Silver Tail Systems Blog

Preventing Online Fraud Through Web Session Intelligence

Good Guys Collaborating as well as the Bad Guys? Congress Taking Steps

Many of you may be tired of me harping about how well the criminals coordinate with one another and how poorly we, on the other side, work together. It looks like the government may be taking a step to help organizations work more closely together to protect each other.

The article talks about how the government doesn’t want to add too much burden to businesses and that is obviously critical. But, I’m thrilled by the idea that corporations and other organizations can have the opportunity to work together in a way that could benefit the entire ecosystem.

One of the biggest hurdles I see with this is that many times organizations see their data about attacks as a valuable asset. If it takes an organization fifty man hours and $200,000 in development of tools to identify a particular threat or set of data, why would they want to share that with others? Should they get paid for sharing this data? Is there some other way that these organizations could be compensated for this information?

December 6, 2011 | Detection, education, information security, Investigation

Large-scale Attacks Draw Attention – Is It Warranted?

Recent industry coverage has revealed that the same attack that RSA suffered earlier this year has also hit 760 other companies – a list of which has been published here. It is very important to note, however, that this is actually a list of IP registration records associated with victim IPs, which explains why so many telecoms and hosting companies are on it.

The list itself may actually be quite misleading, but it still brings to light the fact that many of the organizations (or users using their networks) were potentially at risk of an attack. Of course companies don’t want to admit that they’ve been compromised (recent guidance from the SEC is looking to address the disclosure issue), though the fact that companies didn’t disclose these attacks earlier does not necessarily mean they did so purposefully.

Companies are often unaware that they were at risk in the past, or that they have been at risk over a long period during which criminals took advantage of them without the organization knowing. We refer to these types of threats as Advanced Persistent Threat (APT). APT is exceedingly difficult to detect and block, and many companies are not adequately prepared to defend against it.

Context for security alerts is critical when defending against APT. Organizations should have visibility into all activity of individual users and/or IP addresses; they can’t rely on analysis of isolated activities. To understand what normal behavior looks like, you need an accurate profile built for each user so that anomalous behavior can be pinpointed against it. That is why full web session intelligence is imperative to identifying and stopping cybercriminals today; it is a key component of defending organizations against APT and avoiding the fallout after a public attack disclosure.
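As an added illustration of the profiling idea above (example code written for this page, not code from the original post or from Silver Tail's product), the following Python builds a per-user baseline from constructed access-log lines and then scores a later session of the same account against it, reporting pace, never-seen pages and off-hours activity. The log format, the sample users and paths, and the ten-times speed threshold are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Constructed access-log lines (not from the original post): user, timestamp, path.
BASELINE_LOG = """\
alice 2011-10-01T09:00:00 /login
alice 2011-10-01T09:00:40 /account/summary
alice 2011-10-01T09:02:10 /account/statements
alice 2011-10-01T09:05:30 /logout
"""
# Same account days later: machine-paced, at 3 AM, on a page this user never visits.
SUSPECT_LOG = """\
alice 2011-10-05T03:00:00 /login
alice 2011-10-05T03:00:01 /account/summary
alice 2011-10-05T03:00:02 /transfer
alice 2011-10-05T03:00:03 /logout
"""

def parse_sessions(text):
    """Parse 'user time path' lines into per-user lists of sessions, split at /logout."""
    sessions, current = defaultdict(list), defaultdict(list)
    for m in filter(None, map(re.compile(r"^(\S+) (\S+) (\S+)$").match, text.splitlines())):
        user = m.group(1)
        current[user].append((datetime.fromisoformat(m.group(2)), m.group(3)))
        if m.group(3) == "/logout":
            sessions[user].append(current.pop(user))
    for user, open_sess in current.items():  # sessions still open at end of log
        sessions[user].append(open_sess)
    return sessions

def build_profiles(text):
    """Per-user baseline from history: paths visited, active hours, mean request gap."""
    profiles = {}
    for user, sess_list in parse_sessions(text).items():
        paths, hours, all_gaps = set(), set(), []
        for sess in sess_list:
            paths.update(p for _, p in sess)
            hours.update(t.hour for t, _ in sess)
            all_gaps += [(b[0] - a[0]).total_seconds() for a, b in zip(sess, sess[1:])]
        profiles[user] = {"paths": paths, "hours": hours, "mean_gap": mean(all_gaps or [0.0])}
    return profiles

def score_session(profile, sess, speed_factor=10.0):
    """Reasons this session deviates from the user's baseline; an empty list means normal."""
    reasons, g = [], [(b[0] - a[0]).total_seconds() for a, b in zip(sess, sess[1:])]
    if g and mean(g) * speed_factor < profile["mean_gap"]:
        reasons.append("request pace far faster than baseline (scripted navigation)")
    unseen = {p for _, p in sess} - profile["paths"]
    if unseen:
        reasons.append("never-before-seen paths: " + ", ".join(sorted(unseen)))
    if not {t.hour for t, _ in sess} & profile["hours"]:
        reasons.append("activity outside the user's usual hours")
    return reasons

def flag_sessions(profiles, text):
    """Score each session in text against its user's profile, keyed by (user, index)."""
    return {(u, i): score_session(profiles[u], s) if u in profiles else ["no baseline for user"]
            for u, sl in parse_sessions(text).items() for i, s in enumerate(sl)}
```

A real deployment would build the baseline from weeks of traffic and tune the thresholds per population; the point here is that the alert carries the context of the whole session, not a single request.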

October 31, 2011 | Detection, Investigation

New Mobile Malware Delivery Mechanism: QR Code

In many of my recent discussions, people ask how mobile malware is delivered. I’ve heard of it being delivered through some of the following mechanisms: (1) An SMS message could be sent to the phone that encourages the user to click on a link that takes them to an infected website; (2) A legitimate mobile app could be modified to contain malware (think Angry Birds changing to Evil Birds); (3) An app can be created specifically to be malicious – there was once an app that allowed login to more than 50 bank brands, each time stealing the user’s password.

This morning I was told of a new mechanism for infecting phones: QR codes. For those of you who don’t know, QR codes are the three dimensional bar codes that phones can use to direct them to a website. Kaspersky has announced that they have discovered some QR codes that download malware onto mobile devices.

A colleague mentioned to me that this type of delivery mechanism has already been used in Asia which makes sense since QR codes are much more prevalent there. But this new attack vector is evidence that QR codes are starting to become mainstream here if criminals see benefit in exploiting them.

The one other thing my colleague mentioned was that there aren’t good statistics on how often QR codes are malicious. I’d be curious if anyone has such statistics – if you do, let me know as this would make for a very interesting discussion.

October 5, 2011 | information security, Investigation, Man-in-the-Browser, Prevention

$114B Lost to Cybercrime in a Year…and This Number is Low!

I was thrilled to see the article by Franz-Stefan Gady talking about the cost of cybercrime. It is clear that cybercrime is currently under-measured. When I was at eBay, I encountered many consumers who were too embarrassed to report thousands of dollars that they sent to criminals. And now that I am working more with large enterprises, I hear them talk about how their losses to cybercrime are factored into their cost of doing business and, therefore, not calculated.

If, as an industry, we are going to be able to combat these threats with the priority they deserve, we need to understand the full impact of the threat against both consumers and enterprises. To be honest, I’m not sure of the best way to do that. It is possible to do much more detailed reporting on a per-consumer or per-enterprise basis. But that would be expensive. Some sort of sampling would be required and that would probably make the measurement problem a bit more tractable. The main issue is how large of a sample you’d need to get accurate results since cybercrime may only impact a very small subset of people/organizations. Luckily, I’m not a statistician and can leave that computation to those of you smarter than me!

It would be great to see the cybersecurity community take this measurement task in hand. While it is lower priority than fighting some of the large emerging threats, it is not much lower in priority in my opinion. Only by understanding the true impact of cybercrime can we determine the best approach to addressing it.

September 26, 2011 | Cost of fraud, Fraud, information security, Investigation

Has MIT Cracked the Code?

A newly presented paper from an MIT research team claims to defeat attempted Man-in-the-Middle attacks on wireless networks. At a high-level, the paper discusses the three ways that Man-in-the-Middle (MitM) attacks are perpetrated and then describes how they can use different types of signals between parties A and B, to notify party B when a third party has tampered with a message intended for party A.

After reading through what sounds like a lot of math mumbo-jumbo, it comes down to two assumptions: first, there are only three types of wireless MitM attacks and second, each type of attack can be identified to the party receiving the messages as the attack occurs. If this is true, it’s quite impressive. Now, I’m nowhere close to an expert on wireless MitM attacks, but my thought process about this approach comes in the form of two questions: 1) Are there really only three ways to perpetrate a wireless MitM attack and 2) Is it true that the attacker can’t work around the various ways to expose the tampering?

For the sake of argument, let’s assume the assumptions are true. Since I am much more concerned about the online world, I am wondering if there is any correlation between the wireless case and the online case. One concern is that there are several types of Man-in-the-Middle attacks in the online world. Sometimes just reading the “message” (for example the userID and password) is enough to benefit from the attack. If there is a way to be notified when there is such tampering, it would be very interesting to understand that since MitM is also a problem in the online space.

August 30, 2011 | education, information security, Investigation, Man-in-the-Browser

Recorded version of “Get Real About Stopping Online Fraud” webinar

For those of you who missed it, Jon Gavenman and I had a great discussion about the legal risks associated with online fraud during last week’s webinar. The webinar was the first in a five-part series from Silver Tail talking about the various aspects of online fraud.

The webinar drew a huge number of attendees and there were great questions from the audience.

If you are interested in seeing a recorded version of the webinar, you can get to it here. Enjoy!

July 4, 2010 | Cost of fraud, Fraud, Investigation, Online Fraud

“60 Minutes” Video: Sabotaging the System

Several people have mentioned the 60 Minutes episode that aired last Sunday night. I watched it and was fascinated by a lot of it.

First, it’s very rare that the government will talk about possible threats against its infrastructure. To hear people talking about how you could manipulate the programming of a power generator to get it to self-destruct was much more information than I’m used to seeing on TV – especially prime-time.

Second, the discussion about how other governments have very likely already infiltrated our government’s systems was amazing.

I agree that all of this has very likely already happened, but I was surprised to see it discussed so openly. I’m torn – is it a good thing to raise awareness about these types of issues? Maybe. I suppose it might help increase the funding around protection mechanisms, etc. Is it better to not talk about it? Maybe. That means the attackers don’t know what we know and it also makes it more difficult for new attackers to identify these vulnerabilities.

My opinion is that these vulnerabilities and potential exploits need to be kept somewhat secret. There are a select set of people who could help defuse the problem if they are “in the know”, but making it public is very risky. I look at what happened around the Kaminsky vulnerability and, more recently, the SSL MitM hole. For a while, these issues were kept very secret while a select set of organizations and individuals labored to resolve them. Obviously, they didn’t stay totally secret. But I think something along those lines is the better way to handle these threats than to expose them on TV.

In case you want to see what the government is talking about on TV, you can watch the 60 Minutes video here.

November 15, 2009 | Detection, Fraud, information security, Investigation

New Webinar: Detecting Man-in-the-Browser

Join us for a Webinar on July 14.

The proliferation of authentication models, device fingerprinting, IP geo-location mapping, and other security technologies has raised the stakes in using stolen online accounts. Bad actors need to find a way to access users’ accounts without being detected by the systems currently in place. The rise in malware infections has created a unique opportunity for these bad actors: the ability to access the account through the victim’s own web browser, IP address, and session. These “Man-in-the-Browser” attacks are extremely difficult to detect and prevent, and are increasing with the spread of malware.

Laura Mather, Founder & VP, Product Marketing at Silver Tail Systems, will define Man-in-the-Browser attacks, explain how they are perpetrated, show a demonstration of an attack, and show the ways these types of attacks can be detected.

Join us for the first session in our Silver Tail Webinar Series, “Detecting Man-in-the-Browser Attacks”.

Title: Detecting Man-in-the-Browser Attacks: Silver Tail Webinar Series, Part 1
Date: Tuesday, July 14, 2009
Time: 10:00 AM – 11:00 AM PDT
Register: https://www2.gotomeeting.com/register/470908250

After registering you will receive a confirmation email containing information about joining the Webinar.

June 30, 2009 | Detection, Investigation

Blogging Highlights from RSA

The RSA conference 2009 picked up with some great keynotes on Wednesday and stellar sessions on Thursday. It is done, at least for me.

I thought Melissa Hathaway delivered a solid keynote, but everyone wanted more details, especially on the 60-day cyber-security assessment due from the White House next week. That let some folks down, but she still delivered with examples, priorities and even some humor. Good to hear the Obama administration considers cyber-security a top priority.

Dave DeWalt from McAfee started off suspect – I thought the weather analogy would get cheeky, but he held true to it and it played well, inserting some gruesome stats and trends. My favorite (or scariest): “…more malware attacks in 2008 than in the previous 5 years combined”. And by the way, what is this malware doing? Abusing business logic, hijacking sessions, and in general driving malicious behavior on web sites – good timing for Silver Tail, in my opinion. The more complex the malware and the attacks, the more important behavior analysis, anomaly detection and real-time disruption will become.

The last keynote, James Bamford, was an eye-opener. One would think the NSA could do anything, but it’s amazing what it missed – both in terms of trends and specific attacks. Another favorite (or scariest again): After 9/11, President Bush ordered the NSA to eavesdrop domestically, violating the FISA act. Attorney General Ashcroft had to sign an “it’s ok to eavesdrop” form every 90 days. Eventually Ashcroft was convinced it was a bad idea to keep signing this and the entire leadership of the Justice Department nearly resigned over the issue.

I must highlight the Fighting Russian Cybercrime Mobsters session with Dmitri Alperovitch from McAfee and Keith Mularski from the FBI. They did a fantastic job outlining the history and current threat of Russian organized crime in online fraud, including a summary of the DarkMarket campaign the FBI and 8 other countries ran to arrest many cyber-criminals. Very informative and entertaining. Favorite quote (not so scary): “Q: Are the bad guys far ahead?” Mularski’s answer: “No, I really don’t think so.” So you’re saying there’s a chance…!

Another highlight – Pat Peterson from Cisco diving into the details of bots and botnets. Fascinating research and data. Essentially, “there is no online criminal activity without bots involved.” The money is pretty staggering.

Trey Ford put together an entertaining session on business logic flaws – always a favorite for me since highlighting the abuse of the business process (i.e. business logic abuse) demonstrates the ROI Silver Tail can bring if you can detect new threats and disrupt them in real time. “The code is not broken, it’s the business process!”

Good news is I’m done with the RSA conference – it’s been great, good seeing old friends, fellow bloggers & tweeters and meeting new contacts. We are back in SF next week for FinovateStartup09.

Continue to follow Silver Tail through our blog, and now Laura Mather (@STSgirl) and I (@smurdoff) are on Twitter.

April 23, 2009 | business logic abuse, Business Logic Flaw, Detection, Investigation, Online Fraud

Internet Openness – Embrace It, or Let it Go to the Bad Guys

[Below is a guest post from Mary Berk, Ph.D., Lead Product Manager for Fraud at Microsoft Advertising. Mary’s doctorate is in ethics, so Silver Tail asked her to comment on whether or not security professionals should talk publicly about emerging threats on the internet.]

“The organization of our press has truly been a success…. We’ve eliminated that conception of political freedom which holds that everybody has the right to say whatever comes into his head.” – Adolf Hitler

The internet makes it tough to keep secrets. In a world where bad guys take advantage of uninformed computer users, that can be a good thing or a bad thing. In the end, suppression or restriction of this freedom always plays into the hands of the bad guys. My point is that the freedom to publish online is something that’s here to stay, so instead of fighting it, we need to embrace it and use it to our advantage.

It’s tough, because good guys are always held to some code of responsibility, where publishing some information is almost never OK. Bad guys don’t have this code — and there’s no honor among thieves. So when publishing online, good guys are stuck, for better or worse, with using discretion in sharing information widely. It’s one thing to describe common strategies used by bad guys (phishing emails, password guessing, Craigslist scams), and another to give detailed instructions on how to commit fraud (providing code for creating your own bot, or sharing instructions for mining email addresses). The first is generally a good thing, and equips the public to be more savvy online; the second, not such a good idea.

While good guys are often restricted by a code of responsibility, the lack of restrictions on fraudsters can be a useful thing. In a recent personal project I was involved in, we wanted to test the efficacy of a prototype fraud detection system. The internet was our best source of ways to try to break the system. Website publishers frustrated with a popular search engine devised an attack on the system as a kind of “payback.” While these folks were playing dirty (and I certainly don’t condone their practice), the openness of the internet helped us out. We took the code published by bad guys and used it to attack and train our own system. So in the end, our system is stronger for it.

So, what’s the right balance for determining how open good guys can be? There are a couple of ways to slice it, but the question is not settled. One gut-check test is the “could my mom benefit from this information?” question. My mom has certainly never heard of a bot, a trojan, or a worm, and she would be mystified by code. But she can make use of a list of passwords that are most easily hacked. That’s a pretty strict test (knowing my mom…), but it’s perhaps one end of the spectrum. Another test is the “strategy versus tactics” question. If you’re describing general strategies used by bad guys, you’re probably OK. If you’re giving instructions on how to enact fraud, you might be stepping over the line.

Of course, different businesses may need to slice this differently. An e-commerce site, for example, needs to assure customers that the site is safe, without alarming them. This site will probably do best to publish tutorials or general descriptions. But out there on the net, the discussions can roam more freely.

In the end, my take is that the democracy of the internet, and the freedom to publish online, is here to stay. We can embrace it, or let it fall into the hands of bad guys.

April 15, 2009 | Cost of fraud, Fraud, Investigation, Prevention, Trust
