Thursday, 2 May 2024

Keep Organized Crime out of Your Network

A couple of months ago we looked at the trend toward serious IT security breaches and organized crime’s involvement in those breaches. It’s estimated that the majority of these serious security breaches are coming about because of organized criminal activity – and yes, the Mafia is getting involved. In the original article we covered scams ranging from petty spam threats all the way to violent extortion with potential damages ranging from inconvenience up to hundreds of millions of dollars.

There are a few ways to protect yourself from organized crime — the best being not to get noticed or targeted in the first place. Traditional solutions include calling in the cops or just paying up, with the latter clearly being the least attractive scenario. IT security solutions can help, but IT systems are being targeted because behind that technology is real money and real secrets and real people. And where there’s real money there are very determined criminals who are working very hard to subvert or get around technological defenses.

What does that mean? It means that a purely technological approach to dealing with the new world of organized cybercrime is unlikely to succeed. You are also going to have to change your business and personal processes and practices.

Here’s a quick list of the main kinds of scams and crimes that can affect you or your company and that involve IT security in some form. These are all taken from our original article and examples of each in detail are given there.

  • credit card and telephony billing
  • Nigerian and derivative scams
  • phishing
  • zombies
  • extortion
  • wifi and packet sniffing
  • buddying up
  • insider trading
  • piggybacking
  • secure data
  • invisible links
  • feed and image spam

This list is wide ranging, which leads to the inevitable conclusion that there isn’t a single silver bullet to kill the organized crime monster. So let’s break it down, topic by topic, and in each case we’ll try to cover personal vs. corporate security — although in many cases the techniques are the same. The simpler strategies may seem obvious and to have nothing to do with the more organized forms of IT breaches. But good security is a complex web of practices, procedures and technologies. One obvious weak link compromises the whole structure.

Password Protect
There are some basic security issues that everyone should adhere to no matter what. And passwords are the biggest one. Most people use easy-to-guess passwords, even if they think they aren’t. And a shockingly large number of people use one or two passwords for everything.

Prepare to have your eyes opened by this interesting blog posting, which details exactly how easy it is to crack passwords. And security guru Bruce Schneier has a similarly alarming article about how aggressive password cracking – including tools that criminals pass around – makes it very easy to break most passwords.

So what should you do to make your passwords more tamperproof? Here are some suggestions.

1. Commonly accepted practice is to use a password at least 8 characters long that includes a combination of as many lower and uppercase letters, numbers and special characters as possible. But this is no longer enough.

2. Build combination passwords – passwords made up of more than one piece of data and that vary from login point to login point. Take the interleaving technique. I need a password for my gmail account, for example. Let’s say my basic password is the word “honey” but spelled with a 0 (number) instead of an o. Now I combine four letters from the site – maybe the first four – with my base by interleaving them to get ‘hg0mnaeiy’ for my password. I can rebuild this password every time I need a unique hard-to-crack password for every place I need to log in to. So the password for yahoo would be ‘hy0anheoy’. And they’re easy to remember. You can just put one word after another, or interleave or invent any combination you need – just so long as you can remember the rule.

3. Use a password tool. Here are some suggested ones:

Nic Wolf’s online password generator. You can rebuild every password on the fly. You just need to remember his Web page!

Bruce Schneier recommends PasswordSafe.

One Man’s Blog recommends Roboform.

Keyloggers
One additional concern is keyloggers, which are pieces of software – and in some cases hardware – that log every keystroke you make. The log is later analyzed to pick out the keys pressed to enter a username and then a password. This is largely a danger when using public computers, where you have no knowledge of or control over what has been installed.

You may find this a little bit incredible, but one technique of hackers is to install these on public computers, harvest data and then sell it on to groups that aggregate this information and pass it on to criminals. The going rate for a set of personal information that can allow access to credit card accounts is about $10 per person on the black market.

You can avoid the issue by entering different parts of your password separately – for instance, use your “hg0mnaeiy” rule and foil the keylogger by typing ‘h0ney’ and then clicking between each letter to enter the “gmai” part. Now the keylogger has the wrong password – it thinks it is “h0neygmai.” But if the goal is to be really secure, try this technique from Microsoft Research.
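The interleaving rule from the password suggestions and the out-of-order entry trick described above, worked through as an added example (not code from the original article). The function names are hypothetical, and the simulation assumes a logger that records key presses only, not mouse clicks.

```python
def site_tag(site, n=4):
    """First n letters of the site name: 'gmail' -> 'gmai'."""
    return site.lower()[:n]

def interleave(base, tag):
    """Alternate base and tag characters; leftover characters keep their order."""
    out = []
    for i in range(max(len(base), len(tag))):
        out.append(base[i:i + 1])   # empty string once base is exhausted
        out.append(tag[i:i + 1])    # empty string once tag is exhausted
    return "".join(out)

def type_out_of_order(base, tag):
    """Simulate the entry trick: type the base word, then click into the
    field and insert each site letter. Returns (field, keystroke_log).
    Assumption: the logger sees key presses only, never cursor moves."""
    field, log = [], []
    for ch in base:                  # base word typed straight through
        field.append(ch)
        log.append(ch)
    for i, ch in enumerate(tag):     # cursor placed by mouse before each letter
        field.insert(2 * i + 1, ch)  # position after the i-th base character
        log.append(ch)
    return "".join(field), "".join(log)

if __name__ == "__main__":
    for site in ("gmail", "yahoo"):
        tag = site_tag(site)
        field, log = type_out_of_order("h0ney", tag)
        print(site, interleave("h0ney", tag), field, log)
```

The field ends up holding the interleaved password while the keystroke log holds the letters in the order they were pressed, which is the mismatch the trick relies on.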

Antivirus, Antispyware and Firewalls
If you are in a corporate environment, chances are you’re secure. But don’t take it for granted. Spyware in particular is often ignored by corporate security suites – and it is often a backdoor for sliding more dangerous programs inside the network. So check and make sure there is a firewall on your corporate router. And download one of the following spyware detectors and run it every week or so on your personal system.

Corporate resources can be found here on the following topics:
Firewall
VPN
NAC
Intrusion Detection
Spyware

Personal users should be using all three – firewall, anti-virus and anti-spyware. You can either purchase one of the big suites (like Symantec/Norton or McAfee) or you can use one of the following free resources:

Avast (antivirus)

AVG (antivirus, anti spyware)

ClamWin (antivirus)

Microsoft Windows Defender (antispyware)

Lavasoft Ad-Aware (anti-spyware, firewall, although the firewall is not free)

ZoneAlarm (free firewall, and paid antivirus, antispyware, and more)

Comodo (firewall)

eEye Personal Blink (antivirus, antispyware, patch management, intrusion prevention, firewall, and identity theft – all free for personal use)

Online Accounts and Credit Cards
First off, online banking and using credit cards online is a relatively safe proposition. There have been several large and well-publicized break-ins, like the TJX debacle, that have resulted in a large amount of credit card data being available to criminals. They got the data from the retailer, however, not from the credit card company or from individuals’ accounts. So refusing to allow or have online access to accounts isn’t really protecting yourself. In fact, it is hurting you since the most basic protection you have is monitoring and rapid knowledge of a problem. And the fastest and easiest way to monitor is to HAVE an online account and check it frequently – in fact, daily checks are recommended. But make sure to follow the password recommendations above.

Identity Theft
This is a very tough crime to defend against. Although it is possible that this is initiated through a computer system you have control over, it is more likely to come about through data being stolen from somewhere else or via a lack of physical security (losing your wallet or the equivalent). The primary goal in identity theft is money, so it is important to keep account data safe. But identity theft mainly uses your identity for nefarious reasons such as gaining credit and using that credit to get cash advances, make purchases and get loans – all against your credit, not the criminal’s. Keep a close eye on account changes to help limit the damage. You should also keep an eye on your credit report – you are entitled to one free report from each of the main providers per year. Check with your credit card provider – some now offer continual credit overviews for free.

Another issue is the corporate responsibility of keeping corporate officer and employee data safe. The most common method of breaking in is via insider access and the second most common is an intrusion that gets in through an unanticipated access point into the network. Organizations need to install intrusion detection and network access controls to make sure that corporate networks and data are safe from electronic attack and they need good physical security policies to make sure data is safe from unscrupulous employees.

Email Systems
Spam gets a bum rap for all kinds of reasons: it is only used as a tool in the organized crime arsenal in the sense that spam is sometimes used to deliver more malicious payloads like bots and trojans and phishing messages. In addition, the new breed of organized computer criminal is trying to avoid detection. That makes spam a less attractive tool. Having said that, it is so easy to deliver spam, that it is still commonly used with the hope that it will infect a computer with more serious problems. Install a good spam filter and don’t open email attachments that aren’t guaranteed to be safe. Here are 25 tips to help keep email safe. And to find out more about effective mobile email, see our webinar.

Phishing
This is now moving up the scale of criminal activity. Although it has gained a great deal of publicity, phishing is still an effective method for a criminal to gather username and password data for important online sites. There are some useful techniques to detect phishing scams – the simplest of which is to use the address bar at the bottom of the screen in Internet Explorer or Firefox, which shows the URL you are about to go to. If it isn’t the right site, don’t click it.

In fact, the safest way to avoid phishing scams is to treat all incoming email with caution. If an email contains a link to an account of some kind, always go there by typing the address in the browser by hand and then going to your account and logging in. Chances are there will be no request to update or make changes to your account after all – and there you will be smugly safe from another phishing attack.

Most personal antiphishing tools use some addition or extension to your browser that helps make sure that descriptions and site IP addresses match up. Some even use databases of rogue IP addresses, either collected by the tool itself or shared, against which they match the URLs and IP addresses that every user clicks on – and block those that are considered unsafe. Check out this huge list of freeware anti phishing resources – note that these are untested.

Botnets and Zombies
Botnets and zombies are where the rubber hits the road for organized crime. An organized attack can set up a group of young hackers to use any of the preceding attacks to infect large numbers of computers worldwide with a specific trojan. These can be used for spam attacks or for building a network to run a denial of service attack on a site. The crime ring then threatens to take the site down using this botnet unless a ransom is paid.

Typically these networks are built up of ordinary PCs all over the globe. Although it might not seem to be, this is at least as much a concern to corporate IT security as for personal computer security. While it may be harder to break into a corporate network and install bots, once inside they can be far more effective for the criminal – whether the goal is to steal data or send out spam.

There are no specific defenses against botnets and zombies, although antispyware tools often scan for them. New botnets, run by organized crime, hide and do nothing. They remain in place quietly, not attracting attention until activated by the criminal. And if no activity is occurring, it is very hard to detect that there is a problem.

Solutions involve combining any of the other solutions listed so far, in addition to monitoring your network (whether personal or corporate) in order to detect the botnet and prevent its activation. For enterprises, many of the newer monitoring tools have techniques to spot these kinds of intrusions, and if policies are put in place and tools are used as they should be, they can be effective.

Extortion
Typically extortion is active and passive. In the active sense, there is a threat, perhaps a demonstration, a demand for payment and possibly a repercussion if no payment is forthcoming. Again, these range from the personal to the corporate. In personal scams, demands are for hundreds or thousands of dollars. In corporate scams they are for millions. Many of the scams are nothing more than spam – there isn’t even a threat behind them. But that doesn’t mean they are any less horrific. In a particularly chilling extortion scam, recipients were given death threats.

If you get a real extortion threat of any kind, contact your local law enforcement office and try to involve higher levels of governmental law enforcement. If you are concerned about being tracked, pick up the phone and call – these criminals are looking at your data network – if they are looking at anything.

Wifi Spying and Packet Sniffing
This is a relatively new form of attack – and it isn’t really yet part of the organized crime arsenal simply because most real transactions involving real value aren’t conducted over easily accessible signals like wifi or unsecured networks. But it is sure to rise largely because of user behavior and the rapid growth in adoption of mobile web applications. If you are browsing publicly and going to sites that use accounts and usernames and passwords, you are safe if you are browsing to https sites. You can tell because the infamous padlock appears in the bottom right of the browser and also because the URL will begin with “https.”

But how about all the other non-https sites? There are several ways to stay safe – but the surest is encryption – and frankly, you can’t do any better than PGP or its equivalents.

For corporate users the safe option is a corporate VPN – which puts all traffic inside an encrypted “tunnel” that spies won’t be able to read. A similar option for non corporate users is a private equivalent like iPig from iOpus, which uses its own encryption to build a VPN-like network to its secure servers and then routes all communication to and from the rest of the Internet. The disadvantage is that all your traffic has to go through their servers, although the company sells a server version, so enterprises can set up their own secure site if they prefer.

Now that mobile email devices and tools are becoming very common, a new avenue for potential problems has arisen. For more about mobile email and issues and solutions in this area, see this webinar.

Change Your Behavior
Most of the rest of the organized crime arsenal doesn’t really involve technology – and instead takes advantage of human behavior. If people persist in revealing personal information on sites like MySpace and Facebook, it is just like posting a flyer on a lamppost downtown with that same personal information. Except that anyone who finds that information can immediately cross-reference it with most of their other publicly available personal information. The solution is to be very careful about letting any unnecessary personal information out on the web. Use aliases and provide inaccurate information when in doubt. Any criminals who contact you are certain to be doing just that. Set up a couple of basic alias accounts on gmail, Yahoo or a similar service that you can use to sign up to new services without revealing real email data.

The other big secret is to just be uninteresting – if you reveal nothing of interest, then you aren’t in as much danger. Setting up a big MySpace page called “Hot 20-year old millionaire” that also has your phone number on it is inviting criminal attention.

The newest and most dangerous tactic of organized crime is nearly impossible to defend against – putting people inside your organization. If you hire a great IT talent with a good pedigree, how do you know that organized crime didn’t put that person through school in return for a little access? Also keep in mind disgruntled employees. Make sure you have really good physical security and good vulnerability analysis and scanning and first-rate network access control. It is possible to have a network that knows when an employee plugs an unauthorized USB drive into a port on a machine and copies files to it. But it is very hard to have that policy and enforce it and stay on guard day after day, month after month.

Same for old equipment. Are you making sure the data is scrubbed before you dispose of it? That’s another policy that should be being enforced.

Here are some places you can find out more about enterprise-level security policies, network access control and vulnerability scanning.

Source: itsecurity.com
