“Watering Hole” Cyber Crime Tactics

Twenty years ago cybercriminals relied on only a handful of techniques to lure in victims. One was an email with the subject line “ILOVEYOU” carrying an attachment that was actually a worm; opening it infected the user’s machine and mailed copies to everyone in the address book. Another was the message from a “Nigerian prince” offering a share of a huge sum of money, who then asks for your bank account number so the funds can be transferred to you for safekeeping, after a small advance payment to cover the transfer expenses.

Over the past two decades cybercriminals have become far more sophisticated in their tactics. One approach targets specific individuals in an organization so that they unknowingly give the criminal access to the organization’s computer network. The “watering hole” tactic attacks an organization by compromising a web site the targets already trust and visit regularly: the watering hole.

To identify a watering hole worth baiting, the criminal first needs to learn which web sites the organization’s employees visit, for example by using any of the commonly deployed tracking tools, such as KISSmetrics or AddThis, to observe their browsing. This gives the criminal a map of candidate sites from which to pick the vulnerable ones, those without strict security, for infiltration. The criminal then plants malicious code on the watering hole site and simply waits for the targets to revisit it.

Once users begin visiting the watering hole, their browsers and devices are profiled for known security vulnerabilities. Against any device found vulnerable, the criminal uses the “drive-by download” technique: the visitor does not need to click a link or download a file. Instead, malicious code such as a Remote Access Trojan (RAT) is downloaded and run in the background. Once running, it scans for further vulnerabilities, and the exploit code that carries out the real intended attack on the network is then delivered and executed.

Are Your Online Activities Being Tracked? (Spoiler: Yes)

Ever search for a product on Amazon and then see that exact product pop up as an ad on another web site or on social media? This is retargeting, and it works because the advertising networks and web-based services you use track your browsing with cookies and scripts, and because some Internet service providers actively monitor your network traffic as well.

This is not as nefarious as it may seem, but your browsing habits are for sale and are highly valued by retailers and marketing companies. Very often an individual has actually consented to some level of tracking simply by agreeing to a service’s terms of use. Still, there are ways to limit what information about your online habits your web browser exposes.

One quick way is to use Panopticlick, a site run by the Electronic Frontier Foundation (EFF), a San Francisco-based digital-rights advocacy group. The site evaluates your web browser’s privacy quickly and non-invasively and then suggests how to limit the information that is leaking out.

The EFF describes Panopticlick in a blog post. Panopticlick checks your browser for four kinds of tracking protection. Does the browser:

  1. Block tracking ads, which harvest information from your browser without consent?
  2. Block invisible trackers, the scripts and beacons sites embed to harvest user data, again without consent?
  3. Allow ads and scripts from third parties that promise to honor Do Not Track?
  4. Protect against fingerprinting, which identifies a user from the unique combination of details the browser reveals?

While there are plenty of browser extensions that help block trackers, the EFF promotes its own, Privacy Badger. Note that Panopticlick only checks for the issues that Privacy Badger mitigates. Still, using the EFF scanning service and the extension is a great start to better privacy!
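As an added illustration (not part of the EFF’s or the original page’s material), the following Python shows how a fingerprint is assembled from browser attributes and how the “bits of identifying information” Panopticlick reports are calculated. The browser population is constructed for the example, the attribute names and values are assumptions, and “canvas” stands in for the hash of a hidden canvas rendering that fingerprinting scripts commonly collect.

```python
"""Added example (not from the original page): how a browser fingerprint
identifies a user, and how Panopticlick-style "bits of identifying
information" are computed. The population of browsers below is constructed;
a real tracker would have millions of observations."""
import hashlib
import math
from collections import Counter

KEYS = ("user_agent", "screen", "timezone", "canvas")


def _browser(ua, screen, tz, canvas):
    return dict(zip(KEYS, (ua, screen, tz, canvas)))


# Constructed population: attribute sets a tracker has seen from earlier
# visitors. "canvas" stands for the hash of a hidden <canvas> rendering,
# which differs with GPU, drivers and installed fonts.
POPULATION = [
    _browser("Firefox/60 Windows", "1920x1080", "UTC-5", "a91f"),
    _browser("Firefox/60 Windows", "1920x1080", "UTC-5", "b2c0"),
    _browser("Firefox/60 Windows", "1366x768", "UTC-5", "c3d1"),
    _browser("Firefox/60 Windows", "1366x768", "UTC+1", "c3d1"),
    _browser("Chrome/67 Windows", "1920x1080", "UTC-5", "d4e2"),
    _browser("Chrome/67 Windows", "1920x1080", "UTC-8", "d4e2"),
    _browser("Chrome/67 Windows", "1366x768", "UTC+1", "d4e2"),
    _browser("Chrome/67 Windows", "1366x768", "UTC-5", "e5f3"),
    _browser("Chrome/67 macOS", "1440x900", "UTC-8", "f6a4"),
    _browser("Chrome/67 macOS", "1440x900", "UTC-5", "f6a4"),
    _browser("Safari/11 macOS", "1440x900", "UTC-8", "a7b5"),
    _browser("Safari/11 macOS", "2560x1600", "UTC+1", "a7b5"),
    _browser("Chrome/67 Android", "360x640", "UTC+1", "b8c6"),
    _browser("Chrome/67 Android", "360x640", "UTC+5:30", "b8c6"),
    _browser("Safari/11 iOS", "375x667", "UTC-5", "c9d7"),
    _browser("Safari/11 iOS", "375x667", "UTC+1", "c9d7"),
]

# The browser being checked is the first entry in the population.
VISITOR = POPULATION[0]
WITHOUT_CANVAS = ("user_agent", "screen", "timezone")  # canvas access blocked


def fingerprint(attrs, keys=KEYS):
    """Combine the chosen attributes into one stable identifier.

    No cookie is needed: as long as the attribute values stay the same,
    the same hash comes back on every visit."""
    material = "|".join(f"{k}={attrs[k]}" for k in sorted(keys))
    return hashlib.sha256(material.encode()).hexdigest()


def surprisal_bits(population, key, value):
    """Bits of identifying information in one attribute value: -log2(P(value))."""
    share = Counter(p[key] for p in population)[value] / len(population)
    return -math.log2(share)


def identifying_bits(population, attrs, keys=KEYS):
    """Bits for the whole fingerprint: how rare the full combination is.

    Adding up the per-attribute surprisals overstates this, because the
    attributes are correlated (a Safari user agent already implies a Mac or
    iOS screen size), so count browsers matching every attribute instead."""
    matches = sum(1 for p in population if all(p[k] == attrs[k] for k in keys))
    return -math.log2(matches / len(population))


def one_in(bits):
    """Panopticlick's 'one in N browsers' figure: 2**bits."""
    return round(2 ** bits)


if __name__ == "__main__":
    for k in KEYS:
        print(f"{k:10s} {VISITOR[k]!r:22} {surprisal_bits(POPULATION, k, VISITOR[k]):.2f} bits")
    full = identifying_bits(POPULATION, VISITOR)
    print(f"all attributes  {fingerprint(VISITOR)[:16]}... {full:.2f} bits, one in {one_in(full)}")
    partial = identifying_bits(POPULATION, VISITOR, WITHOUT_CANVAS)
    print(f"canvas blocked  {fingerprint(VISITOR, WITHOUT_CANVAS)[:16]}... {partial:.2f} bits, one in {one_in(partial)}")
```

Running it shows the visitor is one in 16 with all four attributes but only one in 8 once the canvas hash is blocked, which is exactly the effect a fingerprinting blocker has: it does not hide the browser, it makes the browser less distinctive. Note also that the per-attribute bits add up to more than the joint figure, because the attributes are correlated; the joint count is the honest measure.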

Ransomware

Ransomware is a fast-growing category of cybercrime. The most common ransomware technique locks your computer to prevent you from using it until you pay a ransom. While this digital extortion racket is not new, cybercriminals have refined the scheme with “cryptware”, which encrypts the files on the computer. The files are typically encrypted with a key that is itself encrypted with the attacker’s public key, so only the attacker’s private key can recover them; without that key the owner is locked out of their own data even though the computer itself still runs.

The beginnings of ransomware can be traced to 1989, when floppy disks were mailed to individuals inviting them to take a survey assessing their risk of contracting AIDS. Once installed, the software eventually locked their computers and demanded that $189 be sent to a P.O. box in Panama.

Ransomware victims range from large corporations and hospitals to small and medium enterprises and individuals.

Instead of a single cybercriminal or group writing ransomware and distributing it themselves, ransomware authors now open their code to other cybercriminals. According to a McAfee-CSIS report, more than 6,000 illegal online marketplaces sell ransomware products and services, offering more than 45,000 different products! Ransomware-as-a-Service (RaaS) lets authors set up platforms where affiliates can customize the malware and deploy it against their own targets, typically in return for a share of the ransom.

Rather than attacking just one device, ransomware worms are self-replicating malware that embeds itself in parts of the operating system that run automatically. The worms work their way through networks to lock out many more computers than the initial target. The WannaCry incident showed how these worms work, spreading through a Windows SMB vulnerability without any user action, and it is likely that we will see more attacks like it. It is common for worms to be noticed only when their uncontrolled replication consumes system resources, slowing or halting other tasks.
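The behaviour described in this section, many files rewritten or renamed with a new extension within seconds, is also what defenders look for. The following Python is an added example, not code from the original page or from any product: a small detector that alerts when one process renames several files to an extension the host has never used, within a short window. The log lines, process names (including the hypothetical svchost32.exe), paths, threshold and window are all constructed assumptions.

```python
"""Added example (not from the original page): a detection heuristic for the
file-encryption behaviour of cryptware. Ransomware that encrypts files
typically rewrites or renames many files in a very short time, giving them
an extension the user has never used. A process doing that deserves an
alert. The log lines are constructed; in practice they would come from an
EDR agent, Sysmon or auditd."""
from collections import defaultdict, deque, namedtuple
from datetime import datetime

Event = namedtuple("Event", "ts process op old_path new_path")
Alert = namedtuple("Alert", "ts process new_ext files")

# Constructed log: ISO timestamp | process | operation | old path | new path.
# A normal editor, a backup job and a hypothetical ransomware process.
LOG = """\
2018-06-01T09:00:00|winword.exe|rename|C:/Users/amy/Documents/~WRD0001.tmp|C:/Users/amy/Documents/report.docx
2018-06-01T09:00:05|explorer.exe|rename|C:/Users/amy/Documents/draft.docx|C:/Users/amy/Documents/final.docx
2018-06-01T09:01:00|backup.exe|rename|C:/Users/amy/Pictures/a.jpg|C:/Users/amy/Pictures/a.jpg.bak
2018-06-01T09:01:30|backup.exe|rename|C:/Users/amy/Pictures/b.jpg|C:/Users/amy/Pictures/b.jpg.bak
2018-06-01T09:02:00|backup.exe|rename|C:/Users/amy/Pictures/c.jpg|C:/Users/amy/Pictures/c.jpg.bak
2018-06-01T09:10:00|svchost32.exe|write|C:/Users/amy/Documents/README_DECRYPT.txt|
2018-06-01T09:10:01|svchost32.exe|rename|C:/Users/amy/Documents/report.docx|C:/Users/amy/Documents/report.docx.locked
2018-06-01T09:10:01|svchost32.exe|rename|C:/Users/amy/Documents/final.docx|C:/Users/amy/Documents/final.docx.locked
2018-06-01T09:10:02|svchost32.exe|rename|C:/Users/amy/Documents/budget.xlsx|C:/Users/amy/Documents/budget.xlsx.locked
2018-06-01T09:10:02|svchost32.exe|rename|C:/Users/amy/Pictures/a.jpg|C:/Users/amy/Pictures/a.jpg.locked
2018-06-01T09:10:03|svchost32.exe|rename|C:/Users/amy/Pictures/b.jpg|C:/Users/amy/Pictures/b.jpg.locked
2018-06-01T09:10:03|svchost32.exe|rename|C:/Users/amy/Pictures/c.jpg|C:/Users/amy/Pictures/c.jpg.locked
"""

# Extensions this host is known to use (assumed); anything else is "new" to it.
BASELINE_EXTS = {".docx", ".xlsx", ".jpg", ".txt", ".tmp", ".bak"}


def parse_log(text):
    events = []
    for line in text.splitlines():
        ts, process, op, old, new = line.split("|")
        events.append(Event(datetime.fromisoformat(ts), process, op, old, new))
    return events


def extension(path):
    """Lower-cased final extension of a path, '' if none (handles / and \\)."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return ("." + name.rsplit(".", 1)[1].lower()) if "." in name else ""


def detect_mass_rename(events, baseline_exts, window_seconds=10, threshold=5):
    """Alert once per (process, extension) when one process renames at least
    `threshold` distinct files to the same non-baseline extension within
    `window_seconds`. Renames that keep the extension or use a known one are
    ignored, so the editor and the backup job above never trigger."""
    recent = defaultdict(deque)   # (process, new_ext) -> deque of (ts, path)
    alerts, fired = [], set()
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.op != "rename":
            continue
        new_ext = extension(ev.new_path)
        if not new_ext or new_ext == extension(ev.old_path) or new_ext in baseline_exts:
            continue
        key = (ev.process, new_ext)
        window = recent[key]
        window.append((ev.ts, ev.old_path))
        while (ev.ts - window[0][0]).total_seconds() > window_seconds:
            window.popleft()          # drop renames older than the window
        files = {path for _, path in window}
        if len(files) >= threshold and key not in fired:
            fired.add(key)
            alerts.append(Alert(ev.ts, ev.process, new_ext, sorted(files)))
    return alerts


if __name__ == "__main__":
    for a in detect_mass_rename(parse_log(LOG), BASELINE_EXTS):
        print(f"{a.ts} {a.process} renamed {len(a.files)} files to {a.new_ext}: {a.files}")
```

In practice the same heuristic runs over endpoint telemetry (Sysmon file-create events or an EDR’s file-rename events) with the threshold and window tuned per environment, and it is usually paired with a watch for ransom-note files like the README_DECRYPT.txt written above and with canary files that no legitimate process should ever touch.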

Cybercrime by the Numbers

Image: https://www.fbi.gov/image-repository/cyber-crime.jpg/@@images/image/high

We read and hear about cyber attacks and the latest threats in the news seemingly every day. When one takes a look at the numbers, the real costs associated with cybercrime become a real eye opener.

Sources:

McAfee-CSIS Report: Economic Impact of Cybercrime—No Slowing Down

McAfee Labs Quarterly Threat Report June 2017

Accenture Cost of Cyber Crime Study

FBI Cyber Crime

Identity Theft Resource Center: 2017 Data Breach Year-End Review

Reboot Your Internet Router? Yes! Do This Too

The FBI recently issued an alert about malware that has infected home and small-business routers. The threat, called VPNFilter, can perform multiple functions, including collecting information, exploiting devices, and blocking network traffic. The malware targets routers from several manufacturers and network-attached storage (NAS) devices from at least one manufacturer. Affected devices include, but are not limited to:

Linksys: E1200, E2500, WRVS4400N
Mikrotik: 1016, 1036, 1072
Netgear: DGN2200, R6400, R7000, R8000, WNR1000, WNR2000
QNAP: TS251, TS439 Pro, other QNAP NAS devices running QTS software
TP-Link: R600VPN

ALSO: Update the Firmware!

The FBI alert recommended that people reboot their Internet routers to help stop the malware from spreading. That’s a great start: it doesn’t hurt and a power cycle takes no time. However, a reboot clears only the later stages of the malware while its persistent first stage survives, so to really protect a device one should also update its firmware, since few routers do so automatically. Firmware is the router’s operating system. While you are in the router’s admin interface, change the default administrative password and disable remote management if you do not need it.

Updating the firmware is not as difficult as it may seem, though people may be intimidated or worried they will break the device. Step-by-step guides are available for updating the firmware on specific router models.

Resources:

The FBI says you should reboot your router. Should you? CNET May 31, 2018.

Email: The Cybercrime Gateway

Billions of email messages are sent each day. The ease of use, speed of transmission, and relative anonymity of email have made it a tool for cybercriminals. One survey indicates that 91% of all cybercrime starts with an email.

Using email to commit cybercrime is almost as old as email itself. While there are many ways email can be exploited, here are the more common ones:

Phishing

Phishing is a generic term for the very broad category of deceptive email techniques cybercriminals use to trick recipients into revealing information or taking an action. Future posts will cover phishing techniques in greater detail.

Scamming

Based on the centuries-old Spanish Prisoner con, the infamous Nigerian 419 email scam of the 1990s is still alive and well in one form or another and is the classic example of advance-fee fraud. It promises the potential victim a share of a large sum of money in return for an up-front payment. If someone actually makes the payment, the scammer either invents a series of further fees for the victim to pay or simply disappears.

Spoofing

A spoofed email is one that appears to originate from one source but is actually sent by another. As with neighbor spoofing of phone calls, falsifying the display name and/or email address of someone the receiver is likely to know increases the odds that the person will respond or take the requested action (“check out the funny joke in the attachment!”). It is not difficult to spoof an email address with relatively simple tools: the From header is just text the sender chooses, and unless the receiving mail server enforces SPF, DKIM and DMARC, nothing verifies it.

Spreading Trojans, Viruses and Worms

Email is perhaps the fastest and easiest way to spread malicious code. For example, the Love Bug (ILOVEYOU) reached millions of computers within 36 hours back in 2000, all thanks to email. Cybercriminals bind malicious code into e-greeting cards, fake virus patches and the like, and send them in messages written to make the reader feel that immediate action is required.

Attachments

Attachments are a very common way to spread malicious code. The rule of thumb is to open only attachments you are expecting, even if they come from someone you know (remember: email address spoofing!). File names can be spoofed as well, so that an attached file that is actually a program looks like a simple word-processing document, for example through a double extension such as “report.docx.exe” on a system that hides known file extensions. If you are unsure, contact the sender by another channel and ask if they sent it.

Links

Don’t immediately click on links in emails. Keep email spoofing in mind: a message may look like it is coming from someone you know! Hover your cursor over any link to check whether the destination URL is what the link text claims it to be. To be extra careful, type URLs out manually instead of clicking links.
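The checks in the Spoofing, Attachments and Links sections above can be automated. The following Python is an added example, not code from the original page: it parses one message and reports the red flags a careful reader would look for. The message it builds is constructed (the domains examplecorp.com and mail-example.invalid, the names, the Authentication-Results line a receiving server would add, and the attachment name are all assumptions), and it uses only the standard library.

```python
"""Added example (not from the original page): automated triage of one email
for the spoofing, attachment and link red flags discussed above. The sample
message is constructed; every domain, name and header value is an assumption."""
import re
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Extensions that run as a program when double-clicked on Windows.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js",
                   ".jse", ".vbs", ".wsf", ".hta", ".ps1", ".jar", ".lnk"}
RLO = "\u202e"   # right-to-left override: "report\u202excod.exe" displays as "reportexe.docx"
URLISH = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)


def build_sample_message():
    """Constructed phishing-style message (bytes), as a mail server would hand it over."""
    msg = EmailMessage()
    msg["From"] = "Accounts Payable <ap@examplecorp.com>"        # what the reader sees
    msg["To"] = "amy@examplecorp.com"
    msg["Reply-To"] = "ap-examplecorp@mail-example.invalid"      # where replies really go
    msg["Return-Path"] = "<bounce-1921@mail-example.invalid>"    # envelope sender, set on receipt
    msg["Authentication-Results"] = ("mx.examplecorp.com; spf=fail "
                                     "smtp.mailfrom=mail-example.invalid; dkim=none")
    msg["Subject"] = "Overdue invoice - action required today"
    msg.set_content("Please see the attached invoice and confirm at https://portal.examplecorp.com/invoices")
    msg.add_alternative('<p>Please confirm at <a href="http://examplecorp.com.invoice-review.invalid/login">'
                        'https://portal.examplecorp.com/invoices</a></p>', subtype="html")
    msg.add_attachment(b"MZ\x90\x00", maintype="application", subtype="octet-stream",
                       filename="Invoice_2018-06.docx.exe")
    return msg.as_bytes()


def domain_of(header_value):
    addr = parseaddr(str(header_value or ""))[1]
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def suspicious_filename(name):
    """Reason an attachment name is deceptive, or None."""
    if not name:
        return None
    if RLO in name:
        return "right-to-left override character hides the real extension"
    parts = name.lower().rsplit(".", 2)
    if len(parts) == 3 and "." + parts[2] in EXECUTABLE_EXTS:
        return f"double extension: looks like .{parts[1]} but runs as .{parts[2]}"
    if len(parts) >= 2 and "." + parts[-1] in EXECUTABLE_EXTS:
        return f"executable attachment (.{parts[-1]})"
    return None


class _Links(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    return (urlparse(url if "://" in url else "//" + url).hostname or "").lower()


def triage(raw_bytes):
    """Return a list of (code, detail) findings for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    from_dom = domain_of(msg["From"])
    # From is free text; Return-Path and Reply-To are where mail actually flows.
    for hdr, code in (("Return-Path", "return_path_mismatch"), ("Reply-To", "reply_to_mismatch")):
        dom = domain_of(msg[hdr])
        if dom and dom != from_dom:
            findings.append((code, f"From is {from_dom} but {hdr} is {dom}"))
    auth = str(msg.get("Authentication-Results", "")).lower()
    for result in ("spf=fail", "spf=softfail", "dkim=fail", "dmarc=fail"):
        if result in auth:
            findings.append(("auth_fail", result))
    for part in msg.iter_attachments():
        reason = suspicious_filename(part.get_filename())
        if reason:
            findings.append(("attachment", f"{part.get_filename()}: {reason}"))
    html = msg.get_body(preferencelist=("html",))
    if html is not None:                      # the "hover over the link" check
        parser = _Links()
        parser.feed(html.get_content())
        for href, text in parser.links:
            if URLISH.match(text) and host_of(text) != host_of(href):
                findings.append(("link_mismatch", f"text shows {host_of(text)} but goes to {host_of(href)}"))
    return findings


if __name__ == "__main__":
    for code, detail in triage(build_sample_message()):
        print(f"{code:22s} {detail}")
```

The From header is compared with Return-Path and Reply-To because those are what actually carry bounces and replies, while From is whatever the sender typed. The Authentication-Results header is trustworthy only when your own mail server added it; a sender can forge one too, so gateways should strip incoming copies before adding their own. The link check is the “hover over the link” rule made mechanical: when the visible text is itself a URL, its host must match the host the href really points to.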

Why Do Hackers Hack?

Photo: ID Theft, https://www.flickr.com/photos/cafecredit/27549356392

The reasons and motivations of hackers who carry out cyberattacks continue to multiply. Long gone are the days when one could simply say hackers do it for the fun, thrill, or challenge. The new reality is that hackers hack for a variety of financial, political, and ideological reasons. Many people think they are not an appealing target for a hacker. In fact, hackers can use access to anyone’s accounts or devices as a launching pad to reach larger networks and discover valuable assets.

Hacking as hobby

Back in the 80s and 90s the word “hacker” seemed to apply to one person above all: Kevin Mitnick. Mitnick first gained notoriety after he gained unauthorized access to Digital Equipment Corporation’s (DEC) computer network at the age of 16 to copy its software. He was one of the first hackers prosecuted under the 1986 Computer Fraud and Abuse Act. While hackers these days generally have other motives, some still hack simply to prove they can outsmart government and corporate IT and security teams by infiltrating their systems.

Hacking to steal or blackmail

Odds are that anyone reading this post has at some time received a letter offering free credit monitoring because of a security breach. Some hackers focus on breaking into systems or devices to get into bank and financial accounts. Others break into systems to install ransomware that locks a computer or mobile device by encrypting its files. Access can usually be reclaimed by paying the ransom, though there is no guarantee the criminals will deliver a working key.

Hacking to crash a service

The goal of some hackers is simply to crash a system or web site. Often the aim is not only to knock a company’s website out of service for a while but to cripple the online presence of what is seen as competition. One common technique is the Denial-of-Service (DoS) attack, in which the system is flooded with superfluous requests in an attempt to overload it; when the flood comes from many compromised machines at once it is a Distributed Denial-of-Service (DDoS) attack.

Hacking to steal and leak information

The theft and publication of emails on WikiLeaks during the 2016 U.S. election will forever remain a classic example of this type of hack. The goal of these hackers is to steal, publish, and possibly sell trade secrets, as well as to expose the activities of governments, organizations, or individuals.

Hacking to expose security flaws 

Some hackers actively work to break into systems with the express goal of exposing security holes. The justification for this kind of hacking is to prevent harmful attacks by showing the world how vulnerable a system, service, or device is. One example of this kind of hack resulted in the discovery and disclosure of serious security flaws in the software used to register voting tallies in Germany.

Hacktivism

Sometimes hackers are vigilantes trying to raise awareness of a political issue or wishing to create chaos. These hackers may act for any of the reasons above. An example of hacktivism is the hacking done by Anonymous during the Occupy Wall Street movement.