Archive for the 'Cyber Crime' Category

Use Webmail? Time To Change Your Password

Various news media are reporting that over 30,000 email accounts belonging to users of web-based email providers such as Gmail, Yahoo! Mail, Hotmail and AOL (to name a few) have been compromised.  The exact nature of the compromise is still unclear.  Some reports state that the accounts were compromised by a phishing attack.  Others, including some of the sources I have spoken to, state that the accounts were compromised as the result of a trojan or keylogger infecting the victims' machines.

Either way, if you use a webmail-based service you should change your password.  Also make sure you do not use the same password across different systems, because if your email password has been compromised then those other systems could also be accessed by the criminals.  If you are responsible for managing the security of your organisation, consider that some of your users may use the same password for their personal email and their corporate account.  You should monitor your access logs and, if you detect any suspicious activity, such as logins from countries your users are not based in, react accordingly.  The CyberCrime & Doing Time blog has a good post on the topic which analyses how they believe the attack may have happened.
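
As an added example (not code from the original post), the script below applies the access-log check described above to constructed webmail login records: it flags successful logins from countries the organisation's users are not based in and, going one step beyond the text, a user whose successful logins switch country within a short window.  The log format, IP ranges, the tiny country table standing in for a GeoIP lookup and the IE/GB list of expected countries are all assumptions.

```python
"""Flag suspicious webmail logins in an access log.

Added example, not from the original post. The log format, IP ranges and
country table are constructed for illustration; a real deployment would
read the mail server's own log format and use a GeoIP database instead.
"""
from datetime import datetime, timedelta
import ipaddress
import re

# Countries the organisation's users are actually based in (assumption).
EXPECTED_COUNTRIES = {"IE", "GB"}

# Stand-in for a GeoIP lookup: constructed documentation networks -> country.
GEOIP_TABLE = {
    ipaddress.ip_network("198.51.100.0/24"): "IE",
    ipaddress.ip_network("203.0.113.0/24"): "GB",
    ipaddress.ip_network("192.0.2.0/24"): "RO",
}

# Constructed sample log lines in a simple key=value format.
SAMPLE_LOG = """\
2009-10-06T08:12:01Z user=alice result=success ip=198.51.100.23
2009-10-06T08:15:44Z user=bob result=failure ip=192.0.2.77
2009-10-06T08:15:52Z user=bob result=success ip=192.0.2.77
2009-10-06T08:45:30Z user=alice result=success ip=192.0.2.150
2009-10-06T09:02:10Z user=carol result=success ip=203.0.113.9
2009-10-06T11:00:00Z user=carol result=success ip=198.51.100.40
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) result=(?P<result>\S+) ip=(?P<ip>\S+)$"
)


def country_for(ip):
    """Return the country code for an IP, or '??' if it is in no known range."""
    addr = ipaddress.ip_address(ip)
    for net, cc in GEOIP_TABLE.items():
        if addr in net:
            return cc
    return "??"  # unknown network: never counts as an expected country


def parse_log(text):
    """Parse log text into (timestamp, user, result, ip, country) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole run
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["user"], m["result"], m["ip"], country_for(m["ip"])))
    return events


def find_suspicious_logins(events, window_hours=1):
    """Return alerts for successful logins that need a second look.

    Rule 1: the login came from a country outside EXPECTED_COUNTRIES.
    Rule 2: the same account logged in from two different countries
            within window_hours (a change too quick to be ordinary travel).
    """
    window = timedelta(hours=window_hours)
    alerts = []
    last_success = {}  # user -> (timestamp, country) of latest successful login
    for ts, user, result, ip, cc in sorted(events):
        if result != "success":
            continue  # failed attempts are not part of these two rules
        if cc not in EXPECTED_COUNTRIES:
            alerts.append(("unexpected_country", user, ip, cc))
        prev = last_success.get(user)
        if prev and prev[1] != cc and ts - prev[0] <= window:
            alerts.append(("country_change_within_window", user, ip, f"{prev[1]}->{cc}"))
        last_success[user] = (ts, cc)
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_logins(parse_log(SAMPLE_LOG)):
        print(*alert)
```

With the sample data, bob and alice are flagged for logging in from an unexpected country and alice is also flagged for switching country within the hour, while carol's GB-to-IE change almost two hours later is not.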

I was interviewed by both the SiliconRepublic and RTE today on this issue.


The Worm has Turned

The Sunday Business Post published an article yesterday in its Computers in Business supplement.  The article, The Virus Evolution, has Gordon Smith discussing with me and a number of other industry experts the changes we have seen in how computer viruses have developed over the years.

Modern viruses are more complex than those we have seen previously.  The main reason behind this trend is that organised crime is now heavily involved in the development and propagation of computer viruses.  In previous years viruses were developed by people looking to become famous and gain “street cred” amongst their peers.  Their motivation was simply to gain notoriety as the individual who infected x number of PCs, and therefore the type of viruses they wrote would be very noticeable.

Those virus writers are still out there, but the majority of viruses are now being written by organised criminals, primarily in Russia, Eastern Europe and Asia.  These viruses are written so that the criminals can make money, and therefore are designed not to be noticeable and to infect PCs silently.  The main ways they make money with viruses are as follows:

Keylogging

Some viruses have a feature whereby they monitor the keyboard and screen of the PC they have infected.  All the keystrokes the user types are captured and then sent to the criminals, either via email or as a file transferred to a server under the criminals’ control.  The type of information captured can include passwords, credit card numbers and banking details.  Some of the viruses are now sophisticated enough to capture only the information the criminal wants by detecting, for example, when you access a secure website such as your online bank.

Botnets

This is the biggest threat we now face.  Botnets are computers that have been infected with a virus that enables the criminals to remotely control all the computers infected with that virus.  So instead of having to rely on his or her own computers, the criminal can now use thousands, if not hundreds of thousands, of infected PCs to carry out their activities.  These include:

Spam
A botnet enables the criminals to send out spam which bypasses some of the traditional filtering methods.  Previously spam would originate from one source, so once identified it could be blocked by most filters by ignoring email from that source.  This would force the criminal to find another server to send their spam from.  With a botnet the criminal can send spam from each of the compromised computers they have, so instead of thousands of emails coming from one source the criminal now just sends out one email from thousands of sources, making it harder to detect.

DDOS
In order to attack a site with a Distributed Denial of Service attack, the criminals can have the thousands of PCs they control make legitimate requests to the target server, overwhelming it so that it effectively becomes unavailable to legitimate users.  The criminals will then try to extort money from the target organisation to prevent the attack happening again.

Botnet for hire
Criminal gangs are now offering their botnets for hire for people to either send spam, propagate a new virus or conduct a DDOS attack against a victim.  You can hire a botnet for a few hours for only a few hundred dollars.  Many criminals are also now offering service level agreements and guaranteed levels of service to entice customers.  Many of these customers would be people wishing to send out spam email but not having the resources themselves, or people targeting companies with a DDOS attack either to extort money or for other motives such as politics or revenge.

Targeted Malware
Some viruses are written specifically for a certain target.  The criminals, or indeed a hostile nation, may want information from a certain target.  A virus will be written specifically for the target organisation so that specific information or other details can be extracted.  That virus would then be sent to targeted individuals in the organisation either as an infected program, an infected document (Word or PDF) or, most likely, as a link to a website hosting code that exploits vulnerabilities in the target’s browser, which are then used to download the malware.

From an Irish point of view, IRISS has seen these types of viruses installed on a number of compromised Irish websites.  Very often the website owner is unaware that their site has been compromised and is now silently infecting the PCs of anyone who visits it.  These infections happen by the malware exploiting vulnerabilities in the client’s web browser.  More recently, vulnerabilities in some Adobe products have also been exploited.  All of this is done seamlessly; the victim will not notice anything happening.

IRISS has also been involved in dealing with Irish sites that have been compromised by criminals to host phishing sites for organisations outside of Ireland, e.g. financial institutions and tax authorities in other countries.  People in the target country are then directed to the phishing site via phishing emails.  Once they visit the site they are prompted to download the latest e-banking software, which is in fact an infected file that the criminals have put onto the website in order to capture the victims’ financial details.

Finally, IRISS has also seen Irish websites being compromised with malware that pops up a window within the victim’s browser warning them that their PC is infected with a computer virus and telling them to download a free anti-virus tool to detect and remove the viruses.  This software turns out not to be anti-virus software but is in fact a ruse to install viruses onto the victim’s PC.  Some of this “scareware” also asks the victim to buy the software so it will remove the viruses, so the victim not only gets viruses installed on their PC but also pays for the privilege and, of course, has now given their credit card details to criminals.

How these Irish websites get infected we are not 100% sure, but we suspect one of the following:

  • The criminals exploit a vulnerability in the web server software to place their malware on the site
  • The criminals have obtained login credentials from the owners or developers of the website as a result of a virus infecting the website administrator’s PC
  • Weak login credentials are being used on the website, e.g. people using simple passwords to FTP information onto the site.

To protect against these viruses you should:

  • Use reputable anti-virus software
  • Make sure your anti-virus software is updated regularly
  • Apply the latest patches to your operating system and ALL the applications you use.  Criminals are targeting other products such as Adobe, iTunes, RealPlayer etc.
  • Do not open files in email attachments until you have verified they come from a trusted source and there is a legitimate reason for them to send you the file
  • Do not click on links in emails sent to you until you have verified they come from a trusted source and there is a legitimate reason for them to send it.
  • Make sure users are aware of the risks – I recommend companies run these sessions with a view to educating people on how to protect themselves online using their home PCs, as this gets better engagement from the staff because the issue is more personal to them
  • Make sure you have email filtering to detect viruses, spam and other suspicious files.
  • Make sure your web browsing gateway has anti-virus capabilities and will block suspicious files
  • Make sure that mobile workers have appropriate protections on their laptops (e.g. the first three points above) and that they use a firewall on their laptop when accessing the Internet away from the office.
  • Ideally you should try to force all their Internet connections to route via your company’s VPN and not allow them to access the Internet directly.  Using your VPN connection ensures they have the same level of protection as if they were in the office.
  • Ensure all mobile devices are checked for viruses before allowing them to connect back onto your network.
  • USB keys are becoming a common vector for computer viruses to spread, so make sure that you have appropriate endpoint controls in place to ensure infected USB keys cannot impact your network.  For example, allow users to use only certain authorised USB keys (there are software solutions available to manage this) and disable the autorun feature within Windows, which will help prevent any viruses from being run when the USB key is inserted into the PC.

And for those Apple Mac and Linux users out there, don’t think that you are immune from these attacks.  Many of the modern attacks are now targeted at the browser and applications and not just the operating system.


Securing Ireland’s Digital Future

Ireland’s economy is now more than ever dependent on information technology and the Internet.  Both have enabled consumers and businesses alike to better access and deliver services, create new markets, exchange information rapidly and process information more efficiently.  Technology and the “knowledge economy” are now seen by the Government as a strategic path to get Ireland’s economy back on track again.  Indeed the Minister for Communications, Energy and Natural Resources, Eamonn Ryan TD, recently unveiled the Government’s smart economy strategy to create Digital Ireland.  The plan, titled “Technology Actions to Support the Smart Economy”, looks to develop over 30,000 jobs in areas such as ICT, green technology, cloud computing and energy efficient datacentres.

However, this increasing reliance on information technology brings with it numerous risks and threats that, if not properly addressed, could result in a significant negative impact on Ireland’s economy and potentially on the country’s national security.

The recent Eircom outages resulting from attacks by unknown hackers highlight the very risks that are posed to the Irish Internet space.  Eircom have admitted that these attacks were the result of DNS poisoning, but we still have no further details as to the vulnerabilities exploited by the attacker(s).  Nor do we have any insight into the motivation behind the attacks.  Speculation has ranged from the same hackers that attacked US and South Korean sites, to Russian mafia gangs, to disgruntled Eircom customers.

Eircom is the largest ISP in the country, providing Internet services for its own customers but also for many other telcos and ISPs that piggyback on the Eircom infrastructure.  By default, then, Eircom can be classified as part of our Critical Network Infrastructure.

Eircom admit in their own press release that they had to patch some of their systems to deal with the attack.  They even acknowledge that some of their remediation steps may have caused additional outages for their customers.  This to me is something extremely worrying and raises questions such as:

  • Why is a key provider of our Critical Network Infrastructure not applying patches in a proactive manner?
  • Why did it take an attack to ensure that the appropriate patches and fixes were applied?
  • What incident response capabilities and pre-planning were in place to ensure that the source of the attacks and the systems affected were quickly identified, remediated with minimum impact and fully recovered?

The main concern I have is what is being done to ensure that the organisations who make up our Critical Network Infrastructure, whether they be private or government entities, are properly securing those systems?  What reassurances do we have that all ISPs have applied the appropriate security patches to their DNS servers and indeed other key elements of their infrastructure?

Industrial and state espionage is not a new thing, and with the introduction of information technology it has become even more prevalent.  Countries like the US, UK, France, Belgium and India have all raised concerns about foreign nation states targeting high tech resources in their respective countries.  As recently as late July a German counter intelligence official claimed that Germany is losing an estimated €50 billion and 30,000 jobs a year as a result of industrial espionage.  Some of the key industries included renewable energy and communications, the very industries outlined in the Irish Government’s smart economy strategy to create a Digital Ireland.

A number of the countries, such as the US and the UK, have learned from their experiences and are quickly appointing people to ensure their nations’ digital assets are protected. 

Indeed in the United States this whole issue has even gotten the attention of the President.


Listen to the above speech and see how the U.S. is taking this issue seriously, and then compare it with the answer below given by our Minister of Defence to a question posed to him on what steps Ireland has taken against the “cyber risks and threats”:

Cyber security, cyber crime and internet security represent challenges that are constantly evolving and require vigilance and appropriate responses. Cyber security is multi-faceted. The nature of the threat and the potential impact also varies considerably depending on the approach and objective of those with malicious intent.

In the first instance, each State agency, business and individual should take every precaution with regard to their security. Awareness of security, the risks and available safeguards, can be seen as the first line of defence for the security of information systems and networks. I am aware of considerable activity in this regard. My colleague the Minister for Communications, Energy and Natural Resources has undertaken a number of awareness campaigns aimed at individuals, SMEs, the education sector, the public sector and business. My colleague the Minister for Justice and the Garda Siochana are also active in areas such as cyber crime and cyber bullying. The legislative programme includes the Criminal Justice (Cybercrime) Bill, being prepared by the Department of Justice. This Bill gives effect to the Council of Europe Convention on Cybercrime as well as to the EU Framework Decision on attacks against Information Systems.

My Department and the Defence Forces focus on the risks and threats arising in the context of the roles laid down by Government for the Defence Forces. My Department and the Defence Forces implement a programme of continuous review in relation to ICT security in order to keep up to date with current threat levels. This risk assessment is carried out by a high-level Board comprising civil and military personnel and is supported by sub-groups who carry out specific reviews where a security risk is identified. Detailed policies and guidelines are provided to all users of ICT systems and considerable resources are invested in assessing weaknesses and protecting systems against cyber attack and malicious security breaches.

I would also point out that the Defence Forces take comprehensive measures with regard to the security of their information and communications systems when deployed, in Ireland and overseas. Details of measures taken are not publicised for security reasons, but given the levels of upgrading and increased protection put in place in recent years, the vulnerability to such attacks has been greatly minimised.

via Kildarestreet.com

I think the fact that Ireland’s CERT (IRISS) is a not-for-profit organisation run by a number of volunteers and depends on sponsorship to survive is another indicator as to how seriously the Government appears to view cyber security.

If we as a nation want to seriously become a knowledge economy then we need to take a strategic view on how we protect the digital assets that we are trying to develop.  We need to develop a cyber security strategy and ensure that someone is given the responsibility and, most importantly, the authority to ensure that all organisations that make up our Critical Network Infrastructure, and upon whom we rely to create the new Digital Ireland, do so in a secure manner.


Largest Breach Ever

Courtesy of Brian Krebs from the Washington Post, it appears that the largest ever breach of credit card data may have occurred.  It appears that a payment processor company in the United States, Heartland Payment Systems, discovered malware on their network that may have captured the credit and debit card details of over 100 million credit cards.  The data captured include names, credit and debit card numbers and expiration dates.

There are no details yet as to how the malware got onto their network, or indeed what type of malware it is or the type of systems infected.  Often when I do security assessments for clients I see strong malware controls on desktops and servers, but the network itself is one area that is often overlooked.  Routers, switches and other network components are often never looked at once they have been installed.  These devices invariably are not included in any vulnerability or patch management strategy and will probably not have been upgraded, reviewed or tested since they were installed.  This leaves a gaping hole in your security infrastructure, as once an attacker controls a router or switch they have access to all the data that passes through it.

Another item to consider is what monitoring was in place to detect any suspicious behaviour.  Again this is often something I find clients overlook as part of their information security infrastructure.  The article does explain that Heartland found the malware as the result of an investigation so to be fair it is possible that their monitoring systems alerted them to some suspicious behaviour.  However, until more details are available we can only rely on speculation at the moment.

No doubt questions will be asked as to whether or not Heartland was PCI compliant.  To me this is a non-issue.  If you have implemented a strong information security infrastructure then PCI compliance, or indeed any compliance, will practically be a side benefit.  As always I will repeat the mantra, just because you are compliant does NOT mean you are secure.

I await more details on this breach with interest.  As always we should use all of these breaches as an opportunity for ourselves to learn how better to protect our own networks and data.


Irish Cyber Crime Survey Results

While not yet published, some of the results from the 2007 Irish Crime Survey were revealed on SiliconRepublic.com. The survey was compiled by the Irish chapter of the Information Systems Security Association (ISSA) and University College Dublin’s Centre for Cybercrime Investigation. The survey looks at attacks and intrusions at both public and private organisations during the course of 2007.

What is interesting is that 1 in 4 organisations surveyed admitted to having experienced an external intrusion into their systems, while 30% stated they experienced denial-of-service (DoS) attacks.

One figure that struck me was that despite a high number of organisations reporting internal security breaches, only 14% of those surveyed were concerned about employees accessing data they should not, and only 8% rated internal intrusions in their top three security concerns.

Organisations need to wake up to the fact that one of the biggest threats to their security is their own staff. If we look at the recent spate of reported data losses here in Ireland, the vast majority resulted from lost laptops or mobile devices.

So when it comes to securing your systems and your information, remember those that you trust the most are the ones that can hurt you the most.

The detailed survey will be available from the ISSA Ireland’s website later next week.


Credit Unions Warn About Phishing Emails

The Irish League of Credit Unions (ILCU) has issued a warning alerting people to spoofed emails that are trying to get credit union customers to surrender their personal details.  People are advised to ignore the emails.  The warning from the ILCU can be found here.


EU Proposed Internet Crime Hotline

Apparently the EU is proposing an Internet crime hotline so that people can report online crimes to Europol.  The Irish Justice Minister, Dermot Ahern, supports the move.  While I support any moves to make the lives of cyber criminals more difficult, I do find it frustrating that our own government does not see fit to set up a CERT to provide for users of the Irish Internet space.


Phishing Is Not Your Phriend

While doing some research for a client I came across an interesting video on YouTube about phishing.  Paul Laudanski, the founder of CastleCops, discusses phishing from the methods used through to detection and tracking.  Well worth having a look.


Estonian Government Releases Cyber Strategy Paper

The Estonian Government has released a strategy paper on enhancing cyber security.  This is an interesting read, as we can all learn from the lessons of the cyber attacks against Estonia last year.  The report makes for interesting reading, and yet it is still sad to see that governments and many organisations only take computer security seriously after they have suffered a major attack.

Do you think this paper would have seen the light of day had Estonia not been the victim of a major Distributed Denial of Service attack last year?  I also wonder how many government officials here in Ireland are working on a similar paper to defend the Irish Internet space.


Cyber Crime is a Real Business Issue

A recent report released by Finjan highlights that cyber crime is a growing concern for businesses of all sizes. Ninety-one percent of the 1,387 IT managers surveyed consider cyber crime a major risk to their business, with 73% claiming data theft is more worrying than downtime or malware infection. What is even more interesting is that 25% of those surveyed admitted to having been the victims of cyber crime.

The fact that 1 in 4 companies have been a victim of cyber crime is something that should concern us all. Remember, no company exists in isolation; we depend on our customers, partners and vendors to enable our companies to survive. So even if your company has not been the direct victim of cyber crime, what exposure do you have through the other companies you have close ties with? Have you clarified in contracts and SLAs who is responsible for certain areas of information security and, more to the point, what disclosure mechanisms do you have in place in the event that one of your partners or vendors is the victim of cyber crime?

Maybe you should take some time to reflect on how integrated other companies are with your own, and perhaps review your incident response plan to see how best to react in the event that one of them, or indeed you, becomes the victim of cyber crime.
