PC PORTAL

Experienced. Trusted. Solutions.

Cyber Crime

By

Security newsround: May 2018

We round up reporting and research from across the web about the latest security news and developments. This month: police success against cyber villains, the value of personal data, IoT security, a new ransomware strain, a new security framework and Gmail goes for 2FA.

Law’s long arm collars cyber crooks

Police forces scored three big wins against various cybercrime operations recently. In late April, authorities took down WebStresser.org, one of the world’s most popular marketplaces for launching DDoS attacks. Reuters reported that WebStresser was behind attacks on seven of Britain’s largest banks last November. The service is also alleged to have been responsible for four million attacks since 2015 against governments, police services, and businesses.

The Dutch Politie and the UK’s National Crime Agency led ‘Operation Power Off’, supported by Europol and a dozen other law enforcement agencies. They arrested alleged WebStresser administrators in four countries, seized infrastructure, and took unspecified “further measures” against some of its top users.

Before police pulled the plug, WebStresser had amassed 136,000 registered users. Threatpost aptly described WebStresser as a “criminal fantasy dream site”. It reported that there are 6.5 million DDoS attacks per year on average, earning attackers $13 million in revenue.

In separate operations, a coalition of eight countries led by Belgium took down propaganda broadcasting infrastructure of the Islamic State. Authorities targeted web assets of Amaq News Agency, an online media outlet which authorities called “the main mouthpiece of IS”. The same action also took down other IS-branded media outlets.

Completing the hat-trick, cybercrime teams from Dutch police seized the Anon-IB forum in an investigation relating to criminal offences. Vice Motherboard described Anon-IB as “possibly the most infamous site focused on revenge porn – explicit or intimate images of people shared without their consent”.

We’re always pleased to see law enforcement prevail in the fight against cybercrime. BH Consulting has been a partner of Europol for years. In 2013, our CEO Brian Honan was appointed as a special advisor on internet security to Europol’s CyberCrime Centre (EC3).

What’s your data worth?

If data is the new oil, there’s no shortage of ways that criminals can refine it for profit. As this post from Dark Reading makes clear, stolen data has many purposes that security teams need to know about. Crimes range from stolen IP to filing fraudulent tax rebates to schemes for stealing money, Steve Zurier wrote. Once hackers hold an inventory of stolen data , they package up and sell personal information such as names, addresses, phone numbers, and email addresses. They usually sell this data in bulk to maximise their profits. The more recent the records, the more value they fetch on the black market, Zurier said.

The question of what our data is worth in the digital economy is especially resonant and relevant in light of the recent Facebook/Cambridge Analytica scandal. Not to mention a certain four-letter privacy regulation. In Medium, Rik Ferguson of Trend Micro wrote a thoughtful post that considers the value of our personal information in the online economy. Data, he wrote, “unlike oil … is not burned up when used, but can be sold and resold, mined and reused”.

There’s plenty to chew on for privacy and security professionals. Rik wrote: “Our data is cataloged and combined with the traces we leave behind in the physical world, correlated and mined to reach conclusions far beyond those we might perhaps be comfortable with publicising, and then sold as a commodity or a subscription-based service to any interested party. It is an industry based our ignorance and our nonchalance.”

Securing all the things

ENISA has developed a free interactive tool based on its baseline security recommendations for the Internet of Things. This lets anyone working on IoT projects search and identify good practices. The tool is available to download here, and this page also includes a help guide. It’s based on the agency’s original study on IoT security which it published last year. The new tool is timely, as criminals have apparently begun exploiting IoT as another way to profit from cryptocurrency mining. Trend Micro researchers identified malware that hijacks the processing power of IoT devices and smartphones to mine for cryptocurrency. As Lesley Carhart of Dragos jokingly tweeted: “Your router and your IOT thermostat should really beep like your smoke detector when it’s missing a critical security patch.”

Prepare for a summer of SamSam?

Researchers are warning of criminals taking a new approach to ransomware infections. Sophos analysed the SamSam variant and found criminals carefully choose target organisations. They then launch thousands of copies of SamSam onto that organisation’s computers all at once. Once the infection has hit, the criminals offer victims a volume discount to clean all machines. This differs from the usual spam-like scattergun approach to ransomware of sending one malware copy to multiple possible targets. “The cybercriminals behind SamSam use vulnerabilities to gain access to the victims’ network or use brute-force tactics against the weak passwords of the Remote Desktop Protocol (RDP)”, the researchers wrote. Here’s ThreatPost’s writeup of the research. Sophos’ own blog describes the findings, and here’s a link to the technical paper.

