Reuters: Beyond the Breach

My piece on disruption in the cybersecurity space. Too many companies and ideas to mention in Reuter-space, but it’s a start.  Thanks to Ian Geohegan, as ever, for his editing touch.  

Beyond the breach: cyberattacks force a defense strategy re-think | Reuters

(Reuters) – A barrage of damaging cyberattacks is shaking up the security industry, with some businesses and organizations no longer assuming they can keep hackers at bay, and instead turning to waging a guerrilla war from within their networks.

U.S. insurer Anthem Inc last week said hackers may have made off with some 80 million personal health records. Also, Amy Pascal said she would step down as co-chairman of Sony Pictures Entertainment, two months after hackers raided the company’s computers and released torrents of damaging emails and employee data.

Such breaches, say people in the industry, offer a chance for younger, nimbler companies trying to sell customers new techniques to protect data and outwit attackers. These range from disguising valuable data, diverting attackers up blind alleys, and figuring out how to mitigate breaches once the data has already gone.

“Suddenly, the music has completely changed,” said Udi Mokady, founder of U.S.-based CyberArk. “It’s not just Sony, it’s a culmination of things that has turned our industry around.”

Worldwide spending on IT security was about $70 billion last year, estimates Gartner. ABI Research reckons cybersecurity spending on critical infrastructure alone, such as banks, energy and defense, will reach $109 billion by 2020.

Several things are transforming the landscape. Corporations have been forced to allow employees to use their own mobile phones and tablets for work, and let them access web-based services like Facebook and Gmail from office computers. All this offers attackers extra opportunities to gain access to their networks.

And the attackers and their methods have changed.

Cyber criminals and spies are being overshadowed by politically or religiously motivated activists, says Bryan Sartin, who leads a team of researchers and investigators at Verizon Enterprise Solutions, part of Verizon Communications. “They want to hurt the victim, and they have hundreds of ways of doing it,” he said in a phone interview.

CLOSING THE DOOR

The result: companies can no longer count on defending themselves with decades-old tools like firewalls to block traffic and antivirus software to catch malware, and then assume all traffic that does make it within the network is legitimate.

Research by IT security company FireEye last month, for example, found that “attackers are bypassing conventional security deployments almost at will.” Across industries from legal to healthcare it found nearly all systems had been breached.

“Once an attacker has made it past those defenses they’re in the gooey center, and getting around is relatively simple,” said Ryan Wager, director of product management at vArmour.

Attackers can lurk inside a network for half a year before being detected. “That’s like having a bad guy inside your house for six months before you know about it,” says Aamir Lakhani, security strategist at Fortinet Inc, a network security company.

Security start-ups have developed different approaches based on the assumption that hackers are already, or soon will be, inside the network.

Canada-based Camouflage, for example, replaces confidential data in files that don’t need it, like training databases, with fictitious but usable data. This makes attackers think they have stolen something worthwhile. U.S.-based TrapX Security creates traps of ‘fake computers’ loaded with fake data to redirect and neutralize attacks.

California-based vArmour tries to secure data centers by monitoring and protecting individual parts of the network. In the Target Corp breach during the 2013 holiday shopping season, for example, attackers were able to penetrate 97 different parts of the company’s network by moving sideways through the organization, according to vArmour’s Wager.

“You need to make sure that when you close the door, the criminal is actually on the other side of the door,” he said.

‘THREAT INTELLIGENCE’

Funding these start-ups are U.S- and Europe-based venture capital firms which sense another industry ripe for disruption.

Google Ventures and others invested $22 million in ThreatStream in December, while Bessemer Venture Partners last month invested $30 million in iSIGHT Partners. Both companies focus on so-called ‘threat intelligence’ – trying to understand what attackers are doing, or plan to do.

Clients are starting to listen.

Veradocs‘ CEO and co-founder Ajay Arora says that while his product is not officially live, his firm is already working with companies ranging from hedge funds to media entertainment groups to encrypt key documents and data.

UK-based Darktrace, which uses math and machine learning to spot abnormalities in a network that might be an attack, has a customer base that includes Virgin Trains, Norwegian shipping insurer DNK and several telecoms companies.

But it’s slow going. Despite being open for business since 2013, it’s only been in the past six months that interest has really picked up, says Darktrace’s director of technology Dave Palmer. 

“The idea that indiscriminate hacking would target all organizations is only starting to get into the consciousness.”

