The ever-evolving cyber criminal
Cybercrime is perhaps the most pressing issue of the 21st century. Though this may be a bold statement, it is one that the public and private sector must resolve to maintain trust in online services.
This article will go some way to explain where the threat of cybercrime lies, what techniques cyber criminals are using, and how to safeguard against attacks.
The unsuspecting citizen
Lack of awareness of the threat landscape is something that industry experts indicate as being the bread and butter to cyber criminals. It is not just the case that the criminals are after your money and details, as one might expect, but very often citizens are unsuspectingly roped into performing tasks such as money laundering for criminals that pose as legitimate businesses, and so effectively become part of the criminal organisational structure.
With new and highly sophisticated methods of attack, even the most IT savvy among us are vulnerable. Education is the mantra of security professionals as this, along with security technology, is the key to minimising the success of organised cybercriminals.
What are the threats?
Michael Hamelin, chief security architect for Tufin Technologies says that: “The security threats of today are a long way from what we had to deal with ten years ago. Today we find a constant wave of cyber criminals assaulting every system and service we have. The truth is, anywhere there is information to steal, or money to be made illegally, we find a new wave of cybercriminals has cropped up.” According to the most recent research by the Office of Fair Trading, cyber criminals cost 3 million United Kingdom consumers to lose a total of £3.5bn through online fraud each year.
Hamelin goes on to talk of the organisational structure of the new cyber-criminals: “The constant onslaught of cybercriminal gangs popping up around the world is truly one of the most amazing side effects of the Internet. We see gangs organising activity in multiple countries simultaneously with skill and ease never before seen. The fact is you will be attacked sometime soon if you haven’t already. It might be an annoying denial of service attack, it may be a botnet inside your network, or it may be a direct attack on the web services. The corporate victims that have had to disclose their losses have shown staggering numbers in real money lost to these new criminal gangs.
“Today’s cyber criminals are well armed; they have skilled tacticians, trained developers, and are capable of writing unique zero-day attacks.
“When we look back at the attacks on corporate systems like Hartland Payment Systems, TJX Co. and RBS WorldPay, we see that criminals have determination and know how to target our sensitive systems. If we look at the RBS WorldPay heist cashers simultaneously hit more than 2,000 ATMs with the fraudulent cards, netting about $9.5 million USD in less than 12 hours.”
The changing cyber criminal
It would appear that industry experts are in agreement. Cyber-criminals are growing and evolving; becoming increasingly organised in their structure, and very commercial with their wares.
A series of predictions by Imperva, data security specialists, has detailed the imminent threats to security in the coming year. The rise in threat is paralleled by the rise in security, showing that cybercriminals are quick to adapt to their surroundings.
Their ninth prediction, of a series of ten, authored by the company CTO Amichai Shulman, states: “In 2011, the cyber crime landscape will change in two ways. First, more and more smaller cyber-gangs will go out of business. Why? Security researchers will continue to look into the hacker operations and will unearth the smaller or less diligent criminals.
“In general, the hacker industry will react by investing more resources in their attack techniques and detection evasion. The hackers that cannot make this investment will go out of business. Other cyber-criminal organisations will ‘buy-out’ other groups or merge their operations with other groups.
“This will lead to the second change. The current powerful cyber-crime organisations will consolidate their power and grow (after all, antitrust laws don’t apply to them).”
What to look out for?
An example of the types of techniques that are increasing, and also growing in sophistication, are variants of the man-in-the-middle (MITM) attack. The public must become aware of this type of attack, and also educated as to how they can prevent it in order to give the cybercriminals as little chance as possible to prey on the ignorance, or indeed, the trusting nature of users – the former and the latter not being mutually exclusive.
Perhaps the most recent, and also incremental, technique that cyber-criminals are using is man-in-the-mobile (MitM0) attacks. Trusteer reported that the hackers behind the infamous ZeuS Trojan have modified their attacking strategy in order to remotely take over smartphones. The Trojan infects a user’s PC and then proceeds to send a false bank authentication request to the user’s mobile number.