Guidelines in the NIST

The US National Institute of Standards and Technology (NIST) has released version 1.1 of its Framework for Improving Critical Infrastructure Cybersecurity. This updates the original version 1.0 which proved popular on its release in February 2014. Version 1.1’s updated guidelines cover authentication and identity, cybersecurity risk self assessment, supply chain security management, and vulnerability disclosure. NIST programme manager Matt Barrett said the framework is flexible enough to meet an individual organisation’s business or mission needs. It applies to a wide range of technology environments such as information technology, industrial control systems and the Internet of Things. Later this year, NIST will release an updated companion document, the Roadmap for Improving Critical Infrastructure Cybersecurity. NIST’s press release is here and the framework is available free in PDF at this link.

Google beefs up Gmail security

Two-factor authentication got a shot in the arm after Google added this security feature for its Gmail app last month. Also called two-step verification, this sends a prompt to a user’s phone when they access their Gmail account on another computer. Naked Security said this is more secure than sending an SMS code to the phone, which can be vulnerable to fraud. It also pointed out that ease of use will encourage more people to use it, as takeup of 2FA to date has been low. Why does this matter? Here’s how many Gmail users there are in the world: 1.2 billion, to be exact. Google has more details on its blog. If you or your users still prefer passwords, here’s our advice from last year on how to choose better ones.

 

The post Security newsround: May 2018 appeared first on BH Consulting.

By

Security newsround: April 2018

We round up reporting and research from across the web about the latest security news. This month: privacy palaver at Facebook, a cyberattack with explosive intent, securing the IoT, sportswear maker uncovers data breach, and authorities arrest an alleged cybercrime mastermind.

Facebook shook by reverberations and revelations

The worlds of privacy and security collided last month after revelations that consulting group Cambridge Analytica had obtained records of 86 million Facebook users. It then used the data to target voters with pro-Trump messages during the 2016 US presidential election campaign. Scientists working on profiling technology had developed a free personality quiz app that harvested the friend information of users who downloaded the app via Facebook. They then provided this data to Cambridge Analytica. The New York Times reported that the idea for building the app came via Palantir, the data analysis company that works with intelligence agencies.

Facebook initially argued that it didn’t consider this as a breach, because anyone using the app had consented to the terms of service. Such semantic gymnastics didn’t cut much ice with commentators who considered it a ‘breach of trust’ – or worse. The scandal seemed to grow ever more complex as more details emerged. At one point, Facebook saw more than $50 billion wiped off its share price. When CEO Mark Zuckerberg eventually broke his silence days later, his response was “evasive and disingenuous”, wrote Karlin Lillington. Facebook has since suspended another data analytics firm, CubeYou, whose tactics were similar to those of Cambridge Analytica.

Sarah Clarke has written a nuanced perspective on the original story and its privacy implications on her Infospectives blog. Meanwhile, SANS published a guide for infosec professionals on communicating to staff about protecting privacy and deactivating social media profiles.

Life’s a breach

Staying with breaches of a different kind, Verizon has just published its 2018 Data Breach Investigations Report. Now in its 11th year, the DBIR is one of the most widely respected and authoritative sources of security research. Here are some of the key findings: financial gain is the motivation behind 76 per cent of incidents. Outsiders conducted 73 per cent of cyber attacks – mostly organised criminal groups. Ransomware’s unstoppable rise continues: it was the leading malware type last year, responsible for 39 per cent of all infections. The report analyses nine industry sectors and looks at the specific security risks facing each one. The full report is here, with an executive summary available here. The 2018 edition draws on more than 53,000 real-world incidents and 2,347 confirmed data breaches. Ireland’s IRISS-CERT was among 67 agencies contributing to the research.

Cyber crossover

Security experts have long argued that before long, a cyber-attack that began in the virtual world would have real-world consequences. Now there’s an example. News emerged that a petrochemical plant in Saudi Arabia suffered a malware intrusion designed to set off an explosion. The only thing that stopped the explosion from triggering was an error in the computer code, the New York Times reported. The attackers reportedly compromised controllers made by Schneider, which are used in 18,000 plants around the world. The NYT quoted an expert who said a technique that worked against Schneider controllers in Saudi Arabia could also be used in the United States. In separate but related news, the US Department of Homeland Security and the FBI accused Russian hackers of attacking energy companies. The attackers reportedly used spear-phishing to compromise networks in small organisations that are part of US critical infrastructure.