Phishy Facebook Emails

Facebook phishes are getting better. Compare this one:

facebook real

and this:

facebook scam

Notice how the key bit, supposedly defining that it’s a legit email, is successfully and convincingly faked: image

The only difference that stands out is the domain: facebookembody.com. Although Google classified it as spam they didn’t warn that it would go to a website that contains malware. So be warned. Notification emails aren’t such a good idea anymore, if they ever were.

Whaling in Singapore?

Singapore appears to be the source of a virus cleverly designed to hoodwink U.S. executives by appearing to be an emailed subpoena which mentions them by name, as well as their title.

The SANS Storm Center said three days ago that

We’ve gotten a few reports that some CEOs have received what purports to be a federal subpoena via e-mail ordering their testimony in a case. It then asks them to click a link and download the case history and associated information.

One problem, it’s total bogus. It’s a “click-the-link-for-malware” typical spammer stunt. So, first and foremost, don’t click on such links. An interesting component of this scam was that it did properly identify the CEO and send it to his e-mail directly. It’s very highly targeted that way.

The report says that the server that the trojan reports back to is “hard-coded to an ISP in Singapore at this time,” from where, according to Ars Technica, it “steals copies of any security certificates installed on the system.”

(This, by the way, is calling whaling, since it is like phishing but is more targeted, and going for bigger phish, so to speak.)

The Inquirer says that the web servers delivering the emails are based in China, and, in language too loose to take seriously, “the cyber ruffians who later nefariously take control of the victims’ computers, based in Singapore.”

There’s no evidence the “cyber ruffians” are based in Singapore, as far as I can work out. The only possible connection could be the English and errors in the emails, which, John Markoff of the NYT reports, “led several researchers to believe that the attackers were not familiar with the United States court system and that the group might be based in a place that used a British variant of English, such as Hong Kong.”

That said, just because an ISP may have been compromised doesn’t mean that those involved are physically located in Singapore. Indeed, it would seem very unlikely they are; if they’re smart enough to launch an attack like this, you’d have to bet against them being anywhere near the ‘command and control’ center itself.

Still, it’s unsettling that an ISP may have been compromised. So far we don’t know much more, though I’ve put in requests for more information. (The source of the information about Singapore appears to have come from someone at Verisign, whose Asian PR address bounces. So don’t expect something anytime soon.)

Backed Up? Or Cracked Up?

image

There’s quite a commotion online about a program called g-archiver that promises to back up your Gmail account, but in the process apparently harvests all users’ Gmail usernames and passwords, and mails them to a separate Gmail account.

This is indeed scary, although it’s possible that the person behind it wasn’t collecting the passwords for nefarious purposes. But it highlights some important issues that we tend to overlook in this Web 2.0, mashup age:

  • Your online email account is more vulnerable than an offline one (by which I mean, storing your old emails online, rather than downloading them to your computer and deleting the online copy.) In this sense, POP is good, IMAP and webmail bad.
  • If you give your username and password to third parties, i.e., those who access your account on your behalf, you need to be more rather than less careful than with the original service. For example, services like Plaxo allow you to access your other accounts but will inevitably require you to enter your username and password, which will be stored on their server.

On top of that, it’s intriguing to take a look at how legitimate this one program appears, and how little those websites helping in its distribution have vetted it. I found copies at Download.com (owned by CNET), despite a commenter pointing out it steals passwords, Shareware Junkies, BrotherSoft, Softpedia, ZDNet, Download3000, FreedownloadsCenter, the excellently named Safe Install and Filedudes.

Just out of interest, G-Archiver is apparently the work of a company called MateMedia, which registered the website hosting the software. An interview with the company’s president, Russ Mate, is here.

A message on the original blog post purporting to be from Mr. Mate says “MateMedia is a legitimate company and we are absolutely horrified that this has occurred”, and will be notifying any download sites hosting the software to “remove it immediately.”

That clearly hasn’t happened yet, but neither has the company removed it from its own website, at the time of writing. (Seeing the software alongside tools like FriendTools, which automates adding friends and comments for MySpace spammers, or TubeAdder, which does the same thing on YouTube, might give a prospective user pause for thought.)

My rules of thumb:

  • Never download software without visiting the author’s original site, and finding out who produced it. This applies to Facebook apps as well. (In G-Archiver’s case, there is no contact page.)
  • Think hard before you give your email password to any service, however legitimate. It’s not so much about losing your email password but about all the other passwords and personal data that a bad guy could access inside your email account.

As Web 2.0 involves more and more cross-pollination of information, so we need to be smarter about who we give our passwords to, and what information we store behind those passwords, both in email and in social networking accounts.

