Tuesday, October 27, 2009

Part III: Small Businesses under Attack from Organized Cyber Crooks

Noted computer security journalist Brian Krebs, who writes the Security Fix blog and also writes for the Washington Post, has recently chronicled in his blog the escalation of costly cyber security incidents encountered by small and medium businesses. This three-part article highlights these developments and suggests several practical and affordable defensive measures for small and medium businesses. To request a complete copy of the article you can email us: info [at] calyptix [dot] com.

How to protect yourself. Protective measures include implementing sound financial management practices, educating staff, and implementing sound IT practices and technologies.

• Reconcile your bank accounts daily. Pay special attention to all online banking and credit card activity, including checks generated from online bill pay systems. The victimized companies Krebs interviewed that were most successful in retrieving stolen funds were those who quickly spotted the fraudulent transfers by monitoring account activity. Some crooks, taking a page out of the VAR playbook for recurring revenue, have set up monthly automatic bill payments, paying themselves by check to some nondescript company at a PO Box to avoid detection by the casual observer.

• Ask your bank to set up a notification procedure -- perhaps approval by phone -- for any transfers or bill payments that fall outside your normal online banking activity.

• For employees who need to access accounts online, consider setting them up with a separate, isolated computer. Noting that most attacks have been on Microsoft Windows systems, Krebs suggests using a Mac or Linux system (perhaps even a live CD distribution of Linux). We also invite you to contact us to learn how we can tailor our AccessEnforcer to further lock down a dedicated banking terminal.

• Be wary of unusual experiences when accessing online banking systems, including login difficulties or anything odd about the bank’s website (e.g. slowness, formatting, colors, logos, quality, misspellings, etc.).

• Educate your staff and executives about the risks and best practices for passwords, unsolicited email, unknown website links, software updates and downloads. Make certain to highlight this issue for staff who access online bank accounts; note, however, that once a single workstation anywhere on a network is infected, all others may be at serious risk.

• Keep all systems (workstations, servers, network equipment, etc.) promptly patched with all security updates to prevent attacks that exploit security vulnerabilities.

• Implement a coordinated, layered security strategy (aka “Defense in Depth”) across the network, including protection at the perimeter (e.g. the internet gateway), on servers and on workstations.

• Implement a stringent perimeter defense that provides visibility into all traffic and uses proactive security techniques such as intrusion prevention and web filtering to stop otherwise invisible network attacks, scans and exploits.

• Eliminate spam and other email from untrusted sources.

• Establish proper reporting and controls to prevent web surfing and software downloads from sites susceptible to malware (e.g. pornography, videos, pirated music and software, etc.).
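The daily reconciliation advice above, and the pattern Part II describes of transfers kept under $10,000 and recurring bill payments to a nondescript payee, can be turned into a simple check that runs over an exported transaction list each morning. The script below is an added illustration and is not code from the original post or from Calyptix; the transaction records, approved payee list, field layout and thresholds are all constructed assumptions, not any bank's export format.

```python
"""Daily reconciliation checks for a small-business bank account export.

Added illustration for the reconciliation advice above; the records,
approved payee list, field layout and thresholds are constructed.
"""
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample export: (date, payee, amount, channel).
SAMPLE_TRANSACTIONS = [
    (date(2009, 10, 1), "Acme Steel Supply", 4200.00, "ach"),
    (date(2009, 10, 2), "City Power & Light", 880.15, "billpay"),
    (date(2009, 10, 5), "Northside Holdings LLC", 1975.00, "billpay"),  # payee never seen before
    (date(2009, 10, 6), "R. Perez", 9850.00, "wire"),                    # three wires, each just
    (date(2009, 10, 6), "T. Nguyen", 9700.00, "wire"),                   # under $10,000, on the
    (date(2009, 10, 6), "L. Brooks", 9900.00, "wire"),                   # same day
    (date(2009, 10, 7), "Acme Steel Supply", 3100.00, "ach"),
    (date(2009, 11, 5), "Northside Holdings LLC", 1975.00, "billpay"),  # same payee, next month
]

# Payees the person reconciling the account has approved (constructed list).
KNOWN_PAYEES = {"Acme Steel Supply", "City Power & Light"}

# Assumed thresholds: transfers sized to stay under a $10,000 reporting line,
# three or more of them inside two days, are worth a phone call to the bank.
STRUCTURING_FLOOR = 5000.00
STRUCTURING_CEILING = 10000.00
BURST_WINDOW = timedelta(days=2)
BURST_COUNT = 3


def flag_unknown_payees(txns, known):
    """Every payment to a payee not on the approved list."""
    return [t for t in txns if t[1] not in known]


def flag_sub_threshold_bursts(txns):
    """BURST_COUNT or more transfers between the floor and ceiling within BURST_WINDOW."""
    candidates = sorted(t for t in txns if STRUCTURING_FLOOR <= t[2] < STRUCTURING_CEILING)
    flagged = []
    for i, start in enumerate(candidates):
        window = [t for t in candidates[i:] if t[0] - start[0] <= BURST_WINDOW]
        if len(window) >= BURST_COUNT:
            flagged.extend(t for t in window if t not in flagged)
    return flagged


def flag_recurring_new_payees(txns, known):
    """An unapproved payee paid the same amount in more than one month (the
    'monthly automatic bill payment to a PO Box' pattern)."""
    months_seen = defaultdict(set)
    for d, payee, amount, _channel in txns:
        if payee not in known:
            months_seen[(payee, amount)].add((d.year, d.month))
    return [key for key, months in months_seen.items() if len(months) > 1]


def reconcile(txns, known):
    """Run all three checks and return the findings by category."""
    return {
        "unknown_payees": flag_unknown_payees(txns, known),
        "sub_threshold_bursts": flag_sub_threshold_bursts(txns),
        "recurring_new_payees": flag_recurring_new_payees(txns, known),
    }


if __name__ == "__main__":
    for category, items in reconcile(SAMPLE_TRANSACTIONS, KNOWN_PAYEES).items():
        print(category)
        for item in items:
            print("   ", item)
```

Anything the script flags is a prompt for a human to look at the transaction, not a verdict: a new legitimate vendor will show up in the unknown-payee list too, and adding it to the approved set once it has been confirmed is the whole point of reconciling daily rather than at month end.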

For additional information, go to www.calyptix.com where you may access a free whitepaper entitled Twelve Security Techniques for Small Businesses.

Friday, October 23, 2009

Top 10 things I learned from US Government Trusted Internet Connection Strategy

In July, the Department of Homeland Security updated its Information Security and Privacy Advisory Board on its Trusted Internet Connections (TIC) strategy. I stumbled upon this presentation which provided some insight into the challenges of the federal government for Internet Security.

Here are the top 10 things I discovered when I reviewed it.

1. DO NOT (under any circumstances) share your IT security strategy with the media. All they heard is that the government will only have 50 Internet connections.

2. The plan states "The total number of access points should be less than 50 to the extent practicable." "To the extent practicable" is a legal term that will translate into vulnerabilities. (Page 7).

3. "Practicable" is a term of art that differs depending who you are - agency officials, vendors and politicians. Tax payers are not included.

4. If you can't meet your goals, revise them (page 18):
“Continue to pursue the goal of the Trusted Internet Connection program to reduce the number of government network connections to the Internet but reconsider goals and timelines based on a realistic assessment of the challenges.” – Cyberspace Policy Review, 2009

5. The TIC strategy presumes trust among government agencies. Hmmmm...... See item 4 again (and again).

6. Use pictures [with cryptic notes and ambiguous goals] to explain your IT initiatives because everyone will understand at least some part of the picture....and later you can explain it however you want.

7. PowerPoint slides have gone too far if the US government can describe its strategy on just one slide (page 8).

8. Leverage pre-existing brands by using really smart code names like "Einstein" to convey a sense of confidence and to ensure a steady stream of funding resources regardless of results. For instance, the media would have a field day if the program gets cancelled (e.g. Congress Kills Einstein).

9. When establishing rules for operations, be sure to provide absolute clarity (with sufficient loopholes). See page 9 for this excellent example of a bright-line rule for HTTP/S connections:
"Unless exempted all http/https connections to external systems only allowed by Web proxy."

10. Keep your day jobs. The vendor gods (even Lawrence) cannot convert this TIC strategy into an SBS wizard [YET!].

Thursday, October 22, 2009

Part II: Small Businesses under Attack from Organized Cyber Crooks

Noted computer security journalist Brian Krebs, who writes the Security Fix blog and also writes for the Washington Post, has recently chronicled in his blog the escalation of costly cyber security incidents encountered by small and medium businesses. This three-part article highlights these developments and suggests several practical and affordable defensive measures for small and medium businesses. To request a complete copy of the article you can email us: info [at] calyptix [dot] com.

How attacks occur. The victims of this type of fraud have told Krebs different stories, but the basic elements are the same. Malicious software is planted on a company PC, allowing the crooks to gain access to the victim's corporate bank account online. The attackers wire chunks of money to accomplices called “money mules” in the United States, who then wire the money to the fraudsters overseas.

Common ploys include email targeting the company’s controller, accounting staff or other high-level executives. These emails contain a virus-laden attachment or a link to a web site that, when opened, surreptitiously installs malicious software. The malicious software is designed to go undetected and to steal passwords and other banking credentials. Once the credentials are obtained and communicated back to the fraudsters, the crooks start transferring small amounts (less than $10,000) out of the account to the “money mules.” The transfers can take the form of wire transfers and even checks paid as online bill payments.

A recent intelligence report circulated among the financial services industry on September 14, 2009 described one such scheme involving a new series of spam originating from the “Cutwail botnet”, the world's highest-volume spam-sending botnet (90,000 spam messages per hour). In this case, the spam purports to come from the U.S. Internal Revenue Service (IRS) and appears to contain a link to the IRS web site. Instead, the link directs the recipient to a site that downloads malicious software. Users are advised that the IRS does NOT send email to conduct business, and any such spoofed emails should be deleted immediately.
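The IRS lure above relies on a link whose visible text says one thing and whose target is another, and the Conficker/Microsoft spam described later on this page trades on a brand name in the same way. A mail gateway or quarantine review can catch both patterns mechanically. The parser below is an added example, not code from the original post or from any product it mentions; the sample message body, the placeholder domains in it, and the brand-to-domain table are constructed assumptions.

```python
"""Flag links in an HTML email body whose visible text names one site while the
href points at another, or whose host merely mentions a brand without belonging
to that brand's domain. Added illustration; the sample body is constructed and
the domains in it are placeholders."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample in the style of the IRS lure; domains are placeholders.
SAMPLE_BODY = """
<p>Notice of Underreported Income. Review your statement at
<a href="http://irs-gov.refund-check.example/update">http://www.irs.gov/</a>.</p>
<p>Questions? See <a href="https://www.irs.gov/">www.irs.gov</a>.</p>
"""

# Brands the spam impersonates and the domains they legitimately use (assumed table).
BRAND_DOMAINS = {
    "irs": {"irs.gov"},
    "microsoft": {"microsoft.com", "windowsupdate.com"},
}


def host_of(url):
    """Lower-cased hostname of a URL; a bare host like 'www.irs.gov' is accepted too."""
    host = urlparse(url if "://" in url else "http://" + url).hostname
    return (host or "").lower()


def same_site(host, domain):
    """True when host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = _LinkCollector()
    parser.feed(html)
    return parser.links


def suspicious_links(html):
    """Return (href, text, reason) for each link that fails either check."""
    findings = []
    for href, text in extract_links(html):
        href_host = host_of(href)
        # Only treat the link text as a host if it looks like one (has a dot, no spaces).
        text_host = host_of(text) if "." in text and " " not in text else ""
        if text_host and not (same_site(href_host, text_host) or same_site(text_host, href_host)):
            findings.append((href, text, "link text names a different host than the href"))
            continue
        # Brand name appearing as a label in the host, e.g. 'irs-gov.refund-check.example'.
        labels = re.split(r"[^a-z0-9]+", href_host)
        for brand, domains in BRAND_DOMAINS.items():
            if brand in labels and not any(same_site(href_host, d) for d in domains):
                findings.append((href, text, f"host mentions {brand} but is not a {brand} domain"))
    return findings


if __name__ == "__main__":
    for finding in suspicious_links(SAMPLE_BODY):
        print(finding)
```

Splitting the host into labels before looking for the brand name avoids matching the letters "irs" inside an unrelated word, and the "link text names a different host" rule fires regardless of brand, which is what catches a lure for a bank the table has never heard of.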

Today's underground online fraud economy is a sophisticated international business model with specialized expertise and multiple levels of participants. Research from RSA's Anti-Fraud Command Center identifies the two main goals of online fraud as "harvesting" and "cash-out." Harvesting is where criminals target user access credentials by skimming, phishing or Trojans; cash-out is where fraudsters go after the profit (money) through e-commerce transactions or online banking transfers using sophisticated malware, mostly Trojans. Online fraudsters collaborate and set up business relationships through online forums to share information and tools and to discuss the latest business opportunities.

The sophistication of the malicious software varies, and it can be extremely difficult to detect. For instance, one data-stealing Trojan program known as "Zeus" allows the attacker to change the display of a bank's login page as a victim is entering their credentials. For example, when a victim submits his one-time password along with his credentials, the malware may force the browser to return a counterfeit page (still showing the bank's domain name in the URL bar) stating that the bank's site is down for maintenance and asking the user to try again in 15 minutes. Meanwhile, those credentials are not submitted to the bank but instead sent to the attackers. While the unwitting victim waits as instructed, the thieves use the intercepted credentials to log in as the victim and initiate unauthorized transfers from that account.

Part III: Practical steps to take.

Tuesday, October 20, 2009

Part I: Small Businesses under Attack from Organized Cyber Crooks

Noted computer security journalist Brian Krebs, who writes the Security Fix blog and also writes for the Washington Post, has recently chronicled in his blog the escalation of costly cyber security incidents encountered by small and medium businesses. The most costly involve looting bank and payroll accounts. The absence of notoriety of these incidents compared to large-scale breaches at big retailers does not minimize the impact on the victims. This three-part article highlights these developments and suggests several practical and affordable defensive measures for small and medium businesses. To request a complete copy of the article you can email us: info [at] calyptix [dot] com.

Incidents highlighted by Krebs include:

• Gainesville, Ga.-based Slack Auto Parts lost nearly $75,000 in July 2009 when fraudsters used malware to steal the company's online banking credentials and distribute the funds to six money mules around the country.

• JM Test Systems, an electronics calibration company in Baton Rouge, La., lost almost $100,000 after thieves used malicious software to send a series of payments under $10,000 each to at least five co-conspirators around the country, who then wired the money on to fraudsters in Russia.

• Sign Designs, Inc., a Modesto, Calif.-based company that makes and installs electric signs, lost nearly $100,000 on July 23, when crooks used the company's credentials to log in to its online banking account and initiate a series of transfers to 17 accomplices at seven banks around the country.

• On the morning of Aug. 17, hackers broke into computers at the Sanford School District in Sanford, Colorado, and initiated a series of bogus fund transfers totaling $117,000 directly out of the school's payroll account.

• In mid-July, computer crooks stole $447,000 from Ferma Corp., a Santa Maria, Calif.-based demolition company, by initiating a large batch of transfers from its online bank account.

Special risks to businesses. Businesses do not enjoy the same legal protections as consumers when banking online. Under state laws, consumers typically have up to 60 days to dispute unauthorized charges. Meanwhile, business banking relationships are governed by Article 4 of the Uniform Commercial Code, which gives commercial banking customers as little as two business days to spot and dispute unauthorized activity. The burden rests on business customers to monitor activity daily if they want any chance of recovering unauthorized transfers from their accounts.

Part II: How the attacks occur.
Part III: Practical steps to take.

Monday, October 19, 2009

Email malware leverages Conficker & Microsoft brands

A quick search of my email quarantine today on AccessEnforcer has confirmed reports from Arbor Networks and UAB cyber security researcher Gary Warner at Cyber Crime and Doing Time that spammers and malware authors are leveraging the public awareness of Conficker along with the Microsoft brand.

Friday, October 9, 2009

Third Tier Webinar: Behind the SBS 2008 Wizards

Our friends at Third Tier are hosting a webinar next week on Microsoft Small Business Server 2008.

Topic: Behind the SBS 2008 Wizards
Date: Thursday, October 15
Start Time: 12:00 p.m.
End Time: 1:30 p.m.

Presenters: Amy Babinchak and Steve Banks

Learn what is really happening when you run the SBS 2008 wizards.
Please join Third Tier and invite your friends.

To see more details and RSVP, follow this link to the Third Tier Facebook page.

Third Tier provides advanced IT support services to IT professionals, covering a full suite of Microsoft products (e.g. SBS, Exchange, Windows Server, SharePoint, Active Directory, ISA) and Calyptix's AccessEnforcer. Services available through Third Tier provide affordable, efficient and timely access to high-level support for IT professionals. You can learn more about Third Tier here.

Thursday, October 8, 2009

FBI hauling in Phishing ring

The FBI has just started making arrests in a crackdown on perpetrators of phishing attacks. The current probe targets 100 defendants in the U.S. and Egypt. Law enforcement has snared at least 33 culprits in California, Nevada and North Carolina (including a number right here in the Queen City - home of yours truly and Bank of America) and about 45 in Egypt so far. Local Charlotte TV news is all over the arrests but is having trouble articulating the issue.

More details are available from Brian Krebs of the Washington Post here.

The FBI project was code named "Operation Phish Phry." Nearly 20 defendants in the United States remain at large. The FBI said that authorities in Egypt have charged at least 47 indicted co-conspirators there in connection with the scam, which ran from January 2007 through September. It is the largest group of defendants to face charges in a cybercrime case, the FBI told Brian Krebs of the Washington Post.

Krebs's research indicates the group is accused of moving more than $1.5 million to dummy accounts.

Gary Warner, a noted cyber crime researcher and blogger from the University of Alabama at Birmingham, has provided more details on the operation here.

Warner notes that the 85-page indictment, which was presented to a grand jury back in February, was unsealed once the arrests began and contains a wealth of information. WIRED magazine's Threat Level blog was the first to obtain a copy of the indictment.

Warner notes that the basic charges are:
18 USC § 1349: Wire and Bank Fraud Conspiracy
18 USC § 1344(1): Bank Fraud
18 USC § 1028A: Aggravated Identity Theft
18 USC § 371: Computer Fraud Conspiracy
18 USC § 1030(a)(4): Computer Fraud
18 USC § 1956(h): Money Laundering Conspiracy

Warner notes that the addition of the Aggravated Identity Theft charge provides an automatic and non-negotiable two additional years on each sentence, which guarantees none of these people will get a "slap on the wrist" unless the prosecution fails to show they used the identities of at least ten individuals.

A copy of the indictment is available here.