Embedded devices to get embedded security

The UK Government has published  a proposed code of practice aimed at improving security for the Internet of Things. The ‘Secure By Design’ report aims to encourage manufacturers and service providers to embed security at the earliest stages of developing IoT products and services. Recommendations include not allowing universal default passwords, securely storing sensitive data, and making it easier for consumers to configure the devices. The average UK household owns at least 10 connected devices. This blog from the Information Commissioner’s Office covers the main points. James Lyne, head of R&D at SANS Institute, described the development as “positive and much needed”. The issue also came into focus after a fatal collision in Arizona last month, involving a self-driving car. After all, what is an autonomous car but a very large connected device? The Electronic Frontier Foundation called for sharing data as a way to improve both safety and security.

Under Armour doesn’t run for cover after breach

Under Armour disclosed that its MyFitnessPal app and website was hacked, exposing personal information about almost 150 million accounts. The incident occurred in February and affected usernames, emails and passwords, but not payment data. Under Armour said it used strong encryption to protect the passwords. This story is important for two reasons. It’s less a finger-pointing exercise at a data breach victim; more a testament to Under Armour’s transparency. The company informed affected users quickly, and was on the front foot when dealing with media questions. Security experts praised the company’s proactive steps to deal with the fallout: it had a plan and executed against it. Financial markets weren’t so forgiving, though. Shares in Under Armour fell 3.8 per cent after the company disclosed the breach.

A win for the good guys as Carbanak chief cuffed

Let’s wrap up this roundup with a good news story for a change. Law enforcement agencies arrested the alleged ringleader behind the Carbanak and Cobalt attacks. The arrest was a complex operation conducted by Spain’s National Police, supported by Europol, the FBI, and authorities in Romania, Moldova, Belarus and Taiwan, along with private cybersecurity companies. Since 2013, the gang had targeted banks worldwide with a combination of spear phishing and malware like Carbanak and Cobalt. The phishing emails contained a malicious attachment that, when downloaded, gave criminals remote control of the infected machines. Europol said this gave the gang access to the internal banking network and infected the servers controlling the ATMs. As the agency’s infographic shows, the group’s ill-gotten gains amounted to more than $1 billion.

 

The post Security newsround: April 2018 appeared first on BH Consulting.

By

Own goal: email scam nets €2 million for criminals who hijack Lazio transfer

Business email compromise has found its way into the beautiful game. The Italian football club Lazio fell for an email scam and paid €2 million to fraudsters.

Rome daily Il Tempo reported that scammers tricked Lazio by sending an email pretending to be from Feyenoord. Lazio was due to pay the final instalment of a transfer fee to the Dutch club for the defender Stefan de Vrij, who joined the Italians in 2014.

Foul!

The email contained bank transfer details for another Dutch account not belonging to Feyenoord, Il Tempo said. The Dutch club said it didn’t send the email to Lazio, nor did it get the transfer fee. So, in fact both parties suffered a heavy defeat in this case.

Lazio just happens to be the latest to fall foul of a growing problem affecting many kinds of business. Last year the FBI called it ‘the 5 billion dollar scam’, recognising the huge amounts of money fraudsters have made since 2013. Between 2015 and 2017, fraudulent wire transfers grew at a staggering rate of 2,370 per cent.

Offside!

The eye-watering sums of money swirling around the football ‘industry’ make it an enticing target for crooks. Arguably the surprise is that a case like this didn’t come to light sooner. News of multi-million transfer deals are the stuff of back-page stories, bar-room chatter, and online speculation. It’s not hard to imagine a would-be scammer scouring the sports pages for easy research about potential victims. Many of the details for concocting a plausible cover story were in the public domain.

Regardless of the industry, this is a useful test case for infosec professionals. Companies in many industries routinely announce M&A activity, supplier agreements and product launches. News of big deals might be an opportune moment for criminals to strike. Sophos’ Naked Security blog noted that scammers may try to hack actual email accounts in the target company. This would allow them to send scam emails from a genuine address, and then delete them from the sent folder.

As we’ve noted previously on this blog, there’s also a business process aspect to beating the scammers. Requiring approval from more than one director for large-scale payments could reduce the chances of falling for a fake email.

By way of a footnote, the name of the player in question translates from Dutch into English as ‘free’. As Lazio discovered, this transfer was anything but.

 

The post Own goal: email scam nets €2 million for criminals who hijack Lazio transfer appeared first on BH Consulting.

By

Teach staff to steer clear of phishing hooks with awareness training

One of the most important steps for improving security is to understand where you’re starting from first. That covers technical questions like what systems you run or where you store data. Then there’s the all-important human factor: how much do the organisation’s people know about security risks like phishing and malware?