Phishing For a Scapegoat

It’s somewhat scary that more than 10 employees of a laboratory that works on security issues (including phishing) could fall for a phishing attack. The Oak Ridge National Laboratory, or ORNL, managed for the U.S. Department of Energy by UT-Battelle, works on science and technology involved in energy production and national security. In late October the lab was targeted from Chinese websites, according to eWeek:

All of the phishing e-mails instructed lab employees to open an attachment for more information or to click on an embedded link. ORNL’s investigators now believe that about 11 staff fell for the come-ons and opened the attachments or clicked on the links. That was enough for the attackers to install keyloggers or other types of malware that gave attackers access to systems and the ability to extract data.

The interesting thing here is whether this was a “coordinated attack” and a “cyberattack” as has been suggested in the media. The Knoxville News Sentinel, for example, quotes lab director Thom Mason as saying, involved the thieves making “approximately 1,100 attempts to steal data with a very sophisticated strategy that involved sending staff a total of seven phishing e-mails, all of which at first glance appeared legitimate.” Meanwhile this AP article quotes Mason’s memo to employees:

The assault appeared “to be part of a coordinated attempt to gain access to computer networks at numerous laboratories and other institutions” in the United States, lab director Thom Mason said in a memo to the 4,200 employees at the Department of Energy facility.

The key here may be that the attackers were after personal information, not military secrets. As John C. Sharp writes:

The headlines keep coming about the news that several high-profile military labs – including some of the world’s leading nuclear research labs – have been compromised by phishing scams. Unfortunately, many of these headlines are missing the point.

Example: In one story published today, PC World claims that Chinese Hackers “launched” a coordinated “major attack” on two US Military Laboratories.

This is almost certainly *not* what happened. According to most of the published data, this was a phishing attack, plain and simple.

The fact is that China’s computers are so insecure that more or less anyone could use them to do more or less anything, from relaying spam to launching phishing attacks. So it’s not proof that China, or even Chinese, were involved just because the IP addresses are Chinese.

Of course, we don’t know for sure what happened yet. But if the attack was enabled by employees clicking on an email attachment or link that originated from a Chinese server, you’ve got to question a) the security training at a place like that, and b) wonder what kind of security filters they have on their servers that would allow such emails to get through, especially given the sheer number of emails that were sent.

Sometimes “China” is a great excuse for all sorts of incompetence and inefficiency, and “sophisticated cyber attack” is just another way of saying “sorry, we haven’t got a clue about all this Internets stuff.”

Oak Ridge Speared in Phishing Attack Against National Labs

Hi, I’m Sheila from Phishers ‘R’ Us

It amuses me that banks talk about security but rarely apply it in a consistent enough way to save people like you and me from getting scammed. Take what just happened to me this morning:

My bank rings me up (the number is a private number so doesn’t show up on my screen, but that doesn’t seem to be unusual anymore; nearly half of the people who call me seem to withhold their number these days. In any case, it’s not hard to fake a callerID.)

The woman on the phone tells me there’s been a problem with my last phonebanking transaction. Before she can tell me more, she asks me to key in my six-digit phonebanking ID, she says. I’m just about to do so, eager to sort out the problem, when I realize that I’ve not confirmed that she is who she says she is. So I ask her:

“Sorry, but I need to confirm who you are first.”

“Yes, I am Sheila and I work for the phonebanking division.”

“Yes, but how do I know you’re Sheila from the phonebanking division, and not Sheila from Phishers ‘R’ Us?”

Clearly Sheila hasn’t faced this kind of situation before.

“Er, well, if you key in your phonebanking ID, I can tell you details about your account, and that will confirm it.”

“Well, it may do, or else it would tell me you’d already succeeding in hacking into my account and were now just toying with me.”

A pause.

“Yes, but the PIN number goes straight into the computer,” says Sheila, a bit nonplussed now.

I try to explain that a) I’m not personally accusing her of being a scammer, only that I have no way of confirming whether she is a bank employee or a clever social engineering fraudster because she called me first and b) that technology makes it eminently possible that someone could capture my six digit PIN if I key into my phone. (A simple decoder attached to the phone will grab the DTMF signals (the beeps when you press a key) and figure out what digits they represent. I didn’t tell this to Sheila because she was already beginning to sense I was a ‘difficult customer.’)

