CyberheistNews Vol 1, #5
Editor's Corner
Are Users the Weak Link in IT Security?
I met Windows IT Pro Magazine Security Editor Jeff James at the TechEd
show in Atlanta. We discussed IT security and the fact that end-users
are now the biggest vulnerability. Then we continued the talk a few
weeks later and this is the result of the two discussions.
Jeff wrote a great article in his security blog and started out with:
"Firewalls and antivirus can only go so far. For most of 2011, the
news headlines have been filled with tales of cyberheists and security
failures... And in all likelihood there were hundreds (if not thousands)
of less well-known cyberattacks that occurred in the same timeframe but
went unnoticed or unreported. IT security seems to be a mess these days,
with even the largest and most well-financed corporations and government
organizations proven to have security defenses the consistency of
half-eaten Swiss cheese... What Sjouwerman advocates is a much more
aggressive training and education regimen for users at every company,
starting with informing users about the threat posed by phishing attempts
and how to identify and combat them." The whole article is here and
warmly recommended:
http://www.windowsitpro.com/article/security/users-weak-link-security-139572
Five Generations Of Cybercrime
When you need to defend yourself against cyber criminals, it helps to
understand the history of hacking. So here is your Executive Summary.
Early hacking started when guys like Kevin Mitnick became 'digital
delinquents' and broke into the phone company networks. That was to a
large degree to see how far they could get with social engineering,
and it got them way further than expected. Actual financial damage to
hundreds of thousands of businesses started only in the nineties, but
has moved at rocket speed these last 20 years.
Generation ONE
Those were the teenagers in dark, damp cellars writing viruses to gain
notoriety and to show the world they were able to do it. They were
relatively harmless, for the most part no more than a pain in the neck.
We call them sneaker-net viruses, as spreading one usually required
someone to walk over from one PC to another with a floppy disk.
Generation TWO
These early 'sneaker-net' viruses were followed by a much more
malicious type of rapidly spreading worm, like Blaster, Sasser and
NetSky, that started to cause multi-million dollar losses. These were
still more or less created to gain notoriety and to show off the
authors' "elite skills".
Generation THREE
Here the motive moved from recognition to remuneration. These guys
were in it for easy money. This is where botnets came in: thousands
of infected PCs owned and controlled by a cybercriminal, who used
the botnet to send spam, attack websites, commit identity theft and
carry out other nefarious activities. The malware used was more
advanced than the code of the 'pioneers', but did not do much to
cover its tracks.
Generation FOUR
Here is where cybercrime goes professional. The malware starts to
hide itself, and the criminals get better organized. They are mostly
in eastern European countries and use more mature coders, which
results in much higher quality malware, reflected in the first
rootkit flavors showing up. They go for larger targets where more
money can be stolen. This is also the time when traditional mafias
muscle into the game, and rackets like the extortion of online
bookmakers start to show their ugly face.
Generation FIVE
The main event that created the fifth and current generation is
that an active underground economy has formed, where stolen goods
and illegal services are exchanged in a professional manner.
Cybercrime now specializes in different markets that, taken all
together, form the full criminal enterprise. Note that because of
this, cybercrime develops at a much faster rate. All the tools are
for sale now, and relatively inexperienced criminals can get to
work quickly. Some examples of this specialization are:
1) Cybercriminals have their own social networks with escrow services
2) Malware can now be licensed and gets tech support
3) You can now rent botnets by the hour, for your own crime spree
4) Pay-for-play malware infection services quickly create botnets
5) A lively market for zero-day exploits (unknown vulnerabilities).
The problem with this is that it increases malware quality, speeds up
the criminal 'supply chain' and at the same time spreads the risk
among these thieves, meaning it gets harder to catch the culprits.
We are in this for the long haul, and we need to step up our game,
just like the miscreants have done over the last 10 years!
Quotes of the Week
"A specialist is a man who knows more and more about less and less." - William Mayo
"A person without a sense of humor is like a wagon without springs.
