cyber crimes
Trends to watch...
Dr K Rama Subramaniam
Chairman, Valiant Voora Center of Excellence in Digital Forensics, Chennai
Director and CEO, Valiant Technologies, India and UAE
Adjunct Professor, Department of Criminology, University of Madras
First Edition, 2013
Copyright © 2013 Dr. K Rama Subramaniam
Author: Dr. K Rama Subramaniam
Editor: V Pattabhi Ram
Price: Rs.250/-
Published by: Valiant Voora Center of Excellence in Digital Forensics
196, Burmah Colony, Perungudi
Chennai 600 096
Phone +91 44 2496 7730
Fax +91 44 2496 7740
coedf@valiant-technologies.com
Layout & Design: Malaiselvan N, Prime Academy
Font: Garamond and Swis721 Cn BT
Printed at: Shri Akshaya Graphics, Chennai 600 026
Ph: (044) 2484 3118
Disclaimer: While every effort is taken to avoid errors or omission in this
publication, any mistake or omission that may have crept in, is not intentional.
It may be taken note of that neither the publisher, nor the authors, will be
responsible for any damage or loss of any kind arising to any one in any
manner on account of such errors or omissions.
the author
Dr. K Rama Subramaniam
MBA(UK), Ph.D, FCA, FISC, CISA, CISM, CISSP, CFIP, CEH, CHFI, Security+
Chairman, Valiant Voora Center of Excellence in Digital Forensics, Chennai
Chairman, Center of Excellence in Digital Forensics, Chennai
Director & CEO, Valiant Technologies - India and UAE.
Executive Director, Baker Tilly MKM, Abu Dhabi
Adjunct Professor – Dept. of Criminology, University of Madras.
Global Chair, International Institute of Certified Forensic Investigation
Professionals (IICFIP), USA
IBM GIO Alumni.
India’s country representative at International Federation of Information
Processing (IFIP); serving on their Technical Committee TC-11 dealing
with information security& privacy.
Awarded the ISC-Prof S S Srivatsava Prize for Excellence in Social Science
Research and Teaching.
Information security and GRC consultant, audit and assurance
professional, trainer and educator for over two decades. Certified and
experienced professional in the areas of creating and implementing full
cycle business continuity and disaster recovery plans; secure information
security architecture; risk management systems and processes; internal
controls systems and processes; anti-money laundering processes and
frameworks; security audits and certification of network infrastructure,
GRC systems, ERP application controls review, multifactor authentication
(including PKI and X.509 compliant certification infrastructure); and
assurance processes for SOX, COSO, COBIT, ITIL, PCI-DSS, ISM3,
ISSAF, ISO-27001, ISO-22301, BS-25999, ISO-31000 and ISO-15408
compliant information security management systems.
Trained experts in BCP and DRP domains, risk management and
information security domains across Gulf nations, India, Far East and
Africa and is a consultant to a number of organizations in the commercial,
government, armed forces, judiciary and law enforcement segments in
these countries.
Currently providing consulting support to a number of organizations in
the BFSI, Manufacturing and Telecom sector in the GCC countries, Africa
and South Asia in the areas of Business Continuity and Disaster Recovery
Management Systems, Enterprise Risk management, Information security,
Anti Money Laundering, DLP, Audit and Assurance and compliance with
norms of various central banks and global ‘best-practices’ framework,
Digital Forensics and fraud investigation.
Served earlier as Global Chair of the Education and Awareness Principles
Expert Group of Globally Accepted Information Security Principles
(GAISP), based in the United States and is former Global Chair of the
Accreditation Process committee of Open Information Systems Security
Group (OISSG), based in the UK where he established their certification
and accreditation processes. Charter President of the first chapter of
ISSA (Information Systems Security Association) in Asia and also Charter
President of ISC2’s first Chapter in India. Served on the boards of Dubai,
Chennai and Bangalore chapters of ISACA.
Former Managing Director of Thewo Corporate Services based in Lusaka,
Zambia; Group Operations Director of Benetone Group of Companies
based in Bangkok, Thailand and Commercial Director of Dynaspede
Integrated Systems Ltd, based in Mumbai.
INSIDE
First word ... 07
0 Net gain from the Net ... 09
1 Sandy and the Hacker ... 13
2 PATCO Ruling – Wake up call for banks? ... 19
3 Will the Real Hacker please stand up? ... 23
4 Juvenile Hackers ... 27
5 ZERO IQ… ... 31
6 Operation High Roller ... 37
7 CITADEL: The collaboration suite of cyber criminals ... 43
8 They promised. They delivered! ... 49
9 The case of Insider Fraud ... 55
10 Clipping the butterfly’s wings ... 61
11 The new threat vector ... 67
12 … and They are Back Again…Wave 3 ... 71
13 PATCO Ruling reversed?? ... 77
14 Digital Forensics – an IT Governance Attribute ... 81
15 ICT – Tomorrow is here ... 89
first word
Cyber Crime was a novelty among criminologists about
a decade ago. Today, it is commonplace. The speed of its
evolution and the rise in its degree of sophistication has left
many wondering about the perspectives of this form of crime.
The initial hackers were keener on the kick of playing around
with technology. True, in a sense, they too were criminals;
but they had no motives of defrauding people. Soon they
gave way to organized criminals who saw in this the ultimate
dream of the cheat: least risk with highest rewards plus the
joy of committing the crime in a comfortable and congenial
environment.
The risk of getting caught is low due to a number of factors
including the not-so-mature digital forensic processes. There
is also this issue of privacy and the lack of trans-border
cooperation. Secondly, the risk of being punished is still
lower due to the significant differences between speed of
development in crime sophistication and the legal processes
attempting to play catch up. To further minimize the overall
risk of crime consequences, the attackers have chosen to
work on the most liquid of assets – money in electronic form.
The spate of successful attacks on banks and financial
institutions in the recent past bear testimony to this shrewd
crime risk assessment being carried out by cyber criminals
attacking the BFSI sector.
During the past few months, I have been writing a regular
column commenting on Cyber Crimes and the emerging
trends both in Industrial Economist and K-Mart. I have
presented those articles in this monograph. The Industrial
Economist is a 45-year-old Chennai (India) based business
magazine. I am indeed grateful to Mr. S Viswanathan, Editor
and Publisher of the magazine for permission to publish
these articles. The K-Mart is an Internet only magazine
from Prime Academy, the pioneering institution, which is
in the Knowledge dissemination space. I am grateful to the
Academy for allowing me to publish the articles. I have also
presented in this monograph, with substantial modifications,
a paper of mine published earlier by ISACA, UAE Chapter.
I thank my long-standing friend V Pattabhi Ram, a chartered
accountant, for bringing in his editorial skills in giving this
monograph its final shape.
This monograph would have served a useful purpose if
it draws the attention of various stake holders in the cyber
crime management cycle, to the need for each of us to play
our roles in thwarting the efforts of cyber criminals who take
away what genuinely is ours – our money, our privacy, our
intellectual property and our freedom on the Net.
K Rama Subramaniam
rama@valiant-technologies.com
0
Net gain from the Net
When the history of modern world is written, the
world-wide-web will receive a primordial position. For, the
Internet has changed our lives the way nothing else has; not
even the invention of “fire” that altered forever the lives of
our forefathers.
Who would have thought that knowledge would be available
at the click of a mouse? That, sitting in one part of the world,
it would be possible to access, draw, use and return literature
available in another part of the world? That, you could sit in
the comfort of your study room at home and listen to top
global professors deliver talks to you at real time and that you
could have two way interactivity with him and with fellow
students, again in real time.
We today have an entire generation that has not walked into
a bank to draw money from a teller; a generation that has not
placed an order with a stock broker; that has not stood in a
queue at a railway station or a theater to buy a ticket. You
can do transactions while on the move. Importantly, the new
generation is making friends on the Internet; it’s no more
love at first sight, its love first on the site. It’s a wired world.
OMG how did we live without the Internet in the pre-
Internet days?
But like with all things good and beautiful, there is a darker
underbelly to the Internet. The massive developments in
technology now mean that you can lose everything in a jiffy,
and without trace. That wasn’t how it was earlier. Then,
if your accounting data had to be lost, someone had to
physically carry away the ledger from your office. Or take
copious photocopies. Today, he simply has to transfer it on
a drive that’s the size of your thumb and no one would be
wiser. Yes, valuable data can be stolen with impunity. The new
generation criminal is a white collared tech savvy man-next-
door. It’s brain power, not muscle power, which wins here.
The worst part is that things are getting far more dangerous.
Look at some of the remarkable things that have happened.
Even as the weather Gods were busy drowning their fury
on hapless America hackers were busy trying to break into
USA’s pristine banking system. Read about it in Sandy and the
Hacker. The irony is that no one was sure what they were
upto; namely stealing information or just getting the kick out
of a denial or a distributed denial of service attack!
Are the bankers careful in ensuring that the customers’ data
and money is not lost? Do they take adequate care? Do
these meet the test of commercial reasonableness? These
are questions that have baulked the customer. In PATCO
Ruling – Wake up call for Banks we search for some answers.
Even as the ink on the PATCO ruling
hadn’t dried, a fresh ruling came that
seemed to suggest that the PATCO
ruling might not be final. We capture
that in PATCO Ruling reversed?? No
one seems to be bothered about the
dictum that the Apex Court’s verdict
is final not because it is right; but it is
right because it is final!
Hacking is criminal. Yet hackers enjoy
a holy halo of being Mr. Brains. There
is no naming and shaming when it
comes to them. Will the Real Hacker
please stand up tells you just that. Worse
still, hacking has now become kid’s
stuff. In Juvenile Hacker read on to how
“illiterate children”, yes illiterate children, in Ethiopia of all
places, hacked the Android! And you thought technology
was rocket science.
Is it possible to track those who steal cards on the Net? The
answer is “Yes.” The FBI cracked it with gusto in the Zero
IQ case. Criminals go where the money is; bank robbers go
online! In a new brand of innovation, money mules are used
to do money laundering and it may happen in your account
without you even knowing about it. In the end, you may end
up in prison for no fault of yours. Operation High Roller has
insights into this. You have to be careful about messages that
you receive on the Net. This can trap both the amateur and the
seasoned security professional. “Citadel” is a case in point. The
rogues are becoming increasingly daring. Like in the movies,
they promise that they will break into banks and do a DDOS
at a specified date at a specified time on the Internet; and they
deliver on that promise! That’s what we speak in They promised.
And they delivered. If they can strike with a fore-warning I am
sure they can do anything.
DO YOU KNOW?
For the year 1938, Time had chosen Adolf Hitler as the man
who “for better or worse” (as Time founder Henry Luce
expressed it) had most influenced events of the preceding
year. If there is an award for the most important development
of the last 100 years that would “for better, not for worse”
go to the Internet.
The thief is within. The case of the Insider fraud is a telling story
of how a combination of good deterrence and technology
that responds to human behavioral tendencies can save
our banks millions and increase the sagging confidence in
technology systems. Nothing, nothing, is safe; not even supply
chain. Read about it in “The new threat vector” to get a ringside
view of how cyber infractions have gone beyond computers,
Internet, internal networks and wireless applications.
Botherds collectively control a mind-boggling 11 million
compromised computer systems leading to a staggering loss
of over $850 million through stolen credit card and bank
account credential and compromised Personally Identifiable
Information. On 12th December ’12, the FBI had cracked
this case thus effectively “Clipping the butterfly’s wings”.
On March 12, customers of six major US banks couldn’t
bank on the Net. This was the largest number of institutions
to be targeted on a single day. For a fuller focus move to …
and They are Back Again. How the future would look like is
what you get to know in the compulsive read “ICT-Tomorrow
is here.” In the end the best way to catch the criminal is to go
strong on Digital Forensics. That’s where the future lies.
The Internet is a lovely medium. We cannot imagine life
without it; for, we are addicted. But there are pitfalls. Yet,
we cannot throw the baby along with the bath water. It’s time
to build great security that would trap the best of criminals.
Are we headed towards it?
1
Sandy and the Hacker…
Sandy took many by storm towards the end of October 2012.
Ha, we are referring to Sandy storm (a k a Hurricane Sandy)
that swept USA in end October.
LIKE everyone else, the BFSI segment told the world
that it had adequate disaster management mechanism to
minimize the impact of Hurricane Sandy. Almost every
bank revisited the well-articulated publication of the Federal
Financial Institutions Examination Council, Lessons learned
from Hurricane Katrina: Preparing your institution for a catastrophic
event. Just as the bankers were getting prepared to meet any
eventuality that Hurricane Sandy may throw out, so were the
Hackers. The purpose of their preparedness was, of course,
different. The attackers saw a great opportunity to intrude
when the bank was busy fighting the possible consequences
of Sandy.
Sandy leaves its trail of damage
The New York Stock Exchange that generally doesn’t close
and definitely not due to inclement conditions, closed for
two days.
On October 31, when Sandy had weakened, the financial
institutions took stock. Secretary of US Homeland Security,
Janet Napolitano, told Washington Post, “Right now financial
institutions are actively under attack.” That very day also saw
the Citigroup experience an online and mobile outage that
lasted around an hour.
In this background, the following questions deserve a
closer look.
•	 Was there a fraud dimension to this outage?
•	 Was this outage planned and executed by hackers knowing
well that Citigroup would be too busy recovering from
the aftermath of Sandy?
•	 Was this yet another of the distributed denial of service
(DDOS) attack continuing the earlier pattern that affected
over ten banks?
There are multiple views on what brought down the
Citigroup’s online and mobile services. One view is that it
was a DDOS and a front for attempted fraud. These DDOS
patterns point to a pattern of attack when the organization is
otherwise busy getting their services back to normalcy. In the
context of her stating that financial institutions are actively
under attack, Janet Napolitano was
asked if the attackers were stealing
information or money from the banks.
She said “Yes” but quickly added that
“I really don’t want to go into that per
se. All I want to say is that there are
active matters going on with financial
institutions.” So, one line of thought
is that this DDOS could have, as the
driving force, a fraud perpetrated on
the assets of the bank.
If the attackers had wanted the DDOS
attack to divert the attention resulting
in less guarded logical perimeter to the
bank’s information assets, then they
timed it pretty well. The Bank was
already busy coming out of the effects
of Hurricane Sandy and the attackers
brought down the services forcing the bank to thinly spread
its response capability. If this DDOS attack is a continuation
of the ten earlier attacks on the Banks in the past couple
of months, then clearly the intention cannot be fraud. For,
the Izz ad-din al-Qassam that claimed responsibility for
the earlier attacks wanted to use it as an attention-grabbing
tactic and there were no fraudulent intentions. In a Pastebin
post, the group said, “Due to approaching Eid and to
commemorate this breezy and blessing day, we will stop our
attack operations during the coming days”. If this were true,
the attack is not part of the series of DDOS by this group.
So, does this DDOS point to potential fraudulent intentions
rather than being merely hactivism?
DO YOU KNOW?
Hurricane Sandy was
the deadliest tropical
cyclone of the 2012
hurricane season. It
caused an estimated
damage of $75
billion, and to that
extent is the second-
costliest hurricane in
U S history, behind
Hurricane Katrina.
At least 285 people
were killed in seven
countries. Because
of the widespread
damage the storm
caused, the media
nicknamed it as
“Super-storm
Sandy”.
Mike Smith, a Security Evangelist with Akamai, says that the
degree of automation found on DDOS attacks suggests fraud
as the motive. Referring to the process where the attackers
are looking for targets that have footprints on employees’
desktops, Smith argues that finding such footprints increases
the amount of information that can be scanned from the
target’s network. This can lead one to the proposition that
Citigroup outage on 31 October probably had fraud as the
motive and is not a continuation of the earlier DDOS attacks.
A counter to this proposition comes from another set of
researchers who believe that Hurricane Sandy was responsible
for the outage and it is not a DDOS. Their argument: the
outage is the result of the impact of Hurricane Sandy on
the infrastructure that supported the servers at the Bank.
Leading this thought is John Walker, a member of European
Network and Information Security Agency (ENISA)
security experts’ team. Interdependencies between networks,
especially cellular networks and service providers means that
when one of them is affected, the others too are and this
complicates outages during natural disasters, argues Walker.
These dependencies will at best bring down mobile banking
as it happened to Citigroup but it cannot account for the
outage of on-line systems. To that extent, Walker has some
explanations to do if his theory is to be validated.
Presenting another dimension to this debate is the data
available from the research work at the Nottingham Trent
University’s Computing and Informatics Department.
Analysis of Internet traffic patterns point to the fact that as
Hurricane Sandy was attacking the physical infrastructure of
the Banks on the east coast, vectors of cyber attack increased
in the Midwest and along the East Coast. On this statistic,
Walker agrees that internet traffic
data for October 31 suggests that
attackers went on to hit institutions
that were struggling to recover from
the Hurricane.
There is a third view; that it is incorrect
to pinpoint to any one factor as
causing an outage of Citigroup mobile
and on-line services. A strong votary
of this approach is Matt Wilson of
VeriSign. Wilson believes that “there
are literally thousands of possible
reasons for an outage. Anyone
suggesting that it’s DDOS or tied to any particular external
event is literally guessing unless Citi verifies it.” Andrew
Brent, Citi spokesman declined to comment.
The cause of this outage will remain a mystery with multiple
evidences pointing to different reasons and it can only be
understood when Citi clarifies the cause. The common user
of banking services, ones like you and I, are more worried
now; if the traffic patterns during the disastrous Hurricane
are to be believed, are the banks capable of managing the
combined onslaught of future versions of Sandy and the
Hacker.
DO YOU KNOW?
The technology
behind the Internet
began back in the
1960’s at MIT. The
first message ever
to be transmitted
was LOG. Why? The
user had attempted
to type LOGIN, but
the network crashed
after the enormous
load of data of the
letter G.
Do we have to say it?
Yes, the world is now
in our hands; thanks
to the Internet.
2
PATCO Ruling –
Wake up call for banks?
“It is a wakeup call for the Banks”, said Mark Patterson,
co-owner of PATCO Construction Inc., while reacting to the
judgment of the United States Court of Appeals for the First
Circuit in Boston.
PATCO was obviously happy at the reversal of the order of
the District Court’s judgment in a case where PATCO sued
their bankers for negligence resulting in ACH and wire fraud
related loss of over half a million dollars; $ 588,851 to be
precise. The bankers, People’s United, formerly Ocean Bank,
contended that they had met the security requirements and
that PATCO had agreed to this set of security implementation
while signing the electronic banking agreement.
In response to PATCO’s specific charge that the Bank did
not fully comply with the FFIEC requirements for security of
electronic banking systems, the Bank argued that it had
implemented serious security and authentication features like:
User ID and Password; Device Identification; Risk Profiling;
Challenge Question; Dollar Amount Rule; and e-Fraud Network.
The lower court accepted this position while dismissing
PATCO’s claims against the Bank. The judgment raised a few
other questions of law but agreed with what the Bank had
done in terms of security as being ‘commercially reasonable.’
The Appeals Court overruled the lower court’s judgment and
maintained that the security was ‘commercially unreasonable.’
The fact that this ruling came from a Federal Court is “a big
thing” says Avivah Litan at Gartner. The ruling points to the
failure of the Bank evidenced in its not implementing the
key security measures that are used regularly by the banking
community. Namely, Out-of-Band Authentication; User
Selected Picture function; Tokens; and Monitoring.
This is the second case in the recent past when the judiciary
has found fault with the Banks for not doing enough to
prevent frauds happening via their Net banking system. In
the earlier case involving Commercial Bank, the customer
Experi Metals Inc. sued the bank for negligence resulting in
wire / ACH fraud and the court ordered financial restitution.
In PATCO’s case, the Appeals Court applied the test of
‘commercial reasonableness’ as defined in Article 4A of
Uniform Commercial Code and ruled against the bank.
A close study of this case brings home two important lessons.
First, banks must understand the conceptualization of the
security measures. Secondly, they must build a process to
correctly and completely interpret reports and alerts from the
security systems. People’s United had implemented a system
that will force the User to go through
an additional authentication process
when the transaction value exceeds a
base value. This had been earlier set to
$ 100,000 but was reduced to $ 1. This
literally killed its risk scoring system,
which considered multiple variables
including additional authentication
process triggered by values exceeding a
cut off amount. As the Appeals Court
observed, “When Ocean Bank lowered
the dollar amount rule from $ 100,000 to $ 1, it deprived
the complex Jack Henry Risk Scoring system of its core
functionality.” The lowering of this threshold dollar value
resulted in the challenge questions and responses being
entered more frequently thus increasing the probability of
key loggers capturing it and abusing it.
I have seen this happen elsewhere too – implementing
security with scant regard to its underlying conceptualization.
Recently, I was speaking to a security professional who
said she had a very comprehensive password policy in her
organization; also a Bank. I was interested and wanted to
know details and she rattled off eleven different rules that
constituted the password policy. She said that the password
had to be changed every thirty days and I asked if she would
encourage shorter life for a given password. Her response
was typical. She said no one would like to do that since that
would be inconvenient. Persistent as I was, I asked what she
would do if one were to change it every Monday. She would
be happy, she said and I asked if she would be happier if
it happened daily. She agreed she would be happier at the
stronger security. I pointed to the password history policy of
ten past passwords, which was interpreted to mean that the
same password would not repeat for 300 days – 30 days and
ten unique passwords. But if she permitted change every one
day, the password will repeat every 10 days; at least in theory
this is possible. And that would defeat the very purpose that
it sought to serve!
DO YOU KNOW?
The lowering of this threshold dollar value resulted in the
challenge questions and responses being entered more
frequently thus increasing the probability of key loggers
capturing it and abusing it.
Ocean Bank’s reduction of the threshold amount for further
authentication to $ 1 was similar to the password change
policy – a clear case of not getting to the grips of the
conceptual foundation of the security process. Another view
is that any “one-size-fits-all” approach, as it happened in the
Ocean Bank case, will not work in security implementations
and each security implementation has to be tailor-made.
Next, we have the question of interpreting the reports
provided by security systems. In the PATCO case, Ocean
Bank did not react to the high-risk scores that were generated
by the Risk Scoring system in respect of each of the
fraudulent transactions. The red flags appear to have made
no impact at all. Mark it, the court noted, the risk score for normal
transactions of PATCO had never crossed 214 on a scale of
1-1000. In respect of each of the fraudulent transaction, the
risk scoring system had thrown up a risk score around 750.
This is surely abnormal compared to the highest score of 214
in the normal course; but these red flags were just ignored.
As Joe Burton, a former Assistant US Attorney said: “It’s not
enough just to have a generally accepted security procedure
in place if that procedure is not implemented in a way that
makes sense. That’s the conduct aspect that has to do with
the actual security and not just the check-box.”
These two factors appear to have weighed heavily in favour
of PATCO in the Court of Appeal.
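The two PATCO lessons above, a step-up rule tied to a dollar threshold and a risk-scoring system whose red flags have to be acted on, can be modelled in a few lines. The following is an added illustration, not code from the monograph, the court record or the Jack Henry product: the transactions, the `factor` tuning knob and all function names are constructed assumptions, but the 214 baseline, the roughly 750 fraud scores and the $100,000 to $1 change are the figures the chapter cites.

```python
"""Added example (not from the monograph): a toy model of the two PATCO
lessons -- a dollar-amount rule that triggers step-up authentication, and a
risk-scoring system whose alerts must actually be acted upon.

Everything here is constructed for illustration: the transaction data, the
function names and the `factor` parameter are assumptions, not the Jack
Henry product or Ocean Bank's real configuration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Transaction:
    customer: str
    amount: float            # USD
    risk_score: int          # 1-1000 scale, as the chapter describes
    fraudulent: bool = False # ground truth, for illustration only


# Constructed history for one commercial customer: no normal transaction
# ever scored above 214 (the figure cited in the ruling).
HISTORY = [
    Transaction("patco", 4200.0, 120),
    Transaction("patco", 9800.0, 214),
    Transaction("patco", 7150.0, 95),
    Transaction("patco", 12300.0, 180),
]

# Constructed new batch: one normal transaction and two fraudulent ones
# scored around 750, mirroring the numbers the court recorded.
NEW_TRANSACTIONS = [
    Transaction("patco", 8000.0, 160),
    Transaction("patco", 56594.0, 752, fraudulent=True),
    Transaction("patco", 9300.0, 748, fraudulent=True),
]

DOLLAR_RULE_ORIGINAL = 100_000   # step-up only for large transfers
DOLLAR_RULE_LOWERED = 1          # the $1 setting the court criticised


def challenged(transactions, dollar_amount_rule):
    """Transactions that the dollar-amount rule forces through the
    challenge-question step-up. With the rule at $1 every transaction is
    challenged, so the answers are typed in every session and a keylogger
    on the customer's PC captures them routinely."""
    return [t for t in transactions if t.amount > dollar_amount_rule]


def challenge_exposure(transactions, dollar_amount_rule):
    """Fraction of transactions on which challenge answers get typed."""
    if not transactions:
        return 0.0
    return len(challenged(transactions, dollar_amount_rule)) / len(transactions)


def baseline_max(history):
    """Highest risk score seen in the customer's normal history."""
    return max(t.risk_score for t in history)


def flag_high_risk(transactions, baseline, factor=2.0):
    """Score-based red flags: anything well above the customer's own
    baseline goes to a review queue instead of being auto-released.
    `factor` is an assumed tuning knob, not a figure from the case."""
    threshold = baseline * factor
    return [t for t in transactions if t.risk_score > threshold]


def review_queue(history, transactions):
    """Combine the two controls the way the ruling expects: compute the
    customer baseline, flag the outliers, and hand them to a human."""
    return flag_high_risk(transactions, baseline_max(history))


if __name__ == "__main__":
    for rule in (DOLLAR_RULE_ORIGINAL, DOLLAR_RULE_LOWERED):
        print(f"dollar rule ${rule:,}: challenge exposure "
              f"{challenge_exposure(NEW_TRANSACTIONS, rule):.0%}")
    for t in review_queue(HISTORY, NEW_TRANSACTIONS):
        print(f"REVIEW {t.customer} ${t.amount:,.2f} score={t.risk_score}")
```

Run as-is, the $100,000 rule challenges none of the constructed batch while the $1 rule challenges all of it, and the two 750-range transactions land in the review queue; the point is that a score of 750 against a lifetime high of 214 is only useful if something, or someone, consumes it.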
3
Will the Real Hacker
please stand up?
TWO events that happened in December 2012 startled
me. First was the release of Version 2.0 of the courseware
for “Hackers High School” by ISECOM. The second was
Nicholas Negroponte telling the MIT Technology Review
Conference about how “illiterate children” in Ethiopia
hacked the Android! Both took some time to assimilate since
they exposed a totally new dimension to hacking. We will
look first at the attempts to sensitize normal computer users
to the nuances of hacking.
Many people who have been called hackers, especially
by the media, or who have gotten in trouble for
“hacking” were not, in fact, hackers.
All through, we have decried hacking as a crime, an evil
attitude, something to be dealt with sternly, etc. I have always
spoken about the serious financial damages done to banks
by people who hacked into BFSI information systems. Then,
why are “Hackers High Schools” being run? Will it generate
a new generation of hackers or train a new breed of people
with hacking skills? The introduction to “Hackers High
School” program has this to say, for a start: Many people
who have been called hackers, especially by the media, or
who have gotten in trouble for “hacking” were not, in fact,
hackers. So, we are now a bit confused and would like to
know who are the hackers the society is targeting?
The term “hacker” has been understood differently based
on the profile of the person who “hacks.” Applied in the
computer security context, it retains its notorious connotation
of a person who circumvents or damages the controls to gain
access to computer resources. In the programming world, a
hacker resorts to a non-authoritarian approach to software
development, and they are the ones who create and spearhead
the free software movement. Interestingly, some even have
“Hacker” as a surname. We have Col. Francis Hacker who
fought in the English Civil War in the seventeenth century;
we have Katrina Hacker, the American figure skater and
George Hacker, head of Alcohol Policies Project!
The “Hackers High School” project is based on the belief
that hacking is research. It is a kind of challenge-response
situation where the “hacker” is challenged by network security
implementations and wants to know if the system is really
secured. This has some similarities to destructive testing of
metals to determine how much stress the metal can stand
before breaking down. But the comparison stops there. In
destructive metal testing, only a small
sample is tested while the “hacker” has
before him a live production system
processing real time data. While the
hacking process is sought to be given
its due status of legitimacy from a
research, the intent is to distinguish
between the research-driven hacker
and the crime-driven hacker. Hacking
with a criminal intent is surely crime,
but how do we go about establishing
or demonstrating this? We fall back on
the extensive judicial thought and pronouncements relating
to mens rea and actus reus, the two very important elements in the
criminal justice dispensation.
Drawn from a complex Latin maxim of common law, mens rea
propounds the principle that the act does not make a person
guilty unless the mind is also guilty. “Hackers High School” is
based on this belief when they teach the young participants
the principles of computer architecture, networking and the
process of analyzing attacks on systems. Will someone stop
with only researching or will they abuse this? That’s hard to
answer. But the “Hackers High School” has a point. If you
educate the young on the process and perils of attacks on
information systems, they tend to keep their systems secure
or even end up evangelizing secure computing.
The formal and structured exposure to information systems
architecture and vulnerabilities is likely to ensure that the
participants do not seek this knowledge from those who
entice them into becoming malicious intruders. In addition
to the guilty mindedness, we have another essential condition
to be satisfied for criminal liability, viz. actus reus, which refers
to the criminal act being actually committed. The project to
make the next generation understand the perils of hacking
and to orient them towards being better and well informed
netizens, steers clear of any possible damage, by taking the
participants through a process of discovery, research and
understanding the limits.
DO YOU KNOW?
“I’m still a hacker. I get paid for it now. I never received any
monetary gain from the hacking I did before. The main
difference in what I do now compared to what I did then is
that I now do it with authorization.”
– Kevin Mitnick
I get a number of graduate students who want to do an
internship with us. The first question I ask them relates to their interest
in security, their objective of doing the internship with a
security consulting organization, and their expected takeaway
at the end. I have more than 85 percent of them telling me
frankly that they want to learn hacking! In the same breath,
they will also tell me that they want to learn hacking so that
they can defend the information assets from being abused.
Interestingly, none of these young security aspirants ever
told me that they want to understand the network protocols
or the IP packet architecture or the realms of cryptography
to keep their systems secure.
I was recently talking to a group of senior uniformed officers
and sprang a surprise by asking all those who have either
hacked a system or have at least attempted to hack a system
to raise their hands. Understandably, none did. But after
some persuasive talk, I got about a dozen of them admitting
that they have tried but did not go far. Neither these graduate
students nor the officers had malicious intentions, but the
attraction to look through a secure network drives many and
this attraction will continue unabated.
In such a societal context, it will make sense to determine
who is a hacker and who is hack-curious.
4
Juvenile Hackers
We have heard of Android attacked and hacked a
number of times in the recent past. Hacking into the
Android is in itself not newsworthy.
BUT what made me sit up, review and write this column
is the profile of the person who successfully hacked into
Android. No, it is not the typical geek with his snazzy
technology tricks nor is it a serious researcher looking to do a
vulnerability assessment of Android in order to strengthen it.
It is the most unexpected profile of a hacker – five to seven
year olds who had no formal instruction in computing! Yes;
it all happened as an unexpected fallout of the OLPC (One
Laptop per Child) project in Ethiopia.
Here is what OLPC founder Nicholas Negroponte told MIT
Technology Review’s EmTech Conference: “We left the
boxes in the village. Closed. Taped shut. No instruction. No
human being. I thought the kids would play with the boxes!
Within four minutes, one kid not only opened the box but
found the on/off switch. He’d never seen an on/off switch
before in his life. He powered it up. Within five days, they
were using 47 apps per child per day. Within two weeks,
they were singing ABC songs [in English] in the village.
And within five months, they had hacked Android. Some
idiot in our organization or in the Media Lab had disabled
the camera! And they figured out it had a camera, and they
hacked Android.”
The findings of the OLPC Project in Ethiopia are indeed
an eye-opener. OLPC, started with a view to delivering
technology as a means of improving traditional curricula,
has been trying to help the kids ‘learn’ rather than ‘read.’
OLPC has realized in their five plus years of work that it is
important for the children to learn by teaching themselves.
The children really taught themselves and one of the things
they taught themselves resulted in hacking the Android!
Surely there is no mens rea in this hacking effort by the kid
in Ethiopia; so we are not taking that kid Android hacker
to court but this sets me thinking of the power of curiosity.
This child is unlikely to emerge as a malicious hacker since
it has seen the ‘good’ thrill in hacking. It is more likely to
channel its energies in the positive aspects of this process
rather than try and damage computer systems; or so I would
like to believe. Contemporary studies on the anthropology
of hacking may take a different position and people like
Gabriella Coleman may take a different view. If we went
by the popularity of DefCon Kids, in its third year now, it
would appear that a large number of those concerned with
juvenile hacking strongly believe that it is better to teach
them hacking as it happens and also let them understand the
perils of indulging in it and the ways to defend against it.
But have all those who learnt hacking as youngsters really
used that knowledge for defending their systems against
hackers or have they ‘abused’ that knowledge?
This takes me back to understanding the myriad of
perceptions on hacking. In the last chapter, I had talked of
the Hackers High School and wondered whether it would
provide the desired results or would be a fertile ground for
creating a new generation of hackers who have also been
taught the traditional approaches to counter the hackers’
exploits. This fear about the fallout of ‘catch-them-young
and train-them-correct’ is credible if we were to look at an
FBI indictment dated the 26th of June 2012. It names twelve
arrested defendants arraigned before the court at the end of
a two year undercover operation that is said to have protected
over 400,000 potential cybercrime victims and prevented over
$205 million in losses. Interestingly, of the 12 arrested, five
are in their teens and the rest are just barely above 20. Add
to this various high profile minor hackers like ‘Cosmo the
God’ who was handed a rather unusual sentence last
November. A juvenile court in Long Beach, CA sentenced
him to what Sam Biddle, writing in Gizmodo, calls the
‘hacker’s death sentence.’
Cosmo the God, a juvenile who will take six long years to
reach his age of 21 for release, has been sentenced “…not to
use the internet without prior consent from his parole officer.
Nor will he be allowed to use the Internet in an unsupervised
manner, or for any purposes other than education-related
ones. He is required to hand over all of his account logins
and passwords. He must disclose in writing any devices
that he has access to that have the capability to connect to
a network. He is prohibited from having contact with any
members or associates of UG Nazi or Anonymous, along
with a specified list of other individuals. He forfeits all the
computers and other items seized in the raid on his home.”
Hannah Sweet tweeted in protest: You cannot arrest an idea.
Jay Leiderman, a LA attorney who represented alleged
members of ‘Anonymous’ opined that they could have locked
him up for three years straight and then released him on
juvenile parole; but to keep someone away from the Internet
for six years seems unduly harsh.
Now this brings us to the voices being heard around the
globe for a revisit of Sentencing Guidelines, particularly
when it concerns cyber criminals. Today, there is no clarity on
the considerations that will guide punishing cyber criminals.
Three years ago, I pleaded at the International Criminology
Congress in Stockholm for the judiciary to recognize that the
cyber criminal is not to be locked up as a traditional criminal
as his competencies and skills can be used while still being
sentenced. Moreover, he can be made to be a useful member
of the society after release. Leiderman argues, “At some point
after getting on the right path, he could do some really good
things.”
Sentencing juvenile cyber criminals by asking them not to
connect to the Internet is viewed by some as the equivalent
of taking away Mozart’s piano.
5
ZERO IQ…
On 20 June 2012, a magistrate in the Southern District
of New York issued a warrant of arrest against
a person whose nickname, amongst others, was
ZeroIQ.
US MAGISTRATES issuing warrants of arrest is nothing
new, but this warrant was for a cyber crime against a named
individual; something not often done in view of the many
difficulties encountered in identifying the accused.
Jarand Moen Romtveit, a Norwegian now in the FBI net, also
known as ‘Zero’ or ‘ZeroIQ’ in the underground carding
forums, ran a successful underground shop selling stolen
credit cards. He can be regarded as a small player in the
underground economy that has both one-man enterprises
like Jarand’s as well as multi-person unincorporated enterprises,
whose owners are hard to identify.
FBI carried out a well-orchestrated sting operation that
trapped Jarand. This case raises the question: “on the
Internet, how anonymous can anonymous be?” Somewhere
down the line, the FBI succeeded in piercing the veil of
anonymity afforded by the Net. That process is interesting
as it reinforces the overarching human failings that neutralise
the anonymity offered by technology.
The trap and the crime
FBI set up an undercover carding forum enticing all players
in the stolen credit card business to use it as an electronic
clearing house to offer, discuss and put through deals in
stolen credit cards and bank account information. It is not
known how many the FBI could successfully entice to use their
underground forum, but they surely succeeded in getting
Jarand hooked to it. Not only did Jarand advertise his stolen
credit card information for sale but he also got dangerously
close to the administrator of the forum, who was a special
agent of the FBI. One wonders how stupid one can get.
Jarand would ‘brute force’ his way through password
protected databases of credit cards. He brute-forced
through hotel and restaurant databases that had customer
credit card details and in a couple of instances, he also
successfully bypassed the security perimeter of banks to go
beyond credit card numbers – he got through to account
holder information. He also managed to penetrate through
web site security and collected information stored on web
back-ends. Being a one man show, he had limited time and
resources at his disposal and traded in batches of 30 to 40
credit cards.
The underground carding forum run
by FBI collected the IP addresses
from which each of the participants
logged in and communicated with the
forum. As part of the pre-condition
for registration at the forum, a valid
e-mail ID was required to which was
sent the validation code. Jarand used
a valid mail ID and that contained
some pointers to his identity. This
was his second give-in; the first
being his misjudging the carding
forum administrator’s true identity.
FBI continued to keep an active
conversation going with Jarand and
moved to a point where the accused started sharing his attack
screen shots with the carding forum administrator, namely
the undercover FBI agent. He threw caution to the winds and
at once shared his Facebook page with the FBI agent who
continued to pose as the organiser of the underground
carding forum.
The noose tightens
The FBI started to tighten the noose around Jarand’s neck
by offering him an Apple laptop in return for his giving
valid stolen credit card ‘dumps;’ i.e., the complete information
available on the magnetic strip on the reverse of the credit
cards. Jarand walked into the trap by giving them the relevant
details. The FBI had their authenticity verified with the card
issuing company and more than 80 per cent of the ‘dumps’
data sent in by Jarand were found to be “valid, current and
with credit available for use.”
Brute force attack
It is a listing of commonly used passwords. The programme
tries these and also runs through combinations of letters
and numbers until it gets a match. These attacks can take
several hours, days, months, and even years to run. It depends
on how complicated the password is and how well the attacker
knows the target.
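The brute-force attacks described in this chapter leave a characteristic trace on the victim's side: a burst of failed logins from one source, and, if a password is guessed, a success right after it. The following detector is an added example (not the book's own code or any FBI tool); the log format, the 203.0.113.x and 198.51.100.x addresses and the thresholds are constructed for illustration.

```python
"""Detect brute-force login attempts in authentication logs.

Added example (not from the book): a sliding-window detector that flags a
source address producing many failed logins in a short span, and escalates
when a successful login follows such a burst. Log format, thresholds and
addresses below are constructed for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format: "<UTC time> src=<ip> user=<name> result=<OK|FAIL>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample: one source hammers the login page of a hotel system,
# one legitimate user mistypes a password once and then logs in.
SAMPLE_LOG = """\
2012-03-14T02:15:01Z src=203.0.113.45 user=admin result=FAIL
2012-03-14T02:15:03Z src=203.0.113.45 user=admin result=FAIL
2012-03-14T02:15:05Z src=203.0.113.45 user=root result=FAIL
2012-03-14T02:15:07Z src=203.0.113.45 user=admin result=FAIL
2012-03-14T02:15:09Z src=203.0.113.45 user=admin result=FAIL
2012-03-14T02:15:11Z src=203.0.113.45 user=frontdesk result=FAIL
2012-03-14T02:15:30Z src=198.51.100.7 user=reception result=OK
2012-03-14T02:15:40Z src=203.0.113.45 user=frontdesk result=OK
2012-03-14T09:00:00Z src=198.51.100.7 user=reception result=FAIL
2012-03-14T09:00:20Z src=198.51.100.7 user=reception result=OK
"""


def parse_line(line):
    """Return (timestamp, src, user, result) or None for an unparseable line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["src"], m["user"], m["result"]


def detect_bruteforce(log_text, window=timedelta(minutes=5), threshold=5):
    """Return alerts as (kind, src, timestamp, detail) tuples.

    kind is "BURST" when a source accumulates `threshold` failures inside
    `window`, and "SUCCESS_AFTER_BURST" when that same source then logs in
    successfully, which is the signal that a guessed password actually
    worked and deserves an immediate response, not just rate limiting.
    """
    failures = defaultdict(deque)   # src -> timestamps of recent failures
    burst_open = set()              # sources currently inside a burst
    alerts = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        ts, src, user, result = rec
        q = failures[src]
        # drop failures that have aged out of the sliding window
        while q and ts - q[0] > window:
            q.popleft()
        if not q:
            burst_open.discard(src)
        if result == "FAIL":
            q.append(ts)
            if len(q) >= threshold and src not in burst_open:
                burst_open.add(src)
                alerts.append(("BURST", src, ts, f"{len(q)} failures in {window}"))
        else:
            if src in burst_open:
                alerts.append(("SUCCESS_AFTER_BURST", src, ts, f"user={user}"))
            # a success closes the episode; a new burst must re-qualify
            burst_open.discard(src)
            q.clear()
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(*alert)
```

A lone mistyped password never reaches the threshold, so the legitimate user at 198.51.100.7 produces no alert; only the source that fails repeatedly and then succeeds is escalated.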
The FBI then alerted the card issuers, who in turn cautioned
the card holders of the compromise and replaced their
cards. To trap Jarand fully and to establish his identity, the
undercover agent wanted him to pay for the shipping of
the laptop, which was done through Western Union, and the
remitter details matched what the FBI already knew about
Jarand. The laptop was delivered to an address mentioned
by Jarand and with the help of the Norwegian police, it was
established that a person by the name Jarand Moen Romtveit
actually lived at the place where the laptop was delivered.
The courier who delivered the laptop to Jarand identified
him from a photograph of Jarand picked up from publicly
available sources in Norway. Jarand was completely identified
as the person who traded as ‘ZeroIQ’ on the undercover
carding forum established by the FBI.
Special Agent John Leo Jr. applied to US Magistrate Andrew
J Peck for a warrant of arrest of Jarand Moen Romtveit,
which was readily issued.
Lessons and questions
This case brings out both the “painstaking investigation” by
Special Agent John Leo and the ‘behaviour’ of Jarand. Crime
risk theory in criminology tells us that every criminal carries
out a risk assessment of his proposed action. Theory argues
that every criminal assesses the risks involved in the proposed
action, barring spur of the moment crimes which have more
to do with an unstable mind that was emotionally disturbed
at the point of crime. In the case of cyber crimes, one of the
factors that is favorable to committing crime, and hence
weighs heavily when assessing the risks involved, is the
anonymity over the Internet. Jarand gave in and vindicated
Edmond Locard who famously said, “every contact leaves a
trace.” This is often quoted by crime investigators who say:
“every criminal leaves some evidence.”
Surely, law enforcement has reason to cheer after arraigning
Jarand but a number of issues will remain difficult to resolve
when dealing with cyber crimes.
First is the difficulty in piercing the veil of anonymity
that the Internet so conveniently offers, since not all who
use the Internet’s underground economy are as gullible as
Jarand. We cannot resist wondering whether his Net name
‘ZeroIQ’ was a premonition of how he would behave!
Second is the growing interest in the underground economy,
with some ‘entrepreneurs’ having established manufacturing
facilities for card skimming devices and exporting them
worldwide.
Third is something that can be dangerous – the shift in
control over cyber crimes from techies and script kiddies to
organised crime gangs. This brings in the power of money,
reach and silencing to the otherwise technology centric
activity – cyber crimes.
DO YOU KNOW?
It was G K Chesterton who said: “It isn’t that they can’t see
the solution. It is that they can’t see the problem.” That’s
increasingly true today of quite a few problems that we face
on the Internet.
“The battle between the cyber cops and the cyber criminals
is a mind game; like the game of chess.”
6
Operation High Roller
Recently, Prof. Udo Helmbrecht, Executive Director
of the European Network and Information Security
Agency (ENISA), did a Willie Sutton when he said,
“Criminals go where the money is; Bank robbers
go online.”
YEARS ago, Willie Sutton, who had robbed US $2 million
during a criminal career that spanned four decades, when
asked, “Why did you rob the bank?” famously told journalist
Mitch Ohnstad, “Because, that is where the money is!”
Prof. Helmbrecht was responding to a new form of online
robbery happening in the banking systems called ‘High
Roller,’ a term borrowed from the gambling world. High
Rollers refer to those playing for very high stakes. In the
online banking world, High Rollers are those who maintain
large balances in their accounts.
Money mules...
Manipulating and stealing using online transaction systems
is not new; but what is now making news is that the
attackers are becoming selective in their approach. They are
looking into account balance databases and targeting only
those whose balances are above a threshold that each hacker
sets for himself. The second unique characteristic of High
Roller attacks is the significant increase in the automation
of the whole process and the use of anonymous mule
accounts to transfer and forward the ill-gotten money. The
shift to reliance on server side manipulation, in contrast to
earlier client side manipulation, marks the third deviation
from traditional online stealing. The rapidity of shift in the
command and control centres used for the attack is the fourth
significant differentiator of this new generation attack. In
the sixty days before the attack landed on the laps of the US
banking system, the domain from where attacks originated
was first registered in Ukraine and later reconfigured to
point to an ISP in Russia; then moved to an ISP in Arizona;
shifted to Brazil and returned to California from where a
victim bank in Ohio was successfully compromised. Each
of these shifts involved identification and control of active
and passive mule accounts, or money mules as they are more
popularly referred to.
Dissecting Operation High Roller
A research report titled “Dissecting Operation High Roller”
released by Guardian Analytics and McAfee is the first
available comprehensive study on Operation High Roller.
This report, released in June 2012, points to successful on-line
heists in Italy, Germany and the Netherlands, later spreading
to the United States. As we carefully analyze the timeline of
successful attacks being identified, we see the degree of attack
sophistication and value-at-loss increasing with the passage of
time. In the Italian attack, the attackers transferred a small
fixed percentage of the balance, around 3 per cent, or a fixed
sum of roughly €500 to bank accounts from where it was
instantly withdrawn.
Emboldened by the success in Italy, the stakes were upped
in Germany. Available log analysis of attack data points to
the compromise of 176 accounts covering multiple banks
and the average amount involved in the illegal transfer was
€5,499. The average balance in the compromised accounts
was €47,924. The attack on the German banks resulted in
a total transfer of about a million Euros to various mule
accounts, mostly in Portugal, Greece and the UK.
Money Mules
A “money mule” is a person, an intermediary, who receives potentially
illegally obtained money from someone and redirects it to someone
else. Of course, the intermediary receives a share of the transaction. In
other words, this is nothing else than money laundering.
The basic process of muling is relatively simple:
•	 job advertisement offers work as ‘financial agent’ or similar service
•	 job seeker signs up and opens, or allows access to, a domestic bank account
•	 fraudsters transfer money from scam victims to job seeker’s account
•	 job seeker transfers money to fraudster overseas
•	 job seeker receives ‘commission’
•	 job seeker is open to prosecution by domestic authorities for money laundering
March 2012 saw a concerted attack on two Dutch banks
and this time the attack came from servers hosted within
the US. The stakes were significantly higher and the amount
of transfers initiated to the mules aggregated €35.5 million.
The attackers had shifted their focus from high net worth
individuals to corporate accounts, the primary benefit being
the higher threshold for corporate transactions contained in
anti-money laundering legislation and a lower likelihood of
scrutiny, since corporate accounts have a large number of
transfers happening on a regular basis. The server which
was used to attack the banks in the Netherlands was also used
to attack US banks, where 109 accounts were reportedly
compromised, though we have no details of the aggregate
amount involved in the fraud.
These fraudulent transactions elicited different kinds of
responses from various stakeholders. One set of security
professionals argue that High Roller fraud is old hat and that
it is just a more sophisticated version of known on-line heists.
Another set of professionals say that this represents a new
genre of on-line banking frauds since the attack processes
used are significantly superior to the current knowledge and
skills available.
Infection of PCs
In response to these developments,
ENISA has issued an advisory to
European banks containing three very
significant recommendations. The
first is both important and interesting.
It said that for a bank it is safer to
assume that all of its customers’ PCs
are infected – and the banks should
therefore take protection measures to
deal with this. This blanket assumption
on the possible infection of all of the
customers’ PCs may sound like a good security precaution
but it deviates from the principle that is generally used to
build end-to-end security mechanisms, viz., the user has a role
to play in protecting his end of the network and that his
contributory negligence in deviating from secure practices
can leave him with no recourse to relief in the case of an on-
line fraud. However, even before ENISA had recommended
that banks should assume that all PCs should be treated
as infected, judicial pronouncements have been moving
in this direction where greater responsibility is cast on the
bank to the extent of obligating them to monitor customer
transactions and to act on pointers to fraud.
Do banks monitor?
Experi-Metals sued Comerica Bank in Michigan last year
in a case where fraudsters tried to move millions of dollars
from Experi-Metals’ account to mules in East Europe in a
matter of a few hours. By the time the bank’s fraud monitoring
unit neutralised the attack, a sum of US $560,000 had been
transferred. It was J P Morgan Chase that alerted Comerica
about abnormal transactions going through their servers and
ending up in East Europe. Fraudsters used J P Morgan servers
since, being a much larger institution, the transfers could go
unnoticed. Ruling in this case, Judge Patrick Duggan of the
U.S. District Court for the Eastern District of Michigan said
that the bank should have done a better job of stopping
the fraud. “A bank dealing fairly with its customers, under
these circumstances, would have detected and/or stopped
the fraudulent wire activity earlier,” said the Judge and asked
Comerica to cover the losses.
Top Hosting Countries
The U.S. saw an increase of ten per cent in the number of
phishing attacks it hosted in May – increasing to 66 per cent,
or two out of every three attacks. Brazil remained a top host
with nine per cent and Germany with four per cent.
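What "detected and/or stopped the fraudulent wire activity earlier" could look like in practice follows, as an added example that is not the book's, ENISA's or any vendor's code: a small rule set that scores each outbound transfer on the High Roller traits described in this chapter (new beneficiaries, beneficiary banks in jurisdictions used for mule accounts, a burst of transfers above the account's normal volume, and amounts that are a fixed cut of the balance). Accounts, balances, beneficiary ids, the country list and the thresholds are all constructed for illustration.

```python
"""Transaction-monitoring rules for High Roller-style account takeover.

Added example (not from the book, ENISA or any vendor): scores each outbound
transfer on the traits the chapter describes and raises an alert when the
combined score crosses a threshold. Every account, balance, beneficiary and
the country list below is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Transfer:
    when: datetime
    account: str
    balance: float       # account balance just before this transfer
    amount: float
    beneficiary: str     # constructed beneficiary id
    country: str         # beneficiary bank country, ISO code


@dataclass
class Profile:
    known_beneficiaries: set
    typical_hourly_outbound: int   # normal number of outbound transfers per hour


# Illustrative only, taken from the cases on this page (mules in Portugal,
# Greece and the UK); a real system would use a maintained risk list.
MULE_COUNTRIES = {"PT", "GR", "GB"}
ALERT_THRESHOLD = 4


def score_transfer(t, profile, recent_count):
    """Score one transfer; recent_count is how many earlier transfers this
    account made inside the velocity window. Returns (score, reasons)."""
    score, reasons = 0, []
    if t.beneficiary not in profile.known_beneficiaries:
        score += 2
        reasons.append("new beneficiary")
    if t.country in MULE_COUNTRIES:
        score += 2
        reasons.append(f"beneficiary bank in {t.country}")
    share = t.amount / t.balance if t.balance > 0 else 1.0
    if 0.025 <= share <= 0.035:      # about 3 % of balance, the Italian pattern
        score += 1
        reasons.append(f"amount is {share:.1%} of balance")
    if recent_count + 1 > profile.typical_hourly_outbound:
        score += 2
        reasons.append(f"{recent_count + 1} transfers in one hour")
    return score, reasons


def monitor(transfers, profiles, window=timedelta(hours=1)):
    """Run the rules over transfers in time order; return alert tuples
    (account, when, score, reasons)."""
    history = {}   # account -> times of earlier transfers
    alerts = []
    for t in sorted(transfers, key=lambda x: x.when):
        recent = [w for w in history.get(t.account, []) if t.when - w <= window]
        score, reasons = score_transfer(t, profiles[t.account], len(recent))
        if score >= ALERT_THRESHOLD:
            alerts.append((t.account, t.when, score, reasons))
        history[t.account] = recent + [t.when]
    return alerts


# Constructed sample: a retail customer and a corporate account. The corporate
# account's high normal volume keeps the velocity rule quiet, as the chapter
# notes, so the other signals have to carry the alert there.
PROFILES = {
    "IND-1": Profile({"BEN-K"}, typical_hourly_outbound=1),
    "CORP-1": Profile({"BEN-A", "BEN-B"}, typical_hourly_outbound=5),
}
D = datetime(2012, 3, 20)
SAMPLE = [
    Transfer(D.replace(hour=8), "IND-1", 48_000, 200, "BEN-K", "DE"),          # routine
    Transfer(D.replace(hour=9, minute=30), "IND-1", 47_800, 1_440, "BEN-M", "PT"),
    Transfer(D.replace(hour=9, minute=45), "IND-1", 46_360, 1_400, "BEN-Q", "DE"),
    Transfer(D.replace(hour=10), "CORP-1", 2_000_000, 10_000, "BEN-A", "DE"),  # routine
    Transfer(D.replace(hour=10, minute=20), "CORP-1", 1_990_000, 10_000, "BEN-B", "DE"),
    Transfer(D.replace(hour=10, minute=40), "CORP-1", 1_980_000, 10_000, "BEN-A", "DE"),
    Transfer(D.replace(hour=11), "CORP-1", 1_970_000, 60_000, "BEN-X", "PT"),
    Transfer(D.replace(hour=11, minute=5), "CORP-1", 1_910_000, 60_000, "BEN-Y", "GR"),
    Transfer(D.replace(hour=11, minute=10), "CORP-1", 1_850_000, 60_000, "BEN-Z", "GB"),
]

if __name__ == "__main__":
    for account, when, score, reasons in monitor(SAMPLE, PROFILES):
        print(account, when.strftime("%H:%M"), score, "; ".join(reasons))
```

The routine payments score zero; the retail account trips on the mule jurisdiction and then on velocity, while the corporate burst is caught only by the beneficiary and amount rules, which is why a velocity rule alone would have missed it.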
Losing battle on fraud prevention?
With this judicial thought process and the advice of ENISA,
a clear shift is happening; the responsibility will be fixed for
on-line frauds in the future. Even assuming that banks build
an end-to-end security process, it will be impossible to do
anything meaningful, unless there is far more international
cooperation enabling quick shutting down of command and
control centers used by fraudsters.
These centers have been moving across nations, making it
almost impossible to track them down. Are we heading
towards a losing battle with the on-line banking fraudsters or
will these developments motivate the banks to put in place
a more robust fraud prevention system without making any
assumptions regarding end-user role in fraud prevention? It
is becoming increasingly clear that banks need to fight the
battle both technologically and legally, cutting across national
boundaries.
7
CITADEL: The collaboration
suite of cyber criminals
Cyber criminals are beginning to have a ball. They
are not only able to hoodwink the lay user. They are
even able to stump the tech savvy player. Welcome to
a cyber crime collaboration suite – Citadel.
IN AUGUST 2012, the Federal Bureau of Investigation
(FBI) sounded a stern alert about Citadel.
Based on references from IC3 (Internet Crime Complaint
Center), the FBI warned of a new ransomware called Reveton
delivered through the malware platform Citadel.
IC3 describes the threat as: “The ransomware lures the
victim to a drive-by download website, at which time the
ransomware is installed on the user’s computer. Once
installed, the computer freezes and a screen is displayed
warning the user they have violated United States Federal
Law. The message further declares that the user’s IP address
was identified by the Federal Bureau of Investigation as
visiting child pornography and other illegal content”.
Warning of fine and jail term!
An infected web user gets a message that reads something
like the following:
“Your IP address is: xxx.xxx.xxx.xxx. Your location is
identified as: xxxxx. Your PC is blocked due to at least one
of the following reasons:
You have been viewing or distributing prohibited porno-
graphic content (child porno etc.) thus violating Article 202
of Criminal Code of United States of America. Article 202
provides for deprivation of liberty for four to twelve years.
Illegal access has been initiated from your PC with or without
your knowledge or consent. Your PC may be infected by
malware, thus you are violating the law on Neglectful use
of Personal Computers, Article 210 of the Criminal Code
which provides for fine up to $ 100,000 and/or deprivation
of liberty for four to nine years.”
Typical users are worried, particularly when they find that
their location is correctly identified in the message, and a
tech savvy user sees his IP address accurately mentioned
in the notice. The typical user panics and goes on to read
the message further, which identifies his residence and state
and directs him to pay a penalty, offering relief from a jail
term as it is a first time offence. The fine, ostensibly paid to
the US Department of Justice, is to be paid using a pre-paid
card service which has to be purchased using the computer
user’s credit card or through an on-line bank transfer. This
is the icing on the cake for the cyber criminal. The
ransomware has already installed a key logger that captures
the banking and credit card credentials and passes them on
to the perpetrator of this attack. In other words, the victim
pays a ‘fine’ and also offers his banking and credit card
credentials to the attacker.
Why not ignore?
Why not ignore the warning message and go on as though
nothing happened? Here’s why.
The computer freezes with the display of the warning message
and gets back to normalcy only when the ‘fine’ is paid to the
attacker who successfully masquerades as US Department
of Justice collecting the ‘fine.’ Some security vendors who
have started researching the traffic and the process tell us
something very interesting. They have found some traffic is
encrypted to ensure that usage of digital forensic techniques
to trace the origin becomes difficult. If we were to agree with
Etay Maor who heads RSA’s Fraud Action Research Lab,
this “is a technically advanced Trojan” that combines the
lethal powers of ransomware and stealth access to banking
credentials.
Can users be so very naïve to fall for this? Quite a few
considerations come up.
One, the message appearing on victim screens looks real.
There isn’t any sign of it being a fake.
Secondly, the infected computers do not give you the choice
of ignoring it since the system freezes and can be brought
back to normalcy only upon paying the ‘fine.’
Thirdly, as the victim is contemplating doing something
smart to thwart the attack, the Trojan is already searching for
stored credentials.
Fourthly, the correct location and IP address of the victim
displayed on the message unnerves even some of the tougher
victims who start thinking what if this were really from FBI.
Fifthly, if the victim does decide to pay the ransom, he is
forced to use a prepaid card service which collects the credit
card and bank log-in and transaction credentials and passes
them on to the cyber criminals.
After paying the ‘fine’ and having the computer system
unfreeze, what is the guarantee that the key logger that was
clandestinely installed on the system has been removed?
Users have tried to remove the Trojan using known methods
of malware removal. But to their discomfort, an FBI advisory
on Citadel issued in the third week of August has this to say: “Be
aware that even if you are able to unfreeze your computer on
your own, the malware may still operate in the background.
Certain types of malware have been known to capture
personal information such as user names, passwords, and
credit card numbers through embedded keystroke logging
programmes.”
A lethal combination...
Avivah Litan, a financial fraud analyst with Gartner, has a
different perspective. She says that the attack methods are
not uniquely different from traditional key-logger and Zeus
methods. But, says Litan, what is lethal here is the
combination and packaging of various tried-and-true
hacking techniques. So, how do we sort out this issue? The
solution has to be a combination of a higher degree of
awareness and significant strides to be made in Trojan
research and creating anti-malware solutions.
I personally feel that the best of technology will not work
till the user knows quite a bit more about the system, his
connectivity to the internet and his vulnerability. I recently
showed a screenshot of a Reveton infected system to five
people, each a successful and distinguished person, and got
interesting responses. A common response was to point to
the captured IP address and location and say that it clearly
indicates how well the FBI was monitoring illegal activity.
When informed that whenever they book an airline ticket
on-line, the ticket states that the booking was done from a
given IP address, and also shown the simple process to
determine geographical location using their log in, they
said they knew it since they have seen it on their e-tickets!
Despite this knowledge, they credited the FBI with monitoring
illegal activity effectively.
Do we not have a very strong case for a massive increase in
awareness among users of on-line services?
DO YOU KNOW?
The very first spam mail was sent in 1978. That year DEC
released a new product. An innovative DEC marketer sent a
mass email to 600 users and administrators of the ARPANET
(the precursor of the Internet). The poor guy who had typed
it all in didn’t understand the system, and ended up typing the
addresses first into the SUBJECT:, which then overflowed into
the TO: field, the CC: field, and finally into the email body too!
The reaction of the recipients was much the same fury as
users today. It wasn’t until later though that the term “spam”
would be born.
8
They promised. They delivered!
If you promise, you must deliver on the promise.
At least that’s what the customer expects. But what if
you promise a damage? Would the victim be happy
if you deliver?
AND THAT was exactly what many said when the Regions
Financial Corporation was successfully attacked by a
Distributed Denial of Service (DDOS) attack on 11 October
2012. They were the eighth in a series of DDOS attacks that
had happened since the last week of September.
What stands out in this attack is that it is the last reported
in a series of three “announced” attacks. This follows what
happened in late September and early October when four
large banks suffered DDOS attacks – Bank of America,
Chase Bank, Wells Fargo and PNC Bank. This list by itself
would have created some sensation; the four banks suffered
DDOS attacks and were brought down, albeit for a few hours,
in a short span of two weeks. What happened as a follow-on
is not just sensational but disturbing, to say the least.
A hitherto unknown group Izz ad-Din al-Qassam, claimed
credit for these four successful DDOS attacks on American
Banks. The group would probably have got some press
coverage and a bit of attention had they stopped just
there. They did something further that amazed cyber crime
analysts. On 8 October, this group posted a warning that it
will hit Capital One on 9 October, bring down Sun Trust on
10 October and attack Regions Bank on the 11th. And they
delivered precisely on their promise.
‘It is Down Right Now,’ an outage monitoring site, published the following status graph on Regions Bank pointing to the precision in the timing of the attack, as warned by this group. The bars in the chart indicate the time taken by the server to respond to a ‘ping’ or connect request by a user. The smaller the bars, the faster the response time. Zero value bars, as it happened on 11 October between 10.09 and 14.14 PST, indicate there was no response or the server was down and inaccessible.
To help interpret the chart better, I ran a tool to find how quickly the website www.industrialeconomist.com is responding to user requests and got an average ping response time of 651.61 ms over a four hour period. Compare this with the average ping response time of 1,065.42 ms for the Regions Bank website. This establishes that the Regions web response was still pretty bad even after ostensibly recovering from the attack; at half the speed of response of the website of Industrial Economist! Site Down, another site that monitors global sites and their accessibility, reports that the Regions Bank site was completely reset only at 07.05 PST on 12 October. There are, therefore, multiple independent confirmations that Regions Bank was successfully brought down, as cautioned by Izz ad-Din al-Qassam.
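The status chart itself is not reproduced here, but the way a defender reads an availability monitor's numbers can be shown in code. The following is an added example and is not part of the original text, nor code from either monitoring service named above; the probe samples are constructed, a probe that got no reply (the chart's "zero bar") is recorded as None rather than as a latency of zero, and the reference site and timings are assumptions for illustration:

```python
"""Reading an availability monitor's response-time series.

Added example, not from the book or from the monitoring services it names.
Samples are constructed: (timestamp, response time in ms), with None meaning
the probe got no answer before its timeout, i.e. the site was unreachable.
"""
from datetime import datetime, timedelta
from statistics import mean


def _series(start_iso, values, step_min=5):
    """Build a probe series from a start time and one value per interval."""
    t0 = datetime.fromisoformat(start_iso)
    return [(t0 + timedelta(minutes=i * step_min), v) for i, v in enumerate(values)]


# Constructed: a site that answers slowly, stops answering, then limps back.
MONITORED_SAMPLE = _series("2012-10-11T09:00", [
    900, 950, 1100, 1000,            # answering, but slowly
    None, None, None, None, None,    # no response at all: the 'zero bars'
    1500, 1200, 1100, 1000,          # recovering, still slow
])
# Constructed: an unrelated reference site with steady latency.
REFERENCE_SAMPLE = _series("2012-10-11T09:00", [
    650, 640, 660, 655, 650, 645, 660, 650, 655, 650, 640, 660, 650,
])


def outage_windows(samples):
    """Return (start, end) pairs of consecutive unanswered probes.

    `end` is the timestamp of the last failed probe in the run, so the true
    recovery happened somewhere between `end` and the next answered probe.
    """
    windows, run_start, last_failed = [], None, None
    for ts, rtt in samples:
        if rtt is None:
            if run_start is None:
                run_start = ts
            last_failed = ts
        elif run_start is not None:
            windows.append((run_start, last_failed))
            run_start = None
    if run_start is not None:
        windows.append((run_start, last_failed))
    return windows


def average_response_ms(samples):
    """Mean latency of the probes that were answered.

    Unanswered probes are an outage, not a fast reply; counting them as 0 ms
    would make a site that was down look faster than one that stayed up.
    """
    answered = [rtt for _, rtt in samples if rtt is not None]
    return mean(answered) if answered else None


def availability(samples):
    """Fraction of probes that were answered."""
    return sum(1 for _, rtt in samples if rtt is not None) / len(samples)


def slowdown_ratio(samples, reference):
    """How many times slower the monitored site was than the reference site,
    measured on answered probes only."""
    return average_response_ms(samples) / average_response_ms(reference)


if __name__ == "__main__":
    for start, end in outage_windows(MONITORED_SAMPLE):
        print(f"no response from {start:%H:%M} to {end:%H:%M}")
    print(f"availability: {availability(MONITORED_SAMPLE):.1%}")
    print(f"slowdown vs reference: {slowdown_ratio(MONITORED_SAMPLE, REFERENCE_SAMPLE):.2f}x")
```

The point a practitioner should take from this is the one the chart needs: an outage window and a latency average are different measurements, and the average must be computed over answered probes only, otherwise the "zero bars" drag it down and hide how badly the site was still performing after it came back.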
As the banking community is eagerly waiting to see who the next target is and awaiting their announcement, Izz ad-Din al-Qassam has stated that it is now spending time on planning for the attacks over the next few weeks, raising the anxiety levels among cyber crime watchers and ensuring that a few IT and Web administrators have sleepless nights.
DO YOU KNOW?
Consultants believe in under-promise and over-deliver. Marketers too should follow that. Let me give you an example. Suppose on a scale of 10 you promise to deliver 8 but end up delivering 7. The customer is unhappy. However, if on the same scale of 10 you promise 5 but deliver 6, the customer is happy. Notice, that in the first case you delivered 7 and in the second you delivered 6; yet the customer satisfaction level in the second is higher.
Phew! Twenty hours of video from around the world are uploaded to YouTube every minute. The first ever YouTube video was uploaded on April 23rd 2005, by Jawed Karim (one of the founders of the site) and was 18 seconds long, entitled “Me at the Zoo”.
What does the attacking group want to achieve or what do
they want to convey?
The claim is that they are upset over the Anti-Islam movie
trailer run on YouTube. This is quite understandable but a
few cyber crime analysts have other versions for the attack
motive. One such view comes from Gartner analyst Avivah
Litan who points to “anecdotes about money loss during
these attacks. Example: through calls to call centres to get wire
transfers done while the website is down.” In an interview
earlier this year, she had cautioned about not being in full
conformance with the updated authentication guidelines of
FFIEC and predicted that the new attack vectors will wait
for websites to be down and use employee accounts as access
points in addition to call centres becoming the preferred
route for illegal money transfers.
Has this DDOS attack on the eight banks actually resulted
in any fraudulent activity or has it just been an attention
directing technique for a cause dear to the group that has
claimed responsibility for these attacks? As of now, none of
the victim banks have reported any fraud during or related to
these outages.
One common view is that even if the banks did find that a
breach had occurred, they are unlikely to share it with the
public. At best they could be talking to law enforcement. Not
disclosing the real consequences of an attack is a standard
practice in financial institutions since such disclosure will
seriously jeopardise their credibility and credit worthiness.
Not just financial institutions; it
appears to be the norm for almost all
organisations that are victims of cyber
attacks. More evidence of this attitude
of not disclosing cyber attacks can be
found in the various annual surveys
on cyber crime, conducted by the
Computer Security Institute (www.
gocsi.com). This is perhaps natural.
Who will like to come forward to say
that she has been assaulted?
The Jester, a well-known and controversial hacker, has spoken of an interesting dimension to these attacks. He opines that Anonymous has provided technical support to Izz ad-Din al-Qassam to launch the successful attacks. He has talked of the owner of a pay-per-use DDOS system claiming that members of Anonymous had used his system to support the recent DDOS attacks on the eight US banks. The Jester goes on to allege that Anonymous are actually offering this service to the highest bidder, which till now happens to be Izz ad-Din al-Qassam, implying that the real force behind the attacks is Anonymous.
As analysts are asking for more stringent regulatory controls over the banking system and FFIEC is pushing for such enhanced controls at least at the technology level, there is a voice of dissent heard at Washington DC. Jamie Dimon, a well-known banker and Chairman and CEO of JP Morgan Chase, spoke before the Council on Foreign Relations where he strongly criticised regulators for inhibiting business. The Press quickly summed up his views as those coming from a person who, while denying any interest in becoming the Treasury Secretary, actually spoke like one!
I have heard this from many of my banking clients who keep telling me that the cost of technology use is stringent controls that can stifle growth. I keep repeating that today’s banking technology has resulted in higher customer empowerment and the computer cannot distinguish between a good and a bad customer to be empowered. This justifies the need for greater blanket controls.
Izz ad-Din al-Qassam’s successful, time-tabled attacks on eight well-known US banks vindicate the long held belief of many of us that banks need to do more in rolling out and enforcing stringent technology controls to protect their customers.
DO YOU KNOW?
Of the 247 BILLION email messages sent every day, 81% are pure spam.
According to legend, Amazon became the number one shopping site because in the days before the invention of the search giant Google, Yahoo would list the sites in their directory alphabetically.
Google estimates that the Internet today contains about 5 million terabytes of data (1TB = 1,024GB), and claims it has only indexed a mere 0.04% of it all! You could fit the whole Internet on just 200 million Blu-Ray disks!
9
The case of Insider Fraud
A combination of good deterrence and technology that responds to human behavioural tendencies can save our banks millions and increase the sagging confidence in technology systems.
RECENTLY, in a round table session at a professional body, a member from the audience asked me if there is any cyber threat that existed across sizes and geographies.
I would have probably thought for a while before answering this question, but for the fact that the response was glaring at me from what has been shaking us up in the recent past – Insider Fraud. The series of sentencings of senior former managers of banks in the US has made many sit up and wonder what was happening behind the scenes at the banks and financial institutions. The cases coming to light now don’t fit into any size.
At the lower end, we have Willard Scott, former President of Texas’ Huntington State Bank, pleading guilty to a charge of $7400. At the other end we have the mammoth embezzlement of $22 million, over an eight-year period, by Gary Foster, former employee of Citigroup’s treasury finance department. Willard Scott did it as a single transaction, while Gary Foster did it over eight years. In between these, there are many others. Matthew Walker perpetrated a 16 month operation at Farmers and Merchants Bank in California where he was Vice President and netted $2 million. We then have Barbara Rechtzigel charged with stealing hundreds of thousands of dollars from Minnwest Bank, over 14 years!
Insider threats...
At almost the same time these startling revelations were
trying to shake our belief that banks have strong internal
control systems. Software Engineering Institute of Carnegie
Mellon University published their findings of research into
the Insider Threats in the US Financial Services Sector.
An Insider Threat needless to say is one that comes from
people within the organization; like employees, present and
former; contractors or business associates, with access to the
company’s security practices, data and computer systems.
This fairly elaborate study sought to answer one key question, viz. what are the observable technical and behavioural precursors of insider fraud in the financial sector and what mitigation strategies should be considered as a result? The study presents six substantiated findings and two of them are of interest and concern.
The low and slow fraudsters...
Firstly, the study finds that fraudsters who adopted the
“low and slow” approach inflicted more damage and went
undetected for longer periods of time. Secondly, the means
adopted by insiders were not technically very sophisticated.
The combination of these two attributes kept the crime
activity under wraps as far as normal fraud investigations
were concerned. To use technical jargon, the clipping levels were understood by the perpetrators of fraud and they operated well within them, thus escaping detection by fraud radar systems. This may be a valid finding of the research survey
by Carnegie Mellon but if we looked at Gary Foster, he
appeared to have gone well past the clipping levels: between
July and December 2010, he moved around $14 million from
the bank’s debt adjustment account to the cash account
and from there, he made eight separate wire transfers to his
personal accounts maintained outside the bank.
This should surely have raised a whole series of red alerts as most analysts, including Shirley Inscoe, believe. But it didn’t. Inscoe, who authored the widely read book Insidious: How Trusted Employees Steal Millions and Why it’s so hard for Banks to Stop them, says that “Citi is not alone. Most banks have done a poor job of keeping with internal threats.” According to the FBI indictment, Foster allegedly used his knowledge of the bank operations to commit the ultimate inside job.
United States Attorney Lynch expressed her appreciation
to Citigroup which brought the matter to the attention of
the FBI and the US Attorney’s office. Some eyebrows went
up. Reporting a crime is normal and natural and will such
a normal and natural action warrant an appreciation from
the United States Attorney? Reporting insider fraud has not
reached a point of full reporting.
The Association of Certified Fraud Examiners (ACFE) in their 2012 Report to the Nations state that many of the victims do not report fraud cases to Law Enforcement. John Warren, Vice President and General Counsel at ACFE, feels that “many institutions don’t report these crimes to law enforcement, in part because they fear reputational damage.”
The Carnegie Mellon report referenced earlier agrees on the lack of reporting, but points out that fear of reputational damage is only part of the reason for non-reporting. In many cases, the victim organisation may not have enough relevant details to relate a fraud to a specific individual or a group. This adds to the reluctance to report an insider fraud.
Based on a sample of 80 cases, the Carnegie Mellon study
also points to another disquieting trend. The average time
taken to detect an insider fraud from the time of its start
is 32 months and where reported, it has taken another five
months to complete the process; a total of around three
years to report a fraud since the time it started! Without
considering what such long elapsed time could do to evidence;
particularly when they are digital in nature, we need to ask if
early detection could not have arrested significant damage to
the bank’s assets quite early in the fraud cycle.
Why no early warning systems?
The one question on everyone’s mind is why can’t the players in the BFSI segment put in some early warning systems? The use of anomaly detection systems and behavioural analytics can surely detect potentially fraudulent events in real time or near real time. But the problem often occurs due to the way we have designed most internal controls. For instance, if the detection system is programmed to raise an attention directing flag when the amount involved exceeds a given amount, the insider plays within that amount to escape attention since the insiders know those thresholds.
Technology implementation in fighting frauds must be combined with appropriate non-technology practices like segregation of duties, periodic audits and reduced time between audit findings and implementation of correction mechanisms. While these will not totally eliminate insider frauds, they will bring them to light faster than the current average lead-time of 32 months, if the sample chosen is representative of the population.
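The “low and slow” finding and the clipping-level problem just described are two sides of the same control weakness: a per-transaction threshold is a fixed line, and an insider who knows where it is stays below it. The script below is an added example, not code from the book, from Carnegie Mellon's study or from any bank; it contrasts the classic single-amount flag with two behavioural checks that aggregate over time and over destination. The ledger, employee identifiers, the $10,000 flag level, the 30-day window and the velocity limit are all constructed assumptions for illustration:

```python
"""Fixed-amount thresholds versus behavioural aggregation for insider transfers.

Added example, not from the book or from any institution it mentions.
Ledger rows, employee ids and every threshold here are constructed.
"""
from collections import defaultdict
from datetime import date, timedelta

FLAG_THRESHOLD = 10_000        # assumed per-transaction alert level (the 'clipping level')
WINDOW_DAYS = 30               # assumed look-back for aggregation
VELOCITY_THRESHOLD = 25_000    # assumed alert level for an employee's 30-day total

# Constructed ledger: (date, employee, destination account, amount).
# 'e1' drips just-under-threshold amounts weekly for twelve weeks (low and slow);
# 'e2' makes one large transfer that any threshold check would catch;
# 'e3' pays a vendor a small amount once.
LEDGER = [
    (date(2010, 7, 1) + timedelta(days=7 * i), "e1", "ext-personal-1", 9_500)
    for i in range(12)
] + [
    (date(2010, 9, 15), "e2", "ext-personal-2", 40_000),
    (date(2010, 9, 16), "e3", "vendor-acme", 3_000),
]


def per_transaction_alerts(ledger, threshold=FLAG_THRESHOLD):
    """The classic control: flag any single transfer above the limit.
    An insider who knows the limit simply never crosses it."""
    return sorted({emp for _, emp, _, amt in ledger if amt > threshold})


def rolling_window_alerts(ledger, window_days=WINDOW_DAYS, threshold=VELOCITY_THRESHOLD):
    """Aggregate each employee's outbound total over any window_days span.

    Velocity rather than size is what exposes the low-and-slow pattern: twelve
    transfers of 9,500 never trip a 10,000 flag, but three of them inside a
    month add up to 28,500.
    """
    by_emp = defaultdict(list)
    for d, emp, _, amt in ledger:
        by_emp[emp].append((d, amt))
    flagged = set()
    for emp, txns in by_emp.items():
        txns.sort()
        start, running = 0, 0
        for d, amt in txns:
            running += amt
            # slide the window's left edge forward until it spans <= window_days
            while d - txns[start][0] > timedelta(days=window_days):
                running -= txns[start][1]
                start += 1
            if running > threshold:
                flagged.add(emp)
                break
    return sorted(flagged)


def repeated_destination_alerts(ledger, min_count=3):
    """A signal independent of amount: one employee repeatedly paying a
    destination account that no other employee ever pays."""
    dest_emps = defaultdict(set)
    counts = defaultdict(int)
    for _, emp, dest, _ in ledger:
        dest_emps[dest].add(emp)
        counts[(emp, dest)] += 1
    return sorted({emp for (emp, dest), n in counts.items()
                   if n >= min_count and dest_emps[dest] == {emp}})


if __name__ == "__main__":
    print("per-transaction flag:", per_transaction_alerts(LEDGER))
    print("30-day velocity flag:", rolling_window_alerts(LEDGER))
    print("repeated-destination flag:", repeated_destination_alerts(LEDGER))
```

Run stand-alone, the per-transaction check names only e2, while both behavioural checks name e1 as well. The design point is that the aggregation thresholds are not secret in any stronger sense than the clipping level was; what changes is that an insider must now stay under a budget over time and avoid repeating a destination, which is far harder to do while still extracting a worthwhile amount.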
DO YOU KNOW?
An insider may attempt to steal property or information for personal gain, or to benefit another organization or country.
A report published in July 2012 on the insider threat in the U.S. financial sector says 80% of the malicious acts were committed at work during working hours; 81% of the perpetrators planned their actions beforehand; 33% of the perpetrators were described as “difficult” and 17% as being “disgruntled.” The insider was identified in 74% of cases. Financial gain was a motive in 81% of cases, revenge in 23% of cases, and 27% of the people carrying out malicious acts were in financial difficulties at the time.
Surely, we cannot have technology, deterrence or other forms
of control to eliminate all insider frauds but a combination
of good deterrence and technology that responds to human
behavioural tendencies can save our banks millions and
increase the sagging confidence in technology systems.
10
Clipping the butterfly’s wings
On the rare date 12-12-12, the FBI announced that it had cut off the wings of the ‘Butterfly.’ It announced the arrest and arraignment of a group suspected of running the Butterfly Botnet.
THESE BOTHERDS (called so in line with shepherds and cowherds since they ‘herd’ Bots) collectively and effectively controlled a mind-boggling 11 million compromised computer systems. Their actions resulted in a staggering loss of over $ 850 million through stolen credit card and bank account credentials and compromised Personally Identifiable Information (PIIs).
Bots is an abbreviation of robots, and a botnet is a robot network. These consist of compromised computer systems and are often used by cyber criminals for a variety of activities with varying degrees of criminality, resulting in different kinds and amounts of losses to the owners of the compromised systems.
Bots are the favourites for executing distributed denial of service attacks or DDoS attacks, sending spam e-mails, conducting underground criminal activity and distributing malware. This list is not exhaustive as botherds are quite innovative in the usage of their ‘assets.’
Facebook - an easy target...
At this stage let us introduce Facebook. The very mention of
Facebook conjures up different reactions in different minds.
The trendy see it as a way of keeping in touch; the tech savvy
see it as a mixed bag with significant potential for loss of
PIIs; the marketing professional sees its great opportunity to
reach out while some security conscious are sceptical – for
valid and perceived reasons.
With a billion messages flowing through Facebook on a monthly basis, this social networking site has also been a favourite spot to harvest PIIs; both directly and indirectly. Between 2010 and 2012, it was estimated that over a million Facebook accounts were compromised using variants of Yahos malware and these compromised accounts were linked to Butterfly Botnet. Facebook is acknowledged for helping the law enforcement in cracking down on those who hacked into the user accounts, resulting in the successful crackdown on Butterfly Botnet.
And to many, Facebook has really and truly made the world a global village that helps connect people in real time.
Butterfly Botnet...
Butterfly Botnet is the latest in a family of abuse of compromised computer systems for fraudulent purposes. Starting off with Ramnit in early 2010, we saw the ZeuS Facebook worm wreaking havoc in mid-2011 and now we have the notorious gang of 10 herding the Butterfly Botnet. When we all screamed at the ZeuS Facebook worm having supposedly infected over 45,000 Facebook users, the number pales into insignificance when we see 11 million compromised systems in the Butterfly Botnet.
Almost 70 per cent of the infection by Ramnit happened on UK users of Facebook; around 26 per cent were French while the balance 4 per cent were in other countries. After this was the famous taking down of the Zeus malware, in a dramatic move that involved the US Marshals. This operation was carried out when the U.S. District Court for the Eastern District of New York approved the operation while ruling on a plea by Microsoft and its partners to seize the computers and sue a John Doe (as-yet-unnamed) defendant. The operational portion of the Court order speaks volumes of the way the judiciary has considered the intricacies in a search and seizure operation involving high technology that has the potential to move the malware across the internet anywhere, anytime.
DO YOU KNOW?
At 1:21:02 am, people celebrated the second which marks a date-time combination that will be read the same both backwards and forwards: 2012-12-12 1:21:02.
A forensic icing on the cake...
The order, in part, said that “the United States Marshals and
their deputies shall be accompanied by plaintiffs’ attorneys
and forensic experts at the foregoing described seizure, to
assist with identifying, inventorying, taking possession of
and isolating defendants’ computer resources, command
and control software, and other software components that
are seized.” Interestingly, the Court also asked the Marshals
to preserve up to four hours of Internet traffic before
disconnecting the computers from the Internet. This was a
forensic icing on the cake, in the court order.
Microsoft had been instrumental in taking down three
Botnets earlier. The operation of bringing down of Botnets
driven by the ZeuS and its variants was very different from
the three earlier operations due to three factors; firstly, it
was not an action by only Microsoft – there were partners
who closely cooperated with Microsoft. The partners were
Information Sharing and Analysis Center, a trade group
representing 4,400 financial institutions, and NACHA, the
Electronic Payments Association, which operates the system
for electronic funds transfer.
Secondly, the objective of this action was different from the earlier actions. The earlier actions of taking down the three Botnets were aimed at shutting them down. In this case, in the words of the initiators of the action, “the goal here was not the permanent shutdown of all impacted targets. Rather, our goal was a strategic disruption of operations to mitigate the threat in order to cause long-term damage to the cybercriminal organisation that relies on these botnets for illicit gain.” This thought process, commonly referred to as “Hack Back” or “Getting even with the Cyber Scum,” is gaining popularity though it is not accepted by everyone as the best solution to fight cyber criminals.
Thirdly, the law suit, instead of merely accusing the three John Doe defendants, goes on to introduce an unknown corporate entity and claim that the three accused formed “The Zeus Racketeering Enterprise” for the purposes of squandering the resources of compromised computers. As an example, it is alleged that spam emails infringing NACHA’s trademarks were as high as 167 million emails in a 24-hour period in contrast to the normal volume of 1500 outbound emails per day!
So, what do we learn from this?
As always, we are back to the same music – the users of
Internet connected computing equipment need to exercise
more caution than what they are now used to. Attempts by
different organizations in making the users security-conscious
are showing some results; but they remain ‘some’ results. An
idea gaining ground globally is to catch’em young.
Many organisations are working on these using different approaches. One set of people are looking at empowering the school goers with a good grounding in the hacking process so that they identify any attempt to compromise their computers and negate it. This appears to be the philosophy behind running the Hacker High Schools (HHS), an initiative by a few not-for-profit bodies in North America. Another approach is to teach the school goers and their parents various Safe Surfing Options (SSO), an approach preferred by ISC2, the global certification body for Security Professionals.
It surely emerges that there is an urgent need to catch the young users and get them to grow with a mindset that combines security, caution and the ability to balance between the convenience of the ubiquitous Net and its inherent risks.
DO YOU KNOW?
12 has been a significant number since its creation. 12 months in the year, 12 hours of night and day, 12 astrological signs, 12 Olympic gods and goddesses, 12 days of Christmas, and Shakespeare’s Twelfth Night.
11
The new threat vector
WHEN WE TALK of cyber infractions and frauds, we have
traditionally looked at computers, internet, internal networks
and wireless applications to find the threat vectors.
We then added ‘people’ as another threat vector and started
focusing all research and development efforts at handling the
devastating consequences of a combination of these threat
vectors exploiting a whole range of vulnerabilities. The likes
of Stuxnet were still operating within the contours of these
threat vectors until we woke up recently to a series of threats
that emanate from a hitherto unknown origin – supply chain.
We woke up recently to a series of threats that
emanate from a hitherto unknown origin – supply
chain. And that’s catastrophic.
We had heard stories of malware embedded in printers during the recent Gulf war but these accusations were dismissed as technology fairy tales. Of late, the consequences of security compromise via supply chain embedded threats are a reality. Attackers have always looked for new attack paths and such a search yielded the desired results when Stuxnet infected SCADA systems that were till then thought to be invincible. Now a larger scale exploit is on the anvil with the attackers using various unprotected parts of the supply chain to embed the malware or other forms of threats.
Security threat by Chinese telecom companies
In October 2012, a special investigative report by the
Permanent Select Committee on Intelligence of the US
House of Representatives addressed the specific threat to
US Security posed by Chinese Telecom companies in general
and two companies in particular – Huawei and ZTE. Apart
from a number of recommendations, it carries a strongly
worded advice to the US companies to avoid Chinese
networking hardware. Should the users be worried only about
the Chinese networking hardware or take precautions about
any hardware coming in for use in critical infrastructure, is
a question that deserves consideration. It is possible that
there are other groups who are either actually doing or are
planning to use the supply chain vulnerabilities to introduce
spyware or newer genre of threats.
Supply chain led threats
Since 2005, several countries have taken a clear call on combating supply chain led information threats by effecting seizures of counterfeit networking hardware and other telecom components. This exercise was built around the faith that any product with a malicious payload will only come via deployment of counterfeit components. The 2011 operation of seizing US$ 143 million worth of counterfeit networking and telecom components by the US authorities lends credence to the belief that spread of malicious hardware happens via counterfeit. That belief has been busted by the findings in the October 2012 report where it is found that even companies that sell apparently genuine products may infect their components with undesirable malware.
When supply chain is totally insecure
While these reports point a finger at China for supply of counterfeit or malware infected components, the Chinese computer market itself is battling counterfeits locally. When Microsoft successfully launched an all-out effort to eliminate Nitol Botnets, they got trusted people to go out and buy laptops and desktops in China and of the 20 systems they procured, all had some counterfeit component. Each of these purchased systems had been configured in such a way as to reduce security and four of these systems already had malware installed! Just imagine you are getting a brand new computer system with all its box seals intact and find that you are starting off with a low security configuration along with an embedded malware. The worst part of this scenario is that many of the users may not be aware of it and will be happily typing away on their keyboards not knowing they are vulnerable to become either zombies or are otherwise vulnerable to attack and damage. This scenario is well summarised by Boscovich who said that the “supply chain is broken; it is totally insecure, and it is easy for criminals to inject what they want into that supply chain.”
DO YOU KNOW?
We can be hopelessly wrong. Like: 9 out of 10 people believe Thomas Edison invented the light bulb. This isn’t true; Joseph Swan did.
Three point response
How does the business react to insecurity of supply chain? A report published by Georgia Tech Information Security Center and Georgia Tech Research Institute has classified the responses into three categories. First, we have a majority of the companies who do nothing about it other than to limit their purchases to what they regard as ‘trusted’ vendors. Secondly, a small number of companies carry out random tests on devices and determine if there are any indications of serious forms of vulnerabilities. Depending on the test results, further action is initiated. Thirdly, a very small number of companies are taking a paranoid approach of not trusting the supply chain at all. Their security stance is based on the premise that any device that comes through the front door has already been compromised. These companies continuously monitor the devices for abnormality.
Andrew Howard of Georgia Tech Research Institute perhaps had the most realistic assessment when he said: “This is a problem that is extremely expensive and difficult to solve. Solve may not even be the right word.” I sincerely hope that what Howard said later does not become a reality. “It is going to take a bad event to have the momentum necessary to fully tackle the problem.”
One silver lining here is that the problem appears to have been recognized though it is too ubiquitous in its reach for any one set of stakeholders to manage it completely.
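The second and third responses in the Georgia Tech classification above (testing devices on arrival, and treating every device as already compromised and watching it) can be made concrete. The script below is an added example and is not from the book, from the Georgia Tech report or from any vendor; the vendor manifest, the device records, the firmware bytes, the model name and the expected port list are all constructed assumptions. It performs two checks per device: a firmware hash check against what the vendor publishes, and a check for listening services the vendor did not document:

```python
"""Receiving-dock and periodic checks on network hardware.

Added example, not from the book or the Georgia Tech report it cites.
Manifest, devices, firmware bytes, model and port lists are constructed.
"""
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed 'known good' firmware image and the manifest a vendor might publish.
# In practice the manifest must arrive over an authenticated channel, otherwise
# the party that tampered with the device can also supply the matching hash.
GOOD_IMAGE = b"edge-router-x firmware 4.2.1 (constructed bytes)"
VENDOR_MANIFEST = {                 # model -> {firmware version -> sha256 of image}
    "edge-router-x": {"4.2.1": sha256_hex(GOOD_IMAGE)},
}
EXPECTED_PORTS = {"edge-router-x": {22, 443}}   # assumed documented management surface

# Constructed inventory as read from three devices at receipt or on schedule.
DEVICES = [
    {"serial": "SN-0001", "model": "edge-router-x", "fw_version": "4.2.1",
     "fw_image": GOOD_IMAGE, "listening_ports": {22, 443}},
    {"serial": "SN-0002", "model": "edge-router-x", "fw_version": "4.2.1",
     "fw_image": GOOD_IMAGE + b"(one extra byte)", "listening_ports": {22, 443}},
    {"serial": "SN-0003", "model": "edge-router-x", "fw_version": "4.2.0",
     "fw_image": b"something else", "listening_ports": {22, 443, 4444}},
]


def check_device(dev, manifest=VENDOR_MANIFEST, expected_ports=EXPECTED_PORTS):
    """Return a list of findings; an empty list means nothing abnormal was seen.

    The hash check answers 'is this the image the vendor says it ships?'.
    The port check answers 'is the device doing anything the vendor did not
    document?'. Only the second can catch a vendor that itself ships bad
    firmware with a perfectly matching hash, which is the October 2012
    report's concern, so the two checks are complementary, not redundant.
    """
    findings = []
    versions = manifest.get(dev["model"], {})
    if dev["fw_version"] not in versions:
        findings.append("unknown-firmware-version")
    elif sha256_hex(dev["fw_image"]) != versions[dev["fw_version"]]:
        findings.append("firmware-hash-mismatch")
    unexpected = dev["listening_ports"] - expected_ports.get(dev["model"], set())
    if unexpected:
        findings.append("unexpected-ports:" + ",".join(str(p) for p in sorted(unexpected)))
    return findings


def triage(devices):
    """Split an inventory into devices cleared for deployment and devices held
    for investigation, with the reasons for holding them."""
    cleared, held = [], {}
    for dev in devices:
        findings = check_device(dev)
        if findings:
            held[dev["serial"]] = findings
        else:
            cleared.append(dev["serial"])
    return cleared, held


if __name__ == "__main__":
    cleared, held = triage(DEVICES)
    print("cleared:", cleared)
    for serial, findings in held.items():
        print("held:", serial, findings)
```

The same `check_device` call run on a schedule after deployment is the "continuous monitoring" of the third response: a port that appears months after installation is as much a finding as one present on the receiving dock.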
12
… and They are Back Again…
Wave 3
On March 12, customers of six of the major US Banking institutions experienced disruption to their Net banking services and if Carl Herberger of Radware is to be believed, this is the largest number of institutions to be targeted on a single day.
While Herberger refused to name these six banks citing confidentiality clauses in his company’s agreement with the Banks, there were others who pointed to the targets. Keynote Systems, which monitors Internet and Cloud services, said that traffic pattern analysis points to the online outage suffered by JP Morgan Chase, BB&T and PNC on March 12. All the Banks that appear to have been attacked and compromised had refused to comment about the attacks and also refused either to confirm or to deny the attacks. While the suspected victim Banks formally refused to comment, the first indication of something going wrong came from a Chase Services tweet.
A tweet on Chase Twitter Feed said on March 12 “*ALERT*
We Continue to work on getting Chase Online back to full
speed. In the meantime, pls. use Chase Mobile app or stop
by a branch.” The next day, Chase tweeted “We’re sorry it
was such a rough day and we really appreciate your patience.”
This is yet perhaps the most direct admission of any of the
victims that they were attacked.
Keynote Systems gave more precise data on the attacks later in the day. They said that the outage at Chase resulted in a nearly 100 percent failure between 2pm and 11pm ET. BB&T suffered outage between 12.30pm and 2.30 pm ET and also later in the day at 5.30 pm ET, though this was a brief interruption. PNC’s site was down for about 30 minutes at 3.30 pm ET on the same day. Keynote Systems however said it was not commenting on the cause of the downtime; it could only confirm the outage.
Commenting on these attacks, Herberger felt that “the thing that’s kind of frustrating to all of us is that we are six months into this and we still feel like this is a game of chess.” He wondered how it is that an industry that has been adorned with so many resources – with more than any other industrial segment in the US – missed the threat of hacktivist concerns.
On the day of the attack - March 12, the hacktivist group Izz al-Din al-Qassam Cyber Fighters (IDQ) said in a Pastebin post that the third phase of their attacks against the US banking institutions was about to begin. This group claimed in that post that they were waging the attacks against US banking institutions over a YouTube video deemed offensive to Muslims. IDQ identified nine targets for their Phase – 3 attacks that started on March 12: Bank of America, BB&T, Capital One, Chase, Citibank, Fifth Third Bancorp, PNC, Union Bank and US Bancorp.
I had written earlier about the successful attacks by IDQ who had used DDOS to disrupt the on-line services of Banks in the US. The group’s posts in Pastebin had then claimed that these attacks were attention-directing methods to warn the US powers-that-be to remove a particular movie and all its clippings from the Internet since this movie was offending the religious sentiments of Muslims. Other forms of protests were witnessed across the globe on the same issue and the offending movie did find its way out. Every group that had protested triumphantly claimed a causa proxima between their protest and the movie going out of the Internet. So did IDQ Cyber Fighters and they declared a cease fire.
DO YOU KNOW?
The most common form of “cyber terrorism” is a DDOS, or Distributed Denial of Service attack, whereby thousands of systems around the world simultaneously and repeatedly connect to a website or network in order to tie up the server resources, often sending it crashing offline. Anonymous released a tool this year that users could download and set on autopilot to receive attack commands from a remote command source. Similar DDOS attacks are often performed by the use of malware installed on users’ computers without their knowledge.
Was their ceasefire because they felt satisfied or was it to
regroup and collect more strength to attack? The current
phase of attack points to their ceasefire being a planned
retreat to re-build their strongest weapon – the Brobot. This
is said to be a 9,000-bot Botnet. While no precise numbers
are available, industry experts like Avivah Litan of Gartner
and Dan Holden of ASER agree that it is close to 9,000
bots. During the ceasefire, the hactivist group appears to
have learnt a lot about the defense strategies and capabilities
of the Banking institutions.
If they declared a ceasefire because the offending movie went off the Internet, what made them come back? Did they have a different demand? They are saying now that small clippings of the movie that hurt Muslims are still on the Internet, and they demand that these be totally removed.
The attacks during Operation Ababil Phase-3, as the hacktivists called their latest action, demonstrated two things: the attacks used more sophisticated methods than were used in earlier attacks and, more importantly, they deployed different attack methods on different targets. This is in striking contrast to their earlier attacks, which saw the same attack vector used on all targets. This change in attack strategy makes it difficult for the targeted institutions to collaborate and share knowledge on countermeasures, which was done successfully during the earlier attacks.
Another aspect of these attacks that warrants attention is that most attacks appear to have come from previously unknown Internet Protocol addresses, which is a clear indication that the Brobot is growing. It is still a matter of wonder how the hacktivists could put together a 9,000-bot botnet that could be used to attack frontline banking institutions. If they marshaled 9,000 bots in the short duration of their ceasefire, lasting less than two months, it speaks volumes about how vulnerable the Internet user community is.
Yet another angle being actively considered by investigators is to determine whether there could be reasons other than those ostensibly stated by those claiming responsibility for the DDOS attacks. There have been instances of botnets being used to launch an attack on financial services companies as a means of distracting them from a fraud that had been committed. Crime management professionals know that the longer investigators take to start a serious evidence search and forensic analysis, the better the chance for the perpetrator of the fraud to get away scot-free, or to significantly reduce the availability of incriminating evidence.
While no source has suspected IDQ of adopting their DDOS attacks as a smokescreen for fraud, there are serious concerns about DDOS being used as a means of fraud cover-up. The National Credit Union Administration has recently advised credit unions in the US to be cautious about “DDOS attacks (that) are often waged as tools of distraction to conceal fraud.” The concern of Richard Reinders, Head of Information Security at Lake Trust Credit Union, points to this thought process gaining currency. “DDOS attacks may also be paired with attempts to steal member funds or data,” said Reinders.
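The two observations above, that a wave made up largely of previously unseen source addresses signals a growing botnet and that a DDOS can be a smokescreen for fraud, both translate into checks a bank’s security team can run on its own logs while the attack is still in progress. The script below is an added example and not code from the monograph or from any of the institutions it names; its log format, the IP addresses (RFC 5737 documentation ranges), the account identifiers and the amounts are all constructed for the illustration, and the thresholds are assumptions to be tuned against real traffic.

```python
"""Two defender-side checks for a DDoS wave against an on-line banking site.

Added example, not the monograph's code.  All inputs are constructed:
log format, IP addresses (RFC 5737 documentation ranges), accounts, amounts.

1. unseen_source_ratio(): share of source IPs in the current wave that never
   appeared in the earlier wave (a flood of unknown addresses suggests the
   botnet has grown since the last wave).
2. ddos_window() + transfers_to_review(): find the attack window and pull
   out transfers inside it that are far above the account's usual size, so
   fraud review starts during the DDoS rather than after it.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Constructed access-log lines for two attack waves: "<timestamp> <src_ip> <path>"
WAVE_2_LOG = """\
2012-12-11T14:00:01 203.0.113.10 /online-banking/login
2012-12-11T14:00:01 203.0.113.11 /online-banking/login
2012-12-11T14:00:02 203.0.113.12 /online-banking/login
2012-12-11T14:00:02 198.51.100.5 /online-banking/login
"""

WAVE_3_LOG = """\
2013-03-05T09:30:00 203.0.113.10 /online-banking/login
2013-03-05T09:30:00 192.0.2.21 /online-banking/login
2013-03-05T09:30:01 192.0.2.22 /online-banking/login
2013-03-05T09:30:01 192.0.2.23 /online-banking/login
2013-03-05T09:30:02 192.0.2.24 /online-banking/login
2013-03-05T09:30:02 198.51.100.5 /online-banking/login
"""

# Constructed transfer records: (timestamp, account, amount)
TRANSFERS = [
    ("2013-03-04T10:15:00", "ACC-1001", 120.00),
    ("2013-03-04T12:00:00", "ACC-2002", 55.00),
    ("2013-03-04T16:40:00", "ACC-1001", 95.00),
    ("2013-03-05T09:30:01", "ACC-1001", 4800.00),  # inside the DDoS window, far above usual
    ("2013-03-05T09:30:01", "ACC-2002", 60.00),    # inside the window, but normal size
    ("2013-03-05T11:00:00", "ACC-1001", 110.00),
]


def parse_log(text):
    """Yield (timestamp, src_ip, path) from the constructed access-log format."""
    for line in text.splitlines():
        if line.strip():
            ts, ip, path = line.split()
            yield datetime.fromisoformat(ts), ip, path


def unseen_source_ratio(previous_log, current_log):
    """Return (unseen, distinct, ratio): distinct sources in the current wave
    that never appeared in the previous wave, and their share of the total."""
    known = {ip for _, ip, _ in parse_log(previous_log)}
    current = {ip for _, ip, _ in parse_log(current_log)}
    unseen = current - known
    ratio = len(unseen) / len(current) if current else 0.0
    return len(unseen), len(current), ratio


def ddos_window(log_text, min_sources_per_second=2):
    """Return (start, end) of the first run of consecutive seconds in which at
    least min_sources_per_second distinct IPs hit the site, or None."""
    per_second = defaultdict(set)
    for ts, ip, _ in parse_log(log_text):
        per_second[ts.replace(microsecond=0)].add(ip)
    hot = sorted(t for t, ips in per_second.items() if len(ips) >= min_sources_per_second)
    if not hot:
        return None
    start = end = hot[0]
    for t in hot[1:]:
        if t - end > timedelta(seconds=1):
            break  # gap in the flood: the first window ends here
        end = t
    return start, end


def transfers_to_review(transfers, window, multiplier=5.0):
    """Return transfers inside the window whose amount exceeds `multiplier`
    times the account's median transfer outside the window.  An account with
    no history outside the window gets a baseline of 0, so anything is flagged."""
    if window is None:
        return []
    start, end = window
    parsed = [(datetime.fromisoformat(ts), acct, amt) for ts, acct, amt in transfers]
    baseline = defaultdict(list)
    for ts, acct, amt in parsed:
        if not start <= ts <= end:
            baseline[acct].append(amt)
    flagged = []
    for ts, acct, amt in parsed:
        if start <= ts <= end:
            usual = median(baseline[acct]) if baseline[acct] else 0.0
            if amt > multiplier * usual:
                flagged.append((ts.isoformat(), acct, amt))
    return flagged


if __name__ == "__main__":
    unseen, distinct, ratio = unseen_source_ratio(WAVE_2_LOG, WAVE_3_LOG)
    print(f"wave 3: {unseen} of {distinct} distinct sources never seen in wave 2 ({ratio:.0%})")
    window = ddos_window(WAVE_3_LOG)
    print("DDoS window:", window)
    for ts, acct, amt in transfers_to_review(TRANSFERS, window):
        print(f"review: {acct} moved {amt:.2f} at {ts} during the attack")
```

On the constructed data, four of the six sources in the third wave are new, and the one transfer that is both inside the attack window and far above the account’s usual size is the only record surfaced for review. In practice the baseline would come from weeks of history rather than a day, and the window would be taken from the traffic-scrubbing or load-balancer telemetry rather than re-derived from raw access logs, but the point of the check is the same: the fraud investigation starts at the same moment as the availability incident, not after it.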
Whatever the real or apparent driving factor behind IDQ’s Ababil Phase-3, the fact remains that the perpetrators of security infractions have once again gained a victory by breaking into the fortresses within which we all want to believe that banks are located.
Cyber crimes trends to watch-full book-l
Cyber crimes trends to watch-full book-l
Cyber crimes trends to watch-full book-l
Cyber crimes trends to watch-full book-l
Cyber crimes trends to watch-full book-l
Cyber crimes trends to watch-full book-l
Cyber crimes trends to watch-full book-l
Cyber crimes trends to watch-full book-l
Cyber crimes trends to watch-full book-l
Cyber crimes trends to watch-full book-l
Cyber crimes trends to watch-full book-l
Cyber crimes trends to watch-full book-l
Cyber crimes trends to watch-full book-l
Cyber crimes trends to watch-full book-l
Cyber crimes trends to watch-full book-l
Cyber crimes trends to watch-full book-l
Cyber crimes trends to watch-full book-l
Cyber crimes trends to watch-full book-l
Cyber crimes trends to watch-full book-l
Cyber crimes trends to watch-full book-l
Cyber crimes trends to watch-full book-l
Cyber crimes trends to watch-full book-l

Mais conteúdo relacionado

Mais procurados

Malware & Data Breaches: Combatting the Biggest Threat
Malware & Data Breaches:  Combatting the Biggest ThreatMalware & Data Breaches:  Combatting the Biggest Threat
Malware & Data Breaches: Combatting the Biggest ThreatChris Ross
 
Bug Bounty Programs : Good for Government
Bug Bounty Programs : Good for GovernmentBug Bounty Programs : Good for Government
Bug Bounty Programs : Good for GovernmentDinesh O Bareja
 
Cybertorts
CybertortsCybertorts
Cybertortspanabaha
 
Fingerpay
FingerpayFingerpay
FingerpayAnand B
 
September 2021: Top 10 Read Articles in Network Security and Its Applications
September 2021: Top 10 Read Articles in Network Security and Its ApplicationsSeptember 2021: Top 10 Read Articles in Network Security and Its Applications
September 2021: Top 10 Read Articles in Network Security and Its ApplicationsIJNSA Journal
 
Owasp e crime-london-2012-final
Owasp e crime-london-2012-finalOwasp e crime-london-2012-final
Owasp e crime-london-2012-finalMarco Morana
 
Is Big Data A Risky Business in Isaca Journal
Is Big Data A Risky Business in Isaca JournalIs Big Data A Risky Business in Isaca Journal
Is Big Data A Risky Business in Isaca JournalTushar Kale
 
Module 9 (social engineering)
Module 9 (social engineering)Module 9 (social engineering)
Module 9 (social engineering)Wail Hassan
 
Research on Privacy Protection in Big Data Environment
Research on Privacy Protection in Big Data EnvironmentResearch on Privacy Protection in Big Data Environment
Research on Privacy Protection in Big Data EnvironmentIJERA Editor
 
July 2021 - Top 10 Read Articles in Network Security & Its Applications
July 2021 - Top 10 Read Articles in Network Security & Its ApplicationsJuly 2021 - Top 10 Read Articles in Network Security & Its Applications
July 2021 - Top 10 Read Articles in Network Security & Its ApplicationsIJNSA Journal
 
How to Migrate Your Organization to a More Security-Minded Culture – From Dev...
How to Migrate Your Organization to a More Security-Minded Culture – From Dev...How to Migrate Your Organization to a More Security-Minded Culture – From Dev...
How to Migrate Your Organization to a More Security-Minded Culture – From Dev...Dana Gardner
 
Wk online trust solutions overview january 2012
Wk online trust solutions overview january 2012Wk online trust solutions overview january 2012
Wk online trust solutions overview january 2012Creus Moreira Carlos
 
Social engineering
Social engineeringSocial engineering
Social engineeringBola Oduyale
 
Cyber Security For Law Firms - February 2015 -Westchester County Bar Associat...
Cyber Security For Law Firms - February 2015 -Westchester County Bar Associat...Cyber Security For Law Firms - February 2015 -Westchester County Bar Associat...
Cyber Security For Law Firms - February 2015 -Westchester County Bar Associat...dmenken60
 
Data mining applied about polygamy using sentiment analysis on Twitters in In...
Data mining applied about polygamy using sentiment analysis on Twitters in In...Data mining applied about polygamy using sentiment analysis on Twitters in In...
Data mining applied about polygamy using sentiment analysis on Twitters in In...journalBEEI
 

Mais procurados (19)

Security
SecuritySecurity
Security
 
Malware & Data Breaches: Combatting the Biggest Threat
Malware & Data Breaches:  Combatting the Biggest ThreatMalware & Data Breaches:  Combatting the Biggest Threat
Malware & Data Breaches: Combatting the Biggest Threat
 
Bug Bounty Programs : Good for Government
Bug Bounty Programs : Good for GovernmentBug Bounty Programs : Good for Government
Bug Bounty Programs : Good for Government
 
Cybertort Imp Slides For Pub. Internet
Cybertort Imp Slides For Pub. InternetCybertort Imp Slides For Pub. Internet
Cybertort Imp Slides For Pub. Internet
 
Cybertorts
CybertortsCybertorts
Cybertorts
 
Fingerpay
FingerpayFingerpay
Fingerpay
 
September 2021: Top 10 Read Articles in Network Security and Its Applications
September 2021: Top 10 Read Articles in Network Security and Its ApplicationsSeptember 2021: Top 10 Read Articles in Network Security and Its Applications
September 2021: Top 10 Read Articles in Network Security and Its Applications
 
Owasp e crime-london-2012-final
Owasp e crime-london-2012-finalOwasp e crime-london-2012-final
Owasp e crime-london-2012-final
 
Is Big Data A Risky Business in Isaca Journal
Is Big Data A Risky Business in Isaca JournalIs Big Data A Risky Business in Isaca Journal
Is Big Data A Risky Business in Isaca Journal
 
Module 9 (social engineering)
Module 9 (social engineering)Module 9 (social engineering)
Module 9 (social engineering)
 
Research on Privacy Protection in Big Data Environment
Research on Privacy Protection in Big Data EnvironmentResearch on Privacy Protection in Big Data Environment
Research on Privacy Protection in Big Data Environment
 
July 2021 - Top 10 Read Articles in Network Security & Its Applications
July 2021 - Top 10 Read Articles in Network Security & Its ApplicationsJuly 2021 - Top 10 Read Articles in Network Security & Its Applications
July 2021 - Top 10 Read Articles in Network Security & Its Applications
 
How to Migrate Your Organization to a More Security-Minded Culture – From Dev...
How to Migrate Your Organization to a More Security-Minded Culture – From Dev...How to Migrate Your Organization to a More Security-Minded Culture – From Dev...
How to Migrate Your Organization to a More Security-Minded Culture – From Dev...
 
Insecure mag-33
Insecure mag-33Insecure mag-33
Insecure mag-33
 
Wk online trust solutions overview january 2012
Wk online trust solutions overview january 2012Wk online trust solutions overview january 2012
Wk online trust solutions overview january 2012
 
Social engineering
Social engineeringSocial engineering
Social engineering
 
Cyber Security For Law Firms - February 2015 -Westchester County Bar Associat...
Cyber Security For Law Firms - February 2015 -Westchester County Bar Associat...Cyber Security For Law Firms - February 2015 -Westchester County Bar Associat...
Cyber Security For Law Firms - February 2015 -Westchester County Bar Associat...
 
Wk4 project
Wk4 projectWk4 project
Wk4 project
 
Data mining applied about polygamy using sentiment analysis on Twitters in In...
Data mining applied about polygamy using sentiment analysis on Twitters in In...Data mining applied about polygamy using sentiment analysis on Twitters in In...
Data mining applied about polygamy using sentiment analysis on Twitters in In...
 

Semelhante a Cyber crimes trends to watch-full book-l

Raise The Cybersecurity Curtain. Predictions 2021
Raise The Cybersecurity Curtain. Predictions 2021Raise The Cybersecurity Curtain. Predictions 2021
Raise The Cybersecurity Curtain. Predictions 2021Ludmila Morozova-Buss
 
Cyber Impact of Fake Instagram Business Account Identify Based on Sentiment A...
Cyber Impact of Fake Instagram Business Account Identify Based on Sentiment A...Cyber Impact of Fake Instagram Business Account Identify Based on Sentiment A...
Cyber Impact of Fake Instagram Business Account Identify Based on Sentiment A...IRJET Journal
 
dynamo-smb-ebook-volume-2.pdf
dynamo-smb-ebook-volume-2.pdfdynamo-smb-ebook-volume-2.pdf
dynamo-smb-ebook-volume-2.pdfssuser0eb436
 
How To Summarize An Article In Apa Format. Exam
How To Summarize An Article In Apa Format. ExamHow To Summarize An Article In Apa Format. Exam
How To Summarize An Article In Apa Format. ExamCrystal Carter
 
Why do women love chasing down bad guys?
Why do women love chasing down bad guys? Why do women love chasing down bad guys?
Why do women love chasing down bad guys? SITA
 
Conference on Digital Forensics & Cyber Security 2016
Conference on Digital Forensics & Cyber Security 2016Conference on Digital Forensics & Cyber Security 2016
Conference on Digital Forensics & Cyber Security 2016Kayisa Herman Dube
 
The Technology Development Of The Global Network
The Technology Development Of The Global NetworkThe Technology Development Of The Global Network
The Technology Development Of The Global NetworkCandice Him
 
Cybersecurity report
Cybersecurity reportCybersecurity report
Cybersecurity reportKevin Leffew
 
Cybersecurity: Protecting Local Government Digital Resources Report
Cybersecurity: Protecting Local Government Digital Resources ReportCybersecurity: Protecting Local Government Digital Resources Report
Cybersecurity: Protecting Local Government Digital Resources ReportSamantha Wagner
 
Inside TorrentLocker (Cryptolocker) Malware C&C Server
Inside TorrentLocker (Cryptolocker) Malware C&C Server Inside TorrentLocker (Cryptolocker) Malware C&C Server
Inside TorrentLocker (Cryptolocker) Malware C&C Server Davide Cioccia
 

Semelhante a Cyber crimes trends to watch-full book-l (15)

Raise The Cybersecurity Curtain. Predictions 2021
Raise The Cybersecurity Curtain. Predictions 2021Raise The Cybersecurity Curtain. Predictions 2021
Raise The Cybersecurity Curtain. Predictions 2021
 
2014 Conference Brochure - GRC 2.0 Breaking Down the Silos
2014 Conference Brochure - GRC 2.0 Breaking Down the Silos2014 Conference Brochure - GRC 2.0 Breaking Down the Silos
2014 Conference Brochure - GRC 2.0 Breaking Down the Silos
 
Cyber crime
Cyber crimeCyber crime
Cyber crime
 
CYBER THREAT FORCAST 2016
CYBER THREAT FORCAST 2016 CYBER THREAT FORCAST 2016
CYBER THREAT FORCAST 2016
 
CYBER THREAT FORCAST 2016
CYBER THREAT FORCAST 2016 CYBER THREAT FORCAST 2016
CYBER THREAT FORCAST 2016
 
Cyber Impact of Fake Instagram Business Account Identify Based on Sentiment A...
Cyber Impact of Fake Instagram Business Account Identify Based on Sentiment A...Cyber Impact of Fake Instagram Business Account Identify Based on Sentiment A...
Cyber Impact of Fake Instagram Business Account Identify Based on Sentiment A...
 
dynamo-smb-ebook-volume-2.pdf
dynamo-smb-ebook-volume-2.pdfdynamo-smb-ebook-volume-2.pdf
dynamo-smb-ebook-volume-2.pdf
 
How To Summarize An Article In Apa Format. Exam
How To Summarize An Article In Apa Format. ExamHow To Summarize An Article In Apa Format. Exam
How To Summarize An Article In Apa Format. Exam
 
Why do women love chasing down bad guys?
Why do women love chasing down bad guys? Why do women love chasing down bad guys?
Why do women love chasing down bad guys?
 
OS17 Brochure
OS17 BrochureOS17 Brochure
OS17 Brochure
 
Conference on Digital Forensics & Cyber Security 2016
Conference on Digital Forensics & Cyber Security 2016Conference on Digital Forensics & Cyber Security 2016
Conference on Digital Forensics & Cyber Security 2016
 
The Technology Development Of The Global Network
The Technology Development Of The Global NetworkThe Technology Development Of The Global Network
The Technology Development Of The Global Network
 
Cybersecurity report
Cybersecurity reportCybersecurity report
Cybersecurity report
 
Cybersecurity: Protecting Local Government Digital Resources Report
Cybersecurity: Protecting Local Government Digital Resources ReportCybersecurity: Protecting Local Government Digital Resources Report
Cybersecurity: Protecting Local Government Digital Resources Report
 
Inside TorrentLocker (Cryptolocker) Malware C&C Server
Inside TorrentLocker (Cryptolocker) Malware C&C Server Inside TorrentLocker (Cryptolocker) Malware C&C Server
Inside TorrentLocker (Cryptolocker) Malware C&C Server
 

Último

Interactive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communicationInteractive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communicationnomboosow
 
Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfActivity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfciinovamais
 
The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13Steve Thomason
 
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxSOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxiammrhaywood
 
1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 -  Danh muc Sach Giao Khoa 10 . pdf1029 -  Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdfQucHHunhnh
 
Measures of Dispersion and Variability: Range, QD, AD and SD
Measures of Dispersion and Variability: Range, QD, AD and SDMeasures of Dispersion and Variability: Range, QD, AD and SD
Measures of Dispersion and Variability: Range, QD, AD and SDThiyagu K
 
Z Score,T Score, Percential Rank and Box Plot Graph
Z Score,T Score, Percential Rank and Box Plot GraphZ Score,T Score, Percential Rank and Box Plot Graph
Z Score,T Score, Percential Rank and Box Plot GraphThiyagu K
 
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...EduSkills OECD
 
Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17Celine George
 
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Krashi Coaching
 
Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..Disha Kariya
 
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...christianmathematics
 
Class 11th Physics NEET formula sheet pdf
Class 11th Physics NEET formula sheet pdfClass 11th Physics NEET formula sheet pdf
Class 11th Physics NEET formula sheet pdfAyushMahapatra5
 
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in DelhiRussian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhikauryashika82
 
9548086042 for call girls in Indira Nagar with room service
9548086042  for call girls in Indira Nagar  with room service9548086042  for call girls in Indira Nagar  with room service
9548086042 for call girls in Indira Nagar with room servicediscovermytutordmt
 
Disha NEET Physics Guide for classes 11 and 12.pdf
Disha NEET Physics Guide for classes 11 and 12.pdfDisha NEET Physics Guide for classes 11 and 12.pdf
Disha NEET Physics Guide for classes 11 and 12.pdfchloefrazer622
 

Último (20)

Interactive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communicationInteractive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communication
 
Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfActivity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdf
 
The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13
 
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxSOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
 
1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 -  Danh muc Sach Giao Khoa 10 . pdf1029 -  Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf
 
Código Creativo y Arte de Software | Unidad 1
Código Creativo y Arte de Software | Unidad 1Código Creativo y Arte de Software | Unidad 1
Código Creativo y Arte de Software | Unidad 1
 
Measures of Dispersion and Variability: Range, QD, AD and SD
Measures of Dispersion and Variability: Range, QD, AD and SDMeasures of Dispersion and Variability: Range, QD, AD and SD
Measures of Dispersion and Variability: Range, QD, AD and SD
 
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptxINDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
 
Z Score,T Score, Percential Rank and Box Plot Graph
Z Score,T Score, Percential Rank and Box Plot GraphZ Score,T Score, Percential Rank and Box Plot Graph
Z Score,T Score, Percential Rank and Box Plot Graph
 
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
 
Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17
 
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
 
Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..
 
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
 
Class 11th Physics NEET formula sheet pdf
Class 11th Physics NEET formula sheet pdfClass 11th Physics NEET formula sheet pdf
Class 11th Physics NEET formula sheet pdf
 
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in DelhiRussian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
 
Advance Mobile Application Development class 07
Advance Mobile Application Development class 07Advance Mobile Application Development class 07
Advance Mobile Application Development class 07
 
9548086042 for call girls in Indira Nagar with room service
9548086042  for call girls in Indira Nagar  with room service9548086042  for call girls in Indira Nagar  with room service
9548086042 for call girls in Indira Nagar with room service
 
Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"
Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"
Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"
 
Disha NEET Physics Guide for classes 11 and 12.pdf
Disha NEET Physics Guide for classes 11 and 12.pdfDisha NEET Physics Guide for classes 11 and 12.pdf
Disha NEET Physics Guide for classes 11 and 12.pdf
 

Cyber crimes trends to watch-full book-l

  • 1. 99
  • 2. 1 cyber crimes Trends to watch... Dr K Rama Subramaniam Chairman, Valiant Voora Center of Excellence in Digital Forensics, Chennai Director and CEO, Valiant Technologies, India and UAE Adjunct Professor, Department of Criminology, University of Madras
  • 3. 2 First Edition, 2013 Copyright © 2013 Dr. K Rama Subramaniam Author : Dr. K Rama Subramaniam Editor : V Pattabhi Ram Price : Rs.250/- Published by : Valiant Voora Center of Excellence in Digital Forensics 196, Burmah Colony, Perungudi Chennai 600 096 Phone +91 44 2496 7730 Fax +91 44 2496 7740 coedf@valiant-technologies.com Layout & Design : Malaiselvan N, Prime Academy Font : Garamond and Swis721 Cn BT Printed at : Shri Akshaya Graphics, Chennai 600 026 Ph: (044) 2484 3118 Disclaimer: While every effort is taken to avoid errors or omission in this publication, any mistake or omission that may have crept in, is not intentional. It may be taken note of that neither the publisher, nor the authors, will be responsible for any damage or loss of any kind arising to any one in any manner on account of such errors or omissions.
  • 4. 3 Dr. K Rama Subramaniam MBA(UK), Ph.D, FCA, FISC, CISA, CISM, CISSP, CFIP, CEH, CHFI, Security+ Chairman,ValiantVooraCenterof ExcellenceinDigitalForensics,Chennai Chairman, Center of Excellence in Digital Forensics, Chennai Director & CEO, Valiant Technologies - India and UAE. Executive Director, Baker Tilly MKM, Abu Dhabi Adjunct Professor – Dept. of Criminology, University of Madras. Global Chair, International Institute of Certified Forensic Investigation Professionals (IICFIP), USA IBM GIO Alumni. India’s country representative at International Federation of Information Processing (IFIP); serving on their Technical Committee TC-11 dealing with information security& privacy. Awarded the ISC-Prof S S Srivatsava Prize for Excellence in Social Science Research and Teaching. Information security and GRC consultant, audit and assurance professional, trainer and educator for over two decades. Certified and experienced professional in the areas of creating and implementing full cycle business continuity and disaster recovery plans; secure information security architecture; risk management systems and processes; internal controls systems and processes; anti-money laundering processes and frameworks; security audits and certification of network infrastructure, GRC systems, ERP application controls review, multifactor authentication (including PKI and X.509 compliant certification infrastructure); and assurance processes for SOX, COSO, COBIT, ITIL, PCI-DSS, ISM3, ISSAF, ISO-27001, ISO-22301, BS-25999, ISO-31000 and ISO-15408 compliant information security management systems. Trained experts in BCP and DRP domains, risk management and information security domains across Gulf nations, India, Far East and the author
  • 5. 4 Africa and is a consultant to a number of organizations in the commercial, government, armed forces, judiciary and law enforcement segments in these countries. Currently providing consulting support to a number of organizations in the BFSI, Manufacturing and Telecom sector in the GCC countries, Africa and South Asia in the areas of Business Continuity and Disaster Recovery Management Systems, Enterprise Risk management, Information security, Anti Money Laundering, DLP, Audit and Assurance and compliance with norms of various central banks and global ‘best-practices’ framework, Digital Forensics and fraud investigation. Served earlier as Global Chair of the Education and Awareness Principles Expert Group of Globally Accepted Information Security Principles (GAISP), based in the United States and is former Global Chair of the Accreditation Process committee of Open Information Systems Security Group (OISSG), based in the UK where he established their certification and accreditation processes. Charter President of the first chapter of ISSA (Information Systems Security Association) in Asia and also Charter President of ISC2’s first Chapter in India. Served on the boards of Dubai, Chennai and Bangalore chapters of ISACA. Former Managing Director of Thewo Corporate Services based in Lusaka, Zambia; Group Operations Director of Benetone Group of Companies based in Bangkok, Thailand and Commercial Director of Dynaspede Integrated Systems Ltd, based in Mumbai.
  • 6. 5 First word----------------------------------------------------------07 0 Net game from the Net-------------------------------------09 1 Sandy and the Hacker---------------------------------------13 2 PATCO Ruling – Wake up call for banks?---------------19 3 Will the Real Hacker please stand up?--------------------23 4 Juvenile Hackers----------------------------------------------27 5 ZERO IQ…--------------------------------------------------31 6 Operation High Roller--------------------------------------37 7 CITADEL: The collaboration suite of cyber criminals-----------------------------------------43 8 They promised. They delivered!---------------------------49 9 The case of Insider Fraud----------------------------------55 10 Clipping the butterfly’s wings------------------------------61 11 The new threat vector---------------------------------------67 12 … and They are Back Again…Wave 3-------------------71 13 PATCO Ruling reversed??----------------------------------77 14 Digital Forensics – an IT Governance Attribute-------81 15 ICT – Tomorrow is here------------------------------------89 INSIDE
  • 7. 7 first word Cyber Crime was a novelty among criminologists about a decade ago. Today, it is commonplace. The speed of its evolution and the rise in its degree of sophistication has left many wondering about the perspectives of this form of crime. The initial hackers were keener on the kick of playing around with technology. True, in a sense, they too were criminals; but they had no motives of defrauding people. Soon they gave way to organized criminals who saw in this the ultimate dream of the cheat: least risk with highest rewards plus the joy of committing the crime in a comfortable and congenial environment. The risk of getting caught is low due to a number of factors including the not-so-mature digital forensic processes. There is also this issue of privacy and the lack of trans-border cooperation. Secondly, the risk of being punished is still lower due to the significant differences between speed of development in crime sophistication and the legal processes attempting to play catch up. To further minimize the overall risk of crime consequences, the attackers have chosen to work on the most liquid of assets – money in electronic form. The spate of successful attacks on banks and financial institutions in the recent past bear testimony to this shrewd crime risk assessment being carried out by cyber criminals attacking the BFSI sector. During the past few months, I have been writing a regular column commenting on Cyber Crimes and the emerging trends both in Industrial Economist and K-Mart. I have presented those articles in this monograph. The Industrial
  • 8. 8 Economist is a 45-year-old Chennai (India) based business magazine. I am indeed grateful to Mr. S Viswanathan, Editor and Publisher of the magazine for permission to publish these articles. The K-Mart is an Internet only magazine from Prime Academy, the pioneering institution, which is in the Knowledge dissemination space. I am grateful to the Academy for allowing me to publish the articles. I have also presented in this monograph, with substantial modifications, a paper of mine published earlier by ISACA, UAE Chapter. I thank my long-standing friend V Pattabhi Ram, a chartered accountant, for bringing in his editorial skills in giving this monograph its final shape. This monograph would have served a useful purpose if it draws the attention of various stake holders in the cyber crime management cycle, to the need for each of us to play our roles in thwarting the efforts of cyber criminals who take away what genuinely is ours – our money, our privacy, our intellectual property and our freedom on the Net. K Rama Subramaniam rama@valiant-technologies.com
0 Net gain from the Net

When the history of the modern world is written, the world-wide-web will receive a primordial position. For, the Internet has changed our lives the way nothing else has; not even the invention of “fire” that altered forever the lives of our forefathers. Who would have thought that knowledge would be available at the click of a mouse? That, sitting in one part of the world, it would be possible to access, draw, use and return literature available in another part of the world? That you could sit in the comfort of your study room at home and listen to top global professors deliver talks to you in real time, and that you could have two-way interactivity with them and with fellow students, again in real time?

We today have an entire generation that has not walked into a bank to draw money from a teller; a generation that has not placed an order with a stock broker; that has not stood in a queue at a railway station or a theater to buy a ticket. You can do transactions while on the move. Importantly, the new generation is making friends on the Internet; it’s no more love at first sight, it’s love first on the site. It’s a wired world. OMG, how did we live without the Internet in the pre-Internet days?

But like with all things good and beautiful, there is a darker underbelly to the Internet. The massive developments in technology now mean that you can lose everything in a jiffy, and without trace. That wasn’t how it was earlier. Then, if your accounting data had to be lost, someone had to physically carry away the ledger from your office. Or take copious photocopies. Today, he simply has to transfer it on a drive that’s the size of your thumb and no one would be the wiser. Yes, valuable data can be stolen with impunity. The new generation criminal is a white-collared, tech-savvy man-next-door. It’s brain power, not muscle power, which wins here.

The worst part is that things are getting far more dangerous. Look at some of the remarkable things that have happened. Even as the weather Gods were busy drowning their fury on hapless America, hackers were busy trying to break into USA’s pristine banking system. Read about it in Sandy and the Hacker. The irony is that no one was sure what they were up to; namely stealing information or just getting the kick out of a denial or a distributed denial of service attack!

Are the bankers careful in ensuring that the customers’ data and money are not lost? Do they take adequate care? Do these meet the test of commercial reasonableness? These are questions that have baulked the customer. In PATCO Ruling – Wake up call for Banks we search for some answers. Even as the ink on the PATCO ruling hadn’t dried, a fresh ruling came that seemed to suggest that the PATCO ruling might not be final. We capture that in PATCO Ruling reversed?? No one seems to be bothered about the dictum that the Apex Court’s verdict is final not because it is right; but it is right because it is final!

Hacking is criminal. Yet hackers enjoy a holy halo of being Mr. Brains. There is no naming and shaming when it comes to them. Will the Real Hacker please stand up tells you just that. Worse still, hacking has now become kid’s stuff. In Juvenile Hacker read on to how “illiterate children”, yes illiterate children, in Ethiopia of all places, hacked the Android! And you thought technology was rocket science.

Is it possible to track those who steal cards on the Net? The answer is “Yes.” The FBI cracked it with gusto in the Zero IQ case.

Criminals go where the money is; bank robbers go online! In a new brand of innovation, money mules are used to do money laundering and it may happen in your account without you even knowing about it. In the end, you may end up in prison for no fault of yours. Operation High Roller has insights into this.

You have to be careful about messages that you receive on the Net. This can trap both the amateur and the seasoned security professional. “Citadel” is a case in point.

The rogues are becoming increasingly daring. Like in the movies, they promise that they will break into banks and do a DDOS at a specified date at a specified time on the Internet; and they deliver on that promise! That’s what we speak of in They promised. And they delivered. If they can strike with a fore-warning I am sure they can do anything.

The thief is within. The case of the Insider fraud is a telling story of how a combination of good deterrence and technology that responds to human behavioral tendencies can save our banks millions and increase the sagging confidence in technology systems.

Nothing, nothing, is safe; not even the supply chain. Read about it in “The new threat vector” to get a ringside view of how cyber infractions have gone beyond computers, Internet, internal networks and wireless applications.

Bot herders collectively control a mind-boggling 11 million compromised computer systems leading to a staggering loss of over $850 million through stolen credit card and bank account credentials and compromised Personally Identifiable Information. On 12th December 12, the FBI had cracked this case thus effectively “Clipping the butterfly’s wings”.

On March 12, customers of six major US banks couldn’t bank on the Net. This was the largest number of institutions to be targeted on a single day. For a fuller focus move to … and They are Back Again.

How the future would look is what you get to know in the compulsive read “ICT-Tomorrow is here.”

In the end the best way to catch the criminal is to go strong on Digital Forensics. That’s where the future lies. The Internet is a lovely medium. We cannot imagine life without it; for, we are addicted. But there are pitfalls. Yet, we cannot throw the baby out along with the bath water. It’s time to build great security that would trap the best of criminals. Are we headed towards it?

DO YOU KNOW? For the year 1938, Time had chosen Adolf Hitler as the man who “for better or worse” (as Time founder Henry Luce expressed it) had most influenced events of the preceding year. If there is an award for the most important development of the last 100 years that would “for better, not for worse” go to the Internet.
1 Sandy and the Hacker…

Sandy took many by storm towards the end of October 2012. Ha, we are referring to the Sandy storm (a k a Hurricane Sandy) that swept the USA in end October.

LIKE everyone else, the BFSI segment told the world that it had adequate disaster management mechanisms to minimize the impact of Hurricane Sandy. Almost every bank revisited the well-articulated publication of the Federal Financial Institutions Examination Council, Lessons learned from Hurricane Katrina: Preparing your institution for a catastrophic event. Just as the bankers were getting prepared to meet any eventuality that Hurricane Sandy may throw out, so were the hackers. The purpose of their preparedness was, of course, different. The attackers saw a great opportunity to intrude when the bank was busy fighting the possible consequences of Sandy.

Sandy leaves its trail of damage

The New York Stock Exchange, that generally doesn’t close and definitely not due to inclement conditions, closed for two days. On October 31, when Sandy had weakened, the financial institutions took stock. Secretary of US Homeland Security, Janet Napolitano, told the Washington Post, “Right now financial institutions are actively under attack.” That very day also saw Citigroup experience an online and mobile outage that lasted around an hour. In this background, the following questions deserve a closer look.

• Was there a fraud dimension to this outage?
• Was this outage planned and executed by hackers knowing well that Citigroup would be too busy recovering from the aftermath of Sandy?
• Was this yet another of the distributed denial of service (DDOS) attacks continuing the earlier pattern that affected over ten banks?

There are multiple views on what brought down Citigroup’s online and mobile services. One view is that it was a DDOS and a front for attempted fraud. These DDOS patterns point to a pattern of attack when the organization is otherwise busy getting its services back to normalcy. In the context of her stating that financial institutions are actively under attack, Janet Napolitano was asked if the attackers were stealing information or money from the banks. She said “Yes” but quickly added that “I really don’t want to go into that per se. All I want to say is that there are active matters going on with financial institutions.”

So, one line of thought is that this DDOS could have, as the driving force, a fraud perpetrated on the assets of the bank. If the attackers had wanted the DDOS attack to divert attention, resulting in a less guarded logical perimeter to the bank’s information assets, then they timed it pretty well. The Bank was already busy coming out of the effects of Hurricane Sandy and the attackers brought down the services, forcing the bank to thinly spread its response capability.

If this DDOS attack is a continuation of the ten earlier attacks on the banks in the past couple of months, then clearly the intention cannot be fraud. For, the Izz ad-din al-Qassam that claimed responsibility for the earlier attacks wanted to use it as an attention-grabbing tactic and there were no fraudulent intentions. In a Pastebin post, the group said, “Due to approaching Eid and to commemorate this breezy and blessing day, we will stop our attack operations during the coming days”. If this were true, the attack is not part of the series of DDOS by this group. So, does this DDOS point to potential fraudulent intentions rather than being merely hacktivism?

DO YOU KNOW? Hurricane Sandy was the deadliest tropical cyclone of the 2012 hurricane season. It caused an estimated damage of $75 billion, and to that extent is the second-costliest hurricane in US history, behind Hurricane Katrina. At least 285 people were killed in seven countries. Because of the widespread damage the storm caused, the media nicknamed it “Super-storm Sandy”.

Mike Smith, a Security Evangelist with Akamai, says that the degree of automation found in DDOS attacks suggests fraud as the motive. Referring to the process where the attackers are looking for targets that have footprints on employees’ desktops, Smith argues that finding such footprints increases the amount of information that can be scanned from the target’s network. This can lead one to the proposition that the Citigroup outage on 31 October probably had fraud as the motive and is not a continuation of the earlier DDOS attacks.

A counter to this proposition comes from another set of researchers who believe that Hurricane Sandy was responsible for the outage and that it is not a DDOS. Their argument: the outage is the result of the impact of Hurricane Sandy on the infrastructure that supported the servers at the Bank. Leading this thought is John Walker, a member of the European Network and Information Security Agency (ENISA) security experts’ team. Interdependencies between networks, especially cellular networks and service providers, mean that when one of them is affected, the others too are, and this complicates outages during natural disasters, argues Walker. These dependencies will at best bring down mobile banking, as it happened to Citigroup, but they cannot account for the outage of on-line systems. To that extent, Walker has some explaining to do if his theory is to be validated.

Presenting another dimension to this debate is the data available from the research work at Nottingham Trent University’s Computing and Informatics Department. Analysis of Internet traffic patterns points to the fact that as Hurricane Sandy was attacking the physical infrastructure of the banks on the east coast, vectors of cyber attack increased in the Midwest and along the East Coast. On this statistic, Walker agrees that internet traffic data for October 31 suggests that attackers went on to hit institutions that were struggling to recover from the Hurricane.

There is a third view; that it is incorrect to pinpoint any one factor as causing an outage of Citigroup mobile and on-line services. A strong votary of this approach is Matt Wilson of VeriSign. Wilson believes that “there are literally thousands of possible reasons for an outage. Anyone suggesting that it’s DDOS or tied to any particular external event is literally guessing unless Citi verifies it.” Andrew Brent, Citi spokesman, declined to comment.

The cause of this outage will remain a mystery, with multiple evidences pointing to different reasons, and it can only be understood when Citi clarifies the cause. Common users of banking services, ones like you and I, are more worried now; if the traffic patterns during the disastrous Hurricane are to be believed, are the banks capable of managing the combined onslaught of future versions of Sandy and the Hacker?

DO YOU KNOW? The technology behind the Internet began back in the 1960’s at MIT. The first message ever to be transmitted was LOG. Why? The user had attempted to type LOGIN, but the network crashed after the enormous load of data of the letter G.

Do we have to say it? Yes, the world is now in our hands; thanks to the Internet.
2 PATCO Ruling – Wake up call for banks?

“It is a wakeup call for the Banks”, said Mark Patterson, co-owner of PATCO Construction Inc., while reacting to the judgment of the United States Court of Appeals for the First Circuit in Boston.

PATCO was obviously happy at the reversal of the District Court’s judgment in a case where PATCO sued their bankers for negligence resulting in ACH and wire fraud related loss of over half a million dollars; $588,851 to be precise. The bankers, People’s United, formerly Ocean Bank, contended that they had met the security requirements and that PATCO had agreed to this set of security implementation while signing the electronic banking agreement. In response to PATCO’s specific charge that the Bank did not fully comply with the FFIEC requirements for security of electronic banking systems, the Bank argued that it had implemented serious security and authentication features like: User ID and Password; Device Identification; Risk Profiling; Challenge Question; Dollar Amount Rule; and e-Fraud Network. The lower court accepted this position while dismissing PATCO’s claims against the Bank. The judgment raised a few other questions of law but agreed with what the Bank had done in terms of security as being ‘commercially reasonable.’

The Appeals Court overruled the lower court’s judgment and maintained that the security was ‘commercially unreasonable.’ The fact that this ruling came from a Federal Court is “a big thing”, says Avivah Litan at Gartner. The ruling points to the failure of the Bank evidenced in its not implementing the key security measures that are used regularly by the banking community; namely, Out-of-Band Authentication; User Selected Picture function; Tokens; and Monitoring. This is the second case in the recent past when the judiciary has found fault with the banks for not doing enough to prevent frauds happening via their Net banking systems. In the earlier case involving Commercial Bank, the customer Experi Metals Inc. sued the bank for negligence resulting in wire / ACH fraud and the court ordered financial restitution. In PATCO’s case, the Appeals Court applied the test of ‘commercial reasonableness’ as defined in Article 4A of the Uniform Commercial Code and ruled against the bank.

A close study of this case brings home two important lessons. First, banks must understand the conceptualization of the security measures. Secondly, they must build a process to correctly and completely interpret reports and alerts from the security systems.

People’s United had implemented a system that will force the user to go through an additional authentication process when the transaction value exceeds a base value. This had been earlier set to $100,000 but was reduced to $1. This literally killed its risk scoring system, which considered multiple variables including the additional authentication process triggered by values exceeding a cut-off amount. As the Appeals Court observed, “When Ocean Bank lowered the dollar amount rule from $100,000 to $1, it deprived the complex Jack Henry Risk Scoring system of its core functionality.” The lowering of this threshold dollar value resulted in the challenge questions and responses being entered more frequently, thus increasing the probability of key loggers capturing them and abusing them.

I have seen this happen elsewhere too – implementing security with scant regard to its underlying conceptualization. Recently, I was speaking to a security professional who said she had a very comprehensive password policy in her organization; also a bank. I was interested and wanted to know details and she rattled off eleven different rules that constituted the password policy. She said that the password had to be changed every thirty days and I asked if she would encourage a shorter life for a given password. Her response was typical. She said no one would like to do that since that would be inconvenient. Persistent as I was, I asked what she would do if one were to change it every Monday. She would be happy, she said, and I asked if she would be happier if it happened daily. She agreed she would be happier at the stronger security. I pointed to the password history policy of ten past passwords, which was interpreted to mean that the same password would not repeat for 300 days – 30 days and ten unique passwords. But if she permitted change every one day, the password could repeat every 10 days; at least in theory this is possible. And that would defeat the very purpose that it sought to serve! Ocean Bank’s reduction of the threshold amount for further authentication to $1 was similar to the password change policy – a clear case of not getting to grips with the conceptual foundation of the security process. Another view is that any “one-size-fits-all” approach, as it happened in the Ocean Bank case, will not work in security implementations and each security implementation has to be tailor-made.

Next, we have the question of interpreting the reports provided by security systems. In the PATCO case, Ocean Bank did not react to the high-risk scores that were generated by the Risk Scoring system in respect of each of the fraudulent transactions. The red flags appear to have made no impact at all. Mark it, the court noted that the risk score for normal transactions of PATCO had never crossed 214 on a scale of 1-1000. In respect of each of the fraudulent transactions, the risk scoring system had thrown up a risk score around 750. This is surely abnormal compared to the highest score of 214 in the normal course; but these red flags were just ignored. As Joe Burton, a former Assistant US Attorney, said: “It’s not enough just to have a generally accepted security procedure in place if that procedure is not implemented in a way that makes sense. That’s the conduct aspect that has to do with the actual security and not just the check-box.” These two factors appear to have weighed heavily in favour of PATCO in the Court of Appeal.
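The two lessons drawn above (a dollar-amount rule lowered until it fires on every transaction, and risk scores that were generated but never acted upon) can be modelled in a few lines. The Python below is an added illustration, not code from this monograph or from the Jack Henry system; the transaction amounts, the 214 and ~750 scores echoing the chapter, the 1.5 margin and the analyst disposition log are all constructed for the example.

```python
"""Toy model of the two PATCO lessons: the dollar-amount rule and unreviewed risk alerts."""
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Transaction:
    tx_id: str
    amount: float     # transfer value in dollars
    risk_score: int   # 1-1000 score from the bank's scoring engine (scale quoted in the chapter)


# Constructed sample data, not PATCO's actual ledger. Legitimate activity peaks at 214 and
# the anomalous transfers score around 750, mirroring the figures the court relied on.
HISTORY: List[Transaction] = [
    Transaction("h1", 12_500.00, 120),
    Transaction("h2", 38_200.00, 214),
    Transaction("h3", 9_800.00, 95),
    Transaction("h4", 41_000.00, 180),
]
NEW_BATCH: List[Transaction] = [
    Transaction("n1", 36_000.00, 150),  # ordinary payroll-sized transfer
    Transaction("n2", 97_000.00, 751),  # far above anything this customer has ever scored
    Transaction("n3", 99_000.00, 748),
]


def requires_challenge(tx: Transaction, dollar_amount_rule: float) -> bool:
    """Dollar-amount rule: step-up authentication (challenge question) at or above the threshold."""
    return tx.amount >= dollar_amount_rule


def challenge_rate(txs: Iterable[Transaction], dollar_amount_rule: float) -> float:
    """Share of transactions on which the customer has to type the challenge answers.

    Every entry is another opportunity for a keylogger on the customer's PC to capture
    the answers, so a rule set to $1 maximises exposure while no longer telling the
    scoring engine which transactions are unusually large.
    """
    txs = list(txs)
    if not txs:
        return 0.0
    return sum(requires_challenge(t, dollar_amount_rule) for t in txs) / len(txs)


def baseline_peak(history: Iterable[Transaction]) -> int:
    """Highest risk score seen across a customer's legitimate history (214 in PATCO's case)."""
    return max(t.risk_score for t in history)


def flag_anomalies(history: Iterable[Transaction], new_txs: Iterable[Transaction],
                   margin: float = 1.5) -> List[Transaction]:
    """Lesson one: judge a score against the customer's own history, not a one-size-fits-all cutoff."""
    cutoff = baseline_peak(history) * margin
    return [t for t in new_txs if t.risk_score > cutoff]


def unreviewed_alerts(flagged: Iterable[Transaction], dispositions: Dict[str, str]) -> List[str]:
    """Lesson two: a red flag only counts if an analyst records a decision on it.

    `dispositions` maps tx_id to the recorded action (e.g. "held pending callback").
    Anything flagged but absent from it is an alert that was generated and then ignored.
    """
    return [t.tx_id for t in flagged if t.tx_id not in dispositions]


if __name__ == "__main__":
    print(f"challenge rate at $100,000 rule: {challenge_rate(NEW_BATCH, 100_000):.0%}")
    print(f"challenge rate at $1 rule:       {challenge_rate(NEW_BATCH, 1):.0%}")
    flagged = flag_anomalies(HISTORY, NEW_BATCH)
    print("flagged:", [t.tx_id for t in flagged])
    # Constructed review log: only one of the two flags ever received a disposition.
    print("never reviewed:", unreviewed_alerts(flagged, {"n2": "held pending callback"}))
```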
3 Will the Real Hacker please stand up?

TWO events that happened in December 2012 startled me. First was the release of Version 2.0 of the courseware for “Hackers High School” by ISECOM. The second was Nicholas Negroponte telling the MIT Technology Review Conference about how “illiterate children” in Ethiopia hacked the Android! Both took some time to assimilate since they exposed a totally new dimension to hacking. We will look first at the attempts to sensitize normal computer users to the nuances of hacking.

All through, we have decried hacking as a crime, an evil attitude, something to be dealt with sternly, etc. I have always spoken about the serious financial damages done to banks by people who hacked into BFSI information systems. Then, why are “Hackers High Schools” being run? Will it generate a new generation of hackers or train a new breed of people with hacking skills? The introduction to the “Hackers High School” program has this to say, for a start: Many people who have been called hackers, especially by the media, or who have gotten in trouble for “hacking” were not, in fact, hackers.

So, we are now a bit confused and would like to know who are the hackers the society is targeting? The term “hacker” has been understood differently based on the profile of the person who “hacks.” Applied in the computer security context, it retains its notorious connotation of a person who circumvents or damages the controls to gain access to computer resources. In the programming world, a hacker resorts to a non-authoritarian approach to software development, and they are the ones who create and spearhead the free software movement. Interestingly, some even have “Hacker” as a surname. We have Col. Francis Hacker who fought in the English Civil War in the seventeenth century; we have Katrina Hacker, the American figure skater, and George Hacker, head of the Alcohol Policies Project!

The “Hackers High School” project is based on the belief that hacking is research. It is a kind of challenge-response situation where the “hacker” is challenged by network security implementations and wants to know if the system is really secured. This has some similarities to destructive testing of metals to determine how much stress the metal can stand before breaking down. But the comparison stops there. In destructive metal testing, only a small sample is tested, while the “hacker” has before him a live production system processing real-time data.

While the hacking process is sought to be given its due status of legitimacy as research, the intent is to distinguish between the research-driven hacker and the crime-driven hacker. Hacking with a criminal intent is surely crime, but how do we go about establishing or demonstrating this? We fall back on the extensive judicial thought and pronouncements relating to mens rea and actus reus, the two very important elements in the criminal justice dispensation. Drawn from a complex Latin maxim of common law, mens rea propounds the principle that the act does not make a person guilty unless the mind is also guilty. “Hackers High School” is based on this belief when they teach the young participants the principles of computer architecture, networking and the process of analyzing attacks on systems. Will someone stop with only researching or will they abuse this? That’s hard to answer. But the “Hackers High School” has a point. If you educate the young on the process and perils of attacks on information systems, they tend to keep their systems secure or even end up evangelizing secure computing. The formal and structured exposure to information systems architecture and vulnerabilities is likely to ensure that the participants do not seek this knowledge from those who entice them into becoming malicious intruders.

In addition to the guilty mindedness, we have another essential condition to be satisfied for criminal liability, viz. actus reus, which refers to the criminal act being actually committed. The project to make the next generation understand the perils of hacking and to orient them towards being better and well-informed netizens steers clear of any possible damage, by taking the participants through a process of discovery, research and understanding the limits.

DO YOU KNOW? “I’m still a hacker. I get paid for it now. I never received any monetary gain from the hacking I did before. The main difference in what I do now compared to what I did then is that I now do it with authorization.” – Kevin Mitnick

I get a number of graduate students who want to do internships with us. The first question I ask them relates to their interest in security, their objective in doing the internship with a security consulting organization, and their expected takeaway at the end. I have more than 85 percent of them telling me frankly that they want to learn hacking! In the same breath, they will also tell me that they want to learn hacking so that they can defend the information assets from being abused. Interestingly, none of these young security aspirants ever told me that they want to understand the network protocols or the IP packet architecture or the realms of cryptography to keep their systems secure.

I was recently talking to a group of senior uniformed officers and sprang a surprise by asking all those who have either hacked a system or have at least attempted to hack a system to raise their hands. Understandably, none did. But after some persuasive talk, I got about a dozen of them admitting that they have tried but did not go far. Neither these graduate students nor the officers had malicious intentions, but the attraction to look through a secure network drives many and this attraction will continue unabated. In such a societal context, it will make sense to determine who is a hacker and who is hack-curious.
4 Juvenile Hackers

We have heard of Android attacked and hacked a number of times in the recent past. Hacking into the Android is in itself not newsworthy.

BUT what made me sit up, review and write this column is the profile of the person who successfully hacked into Android. No, it is not the typical geek with his snazzy technology tricks, nor is it a serious researcher looking to do a vulnerability assessment of Android in order to strengthen it. It is the most unexpected profile of a hacker – five to seven year olds who had no formal instruction in computing! Yes; it all happened as an unexpected fallout of the OLPC (One Laptop Per Child) project in Ethiopia. Here is what OLPC founder Nicholas Negroponte told MIT Technology Review’s EmTech Conference:

“We left the boxes in the village. Closed. Taped shut. No instruction. No human being. I thought the kids would play with the boxes! Within four minutes, one kid not only opened the box but found the on/off switch. He’d never seen an on/off switch before in his life. He powered it up. Within five days, they were using 47 apps per child per day. Within two weeks, they were singing ABC songs [in English] in the village. And within five months, they had hacked Android. Some idiot in our organization or in the Media Lab had disabled the camera! And they figured out it had a camera, and they hacked Android.”

The findings of the OLPC Project in Ethiopia are indeed an eye-opener. OLPC, started with a view to delivering technology as a means of improving traditional curricula, has been trying to help the kids ‘learn’ rather than ‘read.’ OLPC has realized in their five plus years of work that it is important for the children to learn by teaching themselves. The children really taught themselves and one of the things they taught themselves resulted in hacking the Android!

Surely there is no mens rea in this hacking effort by the kid in Ethiopia; so we are not taking that kid Android hacker to court, but this sets me thinking of the power of curiosity. This child is unlikely to emerge as a malicious hacker since it has seen the ‘good’ thrill in hacking. It is more likely to channel its energies into the positive aspects of this process rather than try and damage computer systems; or so I would like to believe. Contemporary studies on the anthropology of hacking may take a different position and people like Gabriella Coleman may take a different view.

If we went by the popularity of DefCon Kids, in its third year now, it would appear that a large number of those concerned with juvenile hacking strongly believe that it is better to teach them hacking as it happens and also let them understand the perils of indulging in it and the ways to defend against it. But have all those who had learnt hacking as youngsters really used that knowledge for defending their systems against hackers, or have they ‘abused’ that knowledge?

This takes me back to understanding the myriad of perceptions on hacking. In the last chapter, I had talked of the Hackers High School and wondered if it will provide the desired results it sought to get, or would it be a fertile ground for creating a new generation of hackers who have also been taught the traditional approaches to counter the hackers’ exploits. This fear about the fallout of ‘catch-them-young and train-them-correct’ is credible if we were to look at an FBI indictment dated the 26th of June 2012. It names twelve arrested defendants arraigned before the court at the end of a two-year undercover operation that is said to have protected over 400,000 potential cybercrime victims and prevented over $205 million in losses. Interestingly, of the 12 arrested, five are in their teens and the rest are just barely above 20.

Add to this various high profile minor hackers like ‘Cosmo the God’ who was handed a rather unusual sentence last November. A juvenile court in Long Beach, CA sentenced him to what Sam Biddle, writing in Gizmodo, calls the ‘hacker’s death sentence.’ Cosmo the God, a juvenile who will take six long years to reach his age of 21 for release, has been sentenced “…not to use the internet without prior consent from his parole officer. Nor will he be allowed to use the Internet in an unsupervised manner, or for any purposes other than education-related ones. He is required to hand over all of his account logins and passwords. He must disclose in writing any devices that he has access to that have the capability to connect to a network. He is prohibited from having contact with any members or associates of UG Nazi or Anonymous, along with a specified list of other individuals. He forfeits all the computers and other items seized in the raid on his home.”

Hannah Sweet tweeted in protest: You cannot arrest an idea. Jay Leiderman, an LA attorney who represented alleged members of ‘Anonymous’, opined that they could have locked him up for three years straight and then released him on juvenile parole; but to keep someone away from the Internet for six years seems unduly harsh.

Now this brings us to the voices being heard around the globe for a revisit of Sentencing Guidelines, particularly when it concerns cyber criminals. Today, there is no clarity on the considerations that will guide punishing cyber criminals. Three years ago, I pleaded at the International Criminology Congress in Stockholm for the judiciary to recognize that the cyber criminal is not to be locked up as a traditional criminal, as his competencies and skills can be used while still being sentenced. Moreover, he can be made to be a useful member of the society after release. Leiderman argues, “At some point after getting on the right path, he could do some really good things.” Sentencing juvenile cyber criminals by asking them not to connect to the Internet is viewed by some as the equivalent of taking away Mozart’s piano.
5 ZERO IQ…

On 20 June 2012, a magistrate in the Southern District of New York issued a warrant of arrest against a person whose nick name, amongst others, was ZeroIQ.

US MAGISTRATES issuing warrants of arrest is nothing new, but this warrant was for a cyber crime against a named individual; something not often done in view of the many difficulties encountered in identifying the accused. Jarand Moen Romtveit, a Norwegian now in the FBI net, also known as ‘Zero’ or ‘ZeroIQ’ in the underground carding forums, ran a successful underground shop selling stolen credit cards. He can be regarded as a small player in the underground economy that has both one-man enterprises like Jarand’s as also multi-man unincorporated enterprises, whose owners are hard to identify. The FBI carried out a well-orchestrated sting operation that trapped Jarand. This case raises the question: “on the Internet, how anonymous can anonymous be?” Somewhere down the line, the FBI succeeded in piercing the veil of anonymity afforded by the Net. That process is interesting as it reinforces the overarching human failings that neutralise the anonymity offered by technology.

The trap and the crime

The FBI set up an undercover carding forum enticing all players in the stolen credit card business to use it as an electronic clearing house to offer, discuss and put through deals in stolen credit cards and bank account information. It is not known how many the FBI could successfully entice to use their underground forum, but they surely succeeded in getting Jarand hooked to it. Not only did Jarand advertise his stolen credit card information for sale but he also got dangerously close to the administrator of the forum, who was a special agent of the FBI. One wonders how stupid one can get.

Jarand would ‘brute force’ his way through password protected databases of credit cards. He brute-forced through hotel and restaurant databases that had customer credit card details and, in a couple of instances, he also successfully bypassed the security perimeter of banks to go beyond credit card numbers – he got through to account holder information. He also managed to penetrate web site security and collected information stored on web back-ends. Being a one-man show, he had limited time and resources at his disposal and traded in batches of 30 to 40 credit cards.

The underground carding forum run by the FBI collected the IP addresses from which each of the participants logged in and communicated with the forum. As a pre-condition for registration at the forum, a valid e-mail ID was required, to which the validation code was sent. Jarand used a valid mail ID and that contained some pointers to his identity. This was his second giveaway; the first being his misjudging the carding forum administrator’s true identity. The FBI continued to keep an active conversation going with Jarand and moved to a point where the accused started sharing his attack screen shots with the carding forum administrator, namely the undercover FBI agent. He threw caution to the winds and at once shared his Facebook page with the FBI agent, who continued to pose as the organiser of the underground carding forum.

The noose tightens

The FBI started to tighten the noose around Jarand’s neck by offering him an Apple laptop in return for his giving valid stolen credit card ‘dumps;’ i.e., the complete information available on the magnetic strip on the reverse of the credit cards. Jarand walked into the trap by giving them the relevant details. The FBI had its authenticity verified with the card issuing company and more than 80 per cent of the ‘dumps’ data sent in by Jarand were found to be “valid, current and with credit available for use.” The FBI then alerted the card issuers, who in turn cautioned the card holders of the compromise and replaced their cards.

To trap Jarand fully and to establish his identity, the undercover agent wanted him to pay for the shipping of the laptop, which was done through Western Union, and the remitter details matched what the FBI already knew about Jarand. The laptop was delivered to an address mentioned by Jarand and, with the help of the Norwegian police, it was established that a person by the name Jarand Moen Romtveit actually lived at the place where the laptop was delivered. The courier who delivered the laptop to Jarand identified him from a photograph of Jarand picked up from publicly available sources in Norway. Jarand was completely identified as the person who trades as ‘ZeroIQ’ on the undercover carding forum established by the FBI. Special Agent John Leo Jr. appealed to US Magistrate Andrew J Peck for a warrant of arrest of Jarand Moen Romtveit, which was readily issued.

Brute force attack: It is a listing of commonly used passwords. The programme tries these and also runs through combinations of letters and numbers until it gets a match. These attacks can take several hours, days, months, and even years to run. It depends on how complicated the password is and how well the attacker knows the target.

Lessons and questions

This case brings out both the “painstaking investigation” by Special Agent John Leo and the ‘behaviour’ of Jarand. Crime risk theory in criminology tells us that every criminal carries out a risk assessment of his proposed action. Theory argues that every criminal assesses the risks involved in the proposed action, barring spur of the moment crimes which have more to do with an unstable mind that was emotionally disturbed
  • 35. 35 at the point of crime. In the case of cyber crimes, one of the factors that is favorable to committing crime and hence weighs heavily when assessing the risks involved, is the anonymity over the Internet. Jarand gave in and vindicated Edmond Locard who famously said, “every contact leaves a trace.” This is often quoted by crime investigators who say: “every criminal leaves some evidence.” Surely, law enforcement has reason to cheer after arraigning Jarand but a number of issues will remain difficult to resolve when dealing with cyber crimes. First, will be the difficulty in piercing the veil of anonymity that the Internet so conveniently offers since not all who use the Internet’s underground economy are as gullible as Jarand. We cannot resist wondering whether his Net name ‘ZeroIQ’ was a premonition of how he would behave! Second, is the growing interest in the underground economy with some ‘entrepreneurs’ having established manufacturing facilities for card skimming devices and are exporting it worldwide. Third is something that can be dangerous – the shift in control over cyber crimes from techies and script kiddies to organised crime gangs. This brings in the power of money, reach and silencing to the otherwise technology centric activity – cyber crimes. DO YOU KNOW? It was G K Chesterton who said: “It isn’t that they can’t see the solution. It is that they can’t see the problem.” That’s increasingly true today of quite a few problems that we face on the Internet.
  • 36. 36 “The battle between the cyber cops and the cyber criminals is a mind game; like the game of chess.”
6 Operation High Roller

Recently, Prof. Udo Helmbrecht, Executive Director of the European Network and Information Security Agency (ENISA), did a Willie Sutton when he said, “Criminals go where the money is; Bank robbers go online.”

YEARS ago, Willie Sutton, who had robbed US $2 million during a criminal career that spanned four decades, when asked, “Why did you rob the bank?” famously told journalist Mitch Ohnstad, “Because, that is where the money is!” Prof. Helmbrecht was responding to a new form of online robbery happening in the banking systems called ‘High Roller,’ a term borrowed from the gambling world. High Rollers are those who play for very high stakes. In the online banking world, High Rollers are those who maintain large balances in their accounts.

Money mules...

Manipulating and stealing using online transaction systems is not new; what is now making news is that the attackers are becoming selective in their approach. They look into account balance databases and target only those whose balances are above a threshold that each hacker sets for himself. The second unique characteristic of High Roller attacks is the significant increase in the automation of the whole process and the use of anonymous mule accounts to transfer and forward the ill-gotten money. The shift to reliance on server side manipulation, in contrast to the earlier client side manipulation, marks the third deviation from traditional online stealing. The rapidity with which the command and control centres used for the attack are shifted is the fourth significant differentiator of this new generation attack. In the sixty days before the attack landed in the lap of the US banking system, the domain from which the attacks originated was first registered in Ukraine and later reconfigured to point to an ISP in Russia; then moved to an ISP in Arizona; shifted to Brazil and returned to California, from where a victim bank in Ohio was successfully compromised. Each of these shifts involved identification and control of active and passive mule accounts, or money mules as they are more popularly referred to.

Money Mules

A “money mule” is a person, an intermediary, who receives potentially illegally obtained money from someone and redirects it to someone else. Of course, the intermediary receives a share of the transaction. In other words, this is nothing else than money laundering. The basic process of muling is relatively simple:
• a job advertisement offers work as a ‘financial agent’ or similar service
• the job seeker signs up and opens, or allows access to, a domestic bank account
• fraudsters transfer money from scam victims to the job seeker’s account
• the job seeker transfers the money to the fraudster overseas
• the job seeker receives a ‘commission’
• the job seeker is open to prosecution by domestic authorities for money laundering

Dissecting Operation High Roller

A research report titled “Dissecting Operation High Roller”, released by Guardian Analytics and McAfee, is the first available comprehensive study on Operation High Roller. This report, released in June 2012, points to successful online heists in Italy, Germany and the Netherlands, later spreading to the United States. As we carefully analyse the timeline of the successful attacks identified, we see the degree of attack sophistication and value-at-loss increasing with the passage of time. In the Italian attack, the attackers transferred a small fixed percentage of the balance, around 3 per cent, or a fixed sum of roughly €500, to bank accounts from where it was instantly withdrawn. Emboldened by the success in Italy, the stakes were upped in Germany. Available log analysis of attack data points to the compromise of 176 accounts covering multiple banks, and the average amount involved in the illegal transfers was €5,499. The average balance in the compromised accounts was €47,924. The attack on the German banks resulted in a total transfer of about a million euros to various mule accounts, mostly in Portugal, Greece and the UK.

March 2012 saw a concerted attack on two Dutch banks, and this time the attack came from servers hosted within the US. The stakes were significantly higher, and the amount of transfers initiated to the mules aggregated €35.5 million. The attackers had shifted their focus from high net worth individuals to corporate accounts, the primary benefit being the higher threshold for corporate transactions contained in anti-money laundering legislation and a lesser propensity to scrutiny, since corporate accounts have a large number of transfers happening on a regular basis. The server which was used to attack the banks in the Netherlands was also used to attack US banks, where 109 accounts were reportedly compromised, though we have no details of the aggregate amount involved in the fraud.

These fraudulent transactions elicited different kinds of responses from various stakeholders. One set of security professionals argue that High Roller fraud is old hat and that it is just a more sophisticated version of known online heists. Another set of professionals say that this represents a new genre of online banking frauds, since the attack processes used are significantly superior to the current knowledge and skills available.
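The detection side of the four characteristics described above, as an added example that is not from the book or from the Guardian Analytics/McAfee report: a Python rule over constructed transfer records that flags a payee when several distinct accounts credit it within a short window and the amounts follow the automated patterns described for Italy (a fixed share of each balance, or a fixed sum). Account ids, payee names, amounts, the two-hour window and the 20,000 high-roller balance are assumptions.

```python
"""Flagging mule-bound transfer batches of the Operation High Roller kind.

Added example, not code from the book or from the Guardian Analytics/McAfee
report. It turns the chapter's four characteristics (high-balance victims,
automated batches, mule accounts, server-side timing) into one detection rule
over constructed transfer records; every account id, payee and amount below is
invented sample data.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, pstdev


@dataclass(frozen=True)
class Transfer:
    when: datetime
    source: str            # debited customer account (constructed id)
    balance: float         # source balance just before the debit
    amount: float
    beneficiary: str       # credited account (constructed id)
    new_beneficiary: bool  # payee never used before by this source account


def mule_alerts(transfers, window=timedelta(hours=2), min_sources=3,
                high_roller_balance=20_000.0):
    """Return {beneficiary: {"sources": [...], "reasons": [...]}}.

    A payee is flagged when, within one window, it is credited by at least
    `min_sources` distinct accounts and two or more of these hold: every source
    is above the high-roller balance; amounts are a near-constant fraction of
    each balance (the ~3 per cent Italian pattern); amounts are a near-constant
    fixed sum (the ~EUR 500 pattern); the payee is new to every source.
    """
    by_payee = defaultdict(list)
    for t in transfers:
        by_payee[t.beneficiary].append(t)

    alerts = {}
    for payee, items in by_payee.items():
        items.sort(key=lambda t: t.when)
        for first in items:                      # slide a window over the credits
            chunk = [t for t in items if first.when <= t.when <= first.when + window]
            sources = {t.source for t in chunk}
            if len(sources) < min_sources:
                continue
            ratios = [t.amount / t.balance for t in chunk]
            amounts = [t.amount for t in chunk]
            reasons = []
            if all(t.balance >= high_roller_balance for t in chunk):
                reasons.append("every source above high-roller balance")
            if pstdev(ratios) <= 0.05 * mean(ratios):
                reasons.append(f"fixed share of balance ({mean(ratios):.1%})")
            if pstdev(amounts) <= 0.01 * mean(amounts):
                reasons.append(f"fixed sum ({mean(amounts):.2f})")
            if all(t.new_beneficiary for t in chunk):
                reasons.append("payee new to every source")
            if len(reasons) >= 2:
                alerts[payee] = {"sources": sorted(sources), "reasons": reasons}
                break
    return alerts


def _t(minutes, source, balance, amount, payee, new):
    """Build a constructed transfer `minutes` after a fixed start time."""
    return Transfer(datetime(2012, 3, 5, 9, 0) + timedelta(minutes=minutes),
                    source, balance, amount, payee, new)


# Constructed sample: two automated mule batches among ordinary payments.
SAMPLE_TRANSFERS = [
    # ordinary bill payments to a utility from accounts of all sizes
    _t(0, "ACC-2001", 3_000.0, 120.0, "UTILITY-CO", False),
    _t(15, "ACC-2002", 25_000.0, 85.0, "UTILITY-CO", False),
    _t(40, "ACC-2003", 9_000.0, 140.0, "UTILITY-CO", False),
    # one customer paying rent three times (a single source, never flagged)
    _t(5, "ACC-3001", 12_000.0, 900.0, "LANDLORD", False),
    _t(10, "ACC-3001", 11_100.0, 900.0, "LANDLORD", False),
    _t(20, "ACC-3001", 10_200.0, 900.0, "LANDLORD", False),
    # batch 1: exactly 3 per cent of each high balance to a new payee
    _t(30, "ACC-1001", 45_000.0, 1_350.0, "MULE-PT-01", True),
    _t(33, "ACC-1002", 60_000.0, 1_800.0, "MULE-PT-01", True),
    _t(37, "ACC-1003", 52_000.0, 1_560.0, "MULE-PT-01", True),
    # batch 2: a fixed 500 from each high balance to another new payee
    _t(50, "ACC-1004", 25_000.0, 500.0, "MULE-GR-02", True),
    _t(52, "ACC-1005", 31_000.0, 500.0, "MULE-GR-02", True),
    _t(55, "ACC-1006", 48_000.0, 500.0, "MULE-GR-02", True),
]


def run_sample():
    """Run the rule over the constructed sample and return the alerts."""
    return mule_alerts(SAMPLE_TRANSFERS)


if __name__ == "__main__":
    for payee, info in run_sample().items():
        print(payee, info["sources"], "; ".join(info["reasons"]))
```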
Infection of PCs

In response to these developments, ENISA has issued an advisory to European banks containing three very significant recommendations. The first is both important and interesting. It said that for a bank it is safer to assume that all of its customers’ PCs are infected – and the banks should therefore take protection measures to deal with this. This blanket assumption on the possible infection of all of the customers’ PCs may sound like a good security precaution, but it deviates from the principle that is generally used to build end-to-end security mechanisms, viz., that the user has a role to play in protecting his end of the network and that his contributory negligence in deviating from secure practices can leave him with no recourse to relief in the case of an online fraud. However, even before ENISA recommended that banks should treat all PCs as infected, judicial pronouncements had been moving in this direction, where greater responsibility is cast on the bank, to the extent of obligating them to monitor customer transactions and to act on pointers to fraud.

Do banks monitor?

Experi-Metals sued Comerica Bank in Michigan last year in a case where fraudsters tried to move millions of dollars from Experi-Metals’ account to mules in East Europe in a matter of a few hours. By the time the bank’s fraud monitoring unit neutralised the attack, a sum of US $560,000 had been transferred. It was J P Morgan Chase that alerted Comerica about abnormal transactions going through their servers and ending up in East Europe. Fraudsters used J P Morgan servers since, it being a much larger institution, the transfers could go unnoticed. Ruling in this case, Judge Patrick Duggan of the U.S. District Court for the Eastern District of Michigan said that the bank should have done a better job of stopping the fraud. “A bank dealing fairly with its customers, under these circumstances, would have detected and/or stopped the fraudulent wire activity earlier,” said the Judge, and asked Comerica to cover the losses.

Top Hosting Countries

The U.S. saw an increase of ten per cent in the number of phishing attacks it hosted in May – increasing to 66 per cent, or two out of every three attacks. Brazil remained a top host with nine per cent and Germany with four per cent.

Losing battle on fraud prevention?

With this judicial thought process and the advice of ENISA, a clear shift is happening in how responsibility for online frauds will be fixed in the future. Even assuming that banks build an end-to-end security process, it will be impossible to do anything meaningful unless there is far more international cooperation enabling the quick shutting down of command and control centres used by fraudsters. These centres have been moving across nations, making it almost impossible to track them down. Are we heading towards a losing battle with the online banking fraudsters, or will these developments motivate the banks to put in place a more robust fraud prevention system without making any assumptions regarding the end-user’s role in fraud prevention? It is becoming increasingly clear that banks need to fight the battle both technologically and legally, cutting across national boundaries.
7 CITADEL: The collaboration suite of cyber criminals

Cyber criminals are beginning to have a ball. They are not only able to hoodwink the lay user. They are even able to stump the tech savvy player. Welcome to a cyber crime collaboration suite – Citadel.

IN AUGUST 2012, the Federal Bureau of Investigation (FBI) sounded a stern alert about Citadel. Based on references from IC3 (Internet Crime Complaint Center), the FBI warned of a new ransomware called Reveton delivered through the malware platform Citadel. IC3 describes the threat as: “The ransomware lures the victim to a drive-by download website, at which time the ransomware is installed on the user’s computer. Once installed, the computer freezes and a screen is displayed warning the user they have violated United States Federal Law. The message further declares that the user’s IP address was identified by the Federal Bureau of Investigation as visiting child pornography and other illegal content”.

Warning of fine and jail term!

An infected web user gets a message that reads something like the following: “Your IP address is: xxx.xxx.xxx.xxx. Your location is identified as: xxxxx. Your PC is blocked due to at least one of the following reasons: You have been viewing or distributing prohibited pornographic content (child porno etc.) thus violating Article 202 of Criminal Code of United States of America. Article 202 provides for deprivation of liberty for four to twelve years. Illegal access has been initiated from your PC with or without your knowledge or consent. Your PC may be infected by malware, thus you are violating the law on Neglectful use of Personal Computers, Article 210 of the Criminal Code which provides for fine up to $ 100,000 and/or deprivation of liberty for four to nine years.”

Typical users are worried, particularly when they find that their location is correctly identified in the message, and a tech savvy user sees his IP address accurately mentioned in the notice. The typical user panics and goes on reading the message, which identifies his residence and state and directs him to pay a penalty, offering relief from a jail term as it is a first time offence. The fine, ostensibly paid to the US Department of Justice, is to be paid using a prepaid card service which has to be purchased using the computer user’s credit card or through an online bank transfer. This is the icing on the cake for the cyber criminal. The ransomware has already installed a key logger that captures the banking and credit card credentials and passes them on to the perpetrator of this attack. In other words, the victim pays a ‘fine’ and also offers his banking and credit card credentials to the attacker.

Why not ignore?

Why not ignore the warning message and go on as though nothing happened? Here’s why. The computer freezes with the display of the warning message and gets back to normalcy only when the ‘fine’ is paid to the attacker, who successfully masquerades as the US Department of Justice collecting the ‘fine.’ Some security vendors who have started researching the traffic and the process tell us something very interesting. They have found that some traffic is encrypted to ensure that the use of digital forensic techniques to trace the origin becomes difficult. If we were to agree with Etay Maor, who heads RSA’s FraudAction Research Lab, this “is a technically advanced Trojan” that combines the lethal powers of ransomware and stealth access to banking credentials.

Can users be so very naïve as to fall for this? Quite a few considerations come up. One, the message appearing on victim screens looks real. There isn’t any sign of it being a fake. Secondly, the infected computers do not give you the choice of ignoring it, since the system freezes and can be brought back to normalcy only upon paying the ‘fine.’ Thirdly, as the victim is contemplating doing something smart to thwart the attack, the Trojan is already searching for stored credentials. Fourthly, the correct location and IP address of the victim displayed in the message unnerves even some of the tougher victims, who start thinking: what if this were really from the FBI? Fifthly, if the victim does decide to pay the ransom, he is forced to use a prepaid card service which collects the credit card and bank log-in and transaction credentials and passes them on to the cyber criminals. After paying the ‘fine’ and having the computer system unfreeze, what is the guarantee that the key logger that was clandestinely installed on the system has been removed? Users have tried to remove the Trojan using known methods of malware removal. But to their discomfort, an FBI advisory on Citadel issued in the third week of August has this to say: “Be aware that even if you are able to unfreeze your computer on your own, the malware may still operate in the background. Certain types of malware have been known to capture personal information such as user names, passwords, and credit card numbers through embedded keystroke logging programmes.”

A lethal combination...

Avivah Litan, a financial fraud analyst with Gartner, has a different perspective. She says that the attack methods are not uniquely different from traditional key-logger and Zeus methods. But, says Litan, what is lethal here is the combination and packaging of various tried-and-true hacking techniques. So, how do we sort out this issue? The solution has to be a combination of a higher degree of awareness and significant strides in Trojan research and creating anti-malware solutions. I personally feel that the best of technology will not work till the user knows quite a bit more about the system, connectivity to the internet and his vulnerability. I recently showed a screenshot of a Reveton infected system to five people, each a successful and distinguished person, and got interesting responses. A common response was to point to the captured IP address and location and say that it clearly indicates how well the FBI was monitoring illegal activity. When informed that whenever they book an airline ticket online, the ticket states that the booking was done from a given IP address, and when shown the simple process to determine geographical location using their log in, they said they knew it since they had seen it on their e-tickets! Despite this knowledge, they credited the FBI with monitoring illegal activity effectively. Do we not have a very strong case for a massive increase in awareness among users of online services?

DO YOU KNOW?

The very first spam mail was sent in 1978. That year DEC released a new product. An innovative DEC marketer sent a mass email to 600 users and administrators of the ARPANET (the precursor of the Internet). The poor guy who had typed it all in didn’t understand the system, and ended up typing the addresses first into the SUBJECT: field, which then overflowed into the TO: field, the CC: field, and finally into the email body too! The reaction of the recipients was much the same fury as that of users today. It wasn’t until later, though, that the term “spam” would be born.
8 They promised. They delivered!

If you promise, you must deliver on the promise. At least that’s what the customer expects. But what if you promise damage? Would the victim be happy if you deliver?

AND THAT was exactly what many said when Regions Financial Corporation was successfully attacked by a Distributed Denial of Service (DDoS) attack on 11 October 2012. They were the eighth in a series of DDoS attacks that had happened since the last week of September. What stands out in this attack is that it is the last reported in a series of three “announced” attacks. This follows what happened in late September and early October, when four large banks suffered DDoS attacks – Bank of America, Chase Bank, Wells Fargo and PNC Bank. This list by itself would have created some sensation; the four banks suffered DDoS attacks and were brought down, albeit for a few hours, in a short span of two weeks. What happened as a follow-on is not just sensational but disturbing, to say the least. A hitherto unknown group, Izz ad-Din al-Qassam, claimed credit for these four successful DDoS attacks on American banks. The group would probably have got some press coverage and a bit of attention had they stopped just there. They did something further that amazed cyber crime analysts. On 8 October, this group posted a warning that it would hit Capital One on 9 October, bring down SunTrust on 10 October and attack Regions Bank on the 11th. And they delivered precisely on their promise.

‘It is Down Right Now,’ an outage monitoring site, published the following status graph on Regions Bank, pointing to the precision in the timing of the attack, as warned by this group.

[Status graph from ‘It is Down Right Now’ for the Regions Bank website on 11 October 2012 – not reproduced here]

The bars in the chart indicate the time taken by the server to respond to a ‘ping’ or connect request by a user. The smaller the bars, the faster the response time. Zero value bars, as happened on 11 October between 10.09 and 14.14 PST, indicate there was no response, or that the server was down and inaccessible. To help interpret the chart better, I ran a tool to find how quickly the website www.industrialeconomist.com was responding to user requests and got an average ping response time of 651.61 ms over a four hour period. Compare this with the average ping response time of 1,065.42 ms for the Regions Bank website. This establishes that the Regions web response was still pretty bad even after ostensibly recovering from the attack; at half the speed of response of the website of Industrial Economist! Site Down, another site that monitors global sites and their accessibility, reports that the Regions Bank site was completely reset only at 07.05 PST on 12 October. There are, therefore, multiple independent confirmations that Regions Bank was successfully brought down, as cautioned by Izz ad-Din al-Qassam. As the banking community is eagerly waiting to see who the next target is and awaiting their announcement, Izz ad-Din al-Qassam has stated that it is now spending time on planning the attacks over the next few weeks, raising the anxiety levels among cyber crime watchers and ensuring that a few IT and Web administrators have sleepless nights.

DO YOU KNOW?

Consultants believe in under-promise and over-deliver. Marketers too should follow that. Let me give you an example. Suppose on a scale of 10 you promise to deliver 8 but end up delivering 7. The customer is unhappy. However, if on the same scale of 10 you promise 5 but deliver 6, the customer is happy. Notice that in the first case you delivered 7 and in the second you delivered 6; yet the customer satisfaction level in the second is higher.

Phew! Twenty hours of video from around the world are uploaded to YouTube every minute. The first ever YouTube video was uploaded on April 23rd 2005 by Jawed Karim (one of the founders of the site), was 18 seconds long and was entitled “Me at the Zoo”.

What does the attacking group want to achieve, or what do they want to convey? The claim is that they are upset over the anti-Islam movie trailer run on YouTube. This is quite understandable, but a few cyber crime analysts have other versions of the attack motive. One such view comes from Gartner analyst Avivah Litan, who points to “anecdotes about money loss during these attacks. Example: through calls to call centres to get wire transfers done while the website is down.” In an interview earlier this year, she had cautioned about banks not being in full conformance with the updated authentication guidelines of the FFIEC and predicted that new attack vectors would wait for websites to be down and use employee accounts as access points, in addition to call centres becoming the preferred route for illegal money transfers. Has this DDoS attack on the eight banks actually resulted in any fraudulent activity, or has it just been an attention-directing technique for a cause dear to the group that has claimed responsibility for these attacks? As of now, none of the victim banks have reported any fraud during or related to these outages. One common view is that even if the banks did find that a breach had occurred, they are unlikely to share it with the public. At best they could be talking to law enforcement. Not disclosing the real consequences of an attack is a standard practice in financial institutions, since such disclosure will seriously jeopardise their credibility and credit worthiness.
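As an added example (not the book’s code, nor the ‘It is Down Right Now’ tool), the Python below derives what the status chart earlier in this chapter shows, the no-response window and the post-recovery slowdown relative to a second site, from raw probe samples; the timestamps, site labels and millisecond values are constructed and do not reproduce the measurements quoted in the chapter.

```python
"""Reading an outage from raw availability probes.

Added example (not the book's code nor the 'It is Down Right Now' tool):
it parses constructed probe samples of the kind the status chart plots,
where a zero means the server gave no response, and derives the outage
window and the post-recovery slowdown relative to a baseline site. All
timestamps and milliseconds below are constructed.
"""
from datetime import datetime

# Constructed probe log: "<date> <time> <site> <response ms, 0 = no response>"
PROBE_LOG = """\
2012-10-11 09:34 target 812
2012-10-11 09:52 target 901
2012-10-11 10:09 target 0
2012-10-11 11:30 target 0
2012-10-11 12:45 target 0
2012-10-11 14:14 target 0
2012-10-11 14:31 target 1410
2012-10-11 15:05 target 1180
2012-10-11 15:40 target 1302
2012-10-11 09:34 baseline 640
2012-10-11 11:30 baseline 655
2012-10-11 14:31 baseline 660
2012-10-11 15:40 baseline 648
"""


def parse_probe_log(text):
    """Return {site: [(datetime, ms_or_None), ...]} sorted by time.

    A zero reading is stored as None so it can never be averaged in as a
    fast response (the mistake that would make a down site look quick)."""
    samples = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        day, clock, site, ms = line.split()
        when = datetime.strptime(f"{day} {clock}", "%Y-%m-%d %H:%M")
        value = int(ms)
        samples.setdefault(site, []).append((when, value if value > 0 else None))
    for site in samples:
        samples[site].sort(key=lambda s: s[0])
    return samples


def outage_windows(series):
    """Collapse consecutive no-response probes into (first_fail, last_fail) pairs."""
    windows, start, last = [], None, None
    for when, ms in series:
        if ms is None:
            start = start or when
            last = when
        elif start is not None:
            windows.append((start, last))
            start = last = None
    if start is not None:          # outage still open at the end of the log
        windows.append((start, last))
    return windows


def mean_response(series, after=None):
    """Average of responding probes, optionally only those at or after `after`."""
    values = [ms for when, ms in series
              if ms is not None and (after is None or when >= after)]
    return round(sum(values) / len(values), 2) if values else None


def slowdown_after_recovery(samples, target="target", baseline="baseline"):
    """Ratio of the target's post-outage mean to the baseline site's mean;
    2.0 would mean the recovered site answers at half the baseline's speed."""
    windows = outage_windows(samples[target])
    recovered_at = windows[-1][1] if windows else None
    target_mean = mean_response(samples[target], after=recovered_at)
    return round(target_mean / mean_response(samples[baseline]), 2)


if __name__ == "__main__":
    data = parse_probe_log(PROBE_LOG)
    for start, end in outage_windows(data["target"]):
        print("no response from", start.strftime("%H:%M"), "to", end.strftime("%H:%M"))
    print("slowdown after recovery:", slowdown_after_recovery(data))
```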
Not just financial institutions; it appears to be the norm for almost all organisations that are victims of cyber attacks. More evidence of this attitude of not disclosing cyber attacks can be found in the various annual surveys on cyber crime conducted by the Computer Security Institute (www.gocsi.com). This is perhaps natural. Who would like to come forward to say that she has been assaulted? The Jester, a well-known and controversial hacker, has spoken of an interesting dimension to these attacks. He opines that Anonymous has provided technical support to Izz ad-Din al-Qassam to launch the successful attacks. He has talked of the owner of a pay-per-use DDoS system claiming that members of Anonymous had used his system to support the recent DDoS attacks on the eight US banks. The Jester goes on to allege that Anonymous is actually offering this service to the highest bidder, which till now happens to be Izz ad-Din al-Qassam, implying that the real force behind the attacks is Anonymous.

As analysts are asking for more stringent regulatory controls over the banking system and the FFIEC is pushing for such enhanced controls at least at the technology level, there is a voice of dissent heard in Washington DC. Jamie Dimon, a well-known banker and Chairman and CEO of JP Morgan Chase, spoke before the Council on Foreign Relations, where he strongly criticised regulators for inhibiting business. The press quickly surmised his views as those coming from a person who, while denying any interest in becoming the Treasury Secretary, actually spoke like one! I have heard this from many of my banking clients who keep telling me that the cost of technology use is stringent controls that can stifle growth. I keep repeating that today’s banking technology has resulted in higher customer empowerment, and the computer cannot distinguish between a good and a bad customer to be empowered. This justifies the need for greater blanket controls. Izz ad-Din al-Qassam’s successful, time-tabled attacks on eight well-known US banks vindicate the long held belief of many of us that banks need to do more in rolling out and enforcing stringent technology controls to protect their customers.

DO YOU KNOW?

Of the 247 BILLION email messages sent every day, 81% are pure spam.

According to legend, Amazon became the number one shopping site because in the days before the invention of the search giant Google, Yahoo would list the sites in their directory alphabetically.

Google estimates that the Internet today contains about 5 million terabytes of data (1TB = 1,024GB), and claims it has only indexed a mere 0.04% of it all! You could fit the whole Internet on just 200 million Blu-Ray disks!
  • 55. 55 9 The case of Insider Fraud RECENTLY in a round table session at a professional body, a member from the audience asked me if there is any cyber threat that existed across sizes and geographies. I would have probably thought for a while before answering this question, but for the fact that the response was glaring at me from what has been shaking us up in the recent past – Insider Fraud. The series of sentencing of senior former managers of banks in the US has made many sit up and wonder what was happening behind the scenes at the banks A combination of good deterrence and technology that responds to human behavioural tendencies can save our banks millions and increase the sagging confidence in technology systems.
  • 56. 56 and financial institutions. The cases coming to light now don’t fit into any one size. At the lower end, we have Willard Scott, former President of Texas’ Huntington State Bank, pleading guilty to a charge of $7,400. At the other end we have the mammoth embezzlement of $22 million, over an eight-year period, by Gary Foster, former employee of Citigroup’s treasury finance department. Willard Scott did it as a single transaction, while Gary Foster did it over eight years. In between these, there are many others. Matthew Walker perpetrated a 16-month operation at Farmers and Merchants Bank in California, where he was Vice President, and netted $2 million. We then have Barbara Rechtzigel, charged with stealing hundreds of thousands of dollars from Minnwest Bank over 14 years! Insider threats... At almost the same time as these startling revelations were trying to shake our belief that banks have strong internal control systems, the Software Engineering Institute of Carnegie Mellon University published the findings of its research into insider threats in the US financial services sector. An insider threat, needless to say, is one that comes from people within the organization: employees, present and former; contractors; or business associates with access to the company’s security practices, data and computer systems. This fairly elaborate study sought to answer one key question, viz. what are the observable technical and behavioural precursors of insider fraud in the financial sector, and what mitigation strategies should be considered as a result? The
  • 57. 57 study presents six substantiated findings, and two of them are of interest and concern. The low and slow fraudsters... Firstly, the study finds that fraudsters who adopted the “low and slow” approach inflicted more damage and went undetected for longer periods of time. Secondly, the means adopted by insiders were not technically very sophisticated. The combination of these two attributes kept the criminal activity under wraps as far as normal fraud investigations were concerned. To use the technical jargon, the clipping levels were understood by the perpetrators of fraud and they operated well within them, thus escaping detection by fraud radar systems. This may be a valid finding of the research survey by Carnegie Mellon, but if we look at Gary Foster, he appears to have gone well past the clipping levels: between July and December 2010, he moved around $14 million from the bank’s debt adjustment account to the cash account and from there he made eight separate wire transfers to his personal accounts maintained outside the bank. This should surely have raised a whole series of red alerts, as most analysts, including Shirley Inscoe, believe. But it didn’t. Inscoe, who authored the widely read book Insidious: How Trusted Employees Steal Millions and Why it’s so hard for Banks to Stop them, says that “Citi is not alone. Most banks have done a poor job of keeping with internal threats.” According to the
  • 58. 58 FBI indictment, Foster allegedly used his knowledge of the bank’s operations to commit the ultimate inside job. United States Attorney Lynch expressed her appreciation to Citigroup, which brought the matter to the attention of the FBI and the US Attorney’s office. Some eyebrows went up. Reporting a crime is normal and natural; does such a normal and natural action warrant appreciation from the United States Attorney? The reporting of insider fraud is still far from complete. The Association of Certified Fraud Examiners (ACFE), in their 2012 report to the Nation, state that many of the victims do not report fraud cases to law enforcement. John Warren, Vice President and General Counsel at ACFE, feels that “many institutions don’t report these crimes to law enforcement, in part because they fear reputational damage.” The Carnegie Mellon report referenced earlier agrees on the lack of reporting, but points out that fear of reputational damage is only part of the reason for non-reporting. In many cases, the victim organisation may not have enough relevant detail to relate a fraud to a specific individual or group. This adds to the reluctance to report an insider fraud. Based on a sample of 80 cases, the Carnegie Mellon study also points to another disquieting trend. The average time taken to detect an insider fraud from the time of its start is 32 months and, where reported, it has taken another five months to complete the process: a total of around three years to report a fraud from the time it started! Without even considering what such a long elapsed time does to evidence, particularly digital evidence, we need to ask whether early detection could not have arrested significant damage to the bank’s assets quite early in the fraud cycle.
  • 59. 59 Why no early warning systems? The one question on everyone’s mind is why the players in the BFSI segment can’t put in some early warning systems. The use of anomaly detection systems and behavioural analytics can surely detect potentially fraudulent events in real time or near real time. But the problem often arises from the way we have designed most internal controls. For instance, if the detection system is programmed to raise an attention-directing flag when the amount involved exceeds a given limit, the insider plays within that limit to escape attention, since insiders know those thresholds. Technology implementation in fighting frauds must be combined with appropriate non-technology practices like segregation of duties, periodic audits and reduced time between audit findings and implementation of correction mechanisms. While these will not totally eliminate insider frauds, they will bring them to light faster than the current average lead-time of 32 months, if the sample chosen is representative of the population. DO YOU KNOW? An insider may attempt to steal property or information for personal gain, or to benefit another organization or country. A report published in July 2012 on the insider threat in the U.S. financial sector says 80% of the malicious acts were committed at work during working hours; 81% of the perpetrators planned their actions beforehand; 33% of the perpetrators were described as “difficult” and 17% as being “disgruntled.” The insider was identified in 74% of cases. Financial gain was a motive in 81% of cases, revenge in 23% of cases, and 27% of the people carrying out malicious acts were in financial difficulties at the time.
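A worked illustration of the clipping-level problem described above, added here and not from the book or any bank’s systems: a per-transaction threshold (an assumed $10,000 limit) misses a constructed series of sub-threshold transfers, while a rolling-window aggregate per employee and destination, plus a check on unapproved external destinations, surfaces them. All ledger records and account names are constructed.

```python
"""Threshold-only versus behavioural detection of 'low and slow' insider transfers.

Added example for this chapter; not the author's code and not any bank's
detection system. The ledger, the $10,000 clipping level and the account
names are all constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

CLIPPING_LEVEL = 10_000.0      # single-transaction flag limit (assumed)
WINDOW = timedelta(days=30)    # look-back window for the aggregate rule

# Constructed ledger: (timestamp, employee, from_account, to_account, amount).
# emp-42 moves money from an internal adjustment account to a cash clearing
# account and on to an outside account, always just under the clipping level.
SAMPLE_LEDGER = [
    ("2012-03-01 09:10", "emp-07", "ops-suspense", "vendor-ACME", 12_500.00),  # legitimate, over limit
    ("2012-03-02 14:05", "emp-42", "debt-adjust", "cash-clearing", 9_800.00),
    ("2012-03-02 14:20", "emp-42", "cash-clearing", "ext-4471", 9_800.00),
    ("2012-03-09 11:30", "emp-42", "debt-adjust", "cash-clearing", 9_500.00),
    ("2012-03-09 11:45", "emp-42", "cash-clearing", "ext-4471", 9_500.00),
    ("2012-03-16 16:02", "emp-42", "debt-adjust", "cash-clearing", 9_900.00),
    ("2012-03-16 16:15", "emp-42", "cash-clearing", "ext-4471", 9_900.00),
    ("2012-03-23 10:40", "emp-42", "debt-adjust", "cash-clearing", 9_700.00),
    ("2012-03-23 10:55", "emp-42", "cash-clearing", "ext-4471", 9_700.00),
    ("2012-03-28 13:00", "emp-19", "ops-suspense", "vendor-ACME", 4_200.00),
]


def parse(ledger):
    """Turn the string timestamps into datetimes so records can be ordered."""
    return [(datetime.strptime(ts, "%Y-%m-%d %H:%M"), emp, src, dst, amt)
            for ts, emp, src, dst, amt in ledger]


def threshold_alerts(ledger, limit=CLIPPING_LEVEL):
    """The per-transaction rule the chapter describes: fires only above the limit."""
    return [(emp, dst, amt) for _, emp, _, dst, amt in parse(ledger) if amt > limit]


def aggregate_alerts(ledger, limit=CLIPPING_LEVEL, window=WINDOW):
    """Sum each employee's transfers to each destination over a rolling window and
    flag the first time the running total crosses the limit although no single
    transfer in the window did (the 'low and slow' pattern)."""
    alerts, flagged = [], set()
    history = defaultdict(list)            # (employee, destination) -> [(time, amount)]
    for when, emp, _, dst, amt in sorted(parse(ledger)):
        key = (emp, dst)
        history[key] = [(t, a) for t, a in history[key] if when - t <= window]
        history[key].append((when, amt))
        total = sum(a for _, a in history[key])
        if key not in flagged and total > limit and all(a <= limit for _, a in history[key]):
            flagged.add(key)
            alerts.append((emp, dst, round(total, 2)))
    return alerts


def external_destination_alerts(ledger, known_external=frozenset()):
    """Flag any employee sending funds to an outside account that is not on the
    approved list; this is the route 'adjustment account -> cash -> outside' that
    a threshold rule alone never sees as unusual."""
    return sorted({(emp, dst) for _, emp, _, dst, _ in parse(ledger)
                   if dst.startswith("ext-") and dst not in known_external})


if __name__ == "__main__":
    print("threshold only :", threshold_alerts(SAMPLE_LEDGER))
    print("rolling total  :", aggregate_alerts(SAMPLE_LEDGER))
    print("new external   :", external_destination_alerts(SAMPLE_LEDGER))
```

On the constructed ledger the threshold rule flags only the legitimate $12,500 vendor payment, while the rolling total and the external-destination check both point at emp-42.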
  • 60. 60 Surely, we cannot have technology, deterrence or other forms of control to eliminate all insider frauds but a combination of good deterrence and technology that responds to human behavioural tendencies can save our banks millions and increase the sagging confidence in technology systems.
  • 61. 61 10 Clipping the butterfly’s wings On the rare date 12-12-12, the FBI announced that it had cut off the wings of the ‘Butterfly.’ It announced the arrest and arraignment of a group suspected of running the Butterfly Botnet. THESE BOTHERDS (called so in line with shepherds and cowherds, since they ‘herd’ bots) collectively and effectively controlled a mind-boggling 11 million compromised computer systems. Their actions resulted in a staggering loss of over $850 million through stolen credit card and bank account credentials and compromised Personally Identifiable Information (PII). ‘Botnet’ is an abbreviation of ‘robot network.’ Botnets consist of compromised computer systems and are often
  • 62. 62 used by cyber criminals for a variety of activities with varying degrees of criminality, resulting in different kinds and amounts of losses to the owners of the compromised systems. Bots are the favourites for executing distributed denial of service (DDoS) attacks, sending spam e-mails, conducting underground criminal activity and distributing malware. This list is not exhaustive, as botherds are quite innovative in the usage of their ‘assets.’ Facebook - an easy target... At this stage let us introduce Facebook. The very mention of Facebook conjures up different reactions in different minds. The trendy see it as a way of keeping in touch; the tech savvy see it as a mixed bag with significant potential for loss of PII; the marketing professional sees a great opportunity to reach out; while some of the security conscious are sceptical – for valid and perceived reasons. With a billion messages flowing through Facebook on a monthly basis, this social networking site has also been a favourite spot to harvest PII, both directly and indirectly. Between 2010 and 2012, it was estimated that over a million Facebook accounts were compromised using variants of the Yahoo malware, and these compromised accounts were linked to the Butterfly Botnet. Facebook is acknowledged
  • 63. 63 for helping law enforcement in cracking down on those who hacked into the user accounts, resulting in the successful crackdown on the Butterfly Botnet. And to many, Facebook has really and truly made the world a global village that helps connect people in real time. Butterfly Botnet... The Butterfly Botnet is the latest in a family of abuses of compromised computer systems for fraudulent purposes. Starting off with Ramnit in early 2010, we saw the ZeuS Facebook worm wreaking havoc in mid-2011, and now we have the notorious gang of 10 herding the Butterfly Botnet. When we all screamed at the ZeuS Facebook worm having supposedly infected over 45,000 Facebook users, that number pales into insignificance when we see 11 million compromised systems in the Butterfly Botnet. Almost 70 per cent of the infection by Ramnit happened to UK users of Facebook; around 26 per cent were French, while the remaining 4 per cent were in other countries. Then came the famous taking down of the ZeuS malware, in a dramatic move that involved the US Marshals. This operation was carried out when the U.S. District Court for the Eastern District of New York approved the operation while ruling on a plea by Microsoft and its partners to seize the computers and sue John Doe (as-yet-unnamed) defendants. The operational portion of the Court order speaks volumes of the way the judiciary has considered the intricacies in a search and seizure
  • 64. 64 operation involving high technology that has the potential to move the malware across the internet anywhere, anytime. A forensic icing on the cake... The order, in part, said that “the United States Marshals and their deputies shall be accompanied by plaintiffs’ attorneys and forensic experts at the foregoing described seizure, to assist with identifying, inventorying, taking possession of and isolating defendants’ computer resources, command and control software, and other software components that are seized.” Interestingly, the Court also asked the Marshals to preserve up to four hours of Internet traffic before disconnecting the computers from the Internet. This was a forensic icing on the cake in the court order. Microsoft had been instrumental in taking down three Botnets earlier. The operation of bringing down the Botnets driven by ZeuS and its variants was very different from the three earlier operations due to three factors. Firstly, it was not an action by Microsoft alone – there were partners who closely cooperated with Microsoft. The partners were the Information Sharing and Analysis Center, a trade group representing 4,400 financial institutions, and NACHA, the Electronic Payments Association, which operates the system for electronic funds transfer. Secondly, the objective of this action was different from the earlier actions. The earlier actions of taking down the three Botnets were aimed at shutting them down. In this case, in the words of the initiators of the action, “the goal here was not the permanent shutdown of all impacted targets. Rather, our goal was a strategic disruption of operations to mitigate DO YOU KNOW? At 1:21:02 am, people celebrated the second which marks a date-time combination that reads the same both backwards and forwards: 2012-12-12 1:21:02.
  • 65. 65 the threat in order to cause long-term damage to the cybercriminal organisation that relies on these botnets for illicit gain.” This thought process, commonly referred to as “Hack Back” or “Getting even with the Cyber Scum,” is gaining popularity, though it is not accepted by everyone as the best solution to fight cyber criminals. Thirdly, the lawsuit, instead of merely accusing the three John Doe defendants, goes on to introduce an unknown corporate entity and claim that the three accused formed “The Zeus Racketeering Enterprise” for the purposes of squandering the resources of compromised computers. As an example, it is alleged that spam emails infringing NACHA’s trademarks were as high as 167 million emails in a 24-hour period, in contrast to the normal volume of 1,500 outbound emails per day! So, what do we learn from this? As always, we are back to the same music – the users of Internet-connected computing equipment need to exercise more caution than they are now used to. Attempts by different organizations to make users security-conscious are showing some results; but they remain ‘some’ results. An idea gaining ground globally is to catch ’em young. Many organisations are working on this using different approaches. One set of people are looking at empowering school goers with a good grounding in the hacking process so that
  • 66. 66 they identify any attempt to compromise their computers and negate it. This appears to be the philosophy behind running the Hacker High Schools (HHS), an initiative by a few not-for-profit bodies in North America. Another approach is to teach school goers and their parents various Safe Surfing Options (SSO), an approach preferred by ISC2, the global certification body for security professionals. It surely emerges that there is an urgent need to catch the young users and get them to grow with a mindset that combines security, caution and the ability to balance between the convenience of the ubiquitous Net and its inherent risks. DO YOU KNOW? 12 has been a significant number since its creation: 12 months in the year, 12 hours of night and day, 12 astrological signs, 12 Olympic gods and goddesses, 12 days of Christmas, and Shakespeare’s Twelfth Night.
  • 67. 67 11 The new threat vector WHEN WE TALK of cyber infractions and frauds, we have traditionally looked at computers, the internet, internal networks and wireless applications to find the threat vectors. We then added ‘people’ as another threat vector and started focusing all research and development efforts on handling the devastating consequences of a combination of these threat vectors exploiting a whole range of vulnerabilities. The likes of Stuxnet were still operating within the contours of these threat vectors until we woke up recently to a series of threats that emanate from a hitherto unknown origin – the supply chain. And that’s catastrophic.
  • 68. 68 We had heard stories of malware embedded in printers during the recent Gulf war, but these accusations were dismissed as technology fairy tales. Of late, the consequences of security compromise via supply-chain-embedded threats are a reality. Attackers have always looked for new attack paths, and such a search yielded the desired results when Stuxnet infected SCADA systems that were till then thought to be invincible. Now a larger-scale exploit is on the anvil, with attackers using various unprotected parts of the supply chain to embed malware or other forms of threats. Security threat by Chinese telecom companies In October 2012, a special investigative report by the Permanent Select Committee on Intelligence of the US House of Representatives addressed the specific threat to US security posed by Chinese telecom companies in general and two companies in particular – Huawei and ZTE. Apart from a number of recommendations, it carries strongly worded advice to US companies to avoid Chinese networking hardware. Should users be worried only about Chinese networking hardware, or take precautions about any hardware coming in for use in critical infrastructure? That is a question that deserves consideration. It is possible that there are other groups who are either actually using, or are planning to use, supply chain vulnerabilities to introduce spyware or newer genres of threats. Supply chain led threats Since 2005, several countries have taken a clear call on combating supply-chain-led information threats by effecting seizures of counterfeit networking hardware and other
  • 69. 69 telecom components. This exercise was built around the faith that any product with a malicious payload will only come via deployment of counterfeit components. The 2011 operation of seizing US$143 million worth of counterfeit networking and telecom components by the US authorities lent credence to the belief that the spread of malicious hardware happens via counterfeits. That belief has been busted by the findings in the October 2012 report, where it is found that even companies that sell apparently genuine products may infect their components with undesirable malware. When the supply chain is totally insecure While these reports point a finger at China for the supply of counterfeit or malware-infected components, the Chinese computer market itself is battling counterfeits locally. When Microsoft launched an all-out effort to eliminate the Nitol Botnet, they got trusted people to go out and buy laptops and desktops in China, and of the 20 systems they procured, all had some counterfeit component. Each of these purchased systems had been configured in such a way as to reduce security, and four of these systems already had malware installed! Just imagine getting a brand new computer system with all its box seals intact and finding that you are starting off with a low security configuration along with embedded malware. The worst part of this scenario is that many users may not be aware of it and will be happily typing away on their keyboards, not knowing they are vulnerable to becoming zombies
  • 70. 70 or are otherwise vulnerable to attack and damage. This scenario is well summarised by Boscovich, who said that the “supply chain is broken; it is totally insecure, and it is easy for criminals to inject what they want into that supply chain.” Three point response How does business react to the insecurity of the supply chain? A report published by the Georgia Tech Information Security Center and the Georgia Tech Research Institute has classified the responses into three categories. First, we have a majority of companies who do nothing about it other than limit their purchases to what they regard as ‘trusted’ vendors. Secondly, a small number of companies carry out random tests on devices and determine if there are any indications of serious forms of vulnerabilities. Depending on the test results, further action is initiated. Thirdly, a very small number of companies are taking a paranoid approach of not trusting the supply chain at all. Their security stance is based on the premise that any device that comes through the front door has already been compromised. These companies continuously monitor the devices for abnormality. Andrew Howard of Georgia Tech Research Institute perhaps had the most realistic assessment when he said: “This is a problem that is extremely expensive and difficult to solve. Solve may not even be the right word.” I sincerely hope that what Howard said later does not become a reality: “It is going to take a bad event to have the momentum necessary to fully tackle the problem.” One silver lining here is that the problem appears to have been recognized, though it is too ubiquitous in its reach for any one set of stakeholders to manage it completely. DO YOU KNOW? We can be hopelessly wrong. Like: 9 out of 10 people believe Thomas Edison invented the light bulb. This isn’t true; Joseph Swan did.
  • 71. 71 12 … and They are Back Again… Wave 3 On March 12, customers of six of the major US banking institutions experienced disruption to their Net banking services and, if Carl Herberger of Radware is to be believed, this is the largest number of institutions to be targeted on a single day. While Herberger refused to name these six banks, citing confidentiality clauses in his company’s agreement with the banks, there were others who pointed to the targets. Keynote Systems, which monitors Internet and Cloud services, said that traffic pattern analysis pointed to the online outage suffered by JP Morgan Chase, BB&T and PNC on March 12. All the banks that appear to have been attacked
  • 72. 72 and compromised had refused to comment about the attacks and also refused either to confirm or to deny the attacks. While the suspected victim banks formally refused to comment, the first indication of something going wrong came from a Chase Services tweet. A tweet on the Chase Twitter feed said on March 12: “*ALERT* We Continue to work on getting Chase Online back to full speed. In the meantime, pls. use Chase Mobile app or stop by a branch.” The next day, Chase tweeted: “We’re sorry it was such a rough day and we really appreciate your patience.” This is perhaps yet the most direct admission by any of the victims that they were attacked. Keynote Systems gave more precise data on the attacks later in the day. They said that the outage at Chase resulted in a nearly 100 percent failure between 2pm and 11pm ET. BB&T suffered an outage between 12.30pm and 2.30pm ET and also later in the day at 5.30pm ET, though this was a brief interruption. PNC’s site was down for about 30 minutes at 3.30pm ET on the same day. Keynote Systems, however, said it was not commenting on the cause of the downtime; it could only confirm the outage. Commenting on these attacks, Herberger felt that “the thing that’s kind of frustrating to all of us is that we are six months into this and we still feel like this is a game of chess.” He wondered how it is that an industry that has been adorned with so many resources – more than any other industrial segment in the US – missed the threat of hacktivist concerns. On the day of the attack, March 12, the hacktivist group Izz al-Din al-Qassam Cyber Fighters (IDQ) said in a
  • 73. 73 Pastebin post that the third phase of their attacks against US banking institutions was about to begin. This group claimed in that post that they were waging the attacks against US banking institutions over a YouTube video deemed offensive to Muslims. IDQ identified nine targets for their Phase 3 attacks that started on March 12: Bank of America, BB&T, Capital One, Chase, Citibank, Fifth Third Bancorp, PNC, Union Bank and US Bancorp. I had written earlier about the successful attacks by IDQ, who had used DDoS to disrupt the online services of banks in the US. The group’s posts on Pastebin had then claimed that these attacks were attention-directing methods to warn the US powers-that-be to remove a particular movie and all its clippings from the Internet, since this movie was offending the religious sentiments of Muslims. Other forms of protest were witnessed across the globe on the same issue, and the offending movie did find its way out. Every group that had protested triumphantly claimed a causa proxima between their protest and the movie going out of the Internet. So did the IDQ Cyber Fighters, and they declared a ceasefire. DO YOU KNOW? The most common form of “cyber terrorism” is a DDoS, or Distributed Denial of Service attack, whereby thousands of systems around the world simultaneously and repeatedly connect to a website or network in order to tie up the server resources, often sending it crashing offline. Anonymous released a tool this year that users could download and set on autopilot to receive attack commands from a remote command source. Similar DDoS attacks are often performed by the use of malware installed on users’ computers without their knowledge.
  • 74. 74 Was their ceasefire because they felt satisfied, or was it to regroup and collect more strength to attack? The current phase of attack points to their ceasefire being a planned retreat to rebuild their strongest weapon – the Brobot. This is said to be a 9,000-bot Botnet. While no precise numbers are available, industry experts like Avivah Litan of Gartner and Dan Holden of ASER agree that it is close to 9,000 bots. During the ceasefire, the hacktivist group appears to have learnt a lot about the defence strategies and capabilities of the banking institutions. When they declared a ceasefire because the offensive movie went out of the Internet, what made them come back? Did they have a different demand? They are saying now that small clippings of the movie that hurt Muslims are still on the Internet, and they demand that it be totally removed. The attacks during Operation Ababil Phase-3, as the hacktivists called their latest action, demonstrated two things: the attacks used more sophisticated methods than were used in earlier attacks and, more importantly, they deployed different attack methods on different targets. This is in striking contrast to their earlier attacks, which saw the same attack vector used on all targets. This change in attack strategy makes it difficult to collaborate and share knowledge on countermeasures, which was done successfully during earlier attacks. Another aspect of these attacks that warrants attention is that most attacks appear to have come from previously unknown Internet Protocol addresses, which is a clear indication that the Brobot is growing. It is still a wonder how the hacktivists could put together a 9,000-bot Botnet that could be used to attack frontline banking institutions. If they had marshalled 9,000 bots in the short duration of their ceasefire
  • 75. 75 lasting less than two months, it speaks volumes about how vulnerable the Internet user community is. Yet another angle being actively considered by investigators is to determine if there could be reasons other than what is ostensibly stated by those claiming responsibility for the DDoS attacks. There have been instances of using Botnets to launch an attack on financial services companies as a means to distract them from focusing on a fraud that had been committed. Crime management professionals know that the longer investigators take to start serious evidence search and forensic analysis, the better the chance for the perpetrator of fraud to get away scot-free or significantly reduce the availability of incriminating evidence. While no source has suspected IDQ of adopting their DDoS attacks as a smokescreen for fraud, there are serious concerns about using DDoS as a means of fraud cover-up. The National Credit Union Administration has recently advised Credit Unions in the US to be cautious against “DDOS attacks (that) are often waged as tools of distraction to conceal fraud.” The concern of Richard Reinders, Head of Information Security at Lake Trust Credit Union, points to this thought process gaining currency. “DDOS attacks may also be paired with attempts to steal member funds or data,” said Reinders. Whatever the real or apparent driving factor behind IDQ’s Ababil Phase-3, the fact remains that the perpetrators of security infractions have once again gained a victory by breaking into the fortresses within which we all want to believe that banks are located.