Having obtained this information, the hacker sends a text message to the user asking them to download a ‘digital certificate’ which actually installs an applet that blocks sensitive information, such as bank details, and instead diverts the details to the hacker’s own device. Essentially the hacker takes over the banking session and can then initiate transactions. Any authentication that the bank needs verifying is sent via SMS to the hacker, who then proceeds to send the previously stolen details to complete the transaction.
The reason why this type of attack is more troubling than other techniques is that authentication via Smartphones, two-factor authentication i.e. mother’s maiden name and place of birth, and other remote devices, was initially seen as a solution to Man-in-the-Browser (MitB) and other Man-in-the-Middle (MitM) type attacks. As is usually the case, the baton is passed to the next innovative hacker, leaving security experts to wait for theirs in the form of a vendor released patch or solution.
Organisations must recognise that, amongst their user base, there will always be some people whose machines and devices will have been compromised. Using active technologies like secure browser services, the communication channel with the customer can be secured, whether that channel operates across the regular internet or in the case of mobile phones via the mobile Internet and/or text channels. Only then should this be used for transactions and authentication.
Experts are keen to emphasise that current protection software is effective, but also that hackers can often take advantage of a user’s lack of awareness. It is all well and good having the electronic equivalent of bolts, chains, and deadlocks on your door, but if a burglar can simply put on a convincing disguise, in order that you let him in, the technology in place is rendered useless. Education is the key. Being aware of your bank’s correct verification procedure, for example, is the kind of knowledge that can prevent you from unsuspectingly opening the door for cyber criminals.
Educating the public
Professor John Walker, a member of ISACA, notes that there is very little in the news about what organisations and crime prevention agencies are doing to combat cybercrime. He says, in reply to the question of how large the problem of cyber crime is: “Take whichever number you see and double it and you might be approaching the right number.” Considering the public’s lack of awareness, paired with the rising threats cited above, the seriousness of the situation should be apparent.
Walker believes that a national campaign, akin to the anti-smoking movement, should be implemented to gain the attention of the general public.
From children to the elderly, it is vital that every user of technology understands the dangers that lie in wait as cybercriminals do not discriminate between victims.
The line between the public and private sector, with regards to security has now become somewhat blurred. Users often use personal hardware such as USB sticks and smartphones to carry their organisation’s sensitive data, and also their own. Similarly, employees may also use work-supplied devices for personal activities such as banking and online shopping. So the aforementioned line is in a constant state of flux.
Sean Glynn, vice president of product marketing for Credant, who are endpoint data security specialists, said: “No longer restricted to laptops and mobile phones, a growing trend is for employees to take advantage of the latest must-have gadget, even using personal devices to supplement company owned technology, to maintain contact while out of the office.
Whilst memory sticks are arguably still the weapon of choice, even those whose primary purpose isn’t data storage are being used to conceal sensitive information – from iPods to digital cameras and netbooks – anything with a digital memory capacity.”
What this potentially means for hackers is that they can be doubly rewarded with personal user details and an organisation’s sensitive data.
A spokesperson for Lieberman Software said: “According to many security experts, the most prevalent IT security threat arises from negligent insiders. Malicious hackers prey upon enterprise users with the knowledge that no matter how many times your employee may hear about security policies and risks, eventually that user will click a questionable link on Facebook, respond to a phony e-mail from Her Majesty’s Customs & Excise, or be duped by a targeted spearphishing attack.”
Professor John Walker sees the solution to this problem as being a way of emphasising the ultimate repercussions of ineffectual security on employees’ own lives. When a user considers, for example, the possible side-effects of something as elementary as unsecured browsing in the workplace – compromised personal information being the most salient – they begin to get an idea of the damage that can be wrought on their personal lives.
Examples such as this should be held up as a testament to how an individual’s personal habits can compromise both their own security, and also their organisation’s.
The line between the two is fickle as it is essentially the user that draws it, protracting and contracting it, according to their activity at any given time.
It is plain to see that education must spread its light on all sections of society in order to combat the malevolent shadow that keeps us in the dark.
Organisations that want to learn more about securing themselves from Cybercrime will find it useful to visit Infosecurity Europe which takes place at Earls Court, London, from 19-21 April 2011. For free entry and further information about Infosecurity Europe, visit the website at www.infosec.co.uk. Pre-register today and avoid the £20 booking charge for those who miss the deadline and need to register at the door.