It's jolted by every pebble on the road." - Henry Ward Beecher
"You can't put a limit on anything. The more you dream, the farther
you get." - Michael Phelps
Please tell your friends about CyberheistNews! They can subscribe here:
http://www.knowbe4.com/about-us/cyberheist-news/
Selected Dataloss Incidents This Week
Not many people are aware of the excellent work that the people at
www.datalossdb.org do. They gather all data loss security events and
put these in a database, free for everyone to query. Here are some
selected incidents from last week. There are a lot more, varying from
records dumped instead of shredded to stolen laptops with confidential
information.
Do yourself a favor, and take a minute to review this 'Defense-In-Depth'
page. It clearly shows and explains the six areas you need to defend,
and how it all -starts- with Policies, Procedures & Awareness:
http://www.knowbe4.com/resources/defense-in-depth/
Selected Incidents:
Reported Date: 2011-06-24
Summary: Personal information of 58,000
customers and some job applicants
acquired by hackers.
Organization: T&T Supermarket, Inc.
http://datalossdb.org/incidents/3940
Reported Date: 2011-06-23
Summary: Internal memos as well as
personal information such as names,
phone numbers, addresses and passwords
belonging to Arizona law enforcement
accessed by hackers.
Organization: Arizona Department of Public Safety
http://datalossdb.org/incidents/3926
Reported Date: 2011-06-23
Summary: Usernames, passwords, addresses and
email addresses may have been
acquired by hacker.
Organizations: NATO e-Bookshop, Unknown Organization
http://datalossdb.org/incidents/3942
Reported Date: 2011-06-22
Summary: Failure to adequately wipe
devices being re-sold left sensitive
information including Social Insurance
Numbers, provincial health card or passport
numbers, Employment history, academic transcripts,
and personal investment info exposed.
Organizations: Staples Business Depot
http://datalossdb.org/incidents/3931
Reported Date: 2011-06-19
Summary: 177,172 e-mail addresses acquired by hackers.
Organization: Sony Pictures France
http://datalossdb.org/incidents/3890
You can find all of them at:
http://datalossdb.org/
FFIEC Updates Internet Banking Environment Guidelines
Federal banking regulators today released a long-awaited supplement
to the 2005 guidelines that describe what banks should be doing to
protect e-banking customers from cybercrime, hackers and cyberheists.
Experts called the updated guidance a step forward, but were divided
over whether it would be adequate to protect small to mid-sized
businesses against today’s sophisticated online attackers.
“Fraudsters have continued to develop and deploy more sophisticated,
effective, and malicious methods to compromise authentication
mechanisms and gain unauthorized access to customers’ online accounts,”
the FFIEC wrote. “Rapidly growing organized criminal groups have
become more specialized in financial fraud and have been successful
in compromising an increasing array of controls.”
For the complete document, click the link below: Authentication in
an Internet Banking Environment
http://www.fdic.gov/news/news/press/2011/pr11111a.pdf
This document illustrates that no matter how well an organization
tries to protect itself from external cybercriminals, the human
factor (such as internal employees) means the bad guys can sometimes
still gain network access. You should definitely check the
effectiveness of your security. Take a free phishing security test
of your company.
http://www.knowbe4.com/phishing-security-test/
Cyberheist 'FAVE' LINKS:
* This Week's Links We Like. Tips, Hints And Fun Stuff.
The data breach quiz. Find out how RSA, Sony, Citigroup, Anonymous and the
U.S. Senate fit into this watershed year for data hacks:
http://www.networkworld.com/slideshows/2011/062211-data-breach.html?
Cool Photos of Levitating Girl:
http://www.toxel.com/inspiration/2011/06/24/cool-photos-of-levitating-girl/
How people in other countries improvise with various methods of transportation.
http://www.flixxy.com/cars-in-poor-countries.htm
A 2 min. short film about two people in two different cities. Shot entirely on a Nokia N8 mobile phone.
http://www.flixxy.com/splitscreen-a-love-story.htm