Welcome to the WindowSecurity.com newsletter by Stu Sjouwerman, Founder of Sunbelt Software & CEO of KnowBe4.com. Each month we will bring you interesting and helpful information on the world of Security. We want to know what *you* are interested in hearing about. Please send your suggestions for future newsletter content to: firstname.lastname@example.org
Cybercrime Never Sleeps
Europe's banks are well ahead of the U.S. in terms of security. Many of them now require 2-factor authentication. My wife has an account at a Swedish bank, and they sent us a card with a built-in chip, and a card reader that hooks up to the PC via USB. When she logs into her online banking site, she needs to slip in the card and provide a PIN code. Only then can she get access to the website. You would think this is safe, and it is a lot safer than just a user name and password. But very few banks use this, as it's very expensive. Many rely on 2-factor authentication via SMS, and here is where the trouble starts.
An online banking fraud tool that was recently discovered by researchers at Trend Micro cheats two-factor authentication, fully automates the attack and then hides out so that the victim cannot see the loss or any traces of the theft until long after.
There is a new name for these attacks: 'automatic transfer systems' (ATS). Currently they target customers in Germany, Italy and England, where SMS is used for 2-factor authentication. Some US banks use SMS-based 2-factor authentication for wire transfers.
Tom Kellermann, vice president of cybersecurity for Trend Micro, said: "It also has the capacity to move funds out of the [victim's] account so that the criminal doesn't have to sit there and wait or wait for communication from his bot. It's totally automated." This concept is not new of course, but they have taken the ATS module to the next level for Zeus and SpyEye. The user sees nothing except the transaction amount that has been taken out of the account. Kellermann said: "...It's elegant."
Perhaps from the perspective of the malware researcher, but from the victim's perspective it's horrific, and it costs an enormous amount of time, hassle and heartache. If you are in IT, I would strongly recommend creating a Linux boot disk for the people in Finance who handle online banking, and having them use that for browser-based banking transactions. When done, reboot and go back to Windows.
Meet My New Business Partner: Kevin Mitnick
Late last year the Wall Street Journal wrote an article about social engineering. They concluded that the end-user was the weak link in IT security, quoted some experts in the field and talked about possible solutions. My company KnowBe4 was mentioned in the article, and so was Kevin Mitnick, who in the mid-nineties was the World’s most wanted hacker, and who now is a successful security consultant and keynote speaker.
Kevin is now our Chief Hacking Officer. More here.
PS: Did you know that I also write a weekly newsletter called CyberheistNews? It goes to 40,000 people every Tuesday. Subscribe here.
Quotes Of The Month
"Far and away the best prize that life offers is the chance to work hard at work worth doing" -- Theodore Roosevelt
"Choose a job you love, and you will never have to work a day in your life." -- Confucius
Editor, WindowSecurity.com Newsletter
Email me at email@example.com
Prevent Email Phishing
Sign Up For Your Free Email Exposure
Want to stop Phishing Security Breaches? Did you know that many of the email addresses of your organization are exposed on the Internet and easy to find for cybercriminals? With these addresses they can launch spear-phishing attacks on your organization. This type of attack is very hard to defend against, unless your users are highly ‘security awareness’ trained.
IT Security specialists call it your ‘phishing attack surface’. The more of your email addresses that are floating out there, the bigger your attack footprint is, and the higher the risk is. Find out now which of your email addresses are exposed with the free Email Exposure Check (EEC). An example would be the email address and password of one of your users on a crime site. Fill out the form and we will email you back with the list of exposed addresses. The number is usually higher than you think.
Sign Up For Your Free Email Exposure Check Now
Welcome To The Age Of Weaponized Malware
The cyberweapon genie is out of the bottle, and the U.S. is engaged in a cyberwar. Now it becomes clear why the Government has been trying to get private industry to agree to certain cybersecurity standards. They are basically like an “arsonist calling for a better fire code”, as per Jason Healey, director of the Cyber Statecraft Initiative at the Atlantic Council.
In June 2012 it was revealed that the White House decided to wage cyberwar against Iran, starting under the Bush Administration and continued in an intensified form by the Obama Administration. President Obama was, and I assume still is, personally involved with the details of the attacks on the Iranian Natanz uranium enrichment facility. In David E. Sanger’s book ‘Confront and Conceal: Obama’s Secret Wars and Surprising Use of American Power’ this has been spelled out for the first time. Michael D. Hayden, the former chief of the CIA, said: “This is the first attack of a major nature in which a cyberattack was used to effect physical destruction… you can’t help but describe it as an attack on critical infrastructure.” He continued with: “Somebody has crossed the Rubicon… in one sense at least, it’s August 1945, the month that the world saw the first capabilities of a new weapon, dropped over Hiroshima.” The big difference is that the cyberweapons created by the U.S. Administrations are weapons of precise destruction, not mass destruction, but Hayden does make a good point: in the hands of cybercriminals they can easily become a weapon of mass destruction.
The U.S. Administration obviously wanted to keep this under wraps for as long as possible, and even when it was discovered, hoped it would be unattributable. So much for that. The idea was if they could damage Iran’s uranium enrichment capabilities, it would not be necessary for Israel to bomb Natanz, and potentially spark a war in the Middle East with disastrous consequences for oil prices. I understand all that. But now you have highly powerful cyberweapons in the hands of every somewhat capable hacker. Compare that to the limited nuclear proliferation we have today and you see that this genie is impossible to put back in the bottle.
Now, what risks are we talking about here? Well, there is a spectrum of cyberthreats, on a scale from nuisance to catastrophic. Spam is a nuisance; your economic infrastructure shut down and your utilities destroyed sets a country back 50 years. No, the sky is not falling. But bad guys are now getting their hands on some mighty powerful malcode that could be used to penetrate your organization. How to protect yourself?
ABC News investigative producer Lee Ferran argues that “human carelessness” is more responsible for cyberthreats than technical advances: “no matter how sophisticated the attack or how capable the defenses, the weakest link in cybersecurity is often the human at the keyboard.” He just wrote an article called Bigger Than Flame, Stronger Than Stuxnet: Why ‘Idiot’ Humans Are Best Cyber Weapon.
Microsoft warns that civilian casualties are inevitable in governments' cyber war. Cyber attacks such as Duqu, Stuxnet and Flame will inevitably hurt private companies and innocent people as well as governments, according to Microsoft Trustworthy Computing (TwC) corporate vice president Scott Charney. Here is the article at the U.K. website V3.
Beware Scare Tactics for Mobile Security Apps
Well known journalist Brian Krebs reported: "It may not be long before your mobile phone is beset by the same sorts of obnoxious, screen-covering, scaremongering ads pimping security software that once inundated desktop users before pop-up blockers became widely-used. Richard M. Smith, a Boston-based security consultant, was browsing a local news site with his Android phone when his screen was taken over by an alarming message warning of page errors and viruses. Clicking anywhere on the ad takes users to a Web site selling SnapSecure, a mobile antivirus and security subscription service that bills users $5.99 a month." Read the article.
With The Convergence, Mobile Security Is A Clear Focus
Ricky Magalhaes here at WindowSecurity.com had a good article about securing all your mobile devices. He started out with: "The days of having a single device with one specific function is over. Mobile devices are converging; your ‘mobile phone’ is no longer just your ‘mobile phone’, it’s your mobile PC. The convergence of data or information and communication technology in a singular intelligent mobile device has the advantages of global and abundant ease of access to information, collaboration and communication at your fingertips. With the exponential rate at which these mobile devices are advancing and becoming more sophisticated, the on-going development of mobile device enterprise application platforms and telecom improvements, the easier it is becoming to access and manipulate information, however on the flip-side the wider the door is being left ajar for hackers or individuals with malicious intent to do the same."
ViewPoint - Your Take
Write me! This is the spot for your take on things. Let me know what you think about Security, tools, and things that need to be improved. Email me at firstname.lastname@example.org
SecOps: What You Need To Know
Passwords: Do You Like Them Plain, Hashed Or With Some Salt?
CloudFlare's @jgrahamc explains the basics of password security, and this is a recommended read for anyone in IT.
"Over the last few weeks a number of companies have seen their password databases leaked onto the web and found that despite having made some effort to protect them many of the passwords were easily uncovered. Unfortunately, the disclosure of password databases is an ugly reality of the Internet; entire forums are dedicated to hackers who collaborate to uncover passwords from files and specialized password cracking software is easy to obtain. To understand password storage it's best to go back to basics and some history." Read this blog post.
How To Decrypt An MD5-Hash
So simple a 5-year-old can do it. Go to this site. Enter the hash. Click on 'Decrypt'. Voila! So that is why you need to salt and pepper your passwords and run the hash through many iterations. It's all about increasing the cost to the attacker!
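To make the point concrete, here is an added example written for this newsletter (not code from the blog post above, from CloudFlare, or from any of the 'decrypt' sites): a small constructed wordlist shows why an unsalted MD5 hash is nothing more than a table lookup, while a per-user random salt, a server-side pepper and a large PBKDF2 iteration count turn every guess into real CPU work. The pepper value, iteration count and storage format are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed toy list of common passwords (example data, not from the page).
COMMON_PASSWORDS = ["password", "123456", "letmein", "qwerty"]


def md5_hex(password: str) -> str:
    """Unsalted MD5, the way many leaked password databases stored it."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


# Precomputed table hash -> password. Build it once for a big wordlist and
# every unsalted hash becomes a dictionary lookup; that is all the
# 'MD5 decrypt' websites do. Salting breaks this because the same password
# no longer produces the same hash for two users.
MD5_LOOKUP = {md5_hex(p): p for p in COMMON_PASSWORDS}


def reverse_unsalted_md5(digest_hex: str) -> Optional[str]:
    """Return the password if its hash is in the table, else None."""
    return MD5_LOOKUP.get(digest_hex)


# Assumed parameters: a server-side secret ('pepper') kept in application
# config rather than in the user table, and an iteration count chosen so
# that each guess costs noticeable CPU time.
PEPPER = b"example-pepper-keep-out-of-the-database"
ITERATIONS = 100_000


def _pepper(password: str) -> bytes:
    # Mix in the server secret so a stolen user table alone is not enough.
    return hmac.new(PEPPER, password.encode("utf-8"), hashlib.sha256).digest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Salt + pepper + iterated PBKDF2-HMAC-SHA256, stored as one string."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per user
    dk = hashlib.pbkdf2_hmac("sha256", _pepper(password), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", _pepper(password),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


if __name__ == "__main__":
    leaked = md5_hex("letmein")
    print("unsalted MD5", leaked, "->", reverse_unsalted_md5(leaked))
    stored = hash_password("letmein")
    print("salted + peppered:", stored)
    print("verify correct:", verify_password("letmein", stored))
    print("verify wrong:  ", verify_password("letmeout", stored))
```

Two users who pick the same password get identical MD5 hashes (one lookup cracks both) but different salted hashes, and the iteration count is stored with the hash so it can be raised over time without breaking existing accounts.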
Fighting False Positives Is Just As Hard As Fighting Real Malware
A few weeks back Avira, a major antivirus company, wreaked havoc on Windows PCs by releasing a Service Pack that bricked machines by blocking boots and banning the launch of almost every Windows executable. Ouch. Eugene Kaspersky has a good article about this, with some graphs that compare False Positives of leading antivirus products. Very interesting.
He started out with: "Any software vendor sometimes makes unfortunate mistakes. We are human like everybody else and we make mistakes sometimes, too. What’s important in such cases is to publicly admit the error as soon as possible, correct it, notify users and make the right changes to ensure the mistake doesn’t happen again (which is exactly what we do at KL). In a nutshell, it’s rather easy – all you have to do is minimize damage to users.
But there is a problem. Since time immemorial (or rather memorial), antivirus solutions have had a peculiarity known as false positives or false detections. As you have no doubt guessed, this is when a clean file or site is detected as infected. Alas, nobody has been able to resolve this issue completely."
Five Generations Of Cybercrime
It helps to understand more about the history of hacking, when you need to defend yourself against cyber criminals. So here is your Executive Summary:
Early hacking started when guys like Kevin Mitnick became ‘digital delinquents’ and broke into the phone company networks. That was to a large degree to see how far they could get with social engineering, and it got them way further than expected. It was a game to see what could be done more than anything else. Actual financial damage to hundreds of thousands of businesses started only in the nineties, but has moved at rocket speed these last 20 years. The move has been from "fame to fortune."
Those were the teenagers in dark, damp cellars writing viruses to gain notoriety, and to show the world they were able to do it. Relatively harmless, no more than a pain in the neck to a large extent. We call them sneaker-net viruses as it usually took a person to walk over from one PC to another with a floppy disk to transfer the virus.
These early day ‘sneaker-net’ viruses were followed by a much more malicious type of super-fast spreading worms (we are talking a few minutes) like Sasser and NetSky that started to cause multi-million dollar losses. These were still more or less created to get notoriety, and teenagers showing off their "elite skills".
Here the motive moved from recognition to remuneration. These guys were in it for easy money. This is where botnets came in, thousands of infected PCs owned and controlled by the cybercriminal that used the botnet to send spam, attack websites, engage in identity theft and for other nefarious activities. The malware used was more advanced than the code of the ‘pioneers’ but was still easy to find and easy to disinfect.
Here is where cybercrime goes professional. The malware starts to hide itself, and they get better organized. They are mostly in eastern European countries, and use more mature coders which results in much higher quality malware, which is reflected by the first rootkit flavors showing up. They are going for larger targets where more money can be stolen. This is also the time where traditional mafias muscle into the game, and rackets like extortion of online bookmakers starts to show its ugly face.
The main event that created the fifth and current generation is that an active underground economy has formed, where stolen goods and illegal services are bought and sold in a 'professional' manner, if there is such a thing as honor among thieves. Cybercrime now specializes in different markets (you can call them criminal segments), that taken all together form the full criminal supply-chain. Note that because of this, cybercrime develops at a much faster rate. All the tools are for sale now, and relatively inexperienced criminals can get to work quickly. Some examples of this specialization are:
- Cybercrime has their own social networks with escrow services
- Malware can now be licensed and gets tech support
- You can now rent botnets by the hour, for your own crime spree
- Pay-for-play malware infection services that quickly create botnets
- A lively market for zero-day exploits (unknown vulnerabilities)
The problem with this is that it increases the malware quality, speeds up the criminal ‘supply chain’ and at the same time spreads the risk among these thieves, meaning it gets harder to catch the culprits. We are in this for the long haul, and we need to step up our game, just like the miscreants have done these last 10 years!
Android Hackers Hone Skills In Russia
The malware business growing around Google Android - now the leading smartphone operating system - is still in its infancy. Today, many of the apps built to steal money from Android users originate from Russia and China, so criminal gangs there have become cyber-trailblazers. More at ComputerWorld.
A Business Savvy Cyber Gang Driving a Massive Wave of Fraud
Rod Rasmussen wrote a great article about one gang that is very busy generating malware: "Tucked away in a small town outside Moscow, Russia one of the world’s most prolific and effective cybercriminals works away on the next version of malicious software that will enable the theft of millions of dollars from unsuspecting victims around the world.
Going by the online moniker of “Paunch,” he is continuously updating his browser exploit software, called "Black Hole" and it is wreaking havoc daily amongst many of the world’s largest brands and government organizations.
His software doesn't actually enable the theft of money, exfiltrate data, or keylog victims as you may suspect, but it is the premier product in the "browser exploit pack" (BEP) software category. These exploit kits are installed onto websites, some compromised, others set up by criminals. Then, when people visit these sites using a vulnerable browser, and large portions of them are, their computers are immediately broken into. This allows for the installation of any kind of malware the exploiter wants to put on them. Oftentimes this will be one of the very latest in crimeware like Zeus, Bugat, or Cridex."
Fave links & Cool Sites
- This week's virtual vacation! Follow Kevin Kelly on his trip through Taiwan, China, Singapore, Burma, India, Korea and Indonesia - all in 90 seconds
- An impressive aerobatics display by jet pilot Michaël Brocard at the largest air show in Switzerland
- A visual explanation of how the Internet actually works. Ride with a packet of data and follow it as it flows from your fingertips, through circuits, wires, and cables, to a host server, and then back again, all in less than a second. Fun to send to your employees
- Richart Sowa lives on an island that he made himself, using 100,000 discarded plastic bottles as a floating support structure
- Can you predict what the dominant new technology will be in 75 years? Belgian visionary Paul Otlet imagined the Internet in 1934!
- Tactical stabbing pen adds handcuff key and other stuff. I got one for Father's day, w00t
- How many hours does it take to make a flamenco guitar? Wow
- Friesian Horses are known to be beautiful, versatile, athletic, kind, willing, and are able to do anything
- Dogs in cars doing what they love to do ... in California
- Philosophers World Cup by Monty Python, now that's a way to play soccer