and the current inability of criminal gangs to parse the data they are collecting, means they are unable to target individuals based on any useful analysis of that data, such as "net worth", "timing of deposit activity", "statement viewing frequency", or similar paradigms.

However, I think that's about to change. And so do most of the executives I've spoken with at Authentium's customer and partner companies.

In the same way that common criminals currently case a physical bank, or shopping mall, for the right time of day to perform a heist, I believe online criminals may soon start casing online accounts for "spiky activity", such as an executive's payday, or an investment banker's end of year bonus.

Why is such analysis required? Take the typical current account. Many families and small business owners use their current accounts for bill payment.

For much of the month, these accounts sit empty - but at the right time in any given month, these accounts may contain both rent and payroll. At that moment, a stolen "user name and password" combination is more valuable than at other, leaner times - a fact that I'm sure is not going unnoticed by carders and other middlemen.

Right now, there is no compelling evidence that criminals are yet using these sophisticated methods for frauds. However, there is little doubt that, over time, criminals will begin adopting these methods. It's just pure Darwinian logic.

In the future, uninformed criminals lacking information on the right time to "hit" accounts will ultimately end up expending a lot of effort for little or no gain. These criminals will eventually go out of business.

The more organized and "informed" criminals (i.e. those capable of processing their data) will grow in sophistication to the point where they will be able to visualize exactly the right time to attack a bank located, say, in a second-tier city, in which a majority of the employees are paid by two large companies on a certain date.

If I'm right, then we could be experiencing a period of calm ahead of what could prove to be quite a storm of activity.

Saturday, November 10, 2007

Alicia Keys Unplugged: The MySpace Hack

The Alicia Keys MySpace hack has been in the news this week. Several researchers, including Chris Boyd, and our friends over at (Authentium partner) Sunbelt Software, have blogged about this attack. Roger Thompson at Exploit Prevention Labs recorded a video of the hack.

The hack uses an interesting approach. A large transparent image (8000 x 1000 pixels) wrapped in a hyperlink is inserted into the page. Clicking anywhere on the page, other than on a legitimate link or an image with a higher z-index, places a GET request to a malware server in China, which then offers up a dialog box inviting the user to install a new codec in order to properly view the content they are requesting.

Chris Boyd, Director of Malware Research over at, recently blogged about a series of similar attacks on the sites of other musicians, and provided this snippet of code for those interested (note: the URL shown here is the same as the URL mentioned by Thompson):

The codec isn't required and doesn't exist, of course - and as Thompson demonstrates in the video, you don't have to click on the dialog box to be "owned": you were owned the moment you made the first click on the page.
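As an added example - not the snippet Chris Boyd posted, which is absent from this page, and not anything MySpace itself runs - here is the kind of static scan a profile-hosting site could run over submitted HTML to catch the overlay described above: an img element wrapped in a link whose declared size dwarfs any real screen. The area threshold, the sample profile HTML and the placeholder hostname malware-host.example are assumptions; the real URL mentioned by Boyd and Thompson is not reproduced on this page.

```python
"""Static scan for oversized click-capturing overlays in user-supplied HTML.

Added example; not Chris Boyd's snippet and not MySpace code.  The hack
described in the post drops an 8000 x 1000 transparent image inside an
<a> so that a click almost anywhere on the page fires a GET to the
attacker's server.  This parser flags <img> elements nested in <a> whose
declared width x height exceeds a page-covering threshold.  Threshold,
sample HTML and hostnames are assumptions made for illustration.
"""
from html.parser import HTMLParser

# Anything declared larger than this (in pixels) is treated as a
# page-covering overlay rather than a photo.  Assumed threshold.
SUSPICIOUS_AREA = 2000 * 1500


def _to_int(value) -> int:
    """Parse '8000' or '8000px' to an int; anything else counts as 0."""
    try:
        return int(str(value).lower().rstrip("px"))
    except (TypeError, ValueError):
        return 0


class OverlayFinder(HTMLParser):
    """Track open <a> elements and record oversized <img> found inside them."""

    def __init__(self):
        super().__init__()
        self._link_stack = []   # hrefs of the <a> elements currently open
        self.findings = []      # (href, width, height) per suspicious image

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            self._link_stack.append(a.get("href") or "")
        elif tag == "img" and self._link_stack:
            w, h = _to_int(a.get("width")), _to_int(a.get("height"))
            if w * h >= SUSPICIOUS_AREA:
                self.findings.append((self._link_stack[-1], w, h))

    def handle_endtag(self, tag):
        if tag == "a" and self._link_stack:
            self._link_stack.pop()


def find_overlay_links(html: str):
    """Return [(href, width, height)] for click-capturing overlays in html."""
    p = OverlayFinder()
    p.feed(html)
    p.close()
    return p.findings


# Constructed sample profile: one normal linked photo, then an overlay of
# the kind the post describes.  malware-host.example is a placeholder.
SAMPLE_PROFILE = """
<div class="profile">
  <a href="http://www.example.org/band"><img src="band.jpg" width="300" height="200"></a>
  <p>Tour dates, photos, friends...</p>
  <a href="http://malware-host.example/codec"><img src="clear.gif" width="8000" height="1000"
     style="position:absolute;top:0;left:0;z-index:-1"></a>
</div>
"""

if __name__ == "__main__":
    for href, w, h in find_overlay_links(SAMPLE_PROFILE):
        print(f"SUSPICIOUS: {w}x{h} image links to {href}")
```

The scan reads only width and height attributes; an attacker can size the image from a stylesheet instead, so a production filter would also have to evaluate CSS, and would treat an opacity of zero or a transparent GIF stretched across the page with the same suspicion.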

Q. So where does this lead?

Firstly, the Alicia Keys MySpace page is toxic until proven otherwise, and may suffer permanent damage. But what of the parent site itself?

Obviously, the social networking sites don't yet feel these forms of attack are bothering users enough to prove fatal, or overly-damaging to their brands. And there has yet to be announced a venture-backed social networking site based around a promise to scan all code and content.

But that doesn't mean the slow "drip, drip, drip" of user discontent hasn't started...

I'm not aware of any active research groups that are tracking defections away from MySpace, or any of the other social networking sites, based on a negative reaction of the user population to the presence of malware, but you have to wonder: at what point will the parasite cause the fatality of the host?

Medical researchers have studied and now understand the "parasite density" levels various organisms are able to tolerate up to the point at which a fatality occurs - but no corresponding data is available regarding how tolerant a user population might be of a highly-compromised social networking site.

Attention computer science grads looking for a thesis - here's a subject that should prove interesting: At what point does a social networking site become so rife with malware that it can no longer survive?

My Dinner With Christophe

While in the UK a couple of weeks ago, I got together with Christophe Langlois, editor of Visible Banking, and we had a wonderful dinner at the Red Fort, one of my favorite London restaurants.

At the end of the dinner, we headed back to my hotel for coffee and a demo of Authentium's financially-oriented social networking application, SecureTalk. Over coffee, we also recorded an interview about the rest of the applications in the Authentium VERO solution set.

Christophe had just returned from the inaugural FINOVATE 2007 conference in New York, a show set up by Jim Bruene, publisher of the Online Banking Report.

At the conference, Christophe interviewed a number of key players in the emerging world of Online Banking 2.0, including Aaron Patzer of Mint, Chris Larsen of Prosper, Peter Hazelhurst of Yodlee, Patrick Gannon of Lending Club, and Shawn Ward of Geezeo.

We talked about many of the innovations he'd seen at the show, including the large number of social lending companies vying for mindshare. One of the clearly emerging trends, "financially-based social networking" - an idea pioneered in the Web 1.0 world by Bankrate and Lending Tree, but now being taken to new levels by the emerging companies on display at FINOVATE - is something every bank and brokerage that I've spoken with is watching closely.

One of my favorite sites in the area of social lending is Kiva - a site many LinkedIn members will no doubt be familiar with.

I recently lent money through Kiva to the proprietor of a grocery store in Mexico, and thus far she has come through with the payments on time, and all appears to be going well with the business. If you have not yet signed up for Kiva, I recommend you take a look - I think you'll like what these guys are doing.

Back on social networking and banks, I noted with interest yesterday that Jim Bruene, editor of the Online Banking Report, has ranked financially-oriented peer-to-peer social networking among the top three marketing tactics of 2008 in his 2008 Planning Guide for online banks. Given the large number of venture-backed companies in attendance at his conference in this area, this is probably right.

Note on the video: To say our "set" was noisy, would be an understatement! But Christophe somehow managed to ensure the result was watchable. If you're interested in taking a look, and learning more about what Authentium is doing in the Online Banking 2.0 world, please click on the video above or go here.

AcidStorm is a Thief, not a Celebrity

Yesterday, in Los Angeles, a criminal admitted to tampering with a quarter of a million home computers, with the intent of eavesdropping on their communications, stealing their identities, and stealing money from their bank and PayPal accounts.

Yet despite his admission of guilt, and the vast number of people involved, the judge didn't remand this person to prison - the criminal was sent home to watch television and eat ice-cream until his arraignment, several weeks from now.


Folks, we need to stop treating e-criminals like celebrities. Using computers to steal, rather than guns, does not make their motives any different from those of a common thug. It is time to do the public a favor and start putting these guys in the same cage as the people who rob banks using shotguns and getaway vehicles.

Consider again the facts: "AcidStorm", aka John Kenneth Schiefer, a 26 year old Los-Angeles based information security specialist, copped a plea yesterday and admitted creating a bot-net consisting of a quarter of a million computers. He admitted to stealing the identities of thousands of these unsuspecting users. He admitted to accessing PayPal accounts and online bank accounts.

According to published reports, it isn't yet clear how much money was stolen. But what is clear, is that his intent was criminal. This is underlined by events in Schiefer's past, which apparently include defrauding $19,000 from Simpel Internet in Holland, and admonishing an under-age colleague worried about stealing that he should just "quit being a bitch and claim it."


Ask yourself this - if this theft had taken place at a "real bank", rather than via online banking interfaces, and had involved an attempt to steal actual dollar bills from the bank's cash register, would the perpetrator of this crime be out on bail?

Note to judge and Los Angeles Assistant U.S. Attorney Mark C. Krause: please try and forget the fact that this guy used computers to commit this crime. There is no longer anything sexy or interesting about online crime that demands these people be treated differently - their motives are no different than those of a safe-cracker or petty thief, and they place a heck of a lot more people at risk.

You should throw the book at this guy.

Update 1: According to, the malware distributed by Schiefer contained "a sniffing feature that siphoned PayPal credentials from Protected Store, a section of Windows that stores passwords users have opted to have saved. Although Pstore, as the Windows feature is often called, encrypts the information before storing it, Schiefer's malware was able to read it, presumably by escalating its Windows privileges."

Update 2: Also from - on one occasion, in December 2005, Schiefer moved money out of a Suffolk National Bank account to buy undisclosed domain names from a registrar by the name of "Dynadot".

Back on the Beat

It's been a massively busy couple of months at Authentium.

In addition to finalizing our 2008 budget, we've been putting the finishing touches to Authentium VERO (Virtual Environment Restricted Operation), our online banking security solution, and demoing the latest version to more than 50 customers and prospects on four continents.

I've barely had time to sleep, let alone post. But I'm back. And there is plenty to talk about.