In the end I tell Sheila I’m going to call her back, to which she politely agrees. When I later explain to her that the bank should think about plugging the hole in their security fence, she listens politely, thanks me for my feedback, and says:

“One last thing, Mr. Wagstaff. I don’t know if you’ve been told but we’re running a promotion at the moment that for every customer you’re able to bring in you get a $200 gift voucher for redemption at Takashimaya Department Store.”

A bank with its priorities right, it seems.

What amazes me about this is that banks don’t seem to have learned from past mistakes. A few months back I wrote about a scam in Hong Kong which uses exactly this tactic. Fraudsters stole wallets and handbags at a sporting event, removing only the ATM and business cards. The victims then got phone calls the next day pretending they’re from the bank informing them they’ve lost their card, and asking them to approve cancellation of the card by keying in their PIN number.  Voila. If Sheila was Sheila the Scammer, someone would be at least half way into my account by now.

I wish banks would be smarter about this. I wish in particular the banks I use would be smarter about this. Scammers are clever, particular about social engineering — the art of lulling people into a sense of false security. We ordinary people want to please, and we want to help solve a problem, especially if it’s connected to us, so we’re easy prey for someone at the end of the phone offering both.

The lesson is the same as the one I’m always trying to pass on: Don’t give anything to anyone just because they ask you to. Find out first whether they are who they say they are. A realtor asking for a deposit? Show me the documents that prove you are authorized by the landlord. Here to check the meter? Where’s your badge? Valet? How do I know you’re not just a guy in a red jacket and jaunty hat about to steal my car?

Authenticate, authenticate, authenticate. And if it’s someone like a banker, a real estate agent or an official, be hard on them if they seem impatient with your efforts. It’s your money, not theirs.

The Source of the Malware Scourge

Despite appearances, the U.S. is still the most popular place for the bad guys to place their malware code.

StopBadware.org has listed those Internet Service Providers that wittingly or unwittingly host “badware” — an umbrella term for any kind of software that insidiously installs itself on your computer. What’s interesting is that while there is one China company on the list, by far the biggest culprit is one iPowerWeb Inc, based in Phoenix, Arizona, which has more than 10,000 infected sites on their servers. (By comparison, then next biggest culprit has a quarter that.)

Badware is usually installed on a site without the owner’s knowledge, either by exploiting holes in the software that delivers content to the site or hacking into the site by guessing the owner’s password or making use of a hole in the server software. Victims would unwittingly download the badware by either visiting the website in question or be directed there from other websites which had been infected. Here’s a case of a fake MySpace page which lures victims to an iPowerWeb-hosted site where users give up their MySpace password. Interesting detail on how these work is here.

iPowerWeb appear to have a long history of attracting accusations that it doesn’t take this kind of thing seriously. Examples are here, here and here (from two years ago). So far there’s no press statement from iPowerWeb on its website; I’ve requested comment.

The sad thing here is that when Google and organisations like StopBadware find these hacked sites the sites are flagged and removed from Google searches, or else prefaced by a warning page. While this makes sense, it causes mayhem for the owners of these sites who are either not technically savvy enough to resolve the problem, or find themselves in limbo while their site is removed from the list after they’ve cleaned it up. A recent discussion of the problem on the stopbadware Google Group is here. (StopBadware says it will respond to appeals within 10 days and says the time is closer to two.)

One can only imagine the scale of the mess caused by all this. Hosting companies need to be smarter about monitoring this problem they’ll face declining custom or lawsuits.

Loose Bits, Nov 28 2006

From my PR intray, some surprisingly interesting little odds and ends:

LocalCooling is a 100% Free power management tool from Uniblue Labs that allows users to optimize their energy savings in minutes and as a result reduce Greenhouse Gas emissions. The software “automatically optimizes your PC’s power consumption by using a more effective power save mode. You will be able to see your savings in real-time translated to more evironmental terms such as how many trees and gallons of oil you have saved.”

Sim CityElectronic Arts Inc. today announced SimCity for mobile, which “lets mobile phone users create and manage the growth of a living city in the palm of their hands. Originally created by Will Wright, SimCity is now available on major U.S. carriers.” Not sure how this works, as there’s nothing yet on EA’s site. It does sound a bit like milking a cash cow or is it flogging a dead horse? 

free spam filterCyberDefenderFREE is “a full internet security suite that can operate  standalone, or complement existing security software to add an existing layer of early-alert security to the desktop.” As far as I can work out, this is a competitor to Windows Defender although it seems to include a collaborative element, where users report either manually or automatically dodgy software and sites they’ve come across. I think.