IT Security Blog

01 September 2009

Looking Ahead Toward the Threat Horizon


In my copious amounts of spare time, one of the things I like to put thought into is where the threat landscape is headed.  Even in just the last 10 years since the Melissa virus (yes, I know viruses extend quite a bit further back than that; I'm just using it as a reference point) we've gone from mass-mailing viruses, to network worms that tear through a network compromising every vulnerable host as quickly as they can, to social engineering tricks that sometimes make it difficult even for a trained professional to tell whether something is real or fake. 

So, the question that I pose to myself is "What's Next?"  Taking even just the events of the last decade into account, where are we headed for the next few years?  Some of this is obviously hard to determine because that also involves being able to forecast what new technologies will be released, but we can start to make some assumptions based off of what is available today. 

Since this is a blog post, I'll try to keep this relatively brief.  Maybe it is something that I can submit as an article to some technology pub as a full byline article (Here's a free plug for the folks over at (IN)Secure Magazine, who just released Issue 22 today.  I like them and I've had the opportunity to write for them twice now) at some point soon.

Some things to think about:

-- The Insider Threat
Especially given the current economic conditions and the uneasiness in many offices around the country about whether their companies will remain viable, organizations need to be ever cognizant of the data leaving their networks.  The USB 3.0 specification released in November 2008 allows for data transfer speeds of about 5 Gbit/s, so sensitive, proprietary corporate data can be pulled off a company's network and onto a thumb drive faster than ever before.  Couple that with the number of disgruntled employees who either see the writing on the wall for their own jobs or are upset at benefit and wage freezes and cutbacks, and you have a dangerous cocktail for data theft.  We need to put as much focus on protecting our sensitive assets from insiders, who have far easier access to proprietary data, as we do on keeping external threats at bay.

-- VoIP
Voice over Internet Protocol (VoIP) technologies are being adopted at an ever-increasing rate, not only in the enterprise space but in the consumer market.  Services like Vonage make it easier than ever for people to have portable phone numbers so that family members out of state can reach them at a local number.  VoIP deployments in organizations are becoming ever more popular as well.  As these technologies become more widely adopted we have started to see hints of what abuse of these tools might look like.  Throwaway phone numbers used to make spam calls have become more common, and there are services online that sell throwaway numbers in blocks.  Spammers can use and abuse these numbers just as they do IP addresses now. 

Another thing to watch for is the compromise of VoIP systems themselves as vulnerabilities start coming out in larger quantities.  Threats like direct voicemail injection will become another method cyber criminals use to get advertisements delivered to end users, and as the social engineering behind these threats improves, they could easily be used to steal personal identities and corporate data. 

-- Mobile Malware
Let's face it.  The phones that we carry in our pockets are little personal computers.  Although they lack the computing power of the quad-core processors now becoming commonplace on personal computers, they are another "always connected" device that people always have turned on.  I think the only time that I turn mine off on a weekly basis is when we are doing our weekly recording of the Security Buzz podcast, and that is mainly because the GSM buzz wreaks havoc with the microphones (and our Executive Producer's headphones :) ).  As mobile phone manufacturers open up their APIs to third-party developers, they will need to be ever diligent in their QA processes to make sure that applications containing some form of malware, or opening a trojan backdoor onto the device, don't get posted to their distribution channels.  The mobile phone industry is growing by leaps and bounds as new, better, more feature-rich smartphones enter the market.  The smartphone market is too large a target for cyber criminals to ignore, especially when you consider the value of the data we now store on these devices.  Secure sandboxing of third-party applications is a must, but that is only a start.  Only hundreds of mobile malware variants exist today (compared with PC malware, where a new sample appears roughly every 4 seconds), but that number is slowly growing, and as attackers pay more attention to how they can penetrate mobile devices it is sure to increase.

-- Social Networking
Social networks represent an interesting shift in the information-sharing game because the rules that typically govern what personal data people are willing to share seem to have gone out the window.  This has really opened the door for cyber criminals.  With the data now available through social media sites like Facebook, MySpace, and Twitter, criminals can much more easily target attacks at specific individuals or groups, using public profiles or geolocation tools that map your IP address to the town you live in (or near), and deliver compelling content that directs you to malware-infected downloads (à la the Waledac botnet).  The web of trust between users on social networking sites is being actively and regularly exploited by attackers who take advantage of the fact that users will click on whatever their friends send them.  It's already been proven that people will click on links and open attachments from people they don't know, so why would they scrutinize more closely the content from those they do?

-- Political Hacktivism
Recently cyber criminals have picked up the pace with respect to using online resources like social networking sites to quickly spread political messages, propaganda, and recruiting pitches for their cause.  Because political issues are sensitive and people feel passionately about them, social engineering techniques such as posting highly controversial views on sensitive topics are something cyber criminals will latch onto to get people to react quickly and irresponsibly, opening attachments or visiting websites they would normally scrutinize more closely. 


These are only a small sampling of what I believe we will be encountering as we move forward (I didn't even go into the increased prevalence of compromised legitimate web sites, the further abuse of file sharing services, or calendar spam!), but they are things we will need to keep top of mind as we look toward what threats are coming down the road.  Attackers go where the money is, and the money is where the people are.  So, whether it is Twitter, MySpace, Facebook, email, instant messaging, or our phones, criminals will leverage whatever technology is available.  In their eyes the goal is to make money regardless of the technology, and whoever figures out first how to exploit a technology for financial gain gets the lion's share of the notoriety and beats the defense mechanisms to the punch.
Posted by smasiello at 3:02 PM | Link | 0 comments
07 July 2009

New Research Suggests Your SSN is Easily Guessed


Research published yesterday by Carnegie Mellon University shows that the range of values your Social Security number could take is narrowed considerably by publicly available information such as your place and date of birth. 

This is significant because financial and educational institutions (among others) frequently use the SSN either to verify who you are over the phone or as an authenticator on web sites, which greatly increases the risk of identity theft.  As a side note, the American Health Information Management Association (AHIMA) published an article back in 2006 recommending against using SSNs as an identifier in systems that contain health care data.

According to the research, you "could identify in a single attempt the first five digits for 44 percent of deceased individuals who were born after 1988 and for 7 percent of those born between 1973 and 1988. They were able to identify all nine digits for 8.5 percent of those individuals born after 1988 in fewer than 1,000 attempts".  When the first 5 digits of a 9-digit SSN can be identified on the first attempt, only the 4-digit serial number remains unknown, which narrows the possibilities down to roughly 10,000, essentially the same as determining someone's 4-digit PIN.  Trivial by today's technology standards, and much easier still against any system that lets an attacker try candidates without a lockout.  Since the Social Security Administration's Death Master File can be purchased online for about $7,000 (if you live in the US, Canada, or Mexico; about $15,000 otherwise) according to Steve Goldsby's blog, this cost could easily be recouped after only a few identity thefts.  This is pretty good ROI for cyber criminals despite the up-front cost.
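To make the arithmetic above concrete, here is an added example (not code from the CMU paper or this post) of how a list of deceased people's records, ordered by birth date, lets you bracket a living person's area and group number and then count how many guesses remain. The records, states, dates and SSNs are constructed for illustration; the only real-world fact encoded is the SSA's published order of group-number issuance (odd 01-09, then even 10-98, then even 02-08, then odd 11-99). The paper's quoted percentages come from a far more careful statistical treatment of the real Death Master File; this simplification only shows the mechanism.

```python
"""Added example: bracketing an SSN prefix from neighbouring published records.

Nothing here is the CMU method verbatim; the records are constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Tuple


def group_issuance_order() -> List[int]:
    """SSA's historical order for the 2-digit group number within an area:
    odd 01-09, even 10-98, even 02-08, odd 11-99 (public SSA fact)."""
    return (list(range(1, 10, 2)) + list(range(10, 99, 2))
            + list(range(2, 9, 2)) + list(range(11, 100, 2)))


GROUP_ORDER = group_issuance_order()
GROUP_RANK = {g: i for i, g in enumerate(GROUP_ORDER)}


@dataclass(frozen=True)
class DmfRecord:
    """One published record: state of issuance, date of birth, full SSN."""
    state: str
    born: date
    ssn: str  # "AAA-GG-SSSS"

    @property
    def area(self) -> int:
        return int(self.ssn[0:3])

    @property
    def group(self) -> int:
        return int(self.ssn[4:6])

    @property
    def serial(self) -> int:
        return int(self.ssn[7:11])


def neighbours(records: List[DmfRecord], state: str, born: date) -> Tuple[DmfRecord, DmfRecord]:
    """Closest same-state records born on or before / on or after the target.
    Assumes numbers were assigned in birth-date order (true for numbers
    issued at birth, which is why post-1988 cohorts are most exposed)."""
    same_state = sorted((r for r in records if r.state == state), key=lambda r: r.born)
    before = [r for r in same_state if r.born <= born]
    after = [r for r in same_state if r.born >= born]
    if not before or not after:
        raise ValueError("need a record on each side of the birth date")
    return before[-1], after[0]


def candidate_ssns(lo: DmfRecord, hi: DmfRecord) -> List[str]:
    """Every SSN consistent with lying between the two neighbouring records."""
    if lo.area != hi.area:
        raise ValueError("neighbours straddle an area boundary; prediction ambiguous")
    first_rank, last_rank = sorted((GROUP_RANK[lo.group], GROUP_RANK[hi.group]))
    groups = GROUP_ORDER[first_rank:last_rank + 1]
    if len(groups) == 1:
        # Same group on both sides: the serial lies between the neighbours' serials.
        first, last = sorted((lo.serial, hi.serial))
        return [f"{lo.area:03d}-{groups[0]:02d}-{s:04d}" for s in range(first, last + 1)]
    # Group changed between the neighbours: any serial (0001-9999) in each group.
    return [f"{lo.area:03d}-{g:02d}-{s:04d}" for g in groups for s in range(1, 10000)]


def attempts_to_find(candidates: List[str], true_ssn: str) -> int:
    """Guesses an attacker with a yes/no verification oracle needs (0 = not covered)."""
    return candidates.index(true_ssn) + 1 if true_ssn in candidates else 0


# Constructed records standing in for Death Master File entries.
CONSTRUCTED_DMF = [
    DmfRecord("NH", date(1990, 3, 2), "003-52-1204"),
    DmfRecord("NH", date(1990, 3, 9), "003-52-3390"),
    DmfRecord("NH", date(1990, 3, 20), "003-52-6671"),
    DmfRecord("ME", date(1990, 6, 1), "005-58-9900"),
    DmfRecord("ME", date(1990, 6, 30), "005-60-0150"),
]


def demo() -> Dict[str, object]:
    """Two targets: one whose neighbours share a group, one where it rolled over."""
    nh = candidate_ssns(*neighbours(CONSTRUCTED_DMF, "NH", date(1990, 3, 12)))
    me = candidate_ssns(*neighbours(CONSTRUCTED_DMF, "ME", date(1990, 6, 15)))
    return {
        "nh_candidates": len(nh),
        "nh_attempts": attempts_to_find(nh, "003-52-5120"),  # constructed 'true' SSN
        "me_candidates": len(me),
        "me_groups": sorted({int(c[4:6]) for c in me}),
    }


if __name__ == "__main__":
    print(demo())
```

The first target needs at most a few thousand guesses and the second about twenty thousand, against a nominal space of a billion. The defensive lesson is the one the post draws: any service that accepts an SSN as an authenticator and does not lock out after a handful of failures is handing the attacker the oracle this loop needs.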
Posted by smasiello at 10:55 AM | Link | 0 comments
16 June 2009

BITS Releases Guide For Implementing Email Authentication Protocols

Is It Too Little, Too Late?

In a story released a few days ago, BITS (the Banking Industry Technology Secretariat) released a paper titled "Email Sender Authentication Deployment" focusing primarily on how financial institutions can implement DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF) to authenticate mail coming from their domains and distinguish it from spoofed emails sent by spammers. 

In a release done by the Online Trust Alliance (OTA) in 2008, it was reported that 51% of the Fortune 500 consumer facing brands, 52% of the Fortune 500’s consumer-facing financial service brands, and 54% of the Internet Retailer top 300 brands were currently authenticating their email. 

Many major financial institutions are on board this bandwagon as well, but clearly there is room for improvement.  As pointed out by Paul Smocer, VP of Security for BITS, only about 10-15% of BITS 100 members are currently using any form of email authentication, a statistic quite different from the adoption rates of Fortune 500 brands.  For those who haven't yet implemented sender authentication, BITS has released this guide to help financial institutions understand the business value of implementing these solutions. 

Will SPF and DKIM stop spoofing?  No, but they do give email receivers a way to check claims about the sender: SPF lets a receiver verify that the server delivering the message is one the sending domain has authorized, and DKIM lets it verify a signature the sending domain placed over the message headers and body.  That helps a receiver tell a message actually sent by a financial institution like Bank of America from one a spammer merely dressed up to look like an official BofA message in an attempt to steal someone's identity or web site login credentials. 
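As an added example (not from the BITS paper or this post), the following shows what an SPF check actually decides. It evaluates a constructed SPF record for a hypothetical bank domain against the IP address of the connecting server, and then shows the gap SPF leaves: it authenticates the envelope sender (MAIL FROM), not the From: header the customer sees, so a spammer whose own domain passes SPF can still display the bank's name unless the receiver compares the two. All domains, records and addresses are constructed; only the ip4, ip6 and all mechanisms are implemented, since a, mx, include and redirect need live DNS.

```python
"""Added example: a minimal SPF evaluator over constructed DNS data."""
import ipaddress
from typing import Dict, Tuple

# Constructed TXT records, standing in for a DNS lookup.
FAKE_DNS_TXT: Dict[str, str] = {
    # Strict policy: any sending host not listed hard-fails.
    "bank.example": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8:10::/48 -all",
    # Weak policy: unlisted hosts only soft-fail, which most receivers still deliver.
    "weak-bank.example": "v=spf1 ip4:192.0.2.0/24 ~all",
    # A spammer's own domain, correctly listing the spammer's own server.
    "attacker.example": "v=spf1 ip4:203.0.113.9 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(mail_from_domain: str, client_ip: str, dns: Dict[str, str] = FAKE_DNS_TXT) -> str:
    """SPF result for a connection from client_ip claiming MAIL FROM at mail_from_domain.

    Mechanisms are evaluated left to right; the first match decides the result.
    With no match and no 'all' term the record yields 'neutral' (RFC 4408).
    """
    record = dns.get(mail_from_domain)
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
            continue
        # a, mx, include, exists, redirect all require DNS; out of scope here.
        raise NotImplementedError(f"mechanism {mech!r} needs DNS resolution")
    return "neutral"


def spf_identity_gap(mail_from_domain: str, header_from_domain: str,
                     client_ip: str) -> Tuple[str, bool]:
    """Return (SPF result for the envelope sender, whether it matches the From: header).

    A 'pass' with aligned == False is exactly the case SPF alone does not stop.
    """
    return check_spf(mail_from_domain, client_ip), mail_from_domain == header_from_domain


if __name__ == "__main__":
    print(check_spf("bank.example", "192.0.2.25"))        # pass: the bank's own server
    print(check_spf("bank.example", "198.51.100.7"))      # fail: not authorized
    print(check_spf("weak-bank.example", "198.51.100.7")) # softfail: the weak policy
    print(spf_identity_gap("attacker.example", "bank.example", "203.0.113.9"))
```

The last call passes SPF, because the spammer's domain really does authorize the spammer's server, yet the From: header still says bank.example. This is why a receiver has to combine the SPF or DKIM result with a check that the authenticated domain matches what the user is shown; on its own the protocol only answers the narrower question it was asked.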

The question I would pose here is whether the consumer confidence that email authentication technologies are meant to foster comes too little, too late.  I've heard people from some of the largest banks in the country state that their studies have found that many of their own customers don't even open email from them anymore, or have moved away from online banking entirely, solely because of concerns about having their identities stolen.  In their eyes, it is easier to avoid the risk entirely (even if it costs additional fees to walk into a branch to conduct business) by not dealing with their bank online at all.   This is because they cannot distinguish legitimate communications from their bank from what is being sent by cyber criminals. 

Trust is very hard to earn and even more difficult to re-establish once lost, especially if you are dealing with matters involving someone's wallet.  To that point, when I think about where we are today with the low level of trust that users have overall with email as a communication and marketing vehicle, I believe that as an industry that we should be doing everything that we can to help email senders and receivers proactively identify malicious email, but users might be too jaded to care.
Posted by smasiello at 1:23 PM | Link | 0 comments
21 May 2009

New Facebook Phishing Scam in the Wild


Be on the lookout this morning for a phishing scam floating around Facebook asking you to visit http://areps.at, a domain registered only a few days ago to someone named Andrey Morov out of Russia.  (UPDATE 5/21/2009 11:30am MST - According to this CNet article, the domain bests.at is also being used for this scam, registered to the same person as areps.at.)  The registry record for areps.at:

personname:     Andrey Morov
organization:
street address: Schelkovskiy proezd d.11 korp.1 kv.3
postal code: 105425
city: Moscow
country: Russland
phone: +74956211281
fax-no: +74956211281
e-mail: ******@nameclub.at
nic-hdl: AM5009456-NICAT
changed: 20090515 15:23:43
source: AT-DOM

Visiting this site will also infect your Facebook profile and cause messages to be sent to your friends inviting them to visit as well.  Below is a screen shot illustrating the contents of the message you may receive from an infected friend.

(Screenshot of the message not reproduced here.)

If you do receive any of these, contact the person who sent it to you and ask them to change their password ASAP.  If you believe that you might have fallen victim to this scam, change your own profile password before whoever has hijacked your account changes it for you and locks you out of your own account!
Posted by smasiello at 9:40 AM | Link | 1 comment
15 April 2009

Threat Warning: Be On the Lookout for Tax Related Scams


I thought it was appropriate to issue a "Threat Warning" (à la the National Weather Service) for tax-related scams for today and the coming days and weeks, considering today's midnight tax deadline.  By a warning I mean that conditions are ripe for something to occur even though we have not seen anything specific yet. 

Considering current economic conditions, and the fact that more people who owe money are likely to be delinquent in payment this year, we might see a new twist: tax filing extension "services" that, for a fee, will supposedly grant you an extension on paying your taxes without additional interest penalties if you do not file on time.   

It is also likely that we could see scams like we have seen in years past related to tax refunds that can be received faster if applied to your credit card or purported errors made by the IRS that results in you receiving additional refund money that can be applied to your credit card or directly into your bank account. 

Be on the lookout for these and other potential scams spoofing the IRS.  The most important thing to remember is that the IRS does not discuss tax refund issues with consumers over email, so if you receive anything like what I have described above, or anything similar, delete those messages immediately.  Our Threat Operations Center is on high alert for any IRS-related scams and when any arise we will report them here.
Posted by smasiello at 2:58 PM | Link | 0 comments

What Can We Learn from Twitter's Security Woes?


Just about anyone and everyone who is active on the internet is either using, has used, or at least has heard of Twitter, the micro-blogging service that grew in usage by 752% in 2008 and is poised to grow even more in 2009. 

As we know, where there are users, there are attackers.  Any technology that has grown in popularity at the speed Twitter has is certain to become a target for information- and money-stealing cyber criminals.  As such, Twitter has been the target of several application exploits over the last few months, including a Samy-like exploit that would force users to follow you, multiple clickjacking exploits, and two worms, dubbed Mikeyy and StalkDaily, just this past weekend.

Funnily enough, one of the things that is frequently part of the fallout of a string of security exploits is a drop in brand trust and user confidence.  So far, that fallout does not appear to have taken place with Twitter.  At least based on the reported numbers, Twitter's growth does not seem to have been hampered at all despite the numerous security flaws patched over the past 8 months.  Perhaps this is because there hasn't been a serious incident of data theft or widespread malware infection as a result of one of these exploits.  Rest assured, those are coming!

So, what can we learn as a result of Twitter's recent security woes? 

I believe that one of the most important lessons to be learned from Twitter is the need to ensure security is being built into your product from the concept and design phases, not after the code has been consumed by the public.  This is true for online applications like Twitter as well as boxed software that you buy in the stores.  Don't let your customers be your test bed to identify security risks because you can bet that criminals will find them and exploit them before your customers do.  At that point you have put your customers at risk also.  It is far cheaper and less damaging to your corporate brand and reputation if security risks are identified up front, before any code is launched than to try to retrofit security into a live product.

Up to this point the vulnerabilities exposed on Twitter have largely been considered annoyances.  I was unable to find any reports of identity or financial theft as a result of a Twitter exploit, and again perhaps that is why they haven't been placed under the same microscope that Microsoft and Google have been.  Don't take these proof-of-concept quality threats lightly though as they could easily have been much more nefarious than they were.

Let's take the Mikeyy worm as a primary example.  One of the ways Mikeyy spread was by sending tweets out under the accounts of infected users, luring their followers to visit the profile of another Twitter user which had script injected into it through a flaw in the site.  Once that page was visited the script ran in the visitor's own session, hijacked the account, and sent tweets as them to their followers trying to trick them into clicking also.  Rinse and repeat.  In this instance the worm was merely spreading across Twitter to anyone fooled into clicking the link in the tweet.  What if that link had forwarded unsuspecting users to a drive-by site that installed malware like Storm or Conficker?  In a previous post we discussed how URL abbreviation services can hide the underlying destination and redirect users to malware drive-by or phishing sites.  Granted, that example isn't one of a specific Twitter flaw, but it is just another thing users of the popular service need to be on the lookout for.
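The flaw class behind a profile-page worm is worth seeing side by side with its fix. The following is an added example, not Twitter's code and not the worm itself: a toy profile renderer that drops user-supplied fields straight into HTML, the hardened version that escapes for the text context and refuses non-http(s) URLs in the attribute context, and a small checker that parses the rendered output and reports anything that would execute. The template, field names and payload strings are constructed for illustration.

```python
"""Added example: unescaped profile rendering beside the hardened form."""
import html
from html.parser import HTMLParser
from typing import List

# Constructed template: a bio in text context and a homepage link in attribute context.
PROFILE_TEMPLATE = '<div class="bio">{bio}</div> <a href="{site}">homepage</a>'


def render_profile_vulnerable(bio: str, site: str) -> str:
    """Interpolates user-controlled fields directly into markup (the bug)."""
    return PROFILE_TEMPLATE.format(bio=bio, site=site)


def render_profile_hardened(bio: str, site: str) -> str:
    """Escape each field for the context it lands in.

    Text context: html.escape handles < > & and quotes.  Attribute context:
    escaping alone does not stop a javascript: URL, so the scheme is
    whitelisted before the value is escaped.
    """
    safe_site = site if site.strip().lower().startswith(("http://", "https://")) else "#"
    return PROFILE_TEMPLATE.format(bio=html.escape(bio, quote=True),
                                   site=html.escape(safe_site, quote=True))


class ActiveContentFinder(HTMLParser):
    """Collects script elements, on* event-handler attributes and javascript: URLs."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("script element")
        for name, value in attrs:
            lname = name.lower()
            if lname.startswith("on"):
                self.findings.append(f"event handler {lname}")
            if lname in ("href", "src") and value and value.strip().lower().startswith("javascript:"):
                self.findings.append(f"javascript: URL in {lname}")


def active_content(markup: str) -> List[str]:
    """Everything in the rendered page that would run in the viewer's session."""
    finder = ActiveContentFinder()
    finder.feed(markup)
    finder.close()
    return finder.findings


# Constructed payloads of the kind a self-propagating profile worm would plant.
WORM_BIO = '<script src="http://worm.invalid/spread.js"></script>'
WORM_SITE = "javascript:alert(document.cookie)"


if __name__ == "__main__":
    print(active_content(render_profile_vulnerable(WORM_BIO, WORM_SITE)))
    print(active_content(render_profile_hardened(WORM_BIO, WORM_SITE)))
    print(render_profile_hardened(WORM_BIO, WORM_SITE))
```

The checker is a test aid, not a defense: the fix is the context-aware escaping in the renderer, and a project should apply it through its template engine rather than by hand in every view. The point the post makes still stands, though: with this in place the worm's payload is displayed as text and never reaches the visitor's session.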

In its short existence Twitter has almost single handedly revolutionized how we communicate (in 140 characters or less :) ) online.  Whether you are using Twitter to communicate with friends from school, family, or professionally to keep up on market trends or as another method to increase your brand awareness (a recent report by comScore said that more than 50% of Twitter users are between 25-54 with most users being on the upper end of that scale), Twitter has stormed onto the social media scene and has already become an important part of how people communicate online.  I use it myself.  As such, it creates another avenue by which we need to make sure we educate ourselves and our users about the potential for online threats.
Posted by smasiello at 2:29 PM | Link | 1 comment
26 January 2009

Data Breaches, Job Loss, and Fraud! Oh My!


Last week Heartland Payment Systems Inc reported a data breach of over 100 million credit card numbers and cardholder names.  Monster.com is now also reporting a compromise of passwords, user IDs, names, email addresses, and other PII of an undisclosed number of accounts and is advising all of its users to change their passwords immediately.  It's too bad that most of monster.com's users only regularly access their accounts when they are actually looking for a job which means that many may never get the message or take the time to update their password.  This leaves a lot of accounts as wide open opportunities for identity and data theft.

Combine all of this news with this report on CNN Money that over 71,400 jobs were lost today alone (when I last looked at the report it was 68,000 so the number is getting larger as the day wears on!) and we have a dangerous cocktail for fraud and fraud victims!

So, it is a given that there will be more (and already has been) fraudulent activity related to the monster.com and Heartland breaches.  The bigger problem that comes out of this is that we now have over 71,400 people now trying to figure out how they are going to support their families and themselves while they look for new employment. 

These newly unemployed job seekers are now prime targets for cyber crime.  Whether it be stock pump and dump scams, fraudulent IRS refunds, phony job announcements (work at home opportunities appearing to come from monster.com?), or "make a quick buck" schemes, people in vulnerable positions are frequently the most likely victims of criminal activity.  As such, it is important for everyone to be more diligent than ever in trying to separate the wheat from the chaff as it relates to any kind of "too good to be true" offer.  Good social engineering preys on weaknesses and stresses a potential victim's urge to "act now".  During times of unemployment or uncertainty your inherent ability to judge is clouded and irrational decisions are often made resulting in more complicated problems.  Be educated, be aware, and be diligent.  Don't be a victim.
Posted by smasiello at 4:24 PM | Link | 0 comments
05 August 2008

Perspective is Good. Being Proactive is Better


According to this story, a laptop went missing that contained approximately 33,000 records of customers of the Clear system (Clear is a for-pay program that lets customers go through a separate security line at some airports using a smartcard). 

Apparently the laptop has been found....in the same room that it was allegedly lost in.  The title of the article linked to above is "Laptop Discovery May End SFO Security Scare"....I couldn't disagree more.

If someone unauthorized had access to the room the laptop was in when it disappeared, that same person had access to put the computer back after they were done with it (stealing data, installing a trojan to steal more data... the list goes on).  According to the story, the customer data on this laptop was NOT encrypted, which means anyone who had the computer had unfettered access to all of the customer information stored on it, including names, addresses, birth dates, driver's license numbers, and passport numbers.  Of course, now the TSA is saying that the computers must use encryption, but that is like buying flood insurance while your basement is under 8 feet of water.  Too little, too late.

This is a huge black eye for Verified Identity Pass, the company that operates the Clear program.  My favorite line in the article is where their CEO Steven Brill states "We don't believe the security or privacy of these would-be members will be compromised in any way."  The fact that their CEO would make a statement like that just underscores what little he and his company understand about security and the protection of customer information. 
Hopefully this will prompt the TSA into doing a more security-oriented deep dive on all of its vendors.  It is important for them to know just how many other vendors' basements are either currently under 8 feet of water or headed that way.  As a component of DHS, the TSA already doesn't have a very good record as it relates to security.  Any proactive measures it can take to ensure the security posture of the organization and the vendors it does business with will help mitigate future high-profile breaches.

Posted by smasiello at 1:29 PM | Link | 0 comments
19 March 2008

Does it Cost Extra for the iPod Without Malware?


Whether it is iPods being shipped with malware, digital picture frames, navigation systems, or hard drives, the number of incidents of electronic equipment being shipped from the manufacturer with malware is disturbing!

How does this happen?  It is typically a by-product of PCs being used for things outside their intended business purpose.  For example, if a computer's primary function is to load software onto a digital picture frame, or to test that a computer can connect to and transfer files to the frame, then those should be the only things that machine is used for.  It should not be used to plug in external USB drives, download videos and music off the internet, or surf porn sites.  Each of these activities is a vector of unnecessary risk and could end up infecting the PC with malware, which then gets passed on to every device that station loads.
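Restricting what the loading station is used for is the policy; the check a practitioner also wants is one that catches the moment the station has been compromised anyway. The following is an added example (not from the post or any manufacturer's process) of verifying the content staged onto a device against a manifest taken from a signed-off golden image before the device ships: anything added, modified or missing is reported. The directory layout, file contents and the autorun-style tampering are constructed in a temporary directory for illustration.

```python
"""Added example: golden-manifest verification of a staged device image."""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large firmware images are not read at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_against_manifest(root: Path, manifest: Dict[str, str]) -> List[Tuple[str, str]]:
    """Compare a staged tree with the golden manifest.

    Returns (problem, path) pairs, sorted by path: 'added' for files the manifest
    never listed (the classic dropped autorun.inf), 'modified' for hash mismatches,
    'missing' for manifest entries that are absent.  An empty list means ship it.
    """
    actual = build_manifest(root)
    problems: List[Tuple[str, str]] = []
    for rel in sorted(set(actual) | set(manifest)):
        if rel not in manifest:
            problems.append(("added", rel))
        elif rel not in actual:
            problems.append(("missing", rel))
        elif actual[rel] != manifest[rel]:
            problems.append(("modified", rel))
    return problems


def demo() -> Dict[str, List[Tuple[str, str]]]:
    """Build a golden image and a staged copy, tamper with the copy the way an
    infected loading station would, and return what verification reports."""
    with tempfile.TemporaryDirectory() as tmp:
        golden = Path(tmp) / "golden"
        staged = Path(tmp) / "device"
        for root in (golden, staged):
            (root / "firmware").mkdir(parents=True)
            (root / "firmware" / "image.bin").write_bytes(b"\x7fFW" * 1000)  # constructed
            (root / "README.txt").write_text("constructed sample content\n")
        manifest = build_manifest(golden)
        # Constructed tampering: an autorun stub dropped in and the firmware altered.
        (staged / "autorun.inf").write_text("[autorun]\nopen=setup.exe\n")
        (staged / "setup.exe").write_bytes(b"MZ-constructed-stub")
        (staged / "firmware" / "image.bin").write_bytes(b"\x7fFW" * 999 + b"BAD")
        return {
            "clean": verify_against_manifest(golden, manifest),
            "tampered": verify_against_manifest(staged, manifest),
        }


if __name__ == "__main__":
    for label, problems in demo().items():
        print(label, problems or "OK")
```

The manifest has to come from somewhere the loading station cannot write to, and ideally be signed, or a compromised station will simply regenerate it; the check is only as trustworthy as the golden image it was taken from.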

As the line between what is known as a PC and what actually runs the same type of software as your PC continues to blur you can expect to see more of these types of incidents occurring.  This is unfortunate because as we have become more dependent on technology in our every day lives and as the devices that we used have become more advanced, our level of confidence in those devices to function in a safe, secure, stable manner has declined significantly.  These sorts of compromises represent one of the biggest new threats to corporate networks and will be another one of the avenues used more prevalently by cyber criminals to steal sensitive, confidential, and personal information as malware continues its evolutionary process.

Posted by smasiello at 2:48 PM | Link | 1 comment
31 January 2008

Another Day....Another Data Breach

Hardly a day goes by anymore where there isn't some sort of breach of confidential data. Whether it is the exposure of almost 40,000 Social Security Numbers of Georgetown University alumni, faculty, and staff or the theft of 35,000 records of current and former customers of T. Rowe Price, or even the well documented theft of over 45M credit and debit card numbers from TJX, data theft is rampant and we still haven't learned our lesson.

No matter how much education you do on security best practices and even if 99.99% of your company follows those practices, it only takes one person making one mistake to cause a potential breach. Although some data breaches are the result of large scale infrastructure weaknesses, a large number of them are also the result of the indiscretion of one person. One person who didn't properly secure an open PC or who didn't properly secure a hard drive with sensitive data can cause the loss of millions of records which can result in untold numbers of identity thefts!

We've said this before, but I absolutely believe it to be 100% true: protect your personal information and monitor your bank accounts and credit cards like the data has already been compromised (because it likely has. The real question is whether or not someone is going to use YOURS). As with many things in life, early detection gives you the best possibility of recovery. You may not be able to prevent damage to your credit or reputation from happening, but there is a lot we can do to mitigate it once it happens.

Posted by smasiello at 10:59 AM | Link | 0 comments
17 September 2007

The Risk of Identity Theft

How at risk are you to be a victim of identity theft?

According to the folks over at the Privacy Rights Clearinghouse, approximately 165 million data records of U.S. residents have been exposed due to security breaches since January 2005. In 2007 alone there have been 278 reported breaches, accounting for over 75 million records.

Keep in mind that these numbers are for *reported* breaches by companies who are required to report such incidents. This only represents a small percentage of the number of businesses out there who might have your personally identifiable information.

Even if we take the 165M records number as accurate, and set it against a U.S. population of roughly 300 million, we are all at something like a 50% risk of having our identities exposed as a result of these breaches (a rough upper bound, since many people appear in more than one breach). Granted, the information obtained could vary greatly, from a hacker obtaining only your name and email address all the way to exposure of credit card numbers and your Social Security number. Both types are dangerous, though. For example, if a hacker obtains only your name and email address, they can use that information to send legitimate-looking phishing messages to your inbox in an effort to get the rest of what they want.

So, what to do if you believe that your identity might have been stolen? Privacy Rights Clearinghouse has a comprehensive guide posted on their website which discusses not only how to proactively stay on top of your credit (I would also recommend the Identity Theft Resource Center), but also things that you can do to prevent further damage from being done once your information does end up in the wrong hands.

One of the most important things to remember is that just because your data might have been compromised does not mean that you will be a victim of identity theft. Unfortunately, there is little that you can do to prevent this sort of exposure from happening, but it is important to remain diligent in order to minimize how it will affect you.

Posted by smasiello at 1:41 PM | Link | 0 comments
17 August 2007

Identity Theft -- The Commodity of the Underground

With all of the fun and firestorm of PDF spam volumes and Storm worm variants over the past couple of weeks, I hadn't realized that I hadn't posted anything since the CEAS conference!

My friend Carl Herberger sent me an article the other day regarding so-called "revenge packages" being offered by a company whose web site is at confidentialaccess.com (the site has supposedly been changed since the article was written and denies everything stated). I had never seen the site prior to reading the story, but whether or not it is true, the point behind the services that were allegedly offered is the more disturbing piece.

According to the article the site offered services by which for as little as $20 per month you could essentially make the life of someone that you don't like absolutely miserable. The article mentions services such as ruining your target's credit rating, or even having fake text messages sent to their significant other containing false accusations of affairs.

I heard on a radio commercial yesterday that someone's identity is stolen every 3 seconds. What I hadn't really considered until reading this article was that this type of criminal activity had now become a commodity.

Sure, there is an underground economy that buys and sells credit cards and bank accounts for a few dollars each, but that's not what I am referring to. Defrauding someone out of some cash because their credit card number was stolen is one thing. Money can be replaced. What is more disturbing here is the possible destruction of livelihoods and families by a neighbor who doesn't like how loud you play your stereo...or more disturbingly someone you have never met before.

I don't mean to sound naive about this, but I hope that this isn't a sign as to where else society will go. It's telling enough that we are already where we are, but it is truly more disturbing to think about what could be next...

Posted by smasiello at 1:23 PM | Link | 0 comments