Research repeatedly tells us attackers still rely heavily on phishing. The 2017 Verizon Data Breach Investigation Report found that malicious email attachments caused 66 per cent of malware infections linked to data breaches or ransomware. The same report showed that phishing affects many industries, from manufacturing and retail to healthcare and accommodation.

Effective attacking

Just last week, the Associated Press reported that the Fancy Bear hacking group targeted at least 87 contractors working on high-tech projects – many of them classified – for the U.S. defence forces. The AP said up to 40 per cent of victims clicked on spear phishing emails. Attackers targeted them via personal Gmail accounts or corporate email addresses.

Clearly, there’s value to having staff trained to spot potential phishing attempts because it reduces their risk of a malware infection, or worse. Last summer, while attackers targeted energy companies around Europe, Ireland’s Electricity Supply Board received spear phishing emails. The ESB avoided any incident because an eagle-eyed engineer recognised the attempt for what it was and reported it.

Establishing a baseline

Awareness training often starts with a simulated phishing attack, because this establishes the organisation’s levels of security understanding at that point in time. Best practice is to follow this exercise with an awareness programme. The next time the organisation runs a simulated phishing test, the percentage of staff who open these emails usually decreases. And so on over time.

Security professionals can then use this information to identify specific training that a particular group of employees might need. It also helps when calculating the benefit of future investments. If senior management needs to approve spending, then data about current awareness levels will strengthen the case.

At BH Consulting, we find the most useful methods for phishing awareness involve combining different types of campaigns, just as genuine attackers would. Real-world phishing campaigns often vary their tactics. Some are designed to obtain user passwords, to compromise other accounts, or to trigger a malware infection.

Avoiding the blame game

In February, the UK National Cyber Security Centre published new guidance on phishing that is full of helpful advice. The NCSC warns, rightly, that focusing excessively on users’ role in foiling phishing attacks can potentially cause a organisational harm. “It opens the door to a ‘blame culture’, and the establishment of punishments and sanctions for users who ‘fail’ at spotting phishes,” the agency said.

That’s why it’s worth thinking about how you promote and encourage positive security behaviour. Accurate or not, some security professionals think of humans as ‘the weakest link’. At BH Consulting, we find it’s more helpful when an organisation sees its people not as weak points to be mitigated but as a vital first line of defence. Phishing awareness training goes a long way to changing that approach.

The post Teach staff to steer clear of phishing hooks with awareness training appeared first on BH Consulting.

By

Reporting for duty: how sharing information helps to tackle cybercrime

In the physical world, people report burglaries to law enforcement all the time. Although some individual crimes may go unsolved because of size or volume, reporting contributes to better policing overall. That’s why it’s important to tell law enforcement whenever your business has experienced a cybercrime incident – even an unsuccessful one.

Improving cybercrime statistics

Reporting gives law enforcement valuable intelligence about crime trends, attack methods, victim types, and financial costs. More accurate crime statistics lead to better decisions about staff resourcing, budgeting and reporting. If one type of crime like cybercrime is increasing noticeably, law enforcement can request more resources for their investigative teams. As a result, these added resources make those agencies better equipped to address cybercrime.

Reducing business risk

So what incentive does the infosecurity professional or IT manager have to report incidents rather than keeping them under wraps? “As a function, information security is an expense the business bears in order to reduce loss and risk. At the end of the day, its job is to protect the business, not to go after the bad guys. Reporting crimes to law enforcement helps take those responsible for crime off the internet,” says Brian Honan, CEO of BH Consulting.

The more that companies report, the more data law enforcement can gather and, crucially, share with other agencies. It’s a vital tool in targeting criminals, and is critical in combating cybercrime which by its nature is transnational. For example, in December, Romanian law enforcement officials arrested five people, including three suspected of spreading CTB-Locker or Critroni ransomware. The arrests came about after Europol, the FBI, and Dutch National Police shared intelligence with Romanian authorities.

Calling for backup

Europol has a useful page with links for reporting cybercrime to law enforcement in every EU country. The No More Ransom project also has a similar page for specifically reporting a ransomware infection. This page directs readers to the relevant local law enforcement agency, where they can follow the link to report ransomware.

As well as advising reporting after an incident has happened, Brian also recommends proactive steps that infosec professionals can take. He suggests identifying the person in their local law enforcement who is responsible for investigating cybercrime. “Arrange to meet them informally, and ask them what they need from you to help them do their job,” he says.

It’s always better to know those contacts before a breach happens than during one. In addition, reporting an incident to law enforcement doesn’t necessarily mean it will become public. If discretion is called for, a good prior relationship with your local law enforcement agency could help.

The post Reporting for duty: how sharing information helps to tackle cybercrime appeared first on BH Consulting.