by Markus Jakobsson
Security

Better law enforcement … always good for us?

July 22, 2008, 10:47 AM

If law enforcement improves, we will all be safer. Right? Well actually, maybe not.

Online fraud is rampant, and the trends are sinister. However, law enforcement, in collaboration with affected service providers, is making substantial progress in going after criminals. The good guys are now routinely capturing drop boxes (the machines used by phishers to collect stolen user credentials), and are often able to trace attacks back to the likely offenders. Newspapers occasionally run stories about busted crime rings. Crimeware writers spend time in jail. Hopefully, increasing risk of being caught will deter many would-be criminals. But to some extent, it is also changing the nature of the crimes.


If you were in the business of online fraud, what would be your reaction to improved law enforcement efforts? Maybe you would avoid phishing, and instead focus on click-fraud? (That would make sense, since phishing is a criminal act, but click-fraud -- depending on how it is committed -- may simply be a breach of the terms of service.) Or maybe you would be willing to commit crimes, but only if you were almost certain that you could not be traced.

Consider a criminal who wants to attack an organization; let’s call it ABC. We assume that ABC is a publicly traded company. The criminal starts by collecting data about the organization, such as its org chart. That is not so difficult … for example, try googling “at ABC site:linkedin.com” (substituting your favorite organization for ABC) and see if anything shows up. Then the criminal purchases put options in ABC. That’s a financial instrument whose value increases when ABC’s stock goes down. Then the criminal unleashes an attack against ABC. Maybe he emails selected employees, spoofing the emails to make them appear to be sent by close colleagues (remember, we assume he knows the org chart). In the emails, the criminal suggests that the recipient review some attached PowerPoint slides or a Word document, where these are infected with crimeware. The attachment does not even have to be of the type that it is claimed, but could simply be an executable. He hopes that the emails get delivered and that somebody falls for the trick. A successfully installed piece of crimeware starts digging for confidential information. Maybe some customer records. The crimeware leaks the records onto the web (but does not send them to the criminal in particular). Public outrage ensues, ABC apologizes publicly, and their stock drops. The criminal exercises his options and cashes in, but so does everybody else who happened to hold put options, so how can you tell which of them, if any, is the criminal?
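One place a defender can intervene in the scenario above is the attachment that "does not even have to be of the type that it is claimed". The check below, an added example and not part of Jakobsson's post, compares each attachment's claimed document type with its leading bytes and flags an executable passed off as slides or a document; the sample message, addresses and file names are constructed.

```python
import email
from email import policy
from email.message import EmailMessage

# Magic-byte prefixes for the document types the scenario mentions. Office 2007+
# files are ZIP containers ("PK"), legacy Office files start with the OLE2
# header, and Windows PE executables start with "MZ".
MAGIC = {
    ".docx": b"PK\x03\x04",
    ".pptx": b"PK\x03\x04",
    ".doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",
    ".ppt": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",
}
EXECUTABLE_MAGIC = b"MZ"


def attachment_findings(raw_message: bytes) -> list[str]:
    """Return one finding per attachment whose bytes contradict its claimed type."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        ext = name[name.rfind("."):] if "." in name else ""
        if data.startswith(EXECUTABLE_MAGIC):
            # The case from the post: an executable named like a document.
            findings.append(f"{name}: PE executable disguised as {ext or 'unknown'}")
        elif ext in MAGIC and not data.startswith(MAGIC[ext]):
            findings.append(f"{name}: content does not match claimed {ext}")
    return findings


def build_sample(filename: str, payload: bytes) -> bytes:
    """Constructed test message imitating the 'review these slides' lure (not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "colleague@abc.example"
    msg["To"] = "employee@abc.example"
    msg["Subject"] = "Please review the attached slides"
    msg.set_content("Can you look at this before the meeting?")
    msg.add_attachment(payload, maintype="application", subtype="octet-stream",
                       filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    lure = build_sample("Q3_review.pptx", b"MZ\x90\x00" + b"\x00" * 60)
    print(attachment_findings(lure))
```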

You can probably imagine a large number of variations on this attack. The bottom line is: vandalism may pay off, and may become part of the monetization game in crimeware, simply because it makes it harder to follow the trail of money. This changes a lot. Today, most security researchers assume a rational adversary, and design security mechanisms based on that assumption. But vandalism is not traditionally seen as rational, and is therefore often overlooked – simply because it is so much harder to deal with.

It is time for us to start thinking about what new monetization techniques criminals may use, and what possible trends in society may affect our bottom-line security -- see my recent post Free iPhones ... then what? for another example of such a connection. And it is time for us to review our existing systems to see what could cause difficulties, and fix those that do.

Comments

Its a good time to consider

It's a good time to consider previous suggestions on proper email credentials. In other words, per this example, company ABC would be very smart to create company user credentials for each person. Emails tag this personal credential when mailing internally to each other. If someone is spoofing their "Send From" credentials, and the user's cred-key or symbol is not accompanying the email, the recipient should know it's not legit. Treat the mail as a hoax and send off a copy to corporate security to investigate. Next step, if proven to be found: Persecution to the spoofer in the form of a fine should be granted. Along with 4 persons within this individual's closest members. Parents, family, brother, sister and closest friend. "You received this as a reminder your friend is not an honest person" As an example. Let the world know these criminals are not innocent as they may claim. Cybercrimes are still a crime. Don't do the crime if you don't wish to do the time. Simple. Remember guns don't kill - it's the one squeezing the trigger who kills.

Clever attack. One thing we

Clever attack. One thing we can do is to develop techniques that can secure sensitive data on personal computers or mobile devices used by employees. But I must admit this can only address part of the problem.