Editor’s Letter
2014 Special Cybercrime Edition

We would like to firstly wish all our readers a happy 2014! In this edition we look back at 2013 to see which of the predictions made at the beginning of 2013 actually came true. We also look at the top 10 cyber news highlights for 2013.

Indeed 2013 was a year jam-packed with cyber security events, and in 2014 it shows no signs of decreasing! Several experts have made predictions for 2014 which paint a picture of “doom and gloom”, but we are certain that if we all work together we will be able to overcome anything the cybercriminals may have up their sleeves.

“As the world is increasingly interconnected, everyone shares the responsibility of securing cyberspace.” - Newton Lee, author of Counterterrorism and Cybersecurity: Total Information Awareness

We hope you enjoy this edition of Cybershield.

Regards,
Manuel Corregedor
Wolfpack Information Risk
Cybershield Magazine • January - March 2014 • Cybercrime • Page 2
Cybershield Magazine Edition 5 - Q1: 2014
Table of Contents

CyberCon 2013 Special ..... 5
  Cyber Threat Management Session ..... 5
    Cooked in Africa - by Tomer Teller ..... 5
    The POPI Bill and Information Security - by Dr. Dario Milo ..... 6
    National Threat Intelligence - by Erez Tadmore ..... 9
    Implementing a national cyber security framework - by Bevan Lane ..... 10
    Cyber Security Centre of Innovation - by Joey van Vuuren ..... 12
    Cybercrime & organised criminal enterprises - by Michael Burgin ..... 14
    Implementing a National Security Operations Centre - by Rajesh Gopinath ..... 15
  Cyber Forensics & Incident Management Session ..... 18
    Accreditation of a Cyber Forensic Laboratory - by Shadrack Phophi
    Computer Forensics Predictions and Reputations - by Robert Lewis
    Standardising the digital forensics investigation process - by Prof Hein Venter
    Investigation of Cybercrime, what is the next step - by Paul Wright
    SARS Electronic Forensic Services - by Gerhard Oberholzer
    Digital Forensics as a forensic science discipline - by Jason Jordaan
    Data Analytics - by Yolanndé Byrd
  Africa Cyber Threat Collaboration Session ..... 26
    Cybercrime in Africa, a model for collaboration - by Craig Rosewarne
    Cyber Security Success stories from Nigeria - by David Isiavwe
    The Post Bank Saga, a police overview - by Brigadier Pieterse

Looking back at 2013: Which 2013 Cyber Security Predictions came true? ..... 32

International News
  2013: The year the world lost its Privacy!
  Red October Cyber Espionage
  Cryptolocker Ransomware
  Biggest DDoS attack in history!
  Personal Information Breaches
  Dexter Malware hits SA
  Another Obad Year for Android
  City of Joburg online billing “Hacked”
  Silk Road Shutdown
  Apple iOS Vulnerabilities Exposed
  The Secret NSA Toolbox Revealed!
  ‘Implants’ for Cisco, Juniper, Dell, Huawei and HP
  Intercepting Packages and Manipulating Computers
  Computer Monitor Surveillance
  Windows Error Messages: Potential Sources of Information
  Netgear and Linksys Router Vulnerability Discovered
  Warning: Evidence Found of new and meaner ransomware
  NSA building “Quantum Computer” ..... 48
  Yahoo Ad Network abused to redirect users to malicious websites ..... 48
  badBIOS ..... 49

Expert Cyber Security Predictions for 2014 ..... 42
  Trust and Privacy ..... 42
  Misusing Code Signatures ..... 42
  Java zero-day exploits may be less prevalent ..... 42
  Increase in Watering Hole and Social Media Targeting Attacks ..... 42
  Cybercrime that Leverages Unsupported Software, such as Windows XP, will increase ..... 42
  Increase in Cybercrime Activity Related to the World Cup ..... 42
  Increase in Ransomware ..... 43
  APTs will meet financially motivated malware ..... 43
  New Methods will be discovered to Bypass Automated Sandboxing ..... 43
  Dev-Ops Security Integration Fast Becoming Critical ..... 43
  Android malware, increasingly complex, seeks out new targets ..... 44
  Increase in Firmware Malware, BIOS Malware and 64 bit Malware ..... 44
  Detecting advanced malware will take even longer than it does now ..... 44
  Mobile banking will suffer from more MitM attacks; basic two-step verification will no longer be sufficient ..... 44

Africa Cyber News ..... 50
  Nigerian Youth Hacker Arrested ..... 50
  Nigeria pleas for the 2013 Cyber Security Bill ..... 50
  Ghana becomes a major hub for cybercrime ..... 51
  Ugandan authorities bust Cybercrime Fraudsters ..... 51
  South Africa looking for Skilled ‘cyber warriors’ ..... 52
  Concern as cybercrime costs Kenyan firms their profits ..... 53
  Cybercrime costs Kenyan Government KSh. 2 billion ..... 53
  4 Big South African Companies “Hacked” ..... 54
Cybershield magazine is a quarterly publication owned by Wolfpack Information Risk (Pty) Ltd. No part of this magazine may be reproduced or transmitted in any form without prior permission from Wolfpack. The opinions expressed in Cybershield are not those of the publishers, who accept no liability of any nature arising out of or in connection with the contents of the magazine. While every effort is made in compiling Cybershield, the publishers cannot be held liable for loss, damage or inconvenience that may arise therefrom. All rights reserved. Wolfpack does not take any responsibility for any services rendered or products offered by any of the advertisers or contributors contained in the publication. Copyright 2014. E&OE on all advertisements, services and features in Cybershield magazine.

Editorial address: Unit A2, Rock Cottage Office Park, Cnr Christian de Wet & John Vorster Roads, Randpark Ridge, Johannesburg, South Africa
Enquiries: Telephone - +27 11 794 7322
Advertising - sales@wolfpackrisk.com
Content - manuel@wolfpackrisk.com
Journalist - shingai@wolfpackrisk.com
Design - design@wolfpackrisk.com
General queries - admin@wolfpackrisk.com
http://www.wolfpackrisk.com/magazine/
CyberCon 2013 Special
Global Cyber Threat activity is on the rise leaving governments and the private sector in Africa extremely vulnerable. Successful international cyber security programmes are recognising the need for increased public private partnerships to deal strategically with all types of cyber threats – cybercrime, cyber espionage and cyber warfare. In order to deal with these issues CyberCon Africa 2013 was held from the 4th to the 6th of November. It brought together leading experts in all cyber threat fields to share their experience in preventing, detecting and responding to cyber attacks. A key focus of the event was to create an environment that will allow cyber security stakeholders to build relationships and incubate initiatives in the field of cyber threat management.
In this edition of Cybershield we bring you all the highlights of the conference.
The conference was divided into three sessions:
• Cyber Threat Management
• Cyber Forensics & Incident Management
• Africa Cyber Threat Collaboration

www.cyberconafrica.org
Cooked in Africa
by Tomer Teller from Check Point Security

Tomer started his presentation by comparing security to cooking: “Security in an organisation is just like cooking: too many ingredients will ruin the dish and so will too few. Organisations need to ensure they have enough security measures in place in order to protect their business information.”

Tomer stressed the need for organisations to know the steps criminals take when attempting to steal information from them. “In order to catch a criminal you need to act like one,” he stated, and then discussed the steps that need to be taken in order to understand how the attacker thinks and acts. It is therefore important that we understand the techniques used to penetrate our organisations and that we are innovative in predicting how the attackers are going to attack.

Step 1: Understand the mission objective of the criminal

Criminals want to steal sensitive information from individuals or organisations.

Step 2: Infiltrate the organisation

In this day and age it is not enough for cyber criminals to gather the details of their victims from social media sites alone. Criminals need more information about their possible victims, such as the type of device the victim uses and the applications installed on it. Equipped with this information, the criminals can use the tools that specifically target the devices and applications used by the possible victims, and a single tool can penetrate thousands of devices in one go. The information gathered from several victims about the devices and applications they use helps the criminals create and deliver more targeted attacks.

Tomer stated that an email with an infected attachment is no longer enough for criminals to meet their goals, so they have started to perform more advanced attacks; one example he gave was intercepting and compromising the radio frequencies used by aircraft. It only takes one compromised device for personal and company information to be leaked.

Attackers also know that, human nature being what it is, we all like “freebies”, so they create free versions of paid-for legitimate apps and embed malware in them. The same is done on websites that offer paid-for software or services for free. In both cases the malware is typically used to steal personal information.

Another strategy used by criminals is known as the “watering hole” attack. It is used to attack a group of people, typically from one organisation, who share the same interests. The criminals determine which sites and services their potential victims are most likely to visit based on those common interests, and then compromise websites the potential victims are likely to find of interest and visit. “In this way, the victim goes to the attacker just as animals go to a watering hole.”

Step 3: Stay persistent

Once malicious software has been installed on a computer, the criminals will in most cases want it to be persistent, that is, to keep running even after the computer is restarted. Once an infection has taken place you can assume that the attackers have probably compromised your login credentials and other sensitive data, and once they have hacked into one PC in the organisation they can move on to the rest.

Tomer highlighted several ways to avoid such attacks within organisations:
• Admin passwords should not be given to everyone
• Organisations should use different passwords across different departments
• Management needs to find what is important and build blocks around it

He also stressed that “Organisations need to understand that security does not have to be expensive, it has to be smart”. Another important suggestion was that organisations should collaborate and exchange information about any attacks they have suffered. Sharing such information between organisations helps reduce the number of attacks worldwide and helps organisations take the right stance to combat cybercrime; as he put it, “Someone’s pain is someone’s gain”. Lastly, he made the interesting observation that America fears internal threats and Trojans, whereas South Africa fears zero-day attacks and botnets.
PLATINUM SPONSOR - CYBERCON 2013 Check Point Software Technologies Ltd, the worldwide leader in securing the Internet, provides customers with uncompromised protection against all types of threats, reduces security complexity and lowers total cost of ownership. Check Point first pioneered the industry with FireWall-1 and its patented stateful inspection technology.
Today, Check Point continues to develop new innovations based on the Software Blade Architecture, providing customers with flexible and simple solutions that can be fully customised to meet the exact security needs of any organization. www.checkpoint.com
The Protection of Personal Information Bill and Information Security
by Dr. Dario Milo from Webber Wentzel

Dr. Milo described the POPI bill and the consequences of non-compliance with the law, which are as follows:
• Up to 10 years in prison for infringements
• Administrative fines (the most prevalent consequence around the world) of up to R10 million
• Civil law suits brought against organisations by individuals/clients (strict liability) if a client incurs any loss as a result of personal information being leaked by a company

He continued his presentation by giving examples of such incidents:

Company | Country | Date | Offence
Sony | UK | January 2013 | PlayStation systems were hacked, which resulted in clients’ credit card numbers being compromised.
The Presidential | UK | October 2013 | There was a suspicious mix-up over payments at checkout.
NHS Trust | UK | May 2012 | Information was stolen and auctioned online by subcontractors.

Such incidents result in large law suits and may harm the reputation of the company. He stressed that the protection of people’s information needs to be addressed in every section of an organisation.

Why do we need POPI?

Dr. Milo posed the question of why we need POPI, and gave the following answers:
• It is a constitutional imperative which addresses the right to privacy
• The right to privacy, specifically informational privacy
• Balanced with the right to freedom of information and the right to freedom of expression

Section 14 of the Constitution states that everyone has the right to privacy, which includes the right not to have:
• their person or home searched
• their property searched
• their possessions seized
• the privacy of their communications infringed

Advancements in modern technology also drive the need for the law:
• Cloud computing
• The sheer volume of data that is processed on a daily basis
• The ease with which data can be transferred
• The ability to transfer data worldwide
• International trends and the ability to compete globally, given the 99 national privacy laws that are currently in place
• There are 21 privacy bills in South Africa

One of the main advantages of being POPI compliant is that organisations in countries with data protection laws can only share information or conduct business with organisations in countries that have comparable laws. Once POPI commences, companies in South Africa will have only one year to comply. The bill will affect suppliers, employers, contractors and employees.
GOLD SPONSOR - CYBERCON 2013
FireEye is a leader in stopping the new generation of cyber attacks, such as advanced malware, that easily bypass traditional signature-based defences and compromise over 95 percent of enterprise networks*. FireEye has invented a purpose-built, virtual machine-based platform that provides real-time threat protection to organisations across all major threat vectors and each stage of an attack life cycle. www.fireeye.com
WOLFPACK OPINION – UPDATE ON POPI

President Jacob Zuma signed the Protection of Personal Information (POPI) Act and it officially became law as from the 26th of November 2013. This brings South Africa in line with international best practice when it comes to the protection of personal information. POPI regulates how anyone who processes personal information must handle, keep and secure that information.

Although the Act has been signed into law, a commencement date has not yet been set by the President. The commencement date is when POPI will start to apply. All businesses and individuals will be given a year from the commencement date to comply with the POPI requirements (unless this period is extended, which the Act provides for). If you or your business process personal information, make sure you understand how POPI affects you and comply as soon as possible, because anyone who contravenes POPI may face prison terms and fines of up to R10 million.

Although you may have a year to comply, that does not mean you should relax; rather start now so that you are fully compliant before POPI starts showing its teeth. You should at a minimum do the following:

1. Read the Act – Focus particularly on Chapter 3, as it sets out the eight conditions for the lawful processing of personal information.
2. Identify personal information – Create a list of all the different types of personal information that you process.
3. Check compliance – See whether the information you are processing complies with the conditions for lawful processing (Chapter 3 of the Act).
4. Identify who accesses your information – Identify every person in your business who deals with personal information, as a slip-up by any of them may result in your business not complying with POPI.
5. Train your staff – Provide the people identified in the previous step with POPI awareness training covering the Act, how they store the information, and attacks such as social engineering.
6. Protect your devices – Ensure all devices that store personal information are encrypted and password protected. Mobile devices should be able to be remotely wiped in case of theft or loss.
7. Limit physical access – Ensure that physical access to devices that store personal information is tightly controlled by means of access control, CCTV monitoring etc.
8. Third party considerations – Create a list of all third parties that may process personal information on your behalf, ensure they are POPI compliant and put contracts in place to this effect.
9. Awareness – Start early with an awareness programme for your staff. Wolfpack has created a range of local animated videos that cover the requirements of POPI as well as other pertinent security awareness topics.

Contact us at info@wolfpackrisk.com for more information or a demo.
The 8 conditions for lawful processing under the Act

He provided the following eight conditions for the lawful processing of personal information:

1) Accountability
• The responsible party is accountable for complying with the measures which give effect to the conditions.
• Obligations cannot be contracted out of, for example by outsourcing the processing of information.
• The responsible party is accountable from inception, i.e. from the time the “purpose and means” of the processing are determined.
• The responsible party remains accountable throughout the lifecycle of processing.

2) Processing limitation
• Process lawfully and in a reasonable manner that does not infringe on the privacy of the data subject, i.e. the person to whom the information relates.
• Personal information may only be processed if, given the purpose, it is adequate, relevant and not excessive.
• Personal information may only be processed if the data subject consents, or if processing is:
  o necessary to carry out actions for the conclusion or performance of a contract with the data subject
  o necessary to comply with a legal obligation
  o necessary to protect a legitimate interest of the data subject
  o necessary for the performance of a public law duty by a public body
  o necessary to pursue the legitimate interests of the responsible party or a third party

3) Purpose specification
• Personal information must be collected for a specific, explicitly defined and lawful purpose related to a function or activity of the responsible party.
• Steps are required to make the data subject aware of the purpose for which the information is collected.
• Records may be retained only as long as necessary to achieve the purpose for which the information was collected or processed, subject to exceptions such as (i) where required or authorised by law; (ii) where reasonably required for lawful purposes; (iii) where required by contract between the parties; or (iv) consent.
• Obligations to delete, destroy or restrict processing.

4) Further processing limitation
• Any further processing must be “compatible” with the purpose for which the personal information was initially collected.

5) Information quality
• The responsible party has a duty to take reasonably practical steps to ensure that personal information is complete, accurate, not misleading and updated where necessary.
• Regard must be had to the purpose for which the personal information is collected or further processed.

6) Openness
• The responsible party must take reasonably practical steps to ensure that the data subject is aware of various matters related to the collection and processing of their personal information.

7) Security safeguards
• The responsible party must secure the integrity and confidentiality of the personal information (PI) in its possession by taking appropriate, reasonable, technical and organisational measures to prevent loss, damage or destruction and unlawful access. In order to do this, the responsible party must:
  o identify all reasonably foreseeable internal and external risks to PI in its possession or under its control
  o establish and maintain appropriate safeguards against the identified risks
  o regularly verify that the safeguards are effectively implemented
  o ensure the safeguards are regularly updated in response to new risks or deficiencies
• In doing so, the responsible party must have due regard to generally accepted information security practices and procedures.

8) Data subject participation
The data subject is entitled to:
• enquire, free of charge, whether his/her PI is being processed
• request a description of his/her PI
• request information about the recipients of his/her PI
• challenge the accuracy of their PI
• request correction of their information (if inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully)
• request deletion
Regional and Global Risks with regards to POPI

Dr. Milo also identified the regional and global risks with regard to POPI, which are as follows:
• Personal information may not be transferred to a third party in a foreign country unless the recipient is subject to a law, binding corporate rules or an agreement which provides an “adequate level of protection” that effectively upholds principles substantially similar to the conditions for lawful processing and includes substantially similar provisions relating to the further transfer of personal information to third parties in foreign countries.
• In terms of the law it is important to consider:
  o whether the country to which data is being transferred has any data protection laws
  o if so, what the status of that law is; and
  o whether the provisions of that law provide adequate protection

It is also worth noting that countries with no data protection legislation in place, or with bills that have not yet been enacted into law, present a higher risk than those which do.

Practical Steps to Avoid Data Breaches

In order to comply with the Act, organisations need to put practical steps in place to avoid breaches. Dr. Milo suggests the following:
• Appoint/designate information officers
• Perform processing and compliance audits
• Identify responsible persons in the group
• Identify operators
• POPI processing awareness
• Implement training

Processing and Compliance Audits

Organisations should perform processing and compliance audits by:
• Identifying all the collection points of personal information, such as websites, application forms, call centres, employment application forms and event attendance sheets.
• Identifying the personal information being collected and whether it is being collected directly from the data subject or via a third party.
• Identifying all purposes for processing, both internal and external access (including disclosure).
• Identifying when exceptions to the conditions for lawful processing apply.

Organisations should review policies and procedures by:
• Clarifying policies on how auditors will deal with personal information
• Clarifying the purposes for which personal information will be used/processed
• Extending policies to deal with their own human resource records
• Providing training on POPI

Organisations should ensure that supply contracts have the following clauses:
• Specific information protection obligations
• Personal information audit rights
• Assistance with investigations by the regulator
• Assistance with data subject access requests
• Cross-border transfers

Procedures for handling data subject access requests and investigations also need to be established within organisations.

Dr. Milo ended his presentation by posing the following questions for organisations to seriously consider:
1) What do you do if there is a breach of the conditions?
2) How do you deal with the media?
3) How do you deal with the regulator?
National Threat Intelligence
by Erez Tadmor from RSA Threat Intelligence

Erez opened his talk by noting that cybercrime is now offered on the Internet as a service, used to conduct malware attacks, data breaches and cash-outs (fraud). He identified the following three key trends in cybercrime:
• More intelligent
• More mobile
• More disruptive
Cybercrime is becoming “more intelligent” as the underground continues to evolve, providing more unique offerings and services, and malware strains are being developed and commercialised. Criminals now use exploit kits that compromise computers without any interaction from the victim. For example, a subdomain of the LA Times’ news site (offersanddeals.latimes.com) was silently redirecting visitors to a third-party website retrofitted with the Blackhole exploit kit, which used a Java exploit to infect the user.

Criminals are now being provided with books on how to launch botnets, cash out and perform other attacks. He highlighted that there is plenty of support for those wishing to commit cybercrime, from “one stop malware shops” to “cyber criminal universities” that mentor up-and-coming cyber criminals. There are websites that sell credit cards at $2 per card; the price depends on the type of card and the information sold with it. Bank account balances, geographical areas and the amounts available in accounts are now readily provided by criminals. Professional DDoS services are for sale at $8 per hour, with the price depending on the target, for example government and military websites. Details of, and remote access to, government agencies and their private documents may also be readily available.

Ransomware is also sold by cybercriminals; this attack locks the computer screen and then demands a ransom (payment) to release the victim’s documents. The most popular one at the time was the ‘Ransomware Trojan’. The criminals, however, are always adapting and changing their tactics.
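The silent redirect in the LA Times example (a legitimate page quietly sending its visitors to an exploit-kit landing page) is something a web team can look for in its own pages. The Python script below is an added example, not code from the talk or from RSA: it scans a page’s HTML for hidden off-site iframes, meta-refresh redirects and inline JavaScript that rewrites the location, which are the three injection patterns drive-by kits most commonly rely on. The sample page and every hostname in it are constructed placeholders.

```python
"""Flag the silent redirections that drive-by exploit kits depend on.

Added example for the drive-by case described above; not code from the talk
or from RSA.  The sample page and every hostname in it are constructed
placeholders.  Three classic injection patterns are checked:
  - an <iframe> to another host that the visitor can never see
  - a <meta http-equiv="refresh"> that bounces the visitor to another host
  - inline JavaScript that rewrites the location to another host
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Matches window.location = "...", location.href = '...', top.location = "..."
# and location.replace("...").  The URL ends up in group 1 or group 2.
_JS_REDIRECT = re.compile(
    r"""(?:window\.|document\.|top\.|self\.)?location(?:\.href)?\s*=\s*['"]([^'"]+)['"]"""
    r"""|location\.replace\(\s*['"]([^'"]+)['"]\s*\)""",
    re.IGNORECASE,
)


def _host(url):
    """Hostname of an absolute URL in lower case; '' for a relative URL."""
    return (urlparse(url).hostname or "").lower()


def _tiny(value):
    """True for a width/height attribute of 0 or 1 (bare number or pixels)."""
    match = re.match(r"\s*(\d+)", value or "")
    return match is not None and int(match.group(1)) <= 1


def _hidden(attrs):
    """True when an iframe is sized or styled so the visitor never sees it."""
    style = attrs.get("style", "").replace(" ", "").lower()
    return ((_tiny(attrs.get("width")) and _tiny(attrs.get("height")))
            or "display:none" in style or "visibility:hidden" in style)


class _Scanner(HTMLParser):
    """Collects (kind, target_host) pairs for every off-site redirect found."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []
        self._in_script = False

    def _offsite(self, url):
        host = _host(url)
        return bool(host) and host != self.page_host

    def handle_starttag(self, tag, attrs):
        a = {name: (value or "") for name, value in attrs}
        if tag == "iframe" and _hidden(a) and self._offsite(a.get("src", "")):
            self.findings.append(("hidden-iframe", _host(a["src"])))
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = re.search(r"url\s*=\s*['\"]?([^'\"\s]+)", a.get("content", ""), re.I)
            if m and self._offsite(m.group(1)):
                self.findings.append(("meta-refresh", _host(m.group(1))))
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser hands over <script> bodies as raw data; inspect only those.
        if self._in_script:
            for m in _JS_REDIRECT.finditer(data):
                url = m.group(1) or m.group(2)
                if self._offsite(url):
                    self.findings.append(("js-redirect", _host(url)))


def find_silent_redirects(page, page_host):
    """Return [(kind, host), ...] for every redirect that leaves page_host."""
    scanner = _Scanner(page_host)
    scanner.feed(page)
    scanner.close()
    return scanner.findings


# Constructed sample: a legitimate deals page with two injected redirects.
SAMPLE_PAGE = """<html><head>
<meta http-equiv="refresh" content="30;url=https://news.example/offers">
<script>var tracker = 1; // harmless site script</script>
</head><body>
<h1>Offers and deals</h1>
<iframe src="https://news.example/widget" width="300" height="200"></iframe>
<iframe src="http://landing.example.net/in.php" width="0" height="0" style="display:none"></iframe>
<script>if(navigator.userAgent.indexOf('Win')>0){window.location.href="http://kit.example.org/go.jsp";}</script>
</body></html>"""


if __name__ == "__main__":
    for kind, host in find_silent_redirects(SAMPLE_PAGE, "news.example"):
        print(f"{kind:14s} -> {host}")
```

Redirects that stay on the page’s own host are deliberately ignored, since sites legitimately refresh and embed their own content; what the script surfaces is the combination of an invisible element and a third-party destination, which is the signature of the kind of injection described above. Obfuscated JavaScript (string concatenation, `eval`) will slip past the regex, so treat a clean result as a first pass rather than a clearance.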
With the continued adoption of mobility and Bring Your Own Device (BYOD), mobile threats will gain more significance and traction. The mobile phone industry is fast growing, with over 1 billion smartphones manufactured in some years, a very high figure compared to the 132 million babies born worldwide per year. This has made mobile phones a good target for cybercriminals. In 2013 mobile phone users were bombarded with a wide range of attacks, namely:
• Premium service abusers
• Data stealers
• Adware
• Malicious downloaders
• Rooters and backdoors

A mobile Trojan tricks unsuspecting victims into downloading an application for their mobile phones, thereby installing the Trojan. Android users have been hit by a Trojan that can even record phone call conversations. Erez gave an example of a website that sells Android SMS interceptors for a fee of $350 per build. Android phones seem to be the most targeted, with 350 000 malicious applications reported on Android in 2012.

In addition to becoming more advanced, cyber attacks have also become more disruptive. Hacktivism will continue to disrupt our businesses and, with more devices coming online (the Internet of Things), the potential for disruption will grow exponentially. Hacktivist groups such as ‘Anonymous’ have already launched Distributed Denial of Service (DDoS) attacks and exposed confidential information of high-profile individuals. Interestingly, in the United States of America DDoS attacks are regarded by some as a form of protest.
GOLD SPONSOR - CYBERCON 2013
RSA, The Security Division of EMC, is the premier provider of security, risk and compliance management solutions for business acceleration. RSA helps the world’s leading organisations solve their most complex and sensitive security
challenges. These challenges include managing organizational risk, safeguarding mobile access and collaboration, proving compliance, and securing virtual and cloud environments. www.rsa.com
CyberCon 2013 Special
SANS 20 Critical Controls
By Bevan Lane a Certified SANS Community Instructor & Independent Information Security Consultant
Bevan opened his presentation with the following statement:
“Companies are now getting compliant for the sake of being compliant”
He then gave a brief recap on the eyebrow raising case studies of 2013 namely, the Edward Snowden incident, the Dexter virus found on “Point of sale” machines, the Natalie Faye Webb incident, the article by Adam Wakefield that revealed that cybercrime is costing South Africa a billion Rand per year and how cyber criminals are hacking and compromising national infrastructures. He then went on to describe the National Security Framework and what it is. The diagram below shows the different levels of the risk management process from the Senior Executive Level down to the Implementation/Operations Level. Bevan stressed the point that we need to stop people from violating systems and compromising the confidentiality and integrity of our data. Cyber security is complex and becoming even more complicated each day. It is critical that we have priorities! He added some guiding principles that need to be used when prioritising security in an organisation and how defences should focus on addressing the most common and damaging attack activities occurring today, and those anticipated in the near future.
SILVER SPONSOR - CYBERCON 2013
He provided the following guiding principles: • • • • •
Enterprise environments must ensure consistent controls across an enterprise to effectively negate attacks. Defences should be automated where possible, and periodically or continuously measured using automated measurement techniques where feasible. To address current attacks occurring on a frequent basis against numerous organisations, a variety of specific technical activities should be undertaken to produce a more consistent defense. Root cause problems must be fixed in order to ensure the prevention or timely detection of attacks. Metrics should be established that facilitate common ground for measuring the effectiveness of security measures, providing a common language to communicate about risk.
Bevan introduced the SANS 20 Critical Controls and broke them down as follows. Controls 1 to 4 have a very high effect on attack mitigation, and their implementation within organisations should be taken very seriously. The effect on attack mitigation differs between the critical controls, as shown in the last column of the table below. Controls 1 and 2 urge organisations to create an inventory of all their software and devices, for example Microsoft Windows, Samsung Galaxy S etc. Controls 3 to 7 place an emphasis on how to protect the items listed as part of Controls 1 and 2. Organisations should ensure that the configurations for hardware and software on laptops, workstations and servers are secure. Additionally, continuous vulnerability assessment and remediation must be done.
Bevan explained that, as shown in the figure below, the controls are designed to thwart certain computer attacker activities.
Controls 8 and 9 stress the importance of data, people and the data recovery capability of an organisation. An organisation should conduct security skills assessments amongst their employees and provide training to keep their employees current with the latest technologies and how they work. Controls 10 to 13 and Control 19 are based around securing the network and / or networked devices. Control 14 shows the importance of maintaining, monitoring and analysing security audit logs. Controls 15 to 17 show that account control and monitoring are important. Controls 18 and 20 show that response is vital in any organisation and so are penetration tests and red team exercises.
Cyber Security Centre of Innovation
by Joey van Vuuren from the CSIR
Joey began her presentation by posing the question:
“How will South Africa combat the Cyber Challenge?”

She then stated the need for a cyber security centre of innovation in South Africa. A couple of other countries already have these centres in place. She briefly discussed the following examples.

International Cyber Security Centres

NexGen Cyber Innovation and Technology Center:
• Designed for cyber research and development, customer or partner collaboration and innovation.
• Leverages existing Lockheed Martin and partner capabilities in addition to developing the most innovative new cyber solutions and prototypes to meet customers’ unique needs.
• Is fully equipped for live cyber technology exercises and demonstrations to help customers integrate solutions and test them in environments that are representative of their missions.
• Has alliances with APC by Schneider Electric, CA, Cisco, Dell, EMC Corporation and its RSA Security Division, HP, Intel, Juniper Networks, McAfee, Microsoft, NetApp, VMware and Symantec.
• Is connected to laboratories and development centers worldwide.

Cyber Innovation Center, Bossier City, Louisiana:
• A not-for-profit corporation in the National Cyber Research Park with high-speed connectivity to the Internet, LMI, HiWAE, GVNet and classified networks.
• Established to foster collaboration, accelerate technology transfer and develop the necessary workforce to meet the growing cyber demands. In order to achieve this it partners with government, industry, research and academia.
• Has the National Integrated Cyber Education Research Center (NICERC), which is a Center of Academic Excellence responsible for building a sustainable knowledge-based workforce that can support the needs of government, industry and academia. The center is supported by the Department of Homeland Security.

The Research Institute in the Science of Cyber Security (RISCC) was established by Government Communications Headquarters (GCHQ), and is led by the Engineering and Physical Sciences Research Council (EPSRC) and the Department for Business Innovation and Skills (BIS). The institute is based in London and will work alongside 7 universities to:
• Enhance the UK’s cyber knowledge base through original research
• Provide top quality graduates in the field of cyber security
• Support GCHQ’s cyber defense mission
• Drive up the advancements and the level of innovation
The Academic Research Institute has been established to conduct research into Automated Program Analysis and Verification. It also has partnerships with government, academia and industry to make the UK more resilient against cyber attacks. In addition it focuses on building cross-cutting knowledge, skills and capability for the UK to underpin all cyber security objectives and cyber security technologies.

The Hague Security Delta (HSD) Cyber security centre:
• Provides collaboration between research, academia and industry. For example, twenty-two consortia applied for co-financing of their innovation projects by the HSD Development Fund.
• In the Serious Gaming Lab, professionals and top managers gain value from working in a familiar, challenging and real environment. They gain new experiences, insights and knowledge with respect to security.
• Initiatives include the establishment of a Cyber Security Academy, which will be a communal place, a ‘campus’, where professionals, researchers and students meet for education, research and sharing expertise in the field of cyber security.
Cyber Security Centre for Innovation South Africa (Pending)
South Africa has also been considering opening its own centre and offering services similar to those in overseas countries. The centre will involve government research, higher education and industry/business. The collaboration between industry, universities and government will help in addressing advanced cyber threats and assist in building a sustainable knowledge-based workforce that supports the needs of government, industry and academia. Joey explained how research, higher education and businesses will benefit from each other once the centre is established.
The diagram below illustrates these benefits. Its three nodes are Research and Technology, Business and Higher Education, and the links between them are labelled:
• Business opportunities point to new research avenues
• New knowledge is the source of innovation
• Skills are key input to research and development
• New knowledge improves education
• Skills are a key input to innovation
• Knowledge of new market development is important for education

She further explained that these centres have two things in common: partnerships and focus. They have partnerships between business/industry, academia, government and research institutions. They focus on collaboration with industry, education, cyber research and innovation. Joey also mentioned the International Multilateral Partnership Against Cyber Threats (IMPACT), which is the cyber security executing arm of the United Nations’ specialised agency, the ITU. IMPACT is said to be the world’s first UN-backed comprehensive alliance against cyber threats. The partnership brings together governments, academia and industry experts to enhance the global community’s capabilities in dealing with cyber threats. ITU-IMPACT’s global headquarters are in Malaysia and it has 144 countries in the coalition. Its global partnership now embraces over 200 industry, academia and international organisations.
Advanced Cyber Security Centre (ACSC):
• Launched and supported by Mass Insight Global Partnerships and hosted at The MITRE Corporation (a US-funded research and development centre), it is a next-generation collaboration of industry, university and government research partners.
• Brings together expert practitioners and researchers to conduct threat analysis and share best practices under a Non-Disclosure Agreement.
• Develops R&D solutions to improve cyber defence and address cyber security gaps.
• Graduate education opportunities for new talent in the cyber security field.
• Work groups:
  • Threat evaluation (Information Sharing)
  • Research and Education
  • Policy/Leg

Joey feels that collaboration is the key, as no single organisation can respond effectively, because:
• Attacks are increasing in sophistication.
• Current solutions are not adequate.
• Organisations want to increase the training and sophistication of their employees’ skills and solutions.
Additionally, the centre must be a world-class centre designed for cyber research and development, customer and partner collaboration and innovation. The centre must be fully equipped for live cyber technology exercises and demonstrations required by industry and must be able to do safe testing in both simulated and real world environments.

The envisioned key activities for Information Sharing are to:
• Identify new threat indicators
• Share best practices
• Build cross sector networks and personal relations

Key activities for education are:
• Development of a knowledgeable cyber workforce
• Availability of bursaries, internships and studentships
• Formal qualifications
• Awareness

Key activities for research and development are:
• Address advanced cyber threats
• To be funded by government, industry and the National Research Foundation (NRF)
• Support for policy development and legislation

The programme will contribute to the organisation’s knowledge and deliver defensive strategies. The functions of the centre will be to:
• Bring together expert practitioners and researchers to conduct threat analysis and share best practices under a Non-Disclosure Agreement, including technical exchange meetings that can build personal relationships among frontline cyber operations staff. The centre will coordinate these collaborations.
• Launch a secure Cyber security Web Portal to enhance information-sharing and access to key data.
• Develop R&D solutions to improve cyber defences and address cyber security gaps.
• Expand education opportunities for building capacity in the cyber security field.
• Develop new qualifications and certifications
Joey further stated the timelines and the short, medium and long term goals. At the end of her presentation Joey made the following points: • Interest of academia and business/ industry in such a centre is important. • Who can / will support such an initiative? • Such a centre will need to be accredited with IMPACT for international cooperation.
Cybercrime & organised criminal enterprises
by Michael Burgin from the US Secret Service

“Cybercrime is now more lucrative than the drug trade, it is now more lucrative to steal online than on the street”

Michael began his presentation by stating that today’s cyber criminals are experts in stealing data, speak a common language, have professional security and are constantly evolving. The growing threat is that the criminal networks are highly organised and consist of a fusion of criminal communities made up of card fraudsters, hackers, spammers and bot herders. He gave an example of such websites with reference to the number one carding site in the world, the public face of whose infrastructure is the Russian-speaking-only site called Mazafuka. The site also sponsors a popular dance TV show, similar to Dancing with the Stars, which indicates that such companies in Russia may be regarded as acceptable in society and actually seen as part of the culture. There is also an army of online criminals who specialise in different cybercrimes and sell information to interested parties at varying prices.

“The carding underground world continues to grow fuelled by a stream of illicit activities”

Michael feels that people should be concerned because the money that is stolen is used to fund illegal activities such as drug trafficking, terrorism, military conflicts and the purchase of illegal weapons. In his closing remarks he said:

“A global problem requires global cooperation”.
Implementing a National Security Operations Centre
by Rajesh Gopinath from Paladion

Rajesh’s presentation was based on 6 important lessons:
• Lesson 1 – It’s not just log monitoring!
• Lesson 2 – Monitoring perimeter devices is not enough
• Lesson 3 – Security Information and Event Management (SIEM) is not a magic box!
• Lesson 4 – Monitor only relevant events
• Lesson 5 – Enroll your assets into the right “security program”
• Lesson 6 – Perform historical risk analysis
Lesson 1: It’s not just log monitoring!
Rajesh began by showing a SQL injection alert example as the problem and discussed how to handle it.
Step 1: Be aware of the alert notification displayed on the console.
Step 2: Analyse the notification.
Step 3: Notify your IT department.
The problem is that:
• No analysis capability exists to check if the alert is actually a real threat
• Customers consider this as yet another alert in a slew of false positives
• No information on existing alerts exists, so the severity of the alert cannot be increased and the customer is therefore unable to take remediation action when a real threat is detected.
He goes on to state that, “Monitoring parameters is not enough”. He urges organisations to BREAK the silos and make security operations more integrated.
Lesson 2: Monitoring perimeter devices only isn’t enough!
Organisations should understand that the threats are not just at the perimeter level. It is also crucial to monitor other critical servers, databases and security devices. It is disturbing to know that according to research conducted in 2012, “A single insider-malicious incident exposed 150 million records!” It is important to note that:
• According to Michael DuBose, former head of the cyber-crimes division in the U.S. Department of Justice, “Employees pose the greatest risk to a company’s data”.
• 75% of Internet Vulnerabilities are at the Web Application Layer
Lesson 3: SIEM is not a magic box!
People should understand that Security Information and Event Management (SIEM) cannot solve all the problems. SIEM is a term for software and product services that combine security information management and security event management. SIEM technology provides real-time analysis of security alerts generated by network hardware and applications. It can be sold as software, appliances or managed services, and can also be used to log security data and generate reports for compliance purposes. SIEM can be used for the following:
• Data aggregation
• Correlation
• Alerting
• Dashboards and compliance monitoring
• Retention
He gave a scenario in which a customer complained: “Yesterday, I had a vendor conduct a pentest. Why didn’t I receive any alerts?” On analysis they found:
• IPS/IDS logs were monitored but not configured properly
• Web servers were targeted primarily but there was no Web Application Firewall available to generate alerts
Rajesh said that it is important to understand that SIEM is an aggregation and correlation engine and without data, these features do not work. The following data sources are required:
Rajesh stresses that the above is not enough and that organisations and individuals should also invest in the following solutions:
• Data Loss Prevention (DLP)
• Web Application Firewall (WAF)
• Database Activity Monitoring (DAM)
• Intrusion Detection and Prevention (IPS/IDS)
Each of these feeds the SIEM a different kind of evidence:
• DLP to detect data leakage events
• IPS/WAF to detect external intrusion
• DAM to detect fraudulent activities on databases
• Network anomaly detection tools to detect malware
• Vulnerability scanners to correlate threats and vulnerabilities
Having multiple systems, software applications and security technologies in place and knowing how to implement them is important and may ensure effective security and investigations.
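To make Lessons 1 and 3 concrete, here is an added example (my own, not from Rajesh's presentation or the magazine) of the aggregation and correlation a SIEM performs over several sensors, with the event allowlisting Rajesh describes under Lesson 4 applied first. The line format, the Windows event ID allowlist, the severity thresholds and the sample feed are all constructed for illustration.

```python
"""Added example (not from the presentation): a toy SIEM correlation pass.
Everything here is constructed: the 'ts|source|actor|kind|detail' line format,
the allowlist of Windows event IDs and the severity thresholds."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Event:
    ts: datetime
    source: str   # which sensor raised it: ids, waf, dam or windows
    actor: str    # the client IP or account the event is about
    kind: str     # sensor-specific event type (for Windows, the event ID)
    detail: str

# Constructed allowlist (Lesson 4): only these Windows event IDs are forwarded.
RELEVANT_WINDOWS_EVENTS = {"4624", "4625", "4672", "4720", "4728", "1102"}

def parse_line(line: str) -> Event:
    """Parse one line of the constructed 'ts|source|actor|kind|detail' format."""
    ts, source, actor, kind, detail = line.split("|", 4)
    return Event(datetime.fromisoformat(ts), source, actor, kind, detail)

def is_relevant(ev: Event) -> bool:
    """Drop noise before it reaches the correlation engine (Lesson 4):
    security-sensor events always pass, Windows events only if allowlisted."""
    if ev.source == "windows":
        return ev.kind in RELEVANT_WINDOWS_EVENTS
    return True

def noise_ratio(events) -> float:
    """Fraction of the incoming events that the allowlist discards."""
    events = list(events)
    if not events:
        return 0.0
    return sum(1 for e in events if not is_relevant(e)) / len(events)

def correlate(events, window: timedelta = timedelta(minutes=10)) -> dict:
    """Map each actor to (severity, sorted list of sources that saw it).

    Severity depends on how many *different* sensors observed the same actor
    inside `window`: a lone IDS alert stays informational (Lesson 1: with no
    other context it cannot be escalated), IDS and WAF agreeing is high, and a
    third independent source such as the DAM makes it critical."""
    by_actor = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        if is_relevant(ev):
            by_actor[ev.actor].append(ev)
    findings = {}
    for actor, evs in by_actor.items():
        best = set()
        for i, first in enumerate(evs):        # sliding window over time
            seen = {first.source}
            for later in evs[i + 1:]:
                if later.ts - first.ts > window:
                    break                      # evs is time-sorted
                seen.add(later.source)
            if len(seen) > len(best):
                best = seen
        if len(best) >= 3:
            severity = "critical"
        elif len(best) == 2:
            severity = "high"
        else:
            severity = "informational"
        findings[actor] = (severity, sorted(best))
    return findings

# Constructed sample feed. The DAM line carries the originating web client
# address (assumed to be passed through by the application) so that it can
# be joined with the IDS and WAF records for the same actor.
SAMPLE_LOG = [
    "2013-11-05T09:00:00|ids|203.0.113.7|sqli_signature|signature match on /login",
    "2013-11-05T09:00:03|waf|203.0.113.7|blocked_request|rule hit on /login",
    "2013-11-05T09:00:05|dam|203.0.113.7|anomalous_query|appsvc read full users table",
    "2013-11-05T09:30:00|ids|198.51.100.9|port_scan|TCP SYN sweep",
    "2013-11-05T09:31:00|windows|jsmith|4663|object access (not on allowlist)",
    "2013-11-05T09:31:10|windows|jsmith|4625|logon failure",
    "2013-11-05T09:31:20|windows|jsmith|4663|object access (not on allowlist)",
]

def analyse(lines) -> dict:
    """Parse, filter and correlate raw lines; see SAMPLE_LOG for the format."""
    return correlate(parse_line(line) for line in lines)

if __name__ == "__main__":
    for actor, (severity, sources) in analyse(SAMPLE_LOG).items():
        print(f"{actor:15} {severity:14} seen by {', '.join(sources)}")
    print(f"noise discarded: {noise_ratio(map(parse_line, SAMPLE_LOG)):.0%}")
```

Without the WAF and DAM feeds the first actor would never rise above informational, which is exactly the situation Rajesh describes when only the IDS is wired into the SIEM.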
Lesson 4: Monitor only relevant logs
For example, Windows events:
– Enabling all logging will result in 800,000 events being generated per day
– Enabling optimal logging will result in 120,000 events being generated per day
Given the figures above, 90% of the logged events are noise. It is important to select and only monitor the important events. The issue with monitoring all events is that it negatively affects the performance of the SIEM solution. Additionally, too much noise makes it difficult to focus on the real threats.

Lesson 5 – Enrol your assets into the right “security program”
It is crucial that organisations enrol their assets into the right ‘security programs’ because different assets need to be treated differently. Rajesh stated that the problem is that we treat all assets the same and there are also no continuous vulnerability assessments of assets/programs. Often there are multiple logins in organisations which are monitored. He highlighted the fact that most of the assets are not tested at all, or all assets are being treated the same even though they are different. Rajesh points out that organisations should create security programs based on the risk profile of each asset. Such security programmes allow for the coverage of all assets and reduce ad hoc activities. They also ensure the continuity of security protection and proactive detection. Below is a table that an organisation can use to better structure their security programmes by allowing them to categorise their assets based on their risk profile.
Sample of threat management programme:

Asset value   Real time event monitoring   Log management   Alerting (Hrs/days)
Critical      YES                          YES              24/7
High          YES                          YES              24/7
Medium        YES                          YES              8/7
Low           NO                           YES              Only logging

Sample of vulnerability management program (Applications):

Category of assets   Code review   Gray box Pentest   Scan
High                 Annual        Half yearly        Monthly
Medium               N/A           Annual             Quarterly
Low                  N/A           Once in 2 years    Half yearly
Lesson 6 – Perform historical risk analysis
Rajesh made use of a real life scenario in order to demonstrate how to perform a historical risk analysis. An organisation had over 100 corporate PCs infected by malware. What they realised is that a historical risk analysis and a historical trend analysis were required in order to determine the occurrence, mitigation and prevalence of the malware infection.

On analysis they found:
• Malware had infected the PCs
• Low traffic malware communications were noticed to other PCs in different segments
• Low traffic communication to external IP addresses was also found
• There were no real time alerts in place to capture such communications

In conclusion, Rajesh left the audience with the following important points:
• Perform a thorough risk analysis
• A Security Operations Centre is not just for log monitoring
• Threats are not just at the perimeter
• Adoption of other security technologies is important for effective threat detection
• Choose the right security programme for your assets.
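The Lesson 6 scenario as an added example (mine, not from the presentation or the magazine): a historical trend analysis over a day of constructed flow records that looks for low-volume communications crossing segment boundaries or leaving the network, and counts how many internal hosts share each suspicious destination. The record format, the internal address plan and the thresholds are assumptions, and the regularity test on the gaps between flows goes beyond what the talk describes.

```python
"""Added example (not from the presentation): a historical trend analysis
over flow records, in the spirit of Lesson 6. Everything here is constructed:
the 'ts,src,dst,bytes' record format, the address plan and the thresholds."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Constructed address plan: two internal segments, everything else is external.
SEGMENTS = {"workstations": ip_network("10.10.0.0/16"), "servers": ip_network("10.20.0.0/16")}

@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: str
    dst: str
    nbytes: int

def parse_flow(line: str) -> Flow:
    """Parse one 'ts,src,dst,bytes' record."""
    ts, src, dst, nbytes = line.split(",")
    return Flow(datetime.fromisoformat(ts), src, dst, int(nbytes))

def segment_of(addr: str) -> str:
    ip = ip_address(addr)
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return "external"

def classify_pairs(flows, min_flows=4, max_avg_bytes=2000, max_jitter=0.25) -> dict:
    """Return {(src, dst): 'suspicious' | 'benign'}. A pair is suspicious when it
    crosses a segment boundary or leaves the network, its average size is small
    (low traffic) and the gaps between flows are regular (std dev / mean of the
    gaps <= max_jitter). Bulk transfers and browsing fail the size or gap test."""
    by_pair = defaultdict(list)
    for f in flows:
        by_pair[(f.src, f.dst)].append(f)
    verdicts = {}
    for (src, dst), fs in by_pair.items():
        fs.sort(key=lambda f: f.ts)
        crosses = segment_of(src) != segment_of(dst)
        avg_bytes = mean(f.nbytes for f in fs)
        jitter = float("inf")                     # "not regular" until proven
        if len(fs) >= min_flows:
            gaps = [(b.ts - a.ts).total_seconds() for a, b in zip(fs, fs[1:])]
            if mean(gaps) > 0:
                jitter = pstdev(gaps) / mean(gaps)
        suspicious = crosses and avg_bytes <= max_avg_bytes and jitter <= max_jitter
        verdicts[(src, dst)] = "suspicious" if suspicious else "benign"
    return verdicts

def prevalence(verdicts: dict) -> dict:
    """Distinct internal sources per suspicious destination: the 'prevalence'
    figure the historical analysis is meant to establish."""
    hosts = defaultdict(set)
    for (src, dst), verdict in verdicts.items():
        if verdict == "suspicious":
            hosts[dst].add(src)
    return {dst: len(srcs) for dst, srcs in hosts.items()}

# Constructed flow records for one day.
SAMPLE_FLOWS = [
    # workstation A: small, hourly connections to an external address
    "2013-10-01T08:00:00,10.10.1.5,203.0.113.50,512",
    "2013-10-01T09:00:00,10.10.1.5,203.0.113.50,498",
    "2013-10-01T10:00:00,10.10.1.5,203.0.113.50,520",
    "2013-10-01T11:00:00,10.10.1.5,203.0.113.50,505",
    "2013-10-01T12:00:00,10.10.1.5,203.0.113.50,511",
    # workstation B: the same pattern, so the infection has spread
    "2013-10-01T08:05:00,10.10.1.9,203.0.113.50,500",
    "2013-10-01T09:05:00,10.10.1.9,203.0.113.50,503",
    "2013-10-01T10:05:00,10.10.1.9,203.0.113.50,497",
    "2013-10-01T11:05:00,10.10.1.9,203.0.113.50,509",
    # workstation A: small, regular traffic into the server segment
    "2013-10-01T08:10:00,10.10.1.5,10.20.3.3,300",
    "2013-10-01T08:40:00,10.10.1.5,10.20.3.3,310",
    "2013-10-01T09:10:00,10.10.1.5,10.20.3.3,295",
    "2013-10-01T09:40:00,10.10.1.5,10.20.3.3,305",
    # ordinary file-server use: large and irregular
    "2013-10-01T08:12:00,10.10.1.5,10.20.5.10,1500000",
    "2013-10-01T08:13:30,10.10.1.5,10.20.5.10,820000",
    "2013-10-01T10:47:00,10.10.1.5,10.20.5.10,2300000",
    "2013-10-01T16:02:00,10.10.1.5,10.20.5.10,410000",
    # ordinary web browsing: few flows, irregular
    "2013-10-01T09:03:00,10.10.1.7,198.51.100.20,240000",
    "2013-10-01T09:04:10,10.10.1.7,198.51.100.20,5100",
    "2013-10-01T13:20:00,10.10.1.7,198.51.100.20,88000",
]

def analyse(lines) -> dict:
    """Parse raw records and classify every (src, dst) pair."""
    return classify_pairs(parse_flow(line) for line in lines)
```

Run over SAMPLE_FLOWS the two external beacons and the cross-segment probe come out suspicious while the file-server and browsing traffic stays benign, and prevalence() shows two hosts sharing the external destination.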
Accreditation of Cyber Forensic Laboratory in terms of ISO 17025
by Shadrack Phophi from SANAS
Shadrack spoke about the South African National Accreditation System (SANAS) which is recognised, by the South African government, as the only National Accreditation Body responsible for granting accreditation to forensic laboratories. The accreditation provides assurance that the tests are done competently and that the outcomes are consistent.
Shadrack explained that ISO/IEC 17025 defines the general requirements for the competence of testing and calibration laboratories. The scope of ISO/IEC 17025 is to “…demonstrate that they (laboratories) operate a quality system, are technically competent, and are able to generate technically valid results”. ISO/IEC 17025 “specifies the general requirements for the competence to carry out tests and/or calibrations including sampling”. SANAS assesses and accredits directly against ISO/IEC 17025. Shadrack also pointed out that ISO 17025 is said to be based on laboratory activities whilst ISO 17020 deals with activities at crime scenes and forensic testing.
In order to be accredited by SANAS a laboratory must pass certain tests. The tests look at several factors such as: training and authorisation of staff, maintenance of equipment, calibration of equipment (where relevant), use of appropriate reference materials, provision of guidance for interpretation, checking of results, testing of staff proficiency and recording of equipment or test performance. The tests given are in line with internationally recognised standards, which allows for the comparability of the quality of evidence presented in cross border cases. Additionally, independent assessments are conducted by a competent third party. By successfully passing the tests a laboratory demonstrates its continuing technical competence and impartiality. This in turn increases the customer’s confidence in the organisation and, by doing so, reduces risk.
The competence of the laboratory also needs to be assessed through witnessing or vertical assessment, which includes assessing equipment, personnel, the environment and test methods. Shadrack identified the following factors that are used to determine the technical competence of a laboratory:
• Qualifications, training and experience of the staff
• Correct equipment – properly calibrated and maintained
• Adequate quality assurance procedures
• Proper sampling practices
• Appropriate and valid testing procedures and methods
• Traceability of measurements to national standards
• Accurate recording and reporting procedures
• Suitable testing

Shadrack identified the following benefits of using accredited laboratories:
• Increase confidence in data that is used to establish baselines which are analysed and used to drive decisions
• Reduce uncertainties about decisions and increase public confidence in the laboratory because accreditation is a recognisable mark of approval
• Eliminate redundant reviews and improve the efficiency of the assessment process (which may reduce costs).

The benefits of an organisation partnering with SANAS:
• Helps regulators to verify competence and reduce risk
• Becoming a stakeholder of SANAS
• International recognition
• Taking advantage of the training offered by SANAS

Shadrack ended his presentation by stating what SANAS is NOT:
• It is not merely a means of registering or listing someone or something
• It is not a management system review dressed up with some scientific and technical elements
• It is not the recognition of future capabilities
• It is not the recognition of an individual’s qualifications
• It is not a broad approval of everything a laboratory might do
Perceptions and Reputations
by Robert Lewis from Barclays UK
Robert opened by stating that he had read an article claiming that “Africa has a bad reputation internationally with regards to cybercrime, has poor forensic investigations and is overrun with corruption”. However, he personally does not agree with these perceptions, and in his talk he went on to discuss how such perceptions can be changed. He stated that cybercrime is a national crisis costing the country a billion Rand per annum. The FBI lists South Africa as the sixth most active country in which cybercrime takes place. It was estimated that within two to three years the proceeds from cybercrime would outweigh those from all other forms of crime combined. With regards to skill and staff shortages, Robert went on to say that 300+ vacancies have been identified and that multiple job sites are listing vacancies. It was acknowledged that experienced computer forensics, incident handling and secure software coding skills are in short supply. He further stated that Africa is in dire need of training and that “Forensics needs to collaborate with other departments in the organisation, for example, HR, law, business analysts and others. This move will help organisations save money if they invest in the right tools. Companies should not wait to react to an incident and structures should already be in place. Reaction costs more money than prevention.”
Robert went on to provide some structures that need to be considered for maintaining your reputation:
• Trust – policies, procedures and processes
• Corruption – whistle blowing hotlines
• Staff Abilities – what are their skills?
• Training – internal providers, bespoke courses
• External Vendors – question, visit, challenge and validate
• Recruitment – role profiles defined
• Software Suppliers – ask, challenge and contractual obligations
• Future technology – Needs to be tried and trusted
Standardising the Digital Forensic Investigation Process: ISO 27043 & ISO 27037 Overview
by Prof Hein Venter from the University of Pretoria

Prof. Venter highlighted the importance of the ISO process for standardisation and indicated that it is a very rigorous process. He discussed the ISO structure in terms of what sub-committees and work groups exist as part of it. He indicated that there is a need to standardise the digital forensic investigation process because there are disparities in the current models that are used. Furthermore, current models do not cover the forensic readiness process, i.e. the proactive aspect.

Prof. Venter stated that ISO/IEC 27043 is an ‘umbrella standard’. One can say that ISO/IEC 27043 covers the width, whilst 27037 (and the others) cover the depth. ISO/IEC 17025 sets out the general requirements for the competence of testing and calibration laboratories. Prof. Venter stated that the standardisation process started in October 2010 and the standard is expected to be published early in 2015.
Computer Forensics, Investigation of Cybercrime - What is the Next Step?
by Paul Wright from Access Data
A very catchy phrase was stated by Paul at the beginning of his presentation: ‘You can buy all the tools you want, but if you do not have the foundation stone it doesn’t work’. The statement got the audience thinking. The foundation stones he spoke about were:
• Digital intelligence
• Partnerships
• eCrime Prevention and Education
• The closing of electronic voids (eVoids)
• Incident response and forensic capability

A brief overview of each foundation stone is provided:

Digital intelligence
Paul encouraged organisations to conduct intelligence analysis at all times. The criminals can attack at any point, which may be through your employees or previous employees, or even external suppliers or business partners. It is of paramount importance for organisations to know the following:

Employees and Suppliers
• Who is an employee
• Who is a supplier
• Which employees have resigned

Public Sector and Private Sector
Organisations should have solid information on the repercussions of cybercrimes and how to handle such cases in terms of:
• Prosecution, disruption and dismantlement
• Control, reputational damage, financial loss and downtime
• Intelligence

Emphasis is also placed on the importance of analysing information shared by employees in your organisation. The websites they visit the most and the information sent out should be analysed. It is important for organisations to let their employees know that they should not share too much information. Intelligence gathering tools like Maltego can be used to gather information on entities, as well as the following intelligence sources:
• Verizon Data Breach Report
• Computer media
• Pro-active use of Cyber Security tools
• Real world intelligence
• Human intelligence sources
• Partnerships, both internal and external
• Incident response
• Open source harvesting of the Internet

Paul ended the discussion regarding digital intelligence by saying “Criminals share intelligence, and we need to do the same”.
Partnerships Paul spoke of cases where collaboration between different organisations resulted in large criminal entities being taken down which demonstrated the importance of working as a team to tackle cybercrime and catch cybercriminals.
eCrime Prevention and Education
There are most likely very few organisations that check for eCrime prevention and whether they are aligned to their policies. New employees should be told what to do and what not to do. Organisations should enrol employees and educate them on eCrime. Organisations should strive to do the following:
• Educate their employees
• Monitor and control USBs and other external computer media
• ‘Harvest’ Intelligence off the Internet
• Ensure processes are aligned to their policies
Essentially, organisations should know that eCrime prevention will reduce the likelihood of a cybercrime taking place.
The Closing of Electronic Voids (eVoids)
An eVoid refers to any opening that may be infiltrated by cyber criminals. In order to close eVoids organisations should be aware of the following:
The unknown:
• Do you know where your data is?
• Do you know who has access to your system?
• Do you know your network and what systems you have?
The future:
• Need to have a 360 degree view
• Data will become more volatile
• Data in motion and static data
Incident response and forensic capability
Paul states that, “Organisations should find gaps, assess them and work on them”. Cyber security can be challenging when applied to non-traditional environments, so organisations should conduct a cybercrime gap and impact analysis. Organisations get it wrong by juggling several disparate products, for example network analysis, computer analysis, malware analysis and log analysis. They also have disparate teams that do not collaborate with each other, like the computer forensics, information compliance, malware and network security teams. Some organisations do not even know who owns their network! Some networks are owned by external service providers, which increases the risks of cyber attacks and data breaches. Organisations should rather build a multi-team collaboration like the one below:
Paul’s closing words were that, “Organisations need to have the foundations in place”. By having foundations in place, they may reduce their chances of data breaches and financial losses.
Electronic Forensic Services First Responder Vehicle
by Gerhard Oberholzer (Obi) from SARS

Obi opened by providing some exciting news: Computer Forensics and SARS’s Computer Forensic Labs are building on SARS’ modernisation agenda to establish a national capacity to support SARS with computer forensic investigations and tools to assist in the analysis of data.

Figure: SARS Mobile Lab

Computer Forensics entails the collection, extraction, preservation and analysis of electronic data to support a wide range of applications, including:
• Civil litigation and debt recovery
• Criminal prosecutions
• Disciplinary actions

He went on to provide some important and useful information with regards to the steps taken against those who are not compliant when it comes to paying tax. The steps are as follows:
Step 1: Notification of audit In the normal case of conducting an audit on a taxpayer, a Notification of Audit is sent to the taxpayer and the taxpayer is required to provide copies of the relevant material within 21 business days from the date of this letter. The Notification of Audit Letter must display the scope and initial basis of the audit. Should SARS not receive the requested information, or if additional information is required, a Request for Relevant Material can be sent to the taxpayer. If the requested information is not provided, within 21 business days from the date of this letter, a search and seizure warrant may be issued. The ‘‘relevant material’’ is described as any information, document or “thing” that is foreseeably relevant for tax risk assessment, assessing tax, collecting tax, showing noncompliance with an obligation under a tax act or showing that a tax offence was committed.
Cybershield Magazine • January - March 2014 • Cybercrime • Page 21
CyberCon 2013 Special
“A senior SARS official (SSO) may, if necessary or relevant to administer a tax Act, authorise an application for a warrant under which SARS may enter a premises where relevant material is kept to search the premises and any person present on the premises and seize relevant material.”
EFS Mobile Scanning
If the search and seizure warrant is issued the SARS officials will visit the premises using the SARS mobile lab. The SARS mobile lab is a state of the art vehicle that can be used to create images of devices on site and scan documents. The SARS mobile lab also has its own power supply and is a fully functional mobile scanning solution that makes use of laptops and mobile scanners. The mobile lab is equipped with cameras that record all procedures followed during investigations which may be used at a later stage should the evidence and /or process used be disputed. SARS currently has forensics labs in Durban, Cape Town and Johannesburg only. Additionally, SARS will be introducing a mobile lab (first response vehicle) to carry out the following: Data collection
Collect data when auditing a taxpayer
Data extraction
Extract and convert collected data into a usable format for the Auditor
Data analysis
Conduct complex data analytics on collected data
Document scanning
OCR (Optical Character Recognition) and data extraction from printed and scanned PDFs
Computer forensics
Imaging and extraction of data during a search and seizure
Information security
Safeguarding of taxpayer information
The public are urged to make use of the services provided and cooperate in order to avoid further legal action being taken against them.
Step 3: Issuance of warrant A judge or magistrate may issue the search and seizure warrant if they are satisfied that there are reasonable grounds to believe that the person failed to comply with an obligation imposed under a Tax Act, or committed a tax offence and relevant material is likely to be found on the premises specified. A search and seizure warrant that is issued must contain the following: The alleged failure to comply or offence that is the basis for the application
Inside the mobile lab
Cybershield Magazine • January - March 2014 • Cybercrime • Page 22
•
The person alleged to have failed to comply or to have committed the offence
•
The premises to be searched and the fact that relevant material is likely to be found on the premises.
Some of the equipment in the SARS Mobile Lab
Cyber Forensics & Incident Management
Step 2: Search and seizure - Application for warrant
CyberCon 2013 Special
Digital Forensics as a forensic science discipline
by Jason Jordaan from the Special Investigating Unit (Cyber Forensic Laboratory)
Jason began his presentation by talking about how to assess a scene. When it comes to investigations, he states that the incident scene, suspect and victim make up evidence when assessing a scene. In a digital forensics investigation strict procedures and techniques must be followed to allow the results of the investigation to be entered into a court of law.
Computer forensics seeks to introduce cohesion and consistency to the wider field of extracting and examining evidence obtained from a computer at a crime scene. In particular, the extraction of evidence from a computer is performed in such a way that the original incriminating evidence is not compromised.
Computer forensics is a forensic science, which can be defined as:
• The examination, evaluation, and explanation of evidence in law
• The application of science to the investigation and prosecution of crime, or the just resolution of conflict.
• The use of science and technology to investigate and establish facts in criminal or civil courts of law.

Diverging disciplines
Jason stated that current digital forensics is diverging in two different directions as follows:
• Digital forensic science: a branch of forensic science encompassing the recovery and investigation of material found in digital devices, often in relation to computer crime.
• Digital investigation: a process used to answer questions about digital states and events.

The current practice involves investigations which are conducted at a large scale followed by limited digital forensics. However, with time, Jason sees this practice evolving and leading to digital investigations occurring after the basic investigation, as shown in the diagram (diagram labels: Current Digital Forensics; Digital Forensic Science; Digital Investigation).

Forensic Science
The different types of forensic science can be seen in the figure (figure labels: Pure Science Applied to Investigations; Pure Science or Investigation Hybrid; Investigation Methods Developed Into Science). When talking about the forensic science elements, Jason included the following:
• Knowing the hypothesis or question to be tested.
• Establishing that the items provided are suitable for the requirements of the case at hand.
• Confirming that the type of examination has been correctly selected.
• Confirming that the examination has been carried out competently.
• Summarising and collating the results of the examination.
• Interpreting the results of the examination in accordance with established scientific principles.
• Considering any alternative hypothesis.
• Preparing a report or affidavit based on the findings of the examination.
• Presenting evidence in court.
• Ensuring that all documentation used in the complete process is fit for the purpose it is intended for.
• Ensuring that the findings are repeatable.
• Ensuring that the methods and tools used are validated.
• Ensuring that the results have been verified.

Jason then spoke about scientific evidence, how it came about and how it works. Digital forensics has traditionally been considered as scientific evidence. Scientific evidence can have a significant influence in court by virtue of it being “scientific”. Because of the power of science to persuade, courts are said to have become wary of accepting scientific evidence and as such have started to assess the validity of scientific processes before accepting the results. The Supreme Court may order federal trial judges to be the “gatekeepers” of scientific evidence. Trial judges will then evaluate expert witnesses to determine whether their testimony is both “relevant” and “reliable”; a two-pronged test of admissibility. The relevancy of a testimony refers to whether or not the expert’s evidence “fits” the facts of the case. In order for the testimony to be considered reliable, the expert must have derived his/her conclusions using the scientific method. He described how, under the Daubert standard, scientific evidence is evaluated using the following criteria:
• Has the theory or technique been tested, or can it be tested?
• Is there a high known or potential rate of error, and do standards controlling the technique’s operation exist and are they maintained?
• Has the theory or technique been subjected to peer review and publication?
• Does the theory or technique enjoy “general acceptance” within the relevant scientific community?
In his closing remarks, Jason stated that digital forensics as we currently know it is evolving, and this evolution matches the evolution of other forensic science disciplines. Digital forensics is recognised formally as a forensic science, but not all current digital forensic practices fall within the ambit of forensic science. The solution is a divergence of the current digital forensics field into two disciplines, namely digital forensic investigation which is a subset of forensic investigation, and digital forensic science which is a subset of forensic science.
Data Analytics
by Yolandé Byrd from FACTS Consulting
Yolandé began her presentation by posing the question: “Are organisations doing enough?” She then went on to provide statistics showing that in some cases in Europe there are high levels of corruption, which is a cause for concern. The statistics can be seen below:
She then discussed the Siemens scandal case study. Siemens is said to have created slush funds to bribe foreign officials to secure contracts. This scandal led to:
• €450 million lost
• €420 million in bribes paid out
• €30 million in fines and taxes
• 200 government personnel being implicated
• 5 employees indicted
After reviewing the case study, Yolandé posed the same question again: “Are organisations really doing enough?” She highlighted that the PwC survey showed that about 41% of incidents were detected by accident or by tip-offs.
Below is a graph that shows the 2012 Association of Certified Fraud Examiners (ACFE) report:

Yolandé livened up her presentation when she asked the attendees to open a link and register their personal details before asking a series of questions. After each question, the participants got the opportunity to view the statistics of the answers given on a pie chart. At the end of the fun activity she let the participants know that the information provided had been stored in a structured database, ready to use and ready to apply data analytics on.
Organisations should conduct continuous monitoring of their systems because: “When someone commits an act of fraud, there is invariably a record of their actions or an indicator of their deceit. Applied on a continual basis through continuous auditing or monitoring, detective measures can become preventative in nature. When it’s known that activities are being monitored 24/7, an environment is created where the risk of getting caught outweighs the possible gains.”

The analytics can be used as a way of monitoring activities within an organisation such as:
• Procurement
• HR/Payroll
• Financial statement fraud
• External fraud (medical aids, insurance and banking)
• Pyramid/Ponzi schemes
The audience were astonished at the information that she had collected during the activities. She had statistics on the type of devices used by the audience to participate in the activities. She had statistics on the websites that the participants had visited a couple of days before. This served as a wake-up call to the audience on what sort of information criminals can get once they (unsuspecting victims) visit or enter their personal details into a spoofed or hacked website.
There are different types of analytics, namely exception reporting / “red flags”, trend analysis, reconciliation, relationship links, analysis of unstructured data and quantification of losses. Yolandé urges organisations to conduct analysis on anything that can be linked and anything with data. It is also advisable for organisations to rate suppliers according to the risks they may pose. In order to deal with fraud, a tactical approach needs to be taken as follows:
• Review of available audit logs
• Start behavioural analysis of internet activity for profiling purposes
• Determine probabilities of most likely suspects
• Determine expected system count

Yolandé made it clear that it is important to review and audit all logs as they could result in:
• Finding evidence of hacking research and tools
• Finding evidence of illegal downloading of copyrighted content (torrenting)
• Finding evidence of access to inappropriate content

Yolandé said that the most interesting search term she found in log files was that someone Googled “how to whiten your armpit”!

In conclusion, Yolandé advised companies to put continuous monitoring in place to detect fraud, because there will always be a record of the action that leads to the fraud or an indication of the attacker’s intent to commit fraud. The continuous monitoring can be achieved by making use of data analytics, which can be used to identify things such as two suppliers sharing the same address. She also stated that although data analytics can be applied to any area of an organisation, the focus should be on the procurement and HR departments, because the majority of fraud happens in these departments.
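As an added example (not code from FACTS Consulting or the magazine), here is the “two suppliers sharing the same address” red-flag check described above, run over a constructed supplier master file; the sample records, the address normalisation rules and the output format are assumptions.

```python
"""Exception report: distinct suppliers registered at the same address.
Added example with constructed data; not code from FACTS Consulting."""
import re
from collections import defaultdict

# Constructed sample supplier records (hypothetical vendors, addresses and
# amounts paid in the period under review).
SUPPLIERS = [
    {"id": "V001", "name": "Acme Stationery", "address": "12 Main Street, Sandton", "paid": 48_000},
    {"id": "V002", "name": "Bright Office Supply", "address": "12 MAIN ST., SANDTON", "paid": 121_500},
    {"id": "V003", "name": "Cape Cleaning CC", "address": "7 Harbour Rd, Cape Town", "paid": 15_200},
    {"id": "V004", "name": "Delta Logistics", "address": "88 Long Ave, Durban", "paid": 310_000},
    {"id": "V005", "name": "Echo Consulting", "address": "12 Main Street Sandton", "paid": 64_000},
]

# Assumed abbreviation table; extend it for the conventions of your own master data.
_ABBREVIATIONS = {
    "street": "st", "str": "st", "road": "rd", "avenue": "ave", "av": "ave",
    "drive": "dr", "lane": "ln",
}


def normalise_address(address: str) -> str:
    """Canonicalise an address so that trivially different spellings
    (case, punctuation, 'Street' vs 'St.') collide on the same key."""
    tokens = re.sub(r"[^a-z0-9 ]", " ", address.lower()).split()
    return " ".join(_ABBREVIATIONS.get(tok, tok) for tok in tokens)


def shared_address_report(suppliers):
    """Group suppliers by normalised address and return only the groups that
    contain more than one distinct supplier id, largest total paid first."""
    groups = defaultdict(list)
    for supplier in suppliers:
        groups[normalise_address(supplier["address"])].append(supplier)

    flagged = []
    for address, members in groups.items():
        ids = sorted({m["id"] for m in members})
        if len(ids) > 1:
            flagged.append({
                "address": address,
                "supplier_ids": ids,
                "total_paid": sum(m["paid"] for m in members),
            })
    flagged.sort(key=lambda f: f["total_paid"], reverse=True)
    return flagged


if __name__ == "__main__":
    for flag in shared_address_report(SUPPLIERS):
        print(f"{flag['address']}: {flag['supplier_ids']} "
              f"total paid {flag['total_paid']}")
```

Each flagged group is a lead for the fraud team to follow up, not proof of fraud; a legitimate shared office park address will also appear here.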
Africa Cyber Threat Collaboration
Cybercrime in Africa - A model for collaboration
by Craig Rosewarne from Wolfpack Information Risk
In his opening remark Craig stated that there are threats and opportunities facing Africa in dealing with the cyber threat. The following question was posed: what is cyber security and what is its relation to other security domains? Craig responded to the question saying that cyber security entails information security, that is, ICT security and critical information infrastructure protection, network security and internet security. He went on further to state that there are different motives around cyber threats. These motives are closely tied to cyber espionage, cybercrime and hacktivism.
Craig referred to the Verizon 2013 Data Breach Investigations Report, which analysed:
• Over 47,000 security incidents
• 621 confirmed data breaches
Craig explained that attackers (cyber actors) differ across the industries and regions in which they operate, just as their attacks, targeted assets and desired data differ. Below is a table that describes the possible motivations and tactics behind attacks.
Motivation and Tactics (Source: 2013 Verizon Data Breach Investigations Report)

Organised crime
Victim industry: Finance; Retail; Food
Region of operation: Eastern Europe; North America
Common actions: Tampering (physical); Brute force (hacking); Spyware (malware); Capture stored data (malware); Adminware (malware); RAM scraper (malware)
Targeted assets: ATM; POS controller; POS terminal; Database; Desktop
Desired data: Payment cards; Credentials; Bank account info

State-affiliated
Victim industry: Manufacturing; Professional; Transportation
Region of operation: East Asia (China)
Common actions: Backdoor (malware); Phishing (social); Command/control (malware, hacking); Export data (malware); Password dumper (malware); Downloader (malware); Stolen cards (hacking)
Targeted assets: Laptop/desktop; File server; Mail server; Directory server
Desired data: Credentials; Internal organisation data; Trade secrets; System info

Activist
Victim industry: Information; Public; Other services
Region of operation: Western Europe; North America
Common actions: SQLi (hacking); Stolen cards (hacking); Brute force (hacking); RFI (hacking); Backdoor (malware)
Targeted assets: Web application; Database; Mail server
Desired data: Personal info; Credentials; Internal organisation data

The table shows that attackers target everyone from multinational organisations to small businesses to governments, across all industries. He states that:
“Nobody is immune. It’s not just the big boys being targeted but also the small companies with little security in place. Our defences are still not as strong as we think; even though we are now spending a lot of money on security, the criminals are still getting through.”

In 66% of cases, the breach was not discovered for months or even years. Statistics show that it takes attackers a short time to plan and carry out their intrusion, but it takes organisations several months or even years to discover breaches or attacks. Discoveries of attacks are often made by outsiders: 69% of breaches were spotted by an external party and 9% were discovered by customers.
Craig goes on to say that the cyber threat is now seen as a strategic priority globally, as can be seen by the following:
• The US and UK governments have rated the danger of cyber attacks as a Tier 1 threat
• The recent 2013 Lloyds Risk Index, conducted with global CEOs, rated cyber risk as the number 3 concern facing corporates today
• In Africa a shortage of government and private industry stakeholder initiatives has increased the risk for local governments, companies and citizens

The 2013/4 Wolfpack SA Cyber Threat Barometer report provides an in-depth study on the current challenges facing South Africa in dealing strategically with the cyber threat. A summary of the challenges found was categorised as follows:

Prevent:
• Promoting vulnerability and threat management in their organisations/countries.
• Continuously improving the skills of IT experts, police and prosecutors. Cyber criminals are continuously upgrading and coming up with new ways to penetrate systems, and so should our employees and government.
• Coming up with a National Awareness Programme to educate the ordinary citizen on how they can avoid becoming a victim of cybercrime. Wolfpack have recently launched a national awareness website, www.alertafrica.com, to assist in this regard.

Detect:
• Organisations have weak fraud detection mechanisms in place, which makes it easier for perpetrators to penetrate systems and steal money.
• There is no national Computer Security Incident Response Team (CSIRT) currently in place. This leads to large losses, as the cyber criminals have ample time to keep hitting one organisation before the incident is responded to.
• There is minimal cross-industry collaboration. It would be helpful if organisations from different industries shared information on different attacks and how they responded to them. This would reduce the number of attacks around the continent and help put systems in place to avoid similar attacks.

Investigate:
• There is a need for improved/streamlined processes when investigating cases, as well as for how to respond after a security or information breach. Most organisations and individuals are not aware of what to do after becoming a victim of cybercrime.
• Smaller cases are often neglected, as the victims may be graded as easy targets (prone to attacks). These cases may be neglected because less money has been lost compared to those of large multinational companies.
• Lack of quantitative cybercrime figures makes it difficult for government to prioritise resourcing teams to deal with the cyber threat.

Prosecute:
• The ECT Act needs to be updated/implemented with regards to recognising the importance of stronger penalties levied on cyber criminals.
• Dilution of cybercrime cases with common law. It would be ideal to have focused laws for cybercrime.
In the diagram below, all the sections work interdependently. Information risk management should ensure that strategies are implemented and aligned by working with the business strategy team and IT and operations management. The same concept can be applied at a country level.

Diagram labels: Business Strategy (strategic - what); Governance; Information Risk Management (tactical - how); IT & Operations Management (monitor interdependencies).

For phase 2, Craig suggested that a common cyber security model may scale for a company / industry / country / continent. He recommends that there should be information governance principles to satisfy business objectives. Information needs to conform to certain control criteria such as:
• Strategic alignment
• Operational efficiency
• Performance measurement
• Value delivery
• Risk management
He then recommended which standards and best practices can be used in an organisation:
1. KING III and COBIT 5.0 for Information & IT Governance
2. The suggested best practice for ensuring information and cyber security in your organisation is by using or measuring it against the SANS 20 Critical Controls and ISO 27001/2
3. Lastly, privacy may best be implemented by adhering to the privacy requirements from laws such as POPI.

Organisations should be aware that for security systems to be effective there is a need for all departments and business policies to be considered when implementing security infrastructures.
He then provided an outline for a cyber security model and listed the following national cyber security strategies:
• Identify and engage stakeholders
• Set the vision, scope, objectives and priorities
• Develop a clear governance structure
• Follow a national risk assessment approach
• Take stock of existing policies, regulations and capabilities
• Establish trusted information sharing mechanisms
• Organise cyber security exercises
• User awareness, training and education programmes
He ended his presentation by referring to how his organisation, Wolfpack Information Risk, has taken a positive step towards educating individuals on cybercrime by launching an information risk skills programme, which will provide a highly effective information risk education and awareness programme to attract, assess and continuously develop skills at all levels within an organisation. Below is an outline of some of the local South African initiatives led by Wolfpack Information Risk:
• Information risk skills programmes through SANS
• Graduate development programme under the Wolfpack Cyber Academy
• The launch of an online learning and training simulation (launching in 2014)
• Cyber emulation “war” game (launching in 2014)
• Alert Africa portal (http://alertafrica.com), which is a website dedicated to educating citizens on the different attacks, how they work and how to avoid becoming a victim. The website also provides valuable contact details (report-to numbers) that one can use when they have been attacked.
• Cybershield Magazine, which is a quarterly digital magazine packed with high quality local and international articles, research and events for the African information security community.
Cyber Security – Success Stories from Nigeria
by David Isiavwe from the Union Bank Nigeria
David’s opening statement was that, according to CBN, the banks in Nigeria have lost N14.8 billion ($100 million) to fraud. David began his presentation by providing a brief background on Nigeria stating that it has a cash dependent economy, hence crimes related to credit cards and credit payment systems are low. However, electronic banking is widespread and so is crime in that area. He aired his view on how Nigeria needs to start moving towards using cashless forms of payments such as: Debit/credit/prepaid cards for electronic payments via Point of Sale (POS) terminals and ATMs, Internet banking, mobile payments, direct debits/credits and Auto Clearing House (ACH) payments.
He quoted how, according to fraud prevention technology provider Iovation Inc, Africa had the highest online fraud rate in 2012 when compared to other continents. Additionally, based on the data gathered by Iovation, the following countries were victims of online fraud in 2012:
• Africa, 7%: Nigeria and Ghana
• Asia, 5%: Bangladesh, Vietnam and India
• South America, 4%: Chile and Brazil
• Europe, 2%: Poland, Romania and Portugal
• North America, 1%: Mexico
He also highlighted the fact that the Nigerian Payments System has been greatly improved over the past years with the introduction of a number of initiatives under the Payments System Vision 20:2020 Program, which resulted in a significant drop in fraud. The key components of this program are:
• Enlightenment campaign on protection of PIN/card details for cardholders
• Implementation of Nigeria Uniform Bank Account Number (NUBAN) system
• Establishment of Nigeria Electronic Fraud Forum (NEFF) by the CBN
• Cheque truncation across the country
• Mandatory compliance with EMV standards
• Card fraud prevention strategies
• Collaboration by banks, switches, the Economic and Financial Crimes Commission (EFCC), the Nigerian Communications Commission (NCC), the National Identity Management Commission (NIMC) and other institutions to fight e-payment fraud.
• Second level authentication for card not present transactions
• Implementation of Nigeria Central Switch (NIBSS)
• Implementation of real-time online monitoring tools for PIN entry attempts by banks
• Implementation of Mobile Payment Standards and Guidelines on ATM and POS Operations in Nigeria
• Automatic blocking of cards after three unsuccessful PIN attempts.
• Limits for card-to-card transfers, POS and web payments.
• Deployment of new Real Time Gross Settlement (RTGS) System for a Cash-less Nigeria
• Banks to segregate the process of PIN handling and card activation.
• Implementation of Instant Payment System
• Enhanced due diligence on merchants before POS terminals are allocated.
• Maximum cap on cash and cheque payments
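Two of the controls listed above, real-time monitoring of PIN entry attempts and automatic blocking after three failures, combine naturally into one piece of issuer-side logic. The following is an added example on constructed events (hypothetical card numbers and terminal ids), not code from any Nigerian bank, switch or the CBN; the decision names and the PAN masking format are assumptions.

```python
"""PIN-attempt monitor: block a card after three consecutive PIN failures and
raise alerts for the fraud desk. Added example with constructed events."""
from dataclasses import dataclass, field

MAX_FAILED_ATTEMPTS = 3  # threshold stated on the page


def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits so that alerts and logs
    never carry a full card number."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass
class CardState:
    consecutive_failures: int = 0
    blocked: bool = False
    failure_terminals: list = field(default_factory=list)


class PinAttemptMonitor:
    """Tracks consecutive PIN failures per card across all terminals."""

    def __init__(self, max_failures: int = MAX_FAILED_ATTEMPTS):
        self.max_failures = max_failures
        self._cards = {}      # card number -> CardState
        self.alerts = []      # human-readable alerts for the monitoring desk

    def process(self, event: dict) -> str:
        """event has keys 'card', 'terminal' and 'ok' (True if the PIN matched).
        Returns one of: approved, declined, blocked, rejected-blocked."""
        state = self._cards.setdefault(event["card"], CardState())
        masked = mask_pan(event["card"])
        if state.blocked:
            # Continued use of a blocked card is itself worth an alert.
            self.alerts.append(f"{masked}: attempt on blocked card at {event['terminal']}")
            return "rejected-blocked"
        if event["ok"]:
            # A correct PIN resets the counter; only consecutive failures count.
            state.consecutive_failures = 0
            state.failure_terminals.clear()
            return "approved"
        state.consecutive_failures += 1
        state.failure_terminals.append(event["terminal"])
        if state.consecutive_failures >= self.max_failures:
            state.blocked = True
            terminals = sorted(set(state.failure_terminals))
            self.alerts.append(
                f"{masked}: blocked after {state.consecutive_failures} "
                f"failed PIN attempts at {terminals}")
            return "blocked"
        return "declined"

    def is_blocked(self, card: str) -> bool:
        return self._cards.get(card, CardState()).blocked


# Constructed sample events in arrival order (hypothetical PANs and terminals).
EVENTS = [
    {"card": "5399830000001234", "terminal": "ATM-LAG-01", "ok": False},
    {"card": "5399830000001234", "terminal": "ATM-LAG-07", "ok": False},
    {"card": "5399830000005678", "terminal": "POS-ABJ-22", "ok": False},
    {"card": "5399830000005678", "terminal": "POS-ABJ-22", "ok": True},
    {"card": "5399830000001234", "terminal": "ATM-LAG-07", "ok": False},
    {"card": "5399830000001234", "terminal": "ATM-LAG-07", "ok": False},
]


def run_monitor(events):
    """Feed events through a fresh monitor; return it and the decisions made."""
    monitor = PinAttemptMonitor()
    decisions = [monitor.process(e) for e in events]
    return monitor, decisions


if __name__ == "__main__":
    monitor, decisions = run_monitor(EVENTS)
    print(decisions)
    for alert in monitor.alerts:
        print(alert)
```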
David posed a question asking why we should combat cybercrime. He responded as follows:
• The unregulated nature of the internet, together with the vulnerability of online businesses, has led to massive cybercrime globally. This ranges from identity theft, corporate espionage, fraud and hacking to stolen credit card information, and so on. He highlighted that such crimes may threaten a nation’s security and financial health. If left unchecked, cybercrime could precipitate another global economic crisis!
• “Undetected financial fraud is one of the greatest risks to an organisation’s viability and corporate reputation, and it has the capability to draw into its sphere all associated people, not only the guilty.” Jeffrey (2005).

He then spoke about the global cost of cyber crime by referring to the 2013 Cost of Cyber Crime Study done by the Ponemon Institute (2013), which revealed the following:
• Average annualised cost of cybercrime per organisation in 2013 was $11.56 million. This is an increase of 26 percent, or $2.6 million, over the average cost reported in 2012.
• Organisations in defence, financial services, energy and utilities suffered the highest cybercrime costs.
• The average time to resolve a cyber attack was 32 days, with an average cost incurred during this period of $1,035,769, or $32,469 per day, a 55% increase over 2012’s estimated average cost of $591,780 for a 24-day period.
• Denial-of-service, web-based attacks and insiders account for more than 55% of overall annual cybercrime costs per organisation.
• Smaller organisations incur a significantly higher per-capita cost than larger organisations.
• Recovery and detection are the most costly internal activities.
David then took the conference attendees through the fraud trends of 2012 in Nigeria, particularly payment card fraud, where he highlighted the following:
• Between Jan-Mar 2012, most of the fraud cases were airtime recharge transactions, hence small fraud losses were recorded.
• Between Apr-Jun 2012, the fraud trend moved to mobile money because it was easier for fraudsters to transfer funds and also buy goods.
• From Apr-Dec 2012 fraud went up as criminals became more advanced and as banking went online.
• From Oct-Dec 2012 fraud was very high because people did more shopping around that time in preparation for Christmas, which resulted in more cards getting cloned.

In relation to card fraud density:
• Jun-July 2012 had the highest fraud density value because the criminals gained a more in-depth understanding of e-banking, just as the people also started using the e-banking system more.
• In October 2012 the density increased as there were more sales volumes and a larger number of merchants selling high valued goods.
• Statistics show that in 2009 ATM cards were easily duplicated as the magnetic strip was easily cloned. It became a national emergency when people kept receiving alert messages. In 2010 the Central Bank made it mandatory for all banks to have chip and PIN cards.
• A Risk Rank downgrade on some merchants using the merchant categorisation in July 2012 helped reduce fraud exposure, which in turn brought down the losses incurred from fraud between August and October 2012.
• Fraud on ATMs locally was not reported in 2012; however, this does not mean there was no fraud on this channel, because there was fraud occurring on ATMs in other countries that were not EMV compliant.
David stated that the incidents of cybercrime in Nigeria went down for the following reasons:
• Fraud awareness / training activities by stakeholder groups – CBN, NCC, E-PPAN, Interswitch, ISSAN and NIBSS in collaboration with the press.
• Regulatory framework and close monitoring by the CBN
• Implementation of strong internal controls by banks and switches – “Living in the minds of the auditees”.
• Collaboration with law enforcement agencies like EFCC and Nigeria Police
• Investment in technology solutions like real-time monitoring solutions as well as migration to EMV
• Tone at the top by senior management via an ethical organisational culture which promotes ethical behaviour, good administrative practices and sound controls.
• Implementation of a Conflict of Interest Policy
• Code of conduct that sets clear standards of conduct and acceptable behaviour for employees.
• Conducting pre-employment screening.
• Increased speed of fraud investigations and collaboration amongst banks.
On a parting note, David stated that although the spate and incidents of cybercrimes have reduced due to security awareness training, innovative technological controls and collaboration amongst stake-holders, there is still need for cybercrime legislation to be in place to fully combat cybercrime across the continent.
Post Bank Saga - A police perspective
by Brigadier Pieterse from SAPS Commercial Crime Division: Directorate for Priority Crime Investigation (DPCI)
Brigadier Pieterse feels that those who are part of investigations should enjoy the investigation, manage personal differences, stay focused and remain motivated. Brigadier Pieterse gave a brief background summary on the 2012 Postbank saga:
• Postbank primarily hosts clients from the previously disadvantaged communities and only deals with savings accounts/small investment accounts
• Post Offices nationally act as branches for Postbank
• A Postbank account operates in the same manner as an “ordinary” bank account. Some clients prefer to still make use of a Postbank book linked to their account, whilst other customers (account holders) prefer a Postbank card
• Cards can be utilised as a debit card or be presented at stores for payment on purchases instead of cash
• On the 3rd of January 2012 Postbank found out that R42 782 500 had been fraudulently deposited into a hundred and three (103) Postbank customer beneficiary accounts. R30 882 800 was unlawfully withdrawn during 5437 ATM transactions (in South Africa). The syndicate withdrew the last of its loot at 6:11am on the 3rd of January. The theft occurred over three days.

The Sunday Times were told that the syndicate started its operation by opening accounts in post offices across the country in late 2012. When the offices closed for the New Year holiday period, the syndicate gained access to a Rustenburg Post Office employee’s computer, linked to the Postbank’s server system and made deposits into the accounts. It also increased limits on the accounts to allow extremely large withdrawals. The Postbank normal ATM daily withdrawal limit is set at one thousand rand (R1 000), yet it was increased to R500 000 during December 2011 and no red flag was raised! Over the next three days, ATMs in Gauteng, KwaZulu-Natal and the Free State were used to withdraw cash from the accounts. It is apparent that the cyber heist was committed in a sophisticated and organised fashion, by a group of people operating in a syndicate.

In the end the Postbank investigative results led to the arrest of 5 individuals. The search/seizure investigating team seized electronic apparatus and evidence. There were some lost opportunities when this incident occurred. There was a sense that “somebody” did not want it to be known that Postbank had been the victim of cybercrime (possibly concern around internal vulnerabilities being exposed or reputational risk), which resulted in almost a two week delay. Also, there was limited operational assistance from law enforcement during the initial stage of the investigation, which caused further delays. The delay led to the cybercrime scene not being known to the investigation team, and the forensic analysis caused further delays.

He then discussed what challenges are faced by government in developing a National Cyber-security Policy Framework (NCPF). The NCPF seeks measures to:
• address national security threats in terms of cyberspace
• promote the combating of cyber crime
• build confidence and trust in the secure use of Information and Communication Technology (ICT)
• develop, review and update substantive and procedural laws to ensure alignment

The NCPF is intended to provide a holistic approach and will be supported by a National Cyber Security Implementation Plan. He then went on to discuss the challenges faced by law enforcement:
• The “traditional investigative methodology” approach in addressing the cybercrime threat does not effectively address the business systems in relation to cyber crime
• The upsurge in cybercrime within the financial environment poses a threat to South Africa’s democracy and economy
• Strategies and measures against cybercrime would have to follow a criminal justice rationale, linked to broader crime prevention and criminal justice policies, aimed at contributing to the rule of law and the promotion of human rights

Brigadier Pieterse provided attendees with an overview of the legislative framework available in SA:
• Procedural law: criminal investigations and prosecutions in South Africa are undertaken in terms of the Criminal Procedure Act (CPA), 1977
• The CPA probably needs to be amended to fully accommodate the implications of Information Technology
• South African criminal law offers a variety of common-law and statutory offences, which could be applied to prosecute offenders of cyber crime
• The most significant legislation in South Africa is undoubtedly the Electronic Communications and Transactions (ECT) Act, 2002
• There is a need to ensure that the legislative framework is addressed in accordance with international legislation

Brigadier Pieterse goes on to compare the Postbank incident to the Yonkers cyber fraud case, which has similar characteristics:
• Both cases are very good examples of how complex (yet simple) organised crime targeting electronic banking products has become.
• In both incidents the daily limits were increased.
• The use of ICT infrastructure to enable large organised crime attacks across borders (transnational) was adopted
• The ATM was used as the preferred cash out method (also the case in SA)
• Decentralised attack with as many as 24 countries involved
• Data theft from processing centres which are not strictly regulated
Africa Cyber Threat Collaboration
The
•
• •
In conclusion, Brigadier Pieterse gave some points on what he believes should be the way forward for South Africa: •
•
• •
Successful criminal prosecution by law enforcement agencies and prosecuting authorities depend essentially on the availability of prima facie admissible evidence Develop a strategy to successfully eradicate cybercrime which will contribute to Government’s Delivery Agreement that “all people in south Africa are and feel safe” The Imperative strategy should meet international benchmarked standards and be inclusive of a multi stakeholder approach in design/implementation/management Cybershield Magazine • January - March 2014 • Cybercrime • Page 31
Looking back at 2013
The top 10 Cyber News Highlights for 2013

2013: The year the world lost its Privacy!
2013 began with Mandiant releasing a report presenting evidence that the United States (U.S.) government, its agencies and companies were being spied on by a group from China that Mandiant called APT1. The U.S. Pentagon also released a report in which it directly blamed the Chinese government and military for hacks on computers in the U.S. In both cases the Chinese government denied the allegations. The reports left everyone concerned about state-sponsored attacks out of China, Iran and Syria. All of this changed when Edward Snowden, a contractor for the National Security Agency (NSA), released classified NSA documents showing that the U.S. government itself was spying on its own corporations and on just about everything and everyone around the globe. "What Snowden released essentially proved to the 10th degree that the U.S. government was itself infiltrating its own corporations and has been eroding the privacy of millions for years already." —Andrew Storms, a security researcher with CloudPassage
Some of the most interesting accusations from the documents Snowden leaked were:
• The NSA hacked Chinese telecommunication companies and other organisations, including a university.
• The NSA was gathering the phone and Internet records of Americans.
• The NSA introduced a vulnerability that can be seen as a "backdoor" into the Dual_EC_DRBG (Dual Elliptic Curve Deterministic Random Bit Generator) algorithm, which was adopted by NIST and had been in use since 2004. It was also the default random number generator in RSA's BSAFE encryption toolkit; RSA is one of the major encryption providers in the world. The weakness is that whoever knows the secret relationship between the algorithm's two fixed curve points can recover the generator's internal state from a single block of its output and predict every value it produces after that, which breaks any key derived from it and so allows "secure" communications to be intercepted.
• Belgian telecommunications operator Belgacom identified unknown malware on a number of servers and employee computers. Although the malware was never made available for public analysis, it was speculated that the attack originated with the British Government Communications Headquarters (GCHQ) and the NSA. In September Der Spiegel published details from Snowden's leaks indicating that GCHQ had been behind the hacking, in an operation codenamed Operation Socialist. According to the information released by Der Spiegel "Belgacom seems to have been targeted because of its GRX service. GRX acts as a hub interfacing different mobile networks, and is therefore particularly useful at targeting traveling phone users".
• The NSA spied on the communications of the Brazilian and Mexican presidents.
• Australia spied on the Indonesian president.
• The NSA spied on French citizens and the Mexican government.
• Both the G8 and G20 summits held in June 2010 in Canada were spied on by the NSA in conjunction with a Canadian partner.
• The NSA uses a computer system called XKeyscore (XKS) to search for and analyse Internet data about foreign nationals across the world. The programme is run jointly with other agencies, including Australia's Defence Signals Directorate and New Zealand's Government Communications Security Bureau.
• The NSA has a programme code-named PRISM that collects stored Internet communications from companies such as Google and Apple. The stored data is requested from the companies under section 702 of the U.S. FISA Amendments Act of 2008, which obliges them to turn over any data matching court-approved search terms.
• The British GCHQ makes use of an electronic surveillance programme called Tempora to gain access to large amounts of Internet users' personal data. Tempora uses intercepts on the fibre-optic cables that make up the backbone of the Internet. The intercepts are placed in the United Kingdom and overseas, with the knowledge of the companies owning either the cables or the landing stations.
The revelations of what the NSA was doing, and the ongoing pressure from law enforcement agencies, resulted in two encrypted e-mail providers, Lavabit and Silent Circle, shutting down. Snowden used Lavabit to send secure e-mails and it was speculated that the NSA wanted access to the e-mails in order to track him down after he fled the USA. After Lavabit was shut down its founder, Ladar Levison, was quoted as saying "This is about protecting all of our users, not just one in particular. It's not my place to decide whether an investigation is just, but the government has the legal authority to force you to do things you're uncomfortable with". Because malware went undetected and the NSA used software exploits, a number of questions were raised about the level of cooperation that takes place between security companies and governments. As a result the Electronic Frontier Foundation (EFF), together with 23 other groups, published a letter on the 25th of October asking security vendors a number of questions regarding the detection and blocking of state-sponsored malware. It may be true that a large number of people are willing to give up their personal information on social media networks, but are they willing to allow governments to know everything?
Red October Cyber Espionage
The Red October cyber espionage malware was reported to have been in operation for over five years. It targeted organisations around the world, including government agencies, critical infrastructure industries and scientific research organisations. Its main objective was to send confidential information from these organisations to remote command and control servers.
The Red October malware was highly sophisticated and had several advanced features, including a "resurrection mode" that enabled the malware to re-infect computers from which it had been removed. Additionally, Red October not only targeted computer systems as a source of information but also mobile devices connected to the victims' networks. This was a clear indication that cybercriminals are aware that mobile devices are a core component of today's business environment and contain valuable information. Other cyber espionage malware that made headlines in 2013 were NetTraveler, Icefog and MiniDuke.
Cryptolocker Ransomware
Cryptolocker was the biggest ransomware threat of 2013. For weeks the malware evaded firewalls, endpoint protection, anti-malware products and several other security products. It locates its command and control server by way of a domain generation algorithm (DGA) that produces around 1 000 candidate domain names per day, and downloads a per-victim RSA public key from that server. A fresh key pair is generated for each new victim and only the cybercriminals hold the private key needed for decryption.

Wolfgang Kandek, CTO of Qualys, warns that traditional defences may not offer much protection against CryptoLocker. The attack does not require any special access or privileges, so it is very difficult to prevent using standard computer security tactics. He states that "XKCD had it absolutely right in its April 2013 comic strip, and if all my important data is my user data, the malware does not need to escalate to administrator to wreak havoc."

The downloaded public key is then used to encrypt the victim's data (each file is encrypted with a symmetric key, which is in turn encrypted with the RSA public key, so nothing left on the infected machine can decrypt the files). The cybercriminals give their victims three days to pay the ransom and reinforce their message with wallpapers warning that if they don't pay up in time their data will be gone forever. For the victims' convenience the cybercriminals accept different forms of payment, including Bitcoin. On the positive side, victims who paid the ransom did, by most accounts, receive their decryption keys. A report from Dell SecureWorks researchers suggests that the cybercriminals behind CryptoLocker made, on average, $300 000 per day from users paying the ransom to regain access to their data. The most affected countries were the UK and the US, followed by India, Canada and Australia. To avoid becoming a victim of Cryptolocker or similar ransomware, individuals and businesses must make regular backups of their data. Just as important, keep the backups disconnected from the computer and test that they restore, because some variants of Cryptolocker also encrypt removable media and mapped network shares.
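To make the DGA point concrete, here is an added Python example written for this article (it is not CryptoLocker's code): a small date-seeded generator of the same shape, which produces the same list of candidate domains for anyone who knows the date, and a detector that flags hosts in a constructed DNS log which burn through many NXDOMAIN responses for long, high-entropy names, the behaviour a DGA-driven bot shows while hunting for its live C2 server. The generator's hashing, label length and TLD list are invented; CryptoLocker's actual algorithm differs. The same generator run for tomorrow's date gives defenders a list to sinkhole or block in advance, which is how defenders got ahead of real DGAs.

```python
import hashlib
import math
import re
from collections import defaultdict
from datetime import date, timedelta

TLDS = ("com", "net", "biz", "ru", "org", "co.uk", "info")   # invented list for the example


def illustrative_dga(day, count=1000):
    """Date-seeded domain list of the shape a DGA produces: the same `day`
    always yields the same `count` names, so bot and operator agree on them
    without ever exchanging a list. Hash, label length and TLDs are made up."""
    domains = []
    for i in range(count):
        digest = hashlib.md5(f"{day.isoformat()}:{i}".encode()).hexdigest()
        label = "".join(chr(ord("a") + int(digest[j:j + 2], 16) % 26) for j in range(0, 24, 2))
        domains.append(f"{label}.{TLDS[int(digest[-2:], 16) % len(TLDS)]}")
    return domains


def shannon_entropy(label):
    """Bits per character; random 12-letter labels score well above 3, words below."""
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


# Constructed log format: "<timestamp> <client-ip> query <qname> rcode=<RCODE>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) query (?P<qname>\S+) rcode=(?P<rcode>\w+)$")


def flag_dga_clients(log_lines, min_hits=5, min_entropy=2.8, min_label_len=8):
    """Return {client: [names]} for clients with >= min_hits NXDOMAIN responses
    to long, high-entropy first labels. Typos and retired hostnames give a few
    NXDOMAINs; a DGA bot gives hundreds in minutes."""
    hits = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m["rcode"] != "NXDOMAIN":
            continue
        label = m["qname"].split(".")[0]
        if len(label) >= min_label_len and shannon_entropy(label) >= min_entropy:
            hits[m["client"]].add(m["qname"])
    return {client: sorted(names) for client, names in hits.items() if len(names) >= min_hits}


def build_sample_log():
    """Constructed log: one normal workstation and one bot walking a DGA list."""
    lines = [
        "2013-10-15T09:12:01 10.0.0.5 query www.example.com rcode=NOERROR",
        "2013-10-15T09:12:03 10.0.0.5 query mail.example.com rcode=NOERROR",
        "2013-10-15T09:12:09 10.0.0.5 query gogle.com rcode=NXDOMAIN",            # a typo, not a bot
        "2013-10-15T09:12:30 10.0.0.5 query oldserver.example.com rcode=NXDOMAIN",
    ]
    for n, name in enumerate(illustrative_dga(date(2013, 10, 15))[:10]):
        lines.append(f"2013-10-15T09:13:{n:02d} 10.0.0.23 query {name} rcode=NXDOMAIN")
    return lines


def sinkhole_list(day, count=1000):
    """Defender's use of a recovered DGA: tomorrow's names, ready to block or register."""
    return illustrative_dga(day + timedelta(days=1), count)


if __name__ == "__main__":
    for client, names in flag_dga_clients(build_sample_log()).items():
        print(f"{client}: {len(names)} DGA-like NXDOMAINs, e.g. {names[:3]}")
    print("first names to sinkhole for tomorrow:", sinkhole_list(date(2013, 10, 15))[:3])
```

The detector keys on the failed lookups rather than the one successful one, because the bot must try names until the criminals' registered domain answers; on a resolver log that burst of NXDOMAINs from one client is visible long before any file is encrypted.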
Biggest DDoS attack in history!
Several DDoS (Distributed Denial of Service) attacks occurred throughout the year; however, the biggest was directed at Spamhaus in March. Spamhaus is an international non-profit organisation dedicated to battling spam. Several experts called it the biggest DDoS attack in history, with the attack estimated to have peaked at 300 gigabits per second. Spamhaus CEO Steve Linford told the BBC at the time that the attack had enough force to cause worldwide disruption of the Internet.
CyberBunker, an Internet service provider that allows clients to host any service they like as long as it does not involve child pornography or terrorism, was suspected of launching the attack. The conflict between CyberBunker and Spamhaus went back as far as 2011, but peaked when CyberBunker was blacklisted by Spamhaus a few weeks before the incident. The owner of CyberBunker denied responsibility. In order to keep operating, Spamhaus mitigated the attack by moving its operations to CloudFlare, a hosting and service provider known for dissipating large DDoS attacks.

The method used by the attackers is known as a DNS reflection (or amplification) attack. The attacker sends small DNS queries, typically for a record type such as ANY on a domain whose answer is large, to open recursive DNS servers, with the source IP address of each query forged so that it appears to come from the intended victim. The open servers dutifully send their large responses to the victim. Because the requests are only a fraction of the size of the responses, the attacker can effectively amplify the attack by a factor of around 100 over the bandwidth they actually control. The effectiveness and ease of implementation of the attack have since led to more cybercriminals using it. On the positive side, the attack highlighted the problem of open DNS servers, which should answer recursive queries only for their own clients.
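The asymmetry that makes reflection work can be measured directly. The Python below is an added example for this article (not code from Spamhaus, CloudFlare or the attackers): it builds a real DNS ANY query with an EDNS0 OPT record advertising a 4 096-byte UDP buffer, which is the 40-byte packet an attacker sends with the victim's forged source address, then constructs a response of the kind an open resolver would return for a domain with many large TXT records, parses it, and reports the amplification factor. The record contents are invented.

```python
import struct

TYPE_TXT, TYPE_OPT, TYPE_ANY, CLASS_IN = 16, 41, 255, 1


def encode_name(name):
    """'example.com' -> b'\\x07example\\x03com\\x00' (uncompressed wire format)."""
    return b"".join(bytes([len(label)]) + label.encode() for label in name.strip(".").split(".")) + b"\x00"


def build_query(name, qtype=TYPE_ANY, edns_udp_size=4096, txid=0x1234):
    """Attacker's query: one question plus an OPT pseudo-record so the resolver
    will send a UDP response far larger than the classic 512-byte limit."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # flags: RD; 1 question, 1 additional
    question = encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_udp_size, 0, 0)  # root name, class = UDP size
    return header + question + opt


def build_constructed_response(name, query, txt_records=14):
    """Constructed resolver response: the question echoed back and txt_records
    TXT answers of 255 bytes each, with owner names compressed to a pointer."""
    header = query[:2] + struct.pack("!HHHHH", 0x8180, 1, txt_records, 0, 0)  # QR, RD, RA set
    question = encode_name(name) + struct.pack("!HH", TYPE_ANY, CLASS_IN)
    rdata = b"\xff" + b"A" * 255                                   # one 255-char TXT string
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_TXT, CLASS_IN, 3600, len(rdata)) + rdata
    return header + question + answer * txt_records


def _skip_name(pkt, off):
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, then stop
            return off + 2
        off += 1 + length


def parse_message(pkt):
    """Minimal DNS parser: header counts and (type, rdlength) of every record."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(pkt, off) + 4
    records = []
    for _ in range(an + ns + ar):
        off = _skip_name(pkt, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10 + rdlen
        records.append((rtype, rdlen))
    return {"txid": txid, "is_response": bool(flags & 0x8000), "answers": an, "records": records}


def amplification_factor(query, response):
    """Bytes delivered to the spoofed victim per byte the attacker sends."""
    return len(response) / len(query)


if __name__ == "__main__":
    q = build_query("example.com")
    r = build_constructed_response("example.com", q)
    info = parse_message(r)
    print(f"query {len(q)} bytes -> response {len(r)} bytes "
          f"({info['answers']} TXT records), amplification x{amplification_factor(q, r):.1f}")
```

Nothing in the query authenticates its source, which is the whole problem: the resolver's response goes wherever the IP header says, and the defences are on the network side (egress filtering of spoofed sources, no open recursion, response rate limiting) rather than in the protocol.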
Personal Information Breaches
In 2013 several organisations were victims of data breaches that resulted in user information being compromised. The following are the highlights, or rather lowlights, of such incidents in 2013:
• Cybercriminals gained access to the encrypted passwords of 50 million people who use the LivingSocial service. The attackers also obtained the user names, e-mail addresses and dates of birth of some of its users.
• Evernote asked its almost 50 million users to reset their passwords following a hacking attempt on its network.
• Adobe was hacked, resulting in 38 million users' account IDs and encrypted passwords being stolen. Users had to reset their passwords.
• Yahoo! Japan revealed that 22 million user IDs may have been leaked after it detected an unauthorised attempt to access the administrative system of its Yahoo! Japan web portal.
• A bug was discovered in Facebook's "Download Your Information" tool that allowed Facebook users to access other users' phone numbers or e-mail addresses. It was estimated that 6 million records were accessed in this way.
• A vulnerability in a third-party application on Drupal's servers resulted in user names, e-mail addresses, country information and cryptographically hashed passwords being exposed. Drupal made its almost 1 million Dr upal.org users reset their passwords.
• Hackers gained access to the user names, e-mail addresses, session tokens and encrypted/salted versions of the passwords of approximately 250 thousand Twitter users.
• The hacker collective 'Anonymous' hacked an anonymous whistleblowing website run by the South African Police Service (SAPS), revealing the identities of an estimated 6 thousand users and possibly jeopardising their safety. The hack was in response to the massacre of 34 protesting miners at the Marikana mine in August 2012.

It is best practice to change your password every few months; given the incidents of 2013, users now have no choice but to follow this advice! Two further points are worth making. First, use a different password for every service, so that a database stolen from one site cannot be replayed against another. Second, "encrypted" in most of these notices means hashed; unless the hashes are salted and computed with a deliberately slow function, weak passwords can be recovered from a stolen database offline, which is why a password should be changed as soon as the service that holds it announces a breach, not months later.
Dexter Malware hits SA
The Dexter malware was initially discovered by the Israel-based IT security firm Seculert in December 2012. At that time Seculert estimated that Dexter had infected hundreds of point-of-sale (PoS) systems at businesses in 40 countries. In 2013 a variant of Dexter infected point-of-sale devices at several South African fast-food outlets, and the KFC fast-food chain was said to have been particularly hard hit. The cybercriminals stole customer card data, which cost the local banks tens of millions of rand in what has been described as one of the worst breaches of customer card data in South Africa's history.

The infection was possible because the anti-malware software in use was not able to detect the new variant of Dexter. It was not clear how the PoS systems got infected; however, once resident, the malware read the magnetic-stripe track data out of the PoS software's memory each time a customer's card was swiped and sent it to the cybercriminals. The Card Verification Value (CVV2) printed on the back of the card is not encoded on the magnetic stripe, so it was not compromised and the criminals could not use the stolen data for online, card-not-present purchases. The stripe data is, however, enough to clone a magnetic-stripe card for use in a shop. The Payments Association of South Africa CEO Walter Volker said that authorities picked up incidents of South African card numbers, compromised by Dexter, being used to make in-store purchases in the US, which led to arrests. Volker also said "I don't think there's any reason for concern, but obviously if you detect something on your statement that you don't recognise, you should contact your bank immediately". He also advised anyone who has a mag-stripe card to ask their bank to replace it with a chip card.
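What a PoS memory scraper such as Dexter actually harvests, and why the CVV2 is out of its reach, is clearest from the track format itself. The Python below is an added example written for this article (it is not Dexter's code and reverses nothing from the real malware): it scans a constructed memory blob for Track 1 and Track 2 patterns, validates candidate card numbers with the Luhn check to weed out false positives, and reports the fields that are present on the stripe. The card number used is the standard 4111 1111 1111 1111 test PAN and the cardholder name is invented. The same logic, run over outbound traffic or process memory, is a reasonable detection for scraped track data, and the absence of any CVV2 field in the output is exactly why the stolen data was good for cloned-stripe purchases in shops but not for online ones.

```python
import re

# Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
# Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
# Neither track carries the CVV2 printed on the back of the card.
TRACK1_RE = re.compile(rb"%B(?P<pan>\d{13,19})\^(?P<name>[^\^]{2,26})\^(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^\?]*)\?")
TRACK2_RE = re.compile(rb";(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?")


def luhn_ok(pan):
    """Luhn checksum; cuts false positives from random digit runs in memory."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """Keep the BIN and last four digits, as a receipt or a log should."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_memory(blob):
    """Find track data in a byte buffer the way a RAM scraper (or a DLP rule) would."""
    hits = []
    for track, regex in ((1, TRACK1_RE), (2, TRACK2_RE)):
        for m in regex.finditer(blob):
            pan = m["pan"].decode()
            if not luhn_ok(pan):
                continue
            svc = m["svc"].decode()
            hits.append({
                "track": track,
                "pan_masked": mask_pan(pan),
                "expiry_yymm": m["exp"].decode(),
                "service_code": svc,
                "chip_preferred": svc[0] in ("2", "6"),   # 2xx/6xx: IC card, use chip where available
                "name": m["name"].decode() if track == 1 else None,
            })
    return hits


# Constructed buffer standing in for a PoS process's memory: noise, one swipe's
# two tracks, and a decoy Track 2 whose PAN fails the Luhn check.
SAMPLE_MEMORY = (
    b"\x00" * 16 + b"receipt printer ok\x00"
    + b"%B4111111111111111^DOE/JANE^25121011000000000?"
    + b"\x00\x01\x02"
    + b";4111111111111111=251210110000000?"
    + b" trace data " + b";1234567890123456=251210100000?"
)


if __name__ == "__main__":
    for hit in scan_memory(SAMPLE_MEMORY):
        print(hit)
```

The service code is worth reporting because it is the field a chip migration changes: a 2xx or 6xx code tells the terminal to use the chip when it can, and a counterfeit stripe copied from such a card is refused by a chip-capable terminal, which is the protection Volker's advice buys.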
Another Obad Year for Android
In 2013 the most advanced Android malware yet seen, named Obad, was discovered. The malware is multi-faceted: it can send messages to premium-rate numbers, download and install other malware, spread itself using several different methods and receive commands from remote servers. Obad is a very complex piece of malware and its code is heavily obfuscated. Additionally, it exploits three previously unpublished vulnerabilities. One of these allows Obad to gain device administrator privileges without being listed on the device as one of the applications that has these rights. The administrator privileges make it impossible for the user to remove the malware and allow Obad to lock the screen. Obad locks the screen to cover up its activities, specifically the sending of itself (and other malware) to nearby devices. In Android 4.3 Google patched the vulnerability that allowed Obad to hide in the device administrator list. Obad can distribute itself via Bluetooth, by advertising itself as a legitimate app on a fake Google Play store, by means of spam text messages and through redirection on compromised sites.

Obad was found to be most commonly distributed using a mobile botnet built from other mobile malware, as follows:
• The user receives a text message indicating that an MMS was received, with a link for the user to click on.
• By clicking on the link the user downloads the Opfake SMS Trojan which, when executed, contacts its command and control server and, on the server's instruction, sends a text message to all of the user's contacts. The message once again contains a link where the recipient can view the "MMS".
• By clicking on the link the recipients download the Obad malware. For Obad to be installed the user must still run the downloaded file.
City of Joburg online billing "Hacked"
In August the BidorBuy CTO Gerd Naschenweng discovered a security vulnerability in the City of Joburg's (CoJ) online e-statements system which exposed private invoices containing residents' and businesses' personal details such as names, addresses, account numbers, PIN codes and financial details. Naschenweng made the discovery public after several attempts to contact the CoJ were unsuccessful.

On learning about the vulnerability the CoJ took the compromised site "offline" by removing the site's DNS records. However, the site was still accessible by IP address, which meant the invoices were still available to anyone with the IP address and an Internet connection: deleting a DNS name does not take a service down, it only removes one way of finding it. The CoJ eventually took the site itself down, which prevented further access to the personal invoices.
Silk Road Shutdown
In October 2013 a joint operation between the FBI and the Drug Enforcement Administration (DEA) shut down Silk Road. Silk Road was a black market site operated as a hidden service on the Tor network and was used to buy and sell drugs, hacking tools and firearms; it was allegedly also possible to hire assassins. Silk Road dealt in Bitcoin, which allowed both sellers and customers to remain anonymous (or, more accurately, pseudonymous: every transaction is recorded on the public ledger). The FBI and DEA seized about 140 000 Bitcoins (worth approximately $56 million) from Silk Road's operator, whose nickname was Dread Pirate Roberts. Ross William Ulbricht is accused by the FBI of being Dread Pirate Roberts and is currently in prison awaiting trial. As part of the Silk Road shutdown, arrests of drug dealers were also reported worldwide.
Apple iOS Vulnerabilities Exposed
In 2013 Apple iOS contained several lock screen vulnerabilities that allowed unauthorised users to bypass the lock screen on iPhones and iPads and access user data. Such vulnerabilities existed in both iOS 6.x and 7.x. The iOS 7.x bypass could only be performed on the iPhone 4S and 5, the 5S and 5C models being unaffected. In addition to the lock screen vulnerabilities discovered in 2013, the iPhone 5S Touch ID fingerprint sensor was also defeated within 48 hours of its release.
Looking back at 2013
Which Predictions from 2013 came true?

In the first edition of Cybershield in 2013 we published a number of predictions made by experts for 2013. The following summarises each prediction and indicates whether or not it came true.

Cloud:
Prediction: "I expect to see a sharp increase in attacks against end-users and administrators who are accessing and controlling cloud based services (both public and private clouds). Much of the focus is on the security of the cloud itself but very often the end-users are left to their own while connecting from less secure public networks. Administrators in particular will be targeted as they hold the keys to the cloud-based kingdom." - Bryce Galbraith
Outcome: In 2013 the number of attacks on end users and administrators aimed at obtaining their cloud-based service credentials did not increase significantly; there was nothing to indicate a sharp increase compared to 2012. The sharp increase was in fact the other way around: attacks against the cloud providers themselves increased. LivingSocial, Evernote, Twitter, Facebook, Apple and Zendesk, for example, were all attacked and personal user information was stolen. Therefore this prediction did not come true.

Simulations:
Prediction: "Gamification, the application of game design techniques to real-world problems, will play a far more important role in Information Security education in the coming years." - Yori Kovichko
Outcome: In 2013 several organisations made use of games to educate users in information security, particularly in the awareness space, as well as to train security professionals. Therefore this prediction came true!

Innovation:
Prediction: "Companies will start looking for alternative security technologies to augment or outright replace many of the technologies that have failed time and time again." - John Strand
Outcome: It is difficult to determine whether or not all companies started looking for alternative security technologies. What we can tell is that many vendors released security tools with more advanced features, such as the ability to analyse employees' social media data and to track employees via GPS. Several tools were also released to deal with Bring Your Own Device (BYOD) and with malware threats. Therefore this prediction came true, as several companies looked for solutions to deal with new and emerging threats.
Metrics:
Prediction: "No profession has ever achieved status and credibility prior to developing effective metrics showing cause and effect, providing reliable prognostication and delivering the information needed by various parts of an organisation to make informed decisions. Information security is no different. While practitioners frequently lament the profession's lack of standing with business executives, we continue to fail to provide credible answers to essential questions and reliable evidence for the value of our craft. Most of us only provide management with obscure technical measures that do little to provide needed answers, actionable information or comfort, let alone assurance. But relentless pressure to cut costs, to increase both effectiveness and efficiency and do more with less will increasingly drive development and deployment of better metrics in the coming years." - Krag Brotby
Outcome: In 2013 it became clear that security metrics had become too complex for the majority of managers to understand. The only way to address this problem is to give management metrics that are based on the business context. Paul Proctor, in a blog post on Gartner, said it best: "Very simply put, if you want them to care, you have to give them something that influences their decision making, something that matters to THEM. That means you have to know something about them AND be able to link your metrics to their issues". In 2013 a lot of focus, across different organisations, was put into developing metrics that could be presented to executive management. Therefore this prediction came true!

Authentication:
Prediction: "1) serious adoption of multi-factor authentication and 2) focused research into an even more cost efficient yet more secure authentication process in an effort to eliminate the username/password equation and move us to "who you are" authentication systems." - David Hoelzer

Password Controls:
Prediction: "Expect the demise of password-only security mechanisms. Since attackers can now easily download cloud-based password cracking tools for as low as $20, FortiGuard predicts an increasing number of companies will start using some form of two-factor authentication for their personnel and clients. This will likely involve a web-based login which requires a user password and a secondary password that will be provided to the user via the user's mobile device or a stand alone security token."
Outcome (for both predictions): Twitter, Microsoft, Evernote, GitHub, OpenMarket, Apple and several other companies all introduced two-factor authentication for their services. Research was conducted by several organisations to establish better authentication methods. The highlight was when Motorola gave details of two new authentication methods it was developing. The first lets people put NFC-enabled tattoos on their skin as a means of authentication. The second is what Motorola termed "vitamin authentication": a pill containing a small chip with a switch. When a person swallows it, the acid in their stomach serves as the electrolyte that powers it up; the switch goes on and off and creates an 18-bit ECG-like signal in the body, essentially making the entire body the authentication token. Apple introduced a fingerprint reader for the iPhone 5s. Therefore this prediction came true!

Mobile devices:
Prediction: "With the continued development and proliferation of intelligent portable electronic devices (smartphones, tablet computers, etc.), I predict a rise in account compromises resulting from the credentials for those accounts being stored on unsecured devices. While the user may have selected a password of sufficient length, when it's stored on an unsecured device it may be easily recoverable by an attacker." - Fred Kerby
Outcome: In 2013 it was discovered that several mobile applications were transmitting and storing user credentials in clear text. One example was the Kik messenger app, which stored user names and passwords in clear text. Another was ESPN's ScoreCenter for iOS, which sent passwords in clear text. Therefore this prediction came true!
Geolocation:
Prediction: "I predict a much wider range of investigators, both public and private, will begin to take advantage of geo-artifacts present on nearly every computer and mobile device, giving the ability to put the device at a particular place at a particular time." - Chad Tilbury
Outcome: The documents leaked by Edward Snowden all but confirmed that several intelligence and law enforcement agencies use mobile devices to gather information on particular individuals and/or organisations. Therefore this prediction came true!

Internet devices and Machine Attacks:
Prediction: "However, in particular the advent of IPv6, and the continuation of Moore's law to deliver cheaper and more powerful devices, will make it much easier to deploy devices ubiquitously. We already see a surge in internet controlled home automation and alarm systems. Cars with not one but several IP addresses, sub $50 "servers" as implemented in the Raspberry Pi project and projects like Arduino to deliver sensory and control capabilities to the masses. These technologies frequently take advantage of cloud computing to supplement their limited computing capacity and heavily rely on commodity networks for data exchange. We should pretty soon see successful attacks against these devices by exploiting unsecured communication networks. Later on, complete take over of the device by injecting exploit code into the insecure communication stream may be achieved." - Johannes Ullrich
Outcome: An article written by Kashmir Hill of Forbes discussed how she was able to hack a smart home and control it over the Internet. A number of hackers also revealed that they were able to disarm home security systems, open garage doors and turn off the lights of several smart homes. A vulnerability was also found in Samsung Smart TVs, since patched, that allowed hackers to remotely turn on the TVs' built-in cameras without leaving any trace of it on the screen. Therefore this prediction came true!

APTs:
Prediction: "We'll see more advanced persistent threats much like Stuxnet, Flame and Gauss, hitting civilian targets like celebrities, company CEOs and political figures. Since targets are not directly linked to military and or government agencies, attackers will likely be looking for information they can use for criminal activity such as blackmail, according to the report."
Outcome: The report released by Mandiant, the documents leaked by Edward Snowden and the revelation of the Red October malware all involved the use of advanced persistent malware. Therefore this prediction came true!

Sandboxes:
Prediction: "As adoption of sandboxing becomes a more widely employed security technology, attackers will launch exploit codes that can circumvent sandbox environments. The most likely targets in 2013 will be security appliances and mobile devices."
Outcome: Attacks in 2013 resulted in the following applications' sandboxes being bypassed:
- Adobe Reader
- Java
- Microsoft Internet Explorer
- Google Chrome
- Android (a RAT was able to bypass the application sandbox)
Therefore this prediction came true!
Botnets:
Prediction: "Cross platform botnets such as Zitmo will become more widespread in the coming year. Since many divergent platforms now share many features, FortiGuard predicts that 2013 will see an increase in new forms of denial of service attacks that will simultaneously hit both PC and mobile structures."
Outcome: In 2013 the Obad Android malware was more commonly distributed using a pre-established mobile botnet. The Zeus malware also targeted both PC users and mobile device users. Another example was the Perkle crimeware kit, which infects the user's desktop, poses as an authentication measure for the user's banking website and requires the user to scan a QR code that downloads malware onto the user's mobile device. The mobile component then waits for the confirmation texts sent by the bank, intercepts the codes and sends them back to the desktop component, which uses them to gain access to the victim's bank account. Attackers are aware that users increasingly use mobile devices, so they make variants of their malware that also work on mobile devices, in addition to the computer. Therefore this prediction came true!

Mobile Malware:
Prediction: "Growth of malware written for mobile devices will close in on those for PCs and laptops. Historically malware has been directed against PCs because the devices have been around for so long. The number of new mobile devices however continues to expand making them the ideal target of attackers."
Outcome: According to a report released by ESET there was exponential growth in mobile malware in 2013. Similar reports by McAfee and other vendors also noted the rapid growth of mobile malware. Therefore this prediction came true!

Social networks:
Prediction: "One of the most widely used techniques is social engineering. Tricking users into collaborating to infect their computers and steal their data is an easy task, as there are no security applications to protect users from themselves. In this context, use of social networks (Facebook, Twitter, etc.), places where hundreds of millions of users exchange information (very often personal data), makes them the preferred hunting ground for susceptible users. Particular attention should be paid to Skype, which after replacing Messenger, could become a target for cybercriminals."
Outcome: In 2013 a new piece of malware spread across Skype, trying to convince recipients to click on a link. Once a user clicked on the link a Bitcoin miner was installed to make money for the malware author. It was reported that the malware was spreading at 2 000 clicks per hour. Several other types of malware, such as Shylock, also spread via Skype in 2013. Social network users were also targeted in several phishing attacks in 2013. Therefore this prediction came true!
Looking back at 2013
Prediction
Outcome
Malware for mobile devices:
At the end of 2013 Google announced that it would be putting Android in cars. Several mobile devices, phones and tablets, opted to make use Android has become the dominant mobile operating of Android. system. In September 2012, Google announced that it had reached the incredible figure of 700 million Android Therefore this prediction came true! activations. Although it is mainly used on smartphones and tablets, its flexibility and the fact that it doesn’t require a licence for use will result in new devices opting to use Google’s operating system. Its use is going to become increasingly widespread, from televisions to all types of home appliances, which opens up a world of possible attacks as yet unknown. Cyber-warfare/Cyber-espionage:
The cyber arms race most certainly escalated in 2013 with the revelations of what China and the U.S. had been doing.
Which Predictions from 2013 came true?
Throughout 2012, different types of attacks have been launched against nations. The Middle East is worth Therefore this prediction came true! mentioning, where the conflict is also present in cyber space. In fact, many of these attacks are not even carried out by national governments but by citizens, who feel that they should defend their nation by attacking their neighbors using any means available. Furthermore, the governments of the world’s leading nations are creating cyber commandos to prepare both defence and attack and therefore, the cyber-arms race will escalate. Growth of malware:
In 2013 the occurrence of malware continued to increase across both computers and mobile devices. In particular there was a large increase For two decades, the amount of malware has been in mobile malware. ESET detections of Android malware increased more growing dramatically. The figures are stratospheric, with than 60% between 2012 and 2013. tens of thousands of new malware strains appearing every day and, therefore, this sustained growth seems Therefore this prediction came true! very far from coming to an end. Malware for Mac: Cases like Flashback, which occurred in 2012, have demonstrated that not only is Mac susceptible to malware attacks but that there are also massive infections affecting hundreds of thousands of users. Although the number of malware strains for Mac is still relatively low compared to malware for PCs, we expect it to continue rising. A growing number of users added to security flaws and lack of user awareness (due to over confidence), mean that the attraction of this platform cyber-crooks will continue to increase in 2013. Windows 8:
In 2013 Mac users were once again targeted by attackers. Janicab and Yontoo are examples of malware that infected Mac users in 2013. Mac users were also targets of ransomware in 2013. The infection rates and occurrences of malware on Mac are much lower when compared to Windows. However, 2013 showed that cybercriminals are increasing their attacks on Mac users. Therefore this prediction came true!
In 2013 there were no major malware strains found that targeted Windows 8 specifically.
Last but not least, Windows 8. Microsoft’s latest operating system, along with all of its predecessors, will also suffer Therefore this prediction did not come true attacks. Cyber-criminals are not going to focus on this operating system only but they will also make sure that their creations work equally well on Windows XP to Windows 8, through Windows 7. One of the attractions of Microsoft’s new operating system is that it runs on PCs, as well as on tablets and smartphones. For this reason, if functional malware strains that allow information to be stolen regardless of the type of device used are developed, we could see a specific development of malware for Windows 8 that could take attacks to a new level.
Twenty Fourteen
Cyber Security - Expert Predictions for 2014

Trust and Privacy
“Privacy will be a hot subject, with its ups and downs. Encryption will be back in fashion and we believe countless new services will appear, claiming to keep you safe from prying eyes. The Cloud, the wonder child of previous years, is now forgotten as people have lost trust and countries begin thinking more seriously about privacy implications. In 2014, financial markets will probably feel the ripples of the Bitcoin, as massive amounts of money are being pumped in from China and worldwide. Perhaps the Bitcoin will reach the mark of $10,000, or perhaps it will crash and people will start looking for more trustworthy alternatives.” - Kaspersky Lab Global Research and Analysis Team

Misusing Code Signatures
“More attack binaries will use stolen or valid code signatures. These signatures allow malware to spoof as legitimate executables and bypass traditional anti-virus looking for those characteristics.” - Amanda Stewart

Java zero-day exploits may be less prevalent
“Despite the comparative ease of Java exploit development, the frequent release of new Java zero-day exploits stopped after February 2013. The reason is unclear, but may be due in part to security warning popups in Java 1.7 or increased attention from white-hat security researchers. Another possibility: too few people are using vulnerable versions of Java, giving exploit authors little incentive to continue finding more bugs.” - Yichong Lin

Increase in Watering Hole and Social Media Targeting Attacks
“Watering-hole attacks and social media targeting will increasingly surpass spear phishing emails. Watering holes and social-media networks provide a neutral zone where targets let their guard down. The trust factor is not a big obstacle, and minimal effort is required to lure the target in to a trap.” - Thoufique Haq
Cybercrime that Leverages Unsupported Software, such as Windows XP, will increase
“This topic has been discussed before, but it’s worth mentioning again here. The most effective way to protect systems in the current environment, where drive-by download attacks are so popular with attackers, is to keep all software installed on them up-to-date with security updates. But on April 8 2014, support will end for Windows XP. This means Windows XP users will no longer receive security updates, non-security hotfixes or free/paid assisted support options and online technical content updates. This venerable platform, built last century, will not be able to keep pace with attackers, and more Windows XP-based systems will get compromised. The best way to stay ahead of attackers in 2014 and beyond is to migrate from Windows XP to a modern operating system that can provide increased and ongoing protections like Windows 7 or Windows 8, before April 2014.” - Tim Rains

Increase in Cybercrime Activity Related to the World Cup
“As with any large sporting event, cybercriminals will also be looking for illegal ways to make money and take advantage of the excitement surrounding the World Cup. Given ticket sales for the event started long ago, I’m sure attackers have already been trying to identify ways to swindle money. But I expect to see an uptick in current levels of spam and phishing attacks that use the World Cup context as bait. Attackers use spam and phishing sites to try to steal recipients’ personal information (for purposes of identity theft and bank fraud), as well as infect their systems with malware (for many purposes like click fraud, spam campaigns, botnets, etc.). Spam messages associated with advance-fee fraud (so-called 419 scams) have been on the increase over the past 18 months, going from 9.1% of messages blocked by the Exchange Online Protection feature to protect customers in the first half of 2012 to 14.3% in the second half of 2012 to 15.5% of messages blocked in the first half of 2013. Advance-fee fraud is a common confidence trick in which the sender of a message purports to have a claim on a large sum of money or needs financial help because of some hardship. The sender asks the prospective victim for a temporary loan to get access to their claim or to help them overcome the harsh circumstances in which they find themselves. Of course these 419 scams won’t be limited to Brazil as football/soccer is the world’s most popular sport. I expect to see attackers cast a broad net using different languages in order to ensnare as many victims as possible in Latin America and Europe, as well as other parts of the world. Football/soccer fans around the world should use a healthy dose of skepticism when deciding whether to open unsolicited email and attachments. They should also pay close attention to the websites they visit and personal information they provide to such sites.” - Tim Rains
Increase in Ransomware
“Although ransomware has been around for years, to date, ransomware infections have been on a much smaller scale than other types of malware. But, given increased levels of success attackers have had with this type of extortion scheme in 2013, I predict more attackers will embrace this business model in 2014 and ransomware infections will rise. The impact of a ransomware infection on businesses of all sizes could be highly disruptive if they aren’t prepared for this type of threat. As the probability of encountering a potentially super impactful threat increases, so does the risk. Now is the time for organisations to plan mitigations for ransomware. Besides running up-to-date anti-malware software from a vendor you trust, backups are extremely important. For many of the systems that get infected by this type of threat, the only guaranteed way to recover data that has been encrypted by attackers is to restore it from backup after the system has been disinfected or rebuilt. Leveraging the cloud to do this is a low cost option.” - Tracey Pretorius

Ransomware is on the Rise, Especially in Europe
“2013 saw a significant trend toward ransomware because cyberattackers were able to utilise Tor and Bitcoin to anonymously blackmail people into paying for access to their own data. This trend will accelerate and migrate to mobile devices in 2014. There’s an enormous number of consumers to target who are dependent on the data and services in their mobile device. More than half of mobile-device users don’t use even the most basic security precautions, making them easy prey for cyberattackers.” - Ken Westin
APTs will meet financially motivated malware
“We expect the success of advanced persistent threats (APTs) in carrying out attacks for the purposes of industrial espionage will inspire old-school financial malware gangs to adopt their techniques. In fact, we’re already seeing exploit techniques borrowed from APT groups being used for malware distribution. As security vendors make progress with improving layers of defense, OS security and user awareness, cybercriminals are forced to make bigger financial gains from a smaller number of victims. New attacks initiated by traditional malware actors may in the future include components and delivery mechanisms purposely built or customised for a narrower target audience. The line marking the difference between APT and traditional malware will continue to blur in 2014.” - SophosLabs

New Methods will be discovered to Bypass Automated Sandboxing
“Attackers will find more ways to defeat automated (sandbox) analysis systems, such as triggering on reboots, mouse clicks, applications closing and so on. A prime example: malware triggering at a specific time, similar to what we have seen in Japan and Korea. Attackers are focusing on evading sandbox systems, betting that this effort will make their malware dramatically more powerful.” - Alex Lanstein
Dev-Ops Security Integration Fast Becoming Critical “As more and more organisations across the industry embrace secure development tools, like Microsoft’s Security Development Lifecycle (SDL), and operations teams mature their processes to become more security-centric with methodologies such as Operational Security Assurance (OSA) for online services, attackers will be left trying to exploit the seams between development and operations. This is one of the lessons Microsoft learned years ago with the malware known as Flame; this was a case where software developers’ assumptions about the perpetual state of operations led to a vulnerability that attackers could take advantage in a seam between development and operations. For attackers, finding a gap between an assumption made by a developer and an assumption made by an operations team will be much easier due to the paradox of defence - they only need to find one gap while defenders need to identify them all. As we see attackers attempt to exploit these gaps more frequently, we’ll see the industry continue to improve rigor around identifying and eliminating these gaps both in design and in continual service improvement. We’ll see operational security champions build tighter connections with their developer counterparts. Threat modeling will grow to a broader, more systems-based approach. And methodologies will become more repeatable and rigorous, borrowing from tried-and-true processes in development such as application threat modeling, and growing similar muscle in operations using continuous monitoring and operational reviews. While attackers are already trying to exploit these gaps, many of the pieces for the defences’ playbook exist, and we’ll see them come together to increase the challenge for attackers.” - Mike Reavey
Android malware, increasingly complex, seeks out new targets
“In 2013 we saw exponential growth in Android malware, not only in terms of the number of unique families and samples, but also the number of devices affected globally. While we expect that new security features in the Android platform will make a positive change in infection rates over time, their adoption will be slow, leaving most users exposed to simple social engineering attacks. Cybercriminals will continue to explore new avenues for Android malware monetisation. Although their options on this platform are more limited than Windows, mobile devices are an attractive launching pad for attacks aimed at social networks and cloud platforms. Mitigate this risk by enforcing a BYOD (bring your own device) policy that prevents side-loading of mobile apps from unknown sources and mandates anti-malware protection.” - SophosLabs
Increase in Firmware Malware, BIOS Malware and 64 bit Malware “Expect more malicious code in BIOS and firmware updates. “ - Bryce Boland “With growing adoption of 64-bit operating systems on PCs, we’re expecting a growth of malware that is unable to run on 32-bit PCs.” - SophosLabs
Mobile banking will suffer from more MitM attacks; basic two-step verification will no longer be sufficient. “The past year saw a notable surge in online banking threats. The third quarter saw the infection count pass the 200,000 mark, the highest it has ever been. But banking threats were not limited to computers; we also saw them go mobile. Fake banking apps became a common problem. Banking-related apps also became a favored cybercriminal target, led by malicious apps posing as token generators. Going mobile unintentionally rendered two-step verification insufficient. As more people used mobile devices for both banking and authentication, cybercriminals started intercepting authentication numbers with the aid of mobile malware like PERKEL and ZITMO. Nearly one in five U.S. smartphone users banked via mobile devices in 2013, a number that is expected to rise more in the coming years. 2014 will be about mobile banking. Unfortunately, we can also expect mobile threats like man-in-the-middle (MitM) attacks to increase in 2014. Android will remain the most dominant OS in the market. But this dominance will continue to be exploited, as we predict the volume of malicious and high-risk Android apps to reach 3 million by the end of 2014. Though Google did exert effort to address this, most recently with the release of Android KitKat, not all users can take advantage of new security features due to the OS’s heavily fragmented update process. New OSs like Tizen, Sailfish, and Firefox that boast of having an Android compatibility layer will enter the mobile market. On the upside, this layer will allow Android apps to run on the OSs but may also make it easier for cybercriminals to create multiplatform threats.” - Trend Micro
Detecting advanced malware will take even longer than it does now “Depending on whom you believe (Verizon Data Breach Investigations Report, Ponemon Institute, and others), detecting a breach can take 80 to 100 days, and remediating it can take 120 to 150 days. We expect those detection times to increase in 2014. More alarmingly, remediation times will accelerate even faster as threat actors grow more sophisticated in their ability to embed themselves within targeted organisations for extended periods.“ - Rudolph Araujo.
International News Bits
The Secret NSA Toolbox
It was revealed through documents leaked by Edward Snowden to SPIEGEL that the NSA has a secret unit that produces special equipment ranging from spyware for computers and cell phones to listening posts and USB sticks that work as bugging devices. When agents with the NSA’s Tailored Access Operations (TAO) division want to infiltrate a network or a computer, they turn to their technical experts. This particular unit of the United States intelligence service is known internally as ANT. SPIEGEL obtained an internal NSA catalogue describing ANT’s various products, along with their prices. The catalogue consists of several “implants,” as the NSA calls them, for computers, servers, routers and hardware firewalls. There is special equipment for covertly viewing everything displayed on a targeted individual’s monitor. And there are bugging devices that can conduct surveillance without sending out any measurable radio signal of their own: the signals that carry the data are instead picked up using radar waves. Many of these items are designed for subverting the technical infrastructure of telecommunications companies to exploit them, undetected, for the NSA’s purposes, or for tapping into company networks.
Revealed! ‘Implants’ for Cisco, Juniper, Dell, Huawei and HP
The catalogue is not up to date. Many of the software solutions on offer date as far back as 2008, whereas some apply to server systems or mobile phone models that are no longer on the market. However, it is safe to assume that ANT’s hackers are constantly improving their arsenal. Indeed, the catalogue makes frequent mention of other systems that will be “pursued for a future release.” The NSA has also targeted products made by well-known American manufacturers and found ways to break into professional-grade routers and hardware firewalls, such as those used by Internet and mobile phone operators. ANT offers malware and hardware for use on computers made by Cisco, Dell, Juniper, Hewlett-Packard and Chinese company Huawei. There is no information in the documents seen by SPIEGEL to suggest that the companies whose products are mentioned in the catalogue provided any support to the NSA or even had any knowledge of the intelligence solutions. The implants which were placed around the world have played a significant role in the NSA’s ability to establish a global covert network consisting partly of the agency’s own hardware, but also of other computers subverted to serve its purposes.
Source: SPIEGEL
Intercepting Packages and Manipulating Computers
ANT’s developers often seek to place their malicious code in the computer’s BIOS. The BIOS is software located directly on a computer’s motherboard that is the first thing to load when the computer is turned on. Therefore, even if the hard drive is wiped and a new operating system installed, ANT’s malware will continue to function, making it possible to later add other spyware back onto the computer. In addition to the BIOS, the NSA’s hackers also attack the firmware on computer hard drives, essentially the software that makes the hardware work. The ANT catalogue includes, for example, spyware capable of embedding itself unnoticed into hard drives manufactured by Western Digital, Seagate and Samsung. The first two of these are American companies. Many of these digital tools are “remotely installable,” meaning they can be put in place over the Internet. Other tools, however, require direct intervention, known in NSA terms as “interdiction.” This means that brand new products being delivered by mail are secretly intercepted, and hardware or software implants are installed on them. The package is forwarded to its intended destination only after this has been done.
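One way to notice a BIOS or UEFI image that has been replaced underneath you, added here as an example and not part of the SPIEGEL report: on a platform with a TPM the firmware measures itself into PCR 0 at every boot, so the PCR values of a machine that is known to be clean can be recorded and compared against each later boot. The script below parses output in the format of `tpm2_pcrread sha256:0,1,7` (from tpm2-tools), reports which PCRs drifted, and flags PCR 0 or PCR 7 drift as a firmware-level change that a disk wipe and reinstall cannot explain. The baseline and the suspect read-out are constructed digests, and the function names are my own.

```python
"""Compare TPM PCR values read after a boot against a recorded known-good baseline.

Added example (not from the SPIEGEL report or the ANT catalogue). On a platform with
a TPM the firmware measures itself into PCR 0 on every boot, so a BIOS/UEFI image
swapped by an implant shows up as drift in PCR 0 even after the disk is wiped and the
OS reinstalled. Input format assumed: `tpm2_pcrread sha256:0,1,7` (tpm2-tools);
all digests below are constructed for the example.
"""
import hashlib
import re

# What each checked PCR holds under the TCG PC Client firmware profile.
PCR_MEANING = {
    0: "platform firmware code (BIOS/UEFI image)",
    1: "platform firmware configuration",
    7: "Secure Boot policy and keys",
}

def _fake_digest(label):
    """Stand-in for a real measurement; only produces a well-formed 64-hex-digit value."""
    return hashlib.sha256(label.encode()).hexdigest()

# Constructed baseline, as recorded when the machine was known to be clean.
BASELINE = {
    0: _fake_digest("vendor firmware 1.07"),
    1: _fake_digest("firmware configuration"),
    7: _fake_digest("secure boot enabled, vendor keys"),
}

# Constructed `tpm2_pcrread` output after a suspect reboot: PCR 0 changed, 1 and 7 did not.
# tpm2_pcrread prints one bank per block, "<bank>:" followed by "<pcr> : 0x<HEX>" lines.
_IMPLANTED = _fake_digest("vendor firmware 1.07 plus implant")
SUSPECT_READ = (
    "sha1:\n"
    f"  0 : 0x{_fake_digest('sha1 bank, not compared here')[:40].upper()}\n"
    "sha256:\n"
    f"  0 : 0x{_IMPLANTED.upper()}\n"
    f"  1 : 0x{BASELINE[1].upper()}\n"
    f"  7 : 0x{BASELINE[7].upper()}\n"
)

BANK_LINE = re.compile(r"^\s*([a-z0-9_]+):\s*$")
PCR_LINE = re.compile(r"^\s*(\d+)\s*:\s*0x([0-9a-fA-F]+)\s*$")

def parse_pcrread(text, bank="sha256"):
    """Return {pcr_index: lowercase hex digest} for one bank of tpm2_pcrread output."""
    values, in_bank = {}, False
    for line in text.splitlines():
        bank_match = BANK_LINE.match(line)
        if bank_match:
            in_bank = bank_match.group(1) == bank
            continue
        pcr_match = PCR_LINE.match(line)
        if in_bank and pcr_match:
            values[int(pcr_match.group(1))] = pcr_match.group(2).lower()
    return values

def compare_pcrs(baseline, current):
    """List (pcr, expected, actual, meaning) for every baseline PCR that differs or is absent."""
    findings = []
    for pcr, expected in sorted(baseline.items()):
        actual = current.get(pcr)
        if actual != expected.lower():
            findings.append((pcr, expected.lower(), actual, PCR_MEANING.get(pcr, "unknown")))
    return findings

def firmware_suspect(findings):
    """True when PCR 0 or PCR 7 drifted: the firmware image or Secure Boot state changed,
    which a disk wipe and OS reinstall cannot explain (a vendor firmware update can)."""
    return any(pcr in (0, 7) for pcr, _, _, _ in findings)

if __name__ == "__main__":
    drift = compare_pcrs(BASELINE, parse_pcrread(SUSPECT_READ))
    for pcr, expected, actual, meaning in drift:
        print(f"PCR {pcr} ({meaning}) changed: expected {expected[:12]}..., "
              f"got {(actual or 'missing')[:12]}...")
    print("firmware tamper suspected:", firmware_suspect(drift))
```

A legitimate vendor firmware update also changes PCR 0, so the baseline has to be re-recorded after every update you applied yourself, and the comparison is only as trustworthy as the TPM and the measurement chain. It also says nothing about the hard-drive firmware implants the catalogue lists: drive firmware is not measured into these PCRs at all.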
Computer Monitor Surveillance
Technicians at the NSA’s ANT division have developed a system that makes it possible to divert data from a computer monitor undetected. A component called RAGEMASTER is installed in the ferrite insulation on the video cable right behind the monitor plug. It has no transmitter of its own: it is “illuminated” by a radar unit located remotely from the building being monitored, and the reflected, slightly altered radar signal is thus made visible to NSA workers. A complex system makes it possible to use that reflected signal to reconstruct what can be seen on the monitor of the computer under surveillance. It is therefore possible for the NSA to see what is on the screen regardless of whether or not the computer is connected to the Internet or any other network.
Computer Monitor Surveillance Implant known as “RAGEMASTER”

Keyboards
For the NSA’s specialists, using software to log keystrokes on a hacked computer is child’s play. The hardware implant “SURLYSPAWN” goes one step further, by transmitting what a computer user types even when the computer isn’t connected to the Internet or any other network. An invisible signal emitted by the implant is modified by every keystroke, and then a radar signal emitted by a device located outside the building makes the implant’s invisible signal visible. This allows agents sitting across the street, for example, to know what a subject is typing on a computer that isn’t connected to the Internet.
Keyboard Implant known as “SURLYSPAWN”
In response to a query from SPIEGEL, NSA officials issued a statement saying, “Tailored Access Operations is a unique national asset that is on the front lines of enabling NSA to defend the nation and its allies.” The statement added that TAO’s “work is centered on computer network exploitation in support of foreign intelligence collection.” The officials said they would not discuss specific allegations regarding TAO’s mission.
It should also be noted that spyware for mobile phones was even on offer in the 2008 version of the catalog. A Trojan for gaining total access to iPhones, which were still new at the time, was still in development, though its specifications are listed in the catalog. For more information on the other tools used by the NSA visit: http://www.spiegel.de/international/world/a-941262.html
Windows Error Messages: Potential Sources of Information
One example of the creativity with which the TAO operatives approach their work can be seen in a hacking method that exploits a frequent occurrence on Microsoft Windows: the familiar window that pops up when an internal problem is detected, asking the user to report the error to Microsoft with a click of the mouse. For TAO specialists, these crash reports either were or continue to be a welcome source of potential information. When TAO selects a computer somewhere in the world as a target and enters its unique identifier (an IP address, for example) into the corresponding database, intelligence agents are automatically notified any time the operating system of that computer crashes and its user receives the prompt to report the problem to Microsoft. The automated crash reports give TAO what it calls “passive access” to a targeted machine: initially only the data the computer sends out onto the Internet is captured and saved, and the computer itself is never accessed or changed. That passive information provides TAO with details of security holes that might be exploitable for planting malware or spyware on the unwitting victim’s computer. Organisations that would rather keep such details in-house can switch the reports off with the Disable Windows Error Reporting Group Policy setting, or route them to an internal error-reporting server instead of to Microsoft. Although the method appears to have little importance in practical terms, the NSA’s agents still seem to enjoy it because it allows them to have a bit of a laugh at the expense of the Seattle-based software giant. In one internal graphic, they replaced the text of Microsoft’s original error message with one of their own reading, “This information may be intercepted by a foreign sigint system to gather detailed information and better exploit your machine.” (Sigint stands for “signals intelligence.”)
“Quantum Computer”
In 2013 several of the NSA’s surveillance programs were exposed, and in 2014 a Snowden leak published by the Washington Post revealed that the NSA is trying to build a quantum computer that could break much of the encryption used today to protect banking, medical, business and government records around the world. A working quantum computer would open the door to breaking the strongest public-key encryption in use today, including the standard known as RSA, named for the initials of its creators. RSA scrambles communications so that only the intended recipient can read them, without requiring the two parties to share a secret beforehand. It is commonly used in web browsers to secure financial transactions and in encrypted e-mail. RSA’s security rests on the difficulty of factoring the product of two large prime numbers: breaking the encryption amounts to finding those two numbers, which cannot be done in a reasonable amount of time on a classical computer. A quantum computer running Shor’s algorithm would make that factoring step fast, and key length offers no refuge: a 2048-bit RSA key would fall just as a 1024-bit one would. The same holds for the other widely used public-key systems, Diffie-Hellman and elliptic curves, which rest on the discrete logarithm problem. Symmetric ciphers such as AES are affected far less; quantum search at best halves their effective key strength, so AES-256 remains out of reach. Source: Washington Post.com
WARNING: Evidence found of new and meaner ransomware
Security researchers have uncovered evidence of a new piece of malware, called PowerLocker or PrisonLocker, which may be able to take gigabytes worth of data hostage unless end users pay a ransom. The malware is inspired by CryptoLocker, and evidence of its existence was found in discussions that have been taking place on underground crime forums since November. PowerLocker could prove an even more potent threat than CryptoLocker because it would be sold in underground forums as a DIY malware kit to anyone who can afford the $100 for a licence. Furthermore, PowerLocker might also offer several advanced features, including the ability to disable the Task Manager, Registry Editor and other administration functions built into the Windows operating system. Screenshots and online discussions also indicate that the newer malware may contain protections that prevent it from being reverse engineered when run on virtual machines. PowerLocker encrypts files with the Blowfish algorithm, using a separate key for each file; each file key is then encrypted with a 2048-bit RSA public key, so that only the holder of the matching private key can unlock it. The researchers said they had been monitoring the discussions for the past few months. The possibility of a new crypto-based ransomware threat comes as developers continue to make improvements to the older CryptoLocker title. Source: Ars Technica

Yahoo Ad Network abused to redirect users to malicious websites
Internet advertisement networks provide hackers with an effective way of targeting a wide range of computers through malicious advertisements. A recent report published by Fox-IT stated that hackers had been using Yahoo’s advertising servers to distribute malware to hundreds of thousands of users since late last month, affecting users in various countries. According to the post on the Fox-IT blog, “Clients visiting yahoo.com received advertisements served by ads.yahoo.com. Some of the advertisements are malicious”. Once a user loaded a malicious advertisement they were redirected to websites hosting the Magnitude Exploit Kit. The Magnitude Exploit Kit exploits vulnerabilities in Java and installs a variety of malware including ZeuS, Andromeda, Dorkbot/Ngrbot, advertisement-clicking malware, Tinba/Zusy and Necurs. According to the researchers, approximately 9% of visitors, about 27,000 users per hour, were being infected. Based on the same sample, the countries most affected by the exploit kit were Romania, Great Britain and France. At the time it was unclear why those countries were most affected; it was suspected that it may have to do with the configuration of the malware. Mark Loman, a security researcher and developer of the Hitman Pro anti-malware software, also confirmed the issue on Twitter. The Yahoo Security team confirmed the presence of malware on its servers and said it had taken steps to combat the issue. Source: The Hacker News
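The PowerLocker key scheme and the Washington Post story about a factoring quantum computer turn on the same piece of mathematics: a per-file symmetric key wrapped under a 2048-bit RSA public key is safe exactly as long as nobody can factor the modulus. The following toy, an added example that is neither PowerLocker’s code nor anything from the articles, uses textbook RSA with million-range primes (so that trial division finishes in well under a second) and a SHA-256 keystream standing in for Blowfish. It shows that the victim, holding only the public key, the wrapped key and the ciphertext, gets nothing back; that the private key does; and that recovering the two prime factors of the modulus yields the private key outright, which is what a Shor-capable machine would do for a 2048-bit modulus. The function names are my own and the “file” is a constructed byte string.

```python
"""Hybrid file encryption as ransomware uses it, and what factoring the RSA modulus buys.

Added example: not PowerLocker's code and nothing from the Ars Technica or Washington Post
pieces. Textbook RSA with million-range primes, so that the trial-division factoring below
finishes in well under a second, and a SHA-256 counter keystream standing in for Blowfish.
Real deployments use 2048-bit moduli that no classical factoring method handles, padded RSA
and an authenticated cipher; the toy keeps only the structure.
"""
import hashlib
import math
import secrets

def rsa_keygen(p, q, e=65537):
    """Return (public, private) as (n, e) and (n, d) with d = e^-1 mod lcm(p-1, q-1)."""
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)
    return (n, e), (n, pow(e, -1, lam))

def rsa_apply(key, m):
    """Raw RSA: m^exp mod n, used for both wrapping (public) and unwrapping (private)."""
    n, exp = key
    if not 0 <= m < n:
        raise ValueError("value must be smaller than the modulus")
    return pow(m, exp, n)

def factor_modulus(n):
    """Trial division. Feasible for this toy only; Shor's algorithm on a quantum computer
    would do the same for a 2048-bit n in polynomial time, which no classical method can."""
    if n % 2 == 0:
        return 2, n // 2
    f = 3
    while f * f <= n:
        if n % f == 0:
            return f, n // f
        f += 2
    raise ValueError("no factor found: n is prime")

def private_key_from_factors(public, p, q):
    """With p and q in hand, d follows directly: this is what 'breaking RSA' means."""
    n, e = public
    if p * q != n:
        raise ValueError("p * q does not equal the modulus")
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)
    return n, pow(e, -1, lam)

def keystream_xor(key, data):
    """Toy symmetric cipher: XOR with SHA-256(key || counter) blocks. Same call decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + offset.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)

def encrypt_file(public, plaintext):
    """Fresh per-file key, wrapped under the RSA public key; the clear key is never stored."""
    n, _ = public
    file_key = secrets.randbelow(n - 2) + 2          # 2 <= file_key < n, so the wrap is valid
    wrapped = rsa_apply(public, file_key)
    return wrapped, keystream_xor(file_key.to_bytes(8, "big"), plaintext)

def decrypt_file(private, wrapped, ciphertext):
    """Only the private key unwraps the file key; the victim never has it."""
    file_key = rsa_apply(private, wrapped)
    return keystream_xor(file_key.to_bytes(8, "big"), ciphertext)

def demo(plaintext=b"Constructed sample document: Q3 figures, not real data."):
    """Return (private key restores file, factoring n restores file, recovered d == real d)."""
    public, private = rsa_keygen(1000003, 1000033)   # both prime; toy-sized on purpose
    wrapped, ciphertext = encrypt_file(public, plaintext)
    if ciphertext == plaintext:
        raise RuntimeError("encryption did nothing")
    by_owner = decrypt_file(private, wrapped, ciphertext) == plaintext
    p, q = factor_modulus(public[0])                 # the step a quantum computer makes cheap
    recovered = private_key_from_factors(public, p, q)
    by_factoring = decrypt_file(recovered, wrapped, ciphertext) == plaintext
    return by_owner, by_factoring, recovered == private

if __name__ == "__main__":
    print(demo())   # (True, True, True)
```

The point for the defender is the one Tracey Pretorius makes above: with a real 2048-bit modulus the factoring branch of `demo` is not available to anyone today, so the wrapped keys on an infected disk are worthless without the attacker’s private key and backups are the only recovery path that does not depend on the attacker.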
Netgear and Linksys Router Vulnerability Discovered
A hacker and reverse-engineer from France, Eloi Vanderbeken, found an undocumented backdoor service listening on TCP port 32764 of Netgear and Linksys wireless routers. The service accepts commands without any administrator authentication, which allowed him, among other things, to reset the router’s configuration to factory settings, putting the administration username and password back to their defaults. To reach the service an attacker normally has to be on the router’s own network; however, a Shodan scan found more than 2 000 vulnerable routers exposing it to the Internet. Vanderbeken released a Python-based exploit script. The script and a list of routers confirmed as having the backdoor can be found here: https://github.com/elvanderb/TCP-32764 Source: The Hacker News
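The first thing a practitioner wants to know after reading this is whether their own router exposes the port at all, from the LAN and, given the Shodan figure, from the Internet. The script below is an added example, not Vanderbeken’s exploit, and it does not speak the backdoor’s protocol: it only reports which hosts accept a TCP connection on port 32764, leaving model-specific confirmation to the TCP-32764 repository. The subnet it scans by default is a hypothetical home-router range, and the function names are my own; `demo_with_local_listener` runs the scanner against a loopback socket so the logic can be checked offline.

```python
"""Find hosts on your own network that accept connections on TCP/32764.

Added example: this is not Eloi Vanderbeken's exploit and it does not speak the
backdoor's protocol. It answers the first question after the advisory, whether the
router's LAN and WAN addresses expose the port at all, and leaves model-specific
confirmation to the TCP-32764 repository. The subnet below is a hypothetical
home-router range; replace it with the network actually in use.
"""
import socket
from concurrent.futures import ThreadPoolExecutor

BACKDOOR_PORT = 32764  # port the undocumented service listens on

def port_accepts(host, port=BACKDOOR_PORT, timeout=2.0):
    """True if a TCP handshake with host:port completes within timeout; nothing is sent."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:          # refused, unreachable or timed out
        return False

def scan(hosts, port=BACKDOOR_PORT, timeout=2.0, workers=32):
    """Return, sorted, the hosts that accept connections on the port."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda h: (h, port_accepts(h, port, timeout)), hosts))
    return sorted(host for host, is_open in results if is_open)

def subnet_hosts(prefix="192.168.1.", first=1, last=254):
    """Hypothetical /24; the gateway address (often .1) is the one that matters most."""
    return [f"{prefix}{i}" for i in range(first, last + 1)]

def demo_with_local_listener():
    """Offline check of the scanner: a loopback listener is found while open, not after close."""
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind(("127.0.0.1", 0))      # ephemeral port, so nothing real is touched
    server.listen(4)
    port = server.getsockname()[1]
    found_open = scan(["127.0.0.1"], port=port, timeout=1.0) == ["127.0.0.1"]
    server.close()
    found_closed = port_accepts("127.0.0.1", port, timeout=1.0)
    return found_open, found_closed

if __name__ == "__main__":
    print("self-test (found while open, found after close):", demo_with_local_listener())
    exposed = scan(subnet_hosts())
    print("hosts accepting TCP/32764:", exposed or "none")
```

Run it from inside the network against the gateway and, separately, from outside against the router’s public address. An open port is a reason to check the repository’s list of confirmed models, not proof by itself: anything could be listening there, and a router that firewalls the port on the WAN side is still reachable by anyone on the LAN or the guest Wi-Fi.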
International News Bits
badBIOS
Security consultant Dragos Ruiu was in his lab when he noticed that his MacBook Air, on which he had just installed a fresh copy of OS X, started to spontaneously update the firmware that helps it boot. In the following months Ruiu observed that another computer, running the OpenBSD operating system, also began to modify its settings and delete its data without explanation or prompting. Strangest of all, however, was the ability of the infected machines to transmit small amounts of network data to one another even when their power cords and Ethernet cables were unplugged and their Wi-Fi and Bluetooth cards were removed. The power cables were unplugged to rule out the possibility that the infected machines were receiving signals over the electrical connection. Further investigation soon showed that the list of affected operating systems also included multiple variants of Windows and Linux. The ability of the infected machines to transmit encrypted data even though they were “air gapped”, i.e. not connected to any network, but in close proximity to each other, led Ruiu to his theory about badBIOS’ high-frequency networking. He discovered that when he removed the internal speaker and microphone from the air gapped machine, the packets suddenly stopped. He then found that with the speakers and mic intact the isolated computer seemed to be using the high-frequency connection to maintain the integrity of the badBIOS.
“The airgapped machine is acting like it’s connected to the Internet,” he said. “Most of the problems we were having is we were slightly disabling bits of the components of the system. It would not let us disable some things. Things kept getting fixed automatically as soon as we tried to break them. It was weird.” There is much speculation around whether or not badBIOS is real. However, given the evidence Ruiu provided the majority of experts have come to the conclusion that although such an attack could be plausible it is highly unlikely to be true. Sources: Bruce Schneier and Ars Technica
Africa Cyber News
Nigerian Youth Hacker Arrested
A 23-year-old graduate who had been on the wanted list of the Nigeria Security and Civil Defence Corps (NSCDC) for hacking into the websites of government agencies and for selling fake recruitment forms has been arrested. The suspect, who simply gave his name as Adeniji Lukman, was paraded in Abuja in front of newsmen by the Commandant-General of NSCDC, Dr Ade Abolurin. Lukman confessed to hacking into the websites of government and security agencies. He also confessed to selling fake recruitment forms to unsuspecting job seekers. He told news reporters that he was an expert in website design and had been using those skills to defraud many Nigerians. When questioned on why, given his talent, he chose cybercrime, the suspect said, “It is ignorance. I have a talent and I know how to design websites.” Lukman was identified as the notorious hacker responsible for hacking into a series of government agencies, including the NSCDC, States Security Service (SSS), Joint Admissions and Matriculation Board (JAMB), National Examination Council (NECO) and Nigeria Customs Service. The suspect was also alleged to have hacked into the website of the Nigeria Immigration Service (NIS). It is alleged that he also hacked into the website of JAMB and produced questions and answers likely to feature in the examinations and sold them to the public before the Unified Tertiary Matriculation Examination (UTME) was held. The Commandant-General of NSCDC, Dr Ade Abolurin, gave the following briefing on the suspect and his arrest: “The suspect before us is an expert in website design. He can hack into any system, most especially government agencies’ systems. He develops portals through which he used to put some adverts, advertising for recruitment for all these agencies.” Source: Softpedia
Nigeria pushes for 2013 Cyber Security Bill
At a recent gathering in Abuja, attended by experts in Information and Communications Technology (ICT) as well as government officials, attendees deliberated on new developments in the ICT world and their implications for all countries, including Nigeria. Speakers at the event discussed the dangers posed to Nigeria and other countries by cybercrime and called on the National Assembly to, as a matter of urgency, pass into law the 2013 Cyber Security Bill, sent to it by the executive, to protect the nation from cyber attacks and from hackers. The speakers felt obliged to urge the National Assembly to heed this call soon! This step becomes imperative as Nigeria and Nigerians increasingly join the global ICT revolution. As more and more businesses and official operations move into cyber space in Nigeria, it is not unimaginable that the global network of cyber criminals has taken note and is lurking in the shadows, waiting to hit the country. Already, there are cases whereby criminals have begun to clone the official websites of government agencies and businesses with a view to committing crimes. Cybercrime seems to be getting more sophisticated in the country, and a state of unpreparedness, legislation-wise, would be reckless on the experts’ part. It is worth noting that cybercrime alone now costs the world $114 billion yearly. Cybercrime is not limited by geographical barriers, so all businesses across the world are required to fight the growing scourge. Experts say that by passing into law the 2013 Cyber Security Bill, Nigeria will join the rest of the world in the war against crime in cyber space. It is in our national interest, therefore, to take this important step. Nigeria is infamously perceived as a nation of scammers, and undue delay in passing the cyber security bill into law will only reinforce this bad image and lead to incalculable damage to Nigeria’s reputation in the comity of nations. That image is a drawback that the country cannot afford as the government shops for more foreign direct investment to buoy the flailing economy. Therefore, lawmakers are being urged to pass into law the 2013 Cyber Security Bill, to consider the issue as a matter of urgency and to put Nigeria on the same page as the rest of the world in the global fight against cybercrime. Source: allAfrica.com
Ghana becomes a major hub for cybercrime
D.K Mensah, the Chief Executive Officer (CEO) of the Ghana Association of Bankers, has expressed regret that Ghana has been identified as a major hub for cybercrime. The CEO made this known at the opening of a training workshop on E-Crime and Countermeasures in Accra. The training aims to equip participants with the relevant knowledge and skills to detect and prevent electronic-related crimes targeting businesses. The United Nations Office on Drugs and Crime (UNODC) report on the Globalisation of Crime had already highlighted the problem of cyber criminality in Ghana and the West Africa sub-region in 2010. Mensah referred to Ghana’s recent inclusion in the top ten cybercrime offending nations by the Internet Crime Complaint Centre (ICC) through its yearly Internet Fraud Report. Mensah identified e-mail related fraud targeting organisations, hacking attempts targeting government and corporate websites, as well as the use of spyware and key loggers by insiders in collaboration with external perpetrators to facilitate fraud. He noted that regardless of these cases, awareness and knowledge of e-crime among employees in corporate organisations is below the minimum cyber security threshold. He also observed that businesses lagged behind in the implementation of proactive information security measures to detect and prevent e-crimes. The Founder and Principal Consultant of E-crime Bureau, Albert Antwi-Boasiako, also felt that the industry’s readiness to deal with cybercrime issues is below the minimum cyber security threshold, hence the need for a national effort. Antwi-Boasiako added that it had become obvious during his assessment that some business decision makers were not well-informed about cyber security issues and the threat of cybercrimes to their businesses. Additionally, most corporate sector employees were not aware of basic cybercrime and cyber security issues, whilst others had not identified the need for information security personnel to manage corporate cyber security issues and their challenges. He urged organisations to take issues of internet fraud more seriously and to train their staff accordingly. Source: IT News Africa
Ugandan authorities bust cybercrime fraudsters
A gang of cybercrime fraudsters linked to the recent spate of Mobile Money and Automated Teller Machine (ATM) scams is on the run following the seizure of one of their kingpins, a woman, as the Police warn the public to be on the lookout. The Police have discovered a group of fraudsters who connive with Internet cafe owners to defraud the unsuspecting public. One of Kampala’s most notorious computer hackers turned against her comrades because she did not want to go to prison and leave her seven-year-old daughter behind. The hacking group Tusobola Net, whose name literally translates to “we can handle the Internet”, is an umbrella term used in Kampala for an Internet subculture: a collection of online individuals, or ‘hacktivists’, who share common ideas of anti-censorship and freedom of speech on the Internet. The group has carried out cyber attacks on Automated Teller Machine (ATM) cards, banks and other corporate fraud. Tusobola Net is linked to four Bulgarians, Milen Katsarski, Ivan Ganchev, Adrian Dimitrov and Anton Ivanov, who were jailed over ATM fraud. According to the Police, the gang is also linked to three former MTN agents, who hacked into the company’s system and swindled sh3 billion ($34,758,300). Nasozi, who was described as one of the ringleaders of Tusobola Net, pleaded not guilty before Buganda Road Court and was remanded in Luzira Prison. Six other members of the racket are still at large. Three operated from shopping malls while the others are Makerere University students only identified as Rash, TT and Jackson. According to the Police, they fled to Tanzania when their leader was arrested. A preliminary Police report states that the hackers are responsible for a number of attacks on large companies, government agencies and hospitals. Source: allAfrica.com
South Africa looking for skilled ‘cyber warriors’
In his reaction to the Norton Cybercrime Report of 2012, Professor Basie von Solms, Director of the University of Johannesburg’s (UJ) Centre for Cyber Security, claims that, with a dire lack of skills to counter South Africa’s spiralling instances of cyber fraud, it is no surprise that the country ranks third among those most targeted by cyber attacks. The report places South Africa right behind China and Russia as a favourite preying ground for cyber criminals. With developments such as extra broadband, a growing number of mobile applications and the establishment of numerous technology hubs, the South African cyber space has become increasingly attractive to offenders. This alarming situation was highlighted at a talk to alumni of UJ’s Academy of Computer Science and Software Engineering, delivered by von Solms. His address follows news of tens of millions of rands worth of losses experienced by South African shops, restaurants and hotels, caused by a new variant of the malware known as Dexter, on payment card systems. Von Solms notes that cyber risk has rocketed so dramatically that it has risen from twelfth to third position on the Lloyd’s 2013 Risk Index Report of concerns to global business. The report states that the most costly cybercrimes involve malicious code, denial of service and web-based attacks exploiting vulnerabilities. Von Solms, a holder of multiple awards and author of numerous reports on information security, advocates the united efforts of industry, government and academia to tackle the crisis and build desperately-needed skills in the field of cyber security. He suggested the formation of a platform on which all three entities can work to fill critical gaps. “Capacity building is at the core and is urgent,” he states, pointing out that the demand for cyber security expertise worldwide is currently 12 times higher than the requirement for IT professionals.
Countries that recognise this demand include the United Kingdom, where 11 centres for cyber skills development, allied to universities, have been established. The Indian government is currently sponsoring the training of 500 000 ‘cyber warriors’ while South Korea is churning out 5 000 cyber specialists a year. Von Solms says campaigns to raise awareness of cyber security issues are essential. The public, especially new users, are not sufficiently aware of ID theft, phishing schemes, cyber stalking and, at a social level, bullying. Governments and industry, he says, are rolling out mobile systems throughout Africa without cautioning customers about fraud dangers. UJ is a founding member of the South African Cyber Security Academic Alliance, which educates youngsters, in indigenous languages, on cyber risk. Von Solms calls for proactive cyber counter-intelligence in both government and business spheres. “It is clear that traditional, reactive approaches to information security are not enough anymore, and more aggressive methods must be designed to go out there, identify attackers and their motives.” He also criticises government for dragging its feet in effecting legislation. The National Cyber Security Policy, which has been approved by government, remains under wraps. The Electronic Communications and Transactions Act of 2002, presently being rewritten, defines the concept of cyber inspectors to ensure national cyber security, but to date has not been fully implemented, mainly as a result of the skills shortage problem. He also suggests the formation of a parliamentary committee on cyber security to review the safety of government and business systems and provide a platform for ordinary citizens to seek recourse when victimised by cybercrime. “Such a committee should hold oversight hearings where government and business can be held accountable for the security of the systems they roll out, and where ordinary citizens can testify about their cyber problems such as identity theft and financial losses,” he states. Upon his return from Oxford University’s newly established Global Centre for Cyber Security Capacity Building, von Solms felt that “South Africa had the ability to be playing in the big league of cyber security.” He commended the UJ Centre for Cyber Security and states that in some instances their work exceeds that being undertaken in the United Kingdom. Source: IT News Africa
Concern as cybercrime costs Kenyan firms their profits
Kenya is under attack by tech savvy criminals who use the Internet and Information and Communication Technology to defraud innocent citizens and various institutions. By March 2013, financial institutions had recorded losses of up to KSh. 1 billion ($11,594,000), while millions of shillings have since been stolen in cybercrime related incidents. An ICT private security firm, Serianu, says it detects over 1,000 attempted ICT-related attacks on organisations in the country every day. Serianu’s founder and managing director, Mr William Makatiani, says that even though the financial impact of these crimes is not made public, millions of shillings are lost by organisations in the country. Another emerging area of concern in the country is cyber bullying and the spreading of malicious information about individuals and organisations. “On a daily basis we detect a total of 1,000 attempted attacks against organisations and individuals in Kenya. Thousands of cases are dropped because there isn’t a legal framework around cybercrime/cyber security. We desperately need laws in place otherwise we are an exposed digital society,” says Makatiani. In an attempt to save Kenyans from further losses the government has recruited former Permanent Secretary in the now defunct Information Ministry, Dr Bitange Ndemo, to lead an onslaught on cybercrime. Key on the list of things the country should do, the IT expert advises, is to train enough personnel in technology, put in place a structure for collaboration between the State and private sector and initiate cross-border liaison with other countries within and outside Africa. Makatiani told Crime Watch that, “There is an urgent need for collaboration between the private and public sectors in Kenya. Government needs to do a lot more to protect Kenyans against foreign cyber criminals. Without a clear strategy we will get attacked and these foreign criminals will not be prosecuted”. Source: Standard Media
Cybercrime costs Kenyan Government KSh. 2 billion
The Ministry of Information Communication and Technology will have spent KSh. 2 billion ($23,175,000) by the end of 2013 to fight cybercrime. This was said by Dr. Fred Matiangi, Cabinet Secretary, Ministry of Information Communication and Technology, during a Cyber Security Conference held in Nairobi. The conference comes prior to the AU Convention on Cyber Security to be held in January 2014. The Cabinet Secretary added that, because cybercrime is a world issue that affects everyone in one way or another, the private sector and individuals should look for ways in which they can better protect their data. According to Dr Matiangi, “With an internet penetration of approximately 16 million, ICT applications such as e-government services have become enablers for the country’s development. Unfortunately, the same gains are under threat from cyber criminals, whose objective is to illegally compromise online systems. It’s important that countries stay one step ahead of cyber criminals.” Cybercrimes are currently rated as the most committed form of crime worldwide. The most common cybercrimes include account hacking, fraud, dissemination of offensive materials and identity theft, among others. Such crimes have resulted in people losing their property and money, as well as organisations losing important data. These crimes have resulted in world leaders planning to come together to find solutions to cybercrime during the AU Conference. Dr. Fred Matiangi also added that cyber cafes will be subject to regulations to ensure that owners manage their businesses properly. The regulations will be drafted to help cyber cafe attendants manage data from users in case anyone commits a crime, making it easier to track cyber criminals. Internet usage is increasing daily, bringing the world closer, but cybercrime is still helping criminals reap where they have not sown. While law enforcement agencies try to tackle this problem, it is still growing steadily and many people are becoming victims. The best way to avoid being a victim is to protect your sensitive data by making use of impenetrable security that uses a unified system of software and hardware to authenticate any information that is sent or accessed over the internet, something organisations are currently trying to embrace. COMESA Secretary General Mr Sindiso Ngwenya suggested that the Government should provide the police with the necessary training to investigate and curb cybercrimes, adding that the judicial system should also come up with stiff consequences for all cyber criminals. “ICT is a key driver of the knowledge economy, but cybercrime is threatening gains made through adoption of technology in economies. Cybercrime now goes beyond threat to economies to countries and corporations’ security controls. It’s a serious issue that needs to be dealt with fast,” said Mr Ngwenya. Dr Matiangi also announced that the government is supporting the authorisation of the African Union Convention on the establishment of a credible legal framework for cyber security in Africa, which Heads of State will meet to discuss in January 2014. Source: CIO East Africa
4 Major SA Companies Leak Data
In recent months four security flaws were uncovered in four prominent South African websites. How each organisation handled the news clearly illustrates the difference in attitude towards security and the understanding of IT systems.
The four security flaws discovered within the websites of the City of Joburg, Vodacom, Cell C, and Sanral were all similar, and exposed the private information of their clients. The website vulnerabilities were further comparable in that it did not take significant technical knowledge to exploit them. The Internet users who reported these security flaws helped the companies to secure their websites and stop criminals from exploiting them. It is worth mentioning that the majority of the people who reported the security flaws wanted the vulnerabilities to be fixed to protect both the affected organisations and their clients.
City of Joburg
In August 2013 a security vulnerability was discovered in the City of Joburg’s (CoJ) online e-statements system which exposed residents’ and businesses’ personal details. After this vulnerability hit the media, the City of Joburg shut down its e-statements system, claiming that the incident was a criminal act. The city also opened a criminal case against “a suspected offender” after a “thorough forensic investigation by the city and its private IT experts”. What is confusing is that the City of Joburg must have been aware that the alleged “hacker” tried to alert the city to the security flaw, but this attempt failed. Therefore, he felt he had no other choice but to go public with the information. Up to now the City of Joburg has not answered questions or explained why it would open a police case against a person who was trying to help them to fix their security flaw.
Sanral e-toll portal
In January 2014 a hacker identifying themselves as “Moe1” published an informal security advisory warning e-toll users that the PINs used to log into their E-toll website accounts can be easily obtained if their username is known. This was due to a page on the South African National Roads Agency Limited (Sanral) website which could be used to expose the PIN of any registered E-toll website user. Sanral followed the City of Joburg’s strategy, and called the security flaw a “cyber-attack”. Vusi Mona, Sanral’s general manager of communications, stated that, “Sanral strongly condemns the cyber-attack on the online e-toll account management website.” “Some people may not like e-tolls but launching an attack on law abiding citizens, just because they registered an e-toll account, is appalling,” Mona said. It is not clear why Mona would equate highlighting a security flaw to a “cyber-attack” and “launching an attack on law abiding citizens”.
My Vodacom security defect exposes subscriber details
A security fault in the “My Vodacom” online portal exposed Vodacom subscribers’ personal details, including account balances, package details, service providers, average monthly spend, the phone used, PUK and PIN details. The flaw allowed a Vodacom subscriber who was logged into the My Vodacom online portal to enter any Vodacom number and find personal details linked to the entered number. The security flaw was reported to MyBroadband by a concerned forum member, Christopher Brunsdon (cbrunsdonza). Vodacom was notified about the security hiccup on the afternoon of the 26 December 2013 and the company launched a “complete investigation”. Vodacom reported back to MyBroadband on the same day that the flaw was identified, and a patch was developed overnight. The patch was tested successfully on the morning of the 27 December and was deployed into production by midday on the same day. Overall it took less than 24 hours to find and rectify the problem. “Only high level account summary information was exposed such as the type of package and the balances. No banking information was compromised nor was it possible to transact on the affected number,” said Vodacom. Vodacom added that the security of customer information is of paramount importance to them, and that they will be reviewing their systems accordingly. “We’re grateful to Brunsdon and MyBroadband for bringing this to our attention. We take customer data security extremely seriously and with the help of MyBroadband and its members were able to quickly make changes to our systems,” said Vodacom.
Big Cell C security flaw uncovered
A similar security flaw with Cell C’s online portal – aka My Cell C – also occurred which allowed anyone with an internet connection to view personal information about many of Cell C’s subscribers. A concerned Cell C subscriber Eugene Eksteen (aka cavedog), alerted MyBroadband that the “My Cell C My Account” portal provided access to the personal details of many Cell C numbers by using a generic master password. The security flaw was tested by MyBroadband using a new Cell C SIM and existing Cell C accounts. All Cell C numbers could be accessed, except those where the user changed their online password. A wide range of personal information could be accessed through the portal, including account details, banking details, numbers called, PIN and PUK numbers and payment history. According to Eksteen the vulnerability had been there since March 2013, following a system upgrade by Cell C. MyBroadband alerted Cell C to the security flaw on 2nd of January 2014, and the operator confirmed the vulnerability soon afterwards. Cell C replied by stating that, “Cell C can confirm that following a thorough investigation, the security flaw on our online customer portal was identified and resolved.” Cell C said that they suspect the flaw was the result of recent system maintenance. “We are pleased to confirm that by mid-afternoon today [3 January 2014], a patch was developed, tested and deployed and the issue is now fully resolved,” said Cell C. “The security of customer information is of the utmost importance to Cell C and we will be appraising our systems accordingly.” Cell C was thankful to MyBroadband and Eksteen for bringing the security flaw to their attention. Source: My Broadband
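The Vodacom and Sanral flaws above share one root cause: the portal confirmed that the caller was logged in and then trusted whichever number or username the request named, without checking that it belonged to the caller. The Python below is an added example, not code from MyBroadband or any of the operators, showing that flawed handler beside a hardened one; the subscribers, session tokens, phone numbers and the audit log are constructed placeholders.

```python
"""Object-level authorisation for a subscriber self-service portal.

Added example; not code from MyBroadband or any operator named in the article.
It models the flaw pattern described above: the portal confirmed the caller was
logged in, then trusted whichever phone number the request named. The fix is to
resolve the number against the accounts the authenticated session owns, refuse
in a way that does not reveal which numbers exist, and return only the fields
the page needs. Subscribers, sessions and numbers are constructed sample data.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Set


@dataclass(frozen=True)
class Subscriber:
    msisdn: str
    package: str
    balance_zar: float
    pin: str
    puk: str
    bank_account: str


# Constructed sample records (placeholder numbers, not real subscribers).
SUBSCRIBERS: Dict[str, Subscriber] = {
    "27820000001": Subscriber("27820000001", "Prepaid 1GB", 42.50, "1234", "12345678", "ACCT-A"),
    "27820000002": Subscriber("27820000002", "Contract 5GB", 0.00, "5678", "87654321", "ACCT-B"),
}

# Constructed session store: session token -> numbers the logged-in user owns.
SESSIONS: Dict[str, Set[str]] = {
    "sess-alice": {"27820000001"},
    "sess-bob": {"27820000002"},
}

# Denied lookups are recorded here; many denials from one session in a short
# time is the detection signal for someone walking through other people's numbers.
AUDIT_LOG: List[dict] = []


class Unauthenticated(Exception):
    pass


class Forbidden(Exception):
    pass


def account_details_vulnerable(session_id: str, msisdn: str) -> dict:
    """Flawed handler: checks login only, then looks up whatever number was sent."""
    if session_id not in SESSIONS:
        raise Unauthenticated("login required")
    sub = SUBSCRIBERS[msisdn]   # no check that msisdn belongs to this session
    return vars(sub).copy()     # the full record, PIN and PUK included, is returned


def account_details_fixed(session_id: str, msisdn: str) -> dict:
    """Hardened handler: the number must be one the session's own account holds."""
    owned = SESSIONS.get(session_id)
    if owned is None:
        raise Unauthenticated("login required")
    # One identical refusal for "not yours" and "does not exist", so the endpoint
    # cannot be used to enumerate which numbers are valid subscribers.
    if msisdn not in owned or msisdn not in SUBSCRIBERS:
        AUDIT_LOG.append({"session": session_id, "msisdn": msisdn, "result": "denied"})
        raise Forbidden("no such account on this session")
    sub = SUBSCRIBERS[msisdn]
    # Data minimisation: a balance page does not need PIN, PUK or bank details.
    return {"msisdn": sub.msisdn, "package": sub.package, "balance_zar": sub.balance_zar}


def outcome(handler: Callable[[str, str], dict], session_id: str, msisdn: str) -> str:
    """Run a handler and summarise the result as a short status string."""
    try:
        handler(session_id, msisdn)
        return "ok"
    except Unauthenticated:
        return "unauthenticated"
    except Forbidden:
        return "forbidden"
    except KeyError:
        return "error"   # the vulnerable handler crashes on unknown numbers, revealing which exist


def denied_lookups(session_id: str) -> int:
    """Number of denied lookups recorded for a session (input for an abuse threshold)."""
    return sum(1 for entry in AUDIT_LOG if entry["session"] == session_id)


if __name__ == "__main__":
    # Alice, logged in as herself, asks for Bob's number through both handlers.
    print("vulnerable:", account_details_vulnerable("sess-alice", "27820000002"))
    print("fixed:", outcome(account_details_fixed, "sess-alice", "27820000002"))
    print("own account:", account_details_fixed("sess-alice", "27820000001"))
    print("denied lookups for sess-alice:", denied_lookups("sess-alice"))
```

The same ownership check applies to any identifier a user can type into a URL or form, such as the e-toll username in the Sanral case; the denied-lookup count is what a monitoring rule would threshold on.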
Local Training and Events
Wolfpack Cyber Academy
FACT: “The demand for cyber security experts is growing at 12 X the rate of the overall job market.”
We are proud to launch the Information Risk Foundation Programme in South Africa on the 17th of February 2014.
WARNING: This is an intense 4 week programme (full-time or flexi options) that combines the best of classroom training, simulations, continuous assessment plus coaching from a team of experienced instructors & invited industry experts. We include recent incidents as case studies, the latest research, proven methodologies & toolkits from our Research, Threat Intelligence & Advisory teams plus integrate key business and communication techniques into one of the most effective information risk skills transfer programmes around.
Launch Special: We are offering corporates a 10% early bird discount on the normal fee of R49,500 (excl) or US$4,150 per delegate for all applications received by the 14th February 2014. For more information please contact us at academy@wolfpackrisk.com
Note - The 4 week programme commences each quarter in Feb / May / Aug / Nov 2014.
Graduates
Please email academy@wolfpackrisk.com for more information.
“This is a tremendous opportunity for young talented graduates to obtain the skills and support to enter the information security industry.”
Wolfpack will sponsor a limited number of talented graduates each quarter through the programme. For our top achievers there may even be an option for an internship with Wolfpack or its partners. This may just open up a very promising career for you in the information security industry. For more information on how to apply visit: http://www.wolfpackrisk.com/training/
Of Interest
The world’s most dangerous celebrities of 2013
Move over, Emma Watson. You’re so 2012! Lily Collins, star of The Mortal Instruments: City of Bones, topped McAfee’s 2013 list of Most Dangerous Cyber Celebrities. The search for the riskiest pop culture celebrities on the web has been running for seven years now. McAfee’s security experts set out to find the “riskiest” pop culture celebrities on the web, meaning those whose names are tied to the most malicious software (malware), including viruses and spyware, as well as tools designed to steal and exploit personal information for financial gain. Coming in at number 2 was Canadian rocker Avril Lavigne, while third spot is reserved for Oscar-winner Sandra Bullock. The infographic shows the Top 10 most “dangerous” celebrities to click or tap through online, as you might find bad links that could harm your computer or data. McAfee also gathered the following interesting facts from this year’s study:
• Best known for his work on Mad Men and 30 Rock, Jon Hamm (no. 8) is the only male to crack the Top Ten. Justin Timberlake came in at no. 12 and Patrick Dempsey at no. 13, but no one else in the Top 20.
• A total of 17 musicians made it into the Top 50, with a number of pop divas in the Top 10: Avril Lavigne (no. 2), roaring Katy Perry (no. 6), and Vegas-bound Britney Spears (no. 7).
• Funny celebs tied to malware are no laughing matter. Along with Sandra Bullock (no. 3), there is also Kathy Griffin (no. 4), Amy Poehler (no. 17), Ellen DeGeneres (no. 23) and two Jimmys: Fallon (no. 24) and Kimmel (no. 39).
• Reality stars can also slap you into the reality of online scammers. The Voice co-judges Blake Shelton (no. 21) and Adam Levine (no. 32) were the highest on the list, followed by the Kardashian clan: Kanye West (no. 22), Kourtney Kardashian (no. 27), Kim Kardashian (no. 35), Khloe Kardashian (no. 36), Kris Jenner (no. 38) and Ryan Seacrest (no. 40).
• Latinas livin’ la vida loca also spiced things up in the Top 20: Shakira (at no. 11), Selena Gomez (no. 14), Demi Lovato (no. 16) and Eva Mendes (at no. 19).
How to stay protected
McAfee provided Yahoo Digital Crave with the following tips and tricks:
• Be cautious of content that tells you to download anything before providing you with the content. You may want to opt to watch streaming videos or download content from the official websites of content providers.
• Free downloads are the highest virus-prone search terms. Anyone searching for videos or files to download should be careful not to install malware on their computer.
• It is advisable to always use password protection on your phone and other mobile devices. If your phone is lost or stolen, anyone who picks up the device could publish your information online.
• Established news sites may not entice you with exclusives for one solid reason: because they do not have any. Try to use official news sites that you trust for breaking news. However, trusted sites can also fall prey to hackers. Ensure you use a safe search tool that will notify you of risky sites or links before you visit them.
• Try to avoid downloading videos from suspicious sites. This is the golden rule that is worth repeating: do not download anything from a website you do not trust, especially videos. Most news clips you would want to see can easily be found on official video sites, and do not require you to download anything. If a website offers an exclusive video for you to download, do not.
• If you receive a message, text or email, or visit a third-party website, that asks for your information, email, home address, credit card, Facebook login details or other information for access to an exclusive story, do not give it out. Such requests are a common tactic for phishing that could lead to identity theft.
• When searching for information on a major event or celebrity in the news, make sure all your household devices, for example PCs, Macs and mobile devices, have protection enabled to protect you from the latest threats online.
Source: Yahoo
Awareness
This episode looks at privacy and how cyber criminals are able to exploit your private information.
One morning in Cyberville at crime boss Robin Moola’s headquarters... situated a stone’s throw away from the local police station.
I wish we could catch those cyber criminals wreaking havoc in our citizens’ private lives!
OK - gather around everyone. Let’s begin our strategy workshop.
Cyber criminal syndicate strategy meeting....
THAT’S NOT DIFFICULT! People are so careless with their information! That’s what makes our job so easy!
All these late-night hacks have made me tired... zzzzz
Let’s see what business trends are hot for this week so we can FIND A WAY TO TAP INTO THEM
We need to be more proactive & obtain the private details of our victims’ lives
THE PERSONAL INFORMATION ON YOUR PROFILE MAKES YOU VULNERABLE TO ATTACK
social networks
Here is the updated target list! Let’s hit them hard chaps... I want to get our corporate jet by December!

How criminals target and monetise personal information:
• Username & passwords
• Identity hijacking
• Email harvesting
• Virtual goods
• Web server
• Financial
• Extortion
• Botnets

68% of people with public social media profiles shared their birthday information
12% shared their pet’s name
63% shared their high school’s name
18% shared their phone number
Shady
Speciality: credentials and passwords
1. Compile prospective innocent victim (“IV’s”) list
2. Hack into “IV’s” computers
3. Install spyware onto “IV’s” computer to capture their keystrokes
4. Use captured information to log into victim accounts:
   * bank or financial accounts, to steal & transfer money
   * iCloud, Google Drive or Dropbox accounts, to access all sensitive data
   * Amazon or other online shopping accounts, to purchase goods in “IV’s” name
   * UPS/FedEx accounts, to ship stolen goods in “IV’s” name

Lookout
Speciality: email harvesting & virtual goods
Email harvesting:
1. Scan all “IV’s” emails for information to sell, i.e.:
   * all the names, email addresses and phone numbers from their contact list
   * all their personal or work emails
2. Compile “IV’s” database information to sell
Virtual goods:
1. Copy and steal any virtual goods from “IV’s”
2. Sell stolen virtual goods, i.e.:
   * online gaming characters, gaming goods or gaming currencies
   * any software licences, operating licence keys or gaming licences

H.I.Jack
Speciality: botnets & identity hijacking
Botnets:
1. Connect “IV’s” hacked computer to an entire network of hacked computers controlled by me
2. This network is called a botnet, which I use for:
   * sending out spam to millions of people
   * launching denial of service (DDoS) attacks
Identity hijacking:
To steal “IV’s” online identity to commit fraud, or to sell “IV’s” identity to others, i.e.:
   * Facebook, Twitter or LinkedIn
   * email accounts
   * Skype or other IM accounts

Robin Moola
Speciality: web server, financial & extortion
Web server:
Turn hacked computer into a web server to use for the following:
   * hosting phishing websites to steal other people’s usernames & passwords
   * hosting attacking tools to hack victim computers
   * distributing child pornography, pirated videos or stolen music
Financial:
Scan “IV’s” system for valuable information, i.e. credit card information, tax records and past filings, or financial investments and retirement plan
Extortion:
Demand money from “IV’s” in the following ways:
   * take pictures of them with their computer camera & demand payment to destroy or not release the pictures
   * encrypt all data on their computer and demand payment for it
   * track all websites they have visited and threaten to publish them

THINK... BEFORE YOU SHARE TOO MUCH
They are after YOUR information!!
Msizi the meerkat on PRIVACY:
1. Username and passwords: Create strong and unique passwords with upper, lowercase, numbers and special characters
2. Social media: Don’t share personal information and ensure that your privacy settings are in place
3. Malware: Always check your downloads are not malicious
4. Home wi-fi: Always change your home router’s settings by customising your password and network name
5. Hotspots: Don’t connect to a hotspot just because it carries the name of an airport, coffee shop etc. Always get the password from the shop management

Be alert!! Remember, you are a target! Always follow these awareness tips.
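As an added example (not part of the magazine or the Alert Africa cartoon), a Python password check that applies Msizi’s tip 1 and also rejects passwords built from the profile details the cartoon’s statistics show people publish (birthday, pet’s name, high school, phone number). The sample profile is constructed, and the rules for turning profile details into guessable tokens are my assumption.

```python
import re
from datetime import date

# Msizi's tip 1: upper, lowercase, numbers and special characters.
CLASS_PATTERNS = {
    "upper": r"[A-Z]",
    "lower": r"[a-z]",
    "digit": r"[0-9]",
    "special": r"[^A-Za-z0-9]",
}

# Constructed sample profile with the details the cartoon's statistics show
# people publish: birthday, pet's name, high school and phone number.
SAMPLE_PROFILE = {
    "birthday": date(1985, 3, 15),
    "pet_name": "Rex",
    "school": "Parktown High",
    "phone": "+27 82 555 0147",
}

def profile_tokens(profile):
    """Strings a public profile hands to a password guesser. Assumed rules:
    birthday in common layouts, words of 3+ letters, phone and its last 4 digits."""
    tokens = set()
    bday = profile.get("birthday")
    if bday:
        for fmt in ("%d%m%Y", "%Y%m%d", "%d%m%y", "%d%m", "%Y"):
            tokens.add(bday.strftime(fmt))
    for key in ("pet_name", "school"):
        for word in re.findall(r"[A-Za-z]{3,}", profile.get(key, "")):
            tokens.add(word.lower())
    digits = re.sub(r"\D", "", profile.get("phone", ""))
    if len(digits) >= 4:
        tokens.update({digits, digits[-4:]})
    return tokens

def check_password(password, profile, min_len=12):
    """Return the reasons a password is weak; an empty list means it passes."""
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    for name, pattern in CLASS_PATTERNS.items():
        if not re.search(pattern, password):
            problems.append(f"missing {name} character")
    lowered = password.lower()
    for token in sorted(profile_tokens(profile)):
        if token in lowered:
            problems.append(f"contains profile-derived token '{token}'")
    return problems
```

Running `check_password("Rex1985!", SAMPLE_PROFILE)` flags the short length plus the pet name and birth year, while a long passphrase that uses every character class and none of the profile tokens returns an empty list.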
Visit alertafrica.com for more cartoons, videos and resources
Research and Threat Intelligence Advisory Training Awareness