Thursday, November 15, 2012

Major Banks Biggest Cyberattacks in History

I recently found an article, written by David Goldman of CNN, discussing the denial-of-service attacks against the banks Bank of America, JPMorgan Chase, Wells Fargo, US Bank, and PNC Bank. Security experts say the outages stem from one of the biggest cyber-attacks they've ever seen. These "denial of service" attacks -- huge amounts of traffic directed at a website to make it crash -- were the largest ever recorded by a wide margin, according to two researchers. (Goldman, 2012) These same banks have a great deal of defenses built to prevent such attacks, but Goldman says this time they were outgunned.

"The volume of traffic sent to these sites is frankly unprecedented," said Dmitri Alperovitch, co-founder of CrowdStrike, a security firm that has been investigating the attacks. "It's 10 to 20 times the volume that we normally see, and twice the previous record for a denial of service attack."  To carry out the cyberattacks, the attackers got hold of thousands of high-powered application servers and pointed them all at the targeted banks. That overwhelmed Bank of America and Chase's Web servers on Sept. 19, Wells Fargo and U.S. Bank on Wednesday and PNC on Thursday.

Goldman writes, denial of service attacks are an effective but unsophisticated tool that doesn't involve any actual hacking. No data was stolen from the banks, and their transactional systems -- like their ATM networks -- remained unaffected. The aim of the attacks was simply to temporarily knock down the banks' public-facing websites. That level of pre-planning is a deviation from the kinds of denial of service attacks launched at banks in the past by so-called "hacktivists." Typically, hacktivists use home PCs infected with malware to amass their botnets. Attacks on this scale would be impossible to carry out with home PCs -- users too frequently turn them off or disconnect them from the Internet.



Cited:
Goldman, David. (2012). CNN: Major Banks hit with biggest cyber-attacks in history. Retrieved at: http://money.cnn.com/2012/09/27/technology/bank-cyberattacks/index.html

Wednesday, November 7, 2012

Top 5 Deadliest Mobile Malware Threats Of 2012

Not long ago, we discussed threats to mobile devices and networks.  Brian Prince, contributing writer of Dark Reading, has reviewed the five most dangerous, sophisticated, and prolific pieces of mobile malware that have appeared thus far in 2012.

1. FakeInst SMS Trojan and its variants
"FakeInst disguises itself as popular apps like Instagram, Opera Browser, [and] Skype, and sends SMS messages to premium-rate numbers," says Jerry Yang, vice president engineering at mobile security firm TrustGo.

"It is selected because it has been widely infected. There are many variants in the FakeInst family, such as RuWapFraud, Depositmobi, Opfake, and JiFake," Yang says. "Sixty percent of total Android malware we found belong to the FakeInst family. Geographically, it mainly exists in Russia. There are also samples found from all over the world."

2. SMSZombie
Also on the list is SMSZombie, which was recently spotted in third-party markets in China and has infected more than 500,000 devices in the past few weeks. The malware works by sending SMS messages to China Mobile's online payment system and "top-up designated accounts," Yang explains.

Once installed, it obtains Device Admin privileges and is very difficult to remove, prompting TrustGo to publish details of a manual removal process on its blog.

"We expect more Android malware will adopt similar techniques to protect themselves," he says.

3. NotCompatible
Discovered by Lookout Mobile Security in April, NotCompatible is the first piece of mobile malware that used websites as a targeted distribution method, notes Derek Halliday, lead security product manager at Lookout.

"NotCompatible is automatically downloaded when an Android browser visits an infected website," he says. "The downloaded application is disguised as a security update in an attempt to convince the user to install it."

If successfully installed, NotCompatible can potentially be used to gain access to private networks by turning an infected Android device into a network proxy, and can be used to gain access to protected information or systems, Halliday says.

4. Android.Bmaster
Bundled in with legitimate applications, Android.Bmaster was spotted on a third-party Android app market earlier this year. The majority of the infected victims were Chinese users. Once on the device, the malware swiped sensitive data from the phone, including the Cell ID, location area code, and IMEI (International Mobile Equipment Identity) number, and caused users to send SMS messages to premium numbers.

"Analysis of Android.Bmaster's command-and-control servers indicate the total number of infected devices connected to the botnet over its entire life span numbered in the hundreds of thousands," says Kevin Haley, director of Symantec Security Response. "The number of infected devices able to generate revenue on any given day ranged from 10,000 to 30,000, enough to potentially net the botmaster millions of dollars annually if the infection rates are sustained."

5. LuckyCat
LuckyCat was the name given to a campaign of targeted attacks that struck the aerospace and energy industries in Japan as well as Tibetan activists and others. To broaden their attack, the perpetrators have brought the attack to the Android platform.

Once installed, the application displays a black icon with the text "testService," and opens a backdoor on the device to steal information.


With the direction mobile devices are going, this is one of the largest issues facing both private and corporate consumers in the world today.

Cited:
Prince, Brian. (2012). Dark Reading: Top 5 Deadliest Mobile Malware Threats of 2012.  Retrieved at: http://www.darkreading.com/mobile-security/167901113/security/news/240006056/top-5-deadliest-mobile-malware-threats-of-2012.html

Sunday, October 21, 2012

Vulnerability Assessment

This week we discussed listing an organization's information technology assets in order to prioritize them. This prioritized inventory supports conducting threat and vulnerability assessments and generating the risk analysis. In doing so, I found an interesting company matching our topic of discussion this week.


USA.NET, a Perimeter e-Security company, informs its future clientele with the following information on vulnerabilities:

Vulnerability Assessments are critical components of an organization's network security policy. With new vulnerabilities created daily, it's important that an organization keeps an updated view of its current security posture. Vulnerability Assessments have become such a standard best practice that many regulatory bodies strongly recommend or require institutions to have a policy that includes them. The PCI Security Council, publisher of the PCI-DSS set of requirements, is among these bodies now requiring organizations to perform assessments at least quarterly. With so many reasons to scan, it makes sense to consolidate all these scans inside one easily accessible location that includes scan scheduling, report review, and remediation recommendations. (USA.NET. 2012)

They then discuss the three types of scanning devices they are able to provide to help with this:
  • External - this vulnerability assessment utilizes Perimeter's cloud-based scanners to perform scans on your externally facing devices. Performing scans from this perspective helps you understand what an individual trying to break into your network sees. The same web-based portal is included for easy service management and reporting with this service as is included in the Internal service. (USA.NET. 2012)
  • Internal - this assessment performs scans from inside your network, revealing vulnerabilities that an individual would see once they are past the edge devices. The same web-based portal is included for easy service management and reporting with this service as is included in the External service. Scanner software is provided to you with this service that can be installed on a dedicated device or virtual machine, or can be loaded as needed on a shared device. (USA.NET. 2012)
  • PCI - this external scan is customized to include the required Statement of Attestation and Self-Assessment Questionnaire mandated by the PCI-DSS set of requirements. In addition to the management and reporting portal, this option provides additional reporting options including an overview of your PCI compliance status and more insight into any areas that are currently out of compliance. (USA.NET. 2012)
The information security of an organization rests with its vulnerabilities and how they are handled. It is very important that threat and vulnerability assessments are thoroughly detailed and that risk analyses receive the appropriate amount of senior leaders' time and attention. We talk a great deal about IT teams scrubbing their systems for vulnerabilities, and while that is true, companies like USA.NET are available to assist organizations with finding and managing their vulnerabilities.
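To make the prioritization discussed above concrete, here is an added example (not USA.NET's or Perimeter's code) of how an asset inventory can drive both the remediation order and the scan schedule. The asset names, criticality ratings, finding scores and dates are constructed for illustration, and the 90-day `SCAN_INTERVAL` is an assumption standing in for the "at least quarterly" cadence the post mentions.

```python
"""Asset prioritization and quarterly scan tracking (added example).

The inventory below is constructed; criticality is a 1..5 rating assigned by
the business owner, and findings are CVSS-like severity scores 0.0..10.0
reported by the external or internal scanner that covers the asset.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Assumption: the PCI "at least quarterly" requirement modelled as 90 days.
SCAN_INTERVAL = timedelta(days=90)
TODAY = date(2012, 10, 21)  # constructed reference date for the example


@dataclass
class Asset:
    name: str
    exposure: str                     # "external" or "internal"
    criticality: int                  # 1 (low) .. 5 (mission-critical)
    last_scan: date
    findings: list = field(default_factory=list)


def risk_score(asset: Asset) -> float:
    """Criticality-weighted risk: the worst finding drives the score, with a
    small bonus per additional finding so hosts with many issues rank higher."""
    if not asset.findings:
        return 0.0
    worst = max(asset.findings)
    extra = 0.1 * (len(asset.findings) - 1)
    return round(asset.criticality * (worst + extra), 2)


def overdue_assets(assets, today: date):
    """Names of assets whose last scan is older than the policy interval."""
    return [a.name for a in assets if today - a.last_scan > SCAN_INTERVAL]


def prioritize(assets):
    """Remediation order: highest risk first; externally exposed assets win ties."""
    return [a.name for a in sorted(
        assets,
        key=lambda a: (-risk_score(a), a.exposure != "external", a.name))]


# Constructed sample inventory.
INVENTORY = [
    Asset("web-portal", "external", 5, date(2012, 7, 1), [7.5, 5.0]),
    Asset("vpn-gateway", "external", 4, date(2012, 10, 10), [9.8]),
    Asset("hr-fileserver", "internal", 3, date(2012, 6, 15), [4.3, 4.0, 3.1]),
    Asset("print-server", "internal", 1, date(2012, 10, 1), []),
]

if __name__ == "__main__":
    for a in INVENTORY:
        print(f"{a.name:15} risk={risk_score(a):6.2f}")
    print("scan overdue:", overdue_assets(INVENTORY, TODAY))
    print("fix first:   ", prioritize(INVENTORY))
```

The scoring formula is deliberately simple; the point is that the business-assigned criticality, not the scanner's severity alone, decides what gets fixed first, and that the same inventory tells you which assets have fallen outside the scan cadence.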

Cited:
USA.NET. (2012). Perimeter e-Security Company: Vulnerability Assets. Retrieved at: http://www.perimeterusa.com/services/network-security/vulnerability-assessments/

Sunday, October 14, 2012

Top 10 Threats for 2012

I was reading a post by Dawn Kawamoto from Daily Finance in which she brought some interesting threats to discussion for 2012. Now I know 2012 is almost over, but it will be interesting to see whether the ones that didn't widely occur this year show up in 2013. With cell phones and automobiles becoming more computerized, hackers have an even wider selection of devices to infect with viruses and other malicious threats, says Mrs. Kawamoto. Her top 10 threats are listed below:

Top 10 Threat Predictions for 2012:

10. Increased industrial attacks. Many industrial systems are not prepared for cyber attacks, and attackers may engage in blackmail or extortion. 

9. 'Legalized' spam. Legitimate advertisers are purchasing email lists of consumers who have authorized receipt of online ads, a move that comes as global spam volume has dropped over the past two years.

8. Hacktivism. Online activists will join forces with physical demonstrators, targeting public figures, industry leaders, and other entities.

7. Cyberwar showoffs. Countries are expected to demonstrate their cyber-war capabilities to send a message that they are not vulnerable to cyber attacks against their infrastructures (such as utilities).

6. Rogue certificates. Production of fake digitally signed certificates, which are used as a means of assuring consumers and their security software that the website they are viewing is legitimate, will increase.

5. Blinking online traffic lights. Legislative issues are expected to stall efforts to develop Internet traffic "rules of the road," which could aid in reducing instances in which hackers steer users to an unintended server.

4. Advances in operating systems directing hackers elsewhere. New security features included in the operating system will force hackers to find alternative entry points in a consumer's computer.

3. Threats to virtual currency. Hackers will increasingly target the growing use of cyber currency, which is often not encrypted, as a means to steal money and spread malware.

2. Embedded hardware. Cars, medical devices, routers, digital cameras, and other items use embedded systems designed to control specific functions. Once these embedded systems are hacked, an attacker can have complete control over the hardware, such as asking a car's GPS system to tell the hacker where you live.

1. Mobile threats bypassing PCs. Attackers will improve their craft with an eye toward launching mobile banking attacks. For example, consumers may eventually see SpyEye and Zeus, two Trojan banking attacks, migrate from the computer to the smartphone.


Cited:
Kawamoto, Dawn. 2012. Daily Finance: The Top 10 Looming Computer Security Threats of 2012. Retrieved at: http://www.dailyfinance.com/2012/01/03/the-top-10-looming-computer-security-threats-of-2012/

Sunday, October 7, 2012

Reasons for Security Awareness!


This week we were studying the reasons for having a good security awareness within our organization.
According to a writer at Native Intelligence Inc., awareness isn't just a good idea, it's the law.

Laws requiring security and privacy awareness or training programs apply to:

• The Federal Government (Federal Information System Security Managers' Act)
• The health care industry (Health Insurance Portability and Accountability Act)
• Financial institutions (Gramm-Leach-Bliley Act and Sarbanes-Oxley Act)
• Publicly-traded companies (Sarbanes-Oxley Act)

The Federal Information System Security Managers' Act (FISMA) requires government agencies to report on their security awareness and training efforts annually. (Unknown, 2010)

NIST SP 800-53, Recommended Security Controls for Federal Information Systems, addresses controls that Federal organizations are required to implement for unclassified information systems. One of those controls is "security awareness training." (Unknown, 2010)

National Institute of Standards and Technology (NIST) SP 800-53 also says that the awareness program must comply with:  5 Code of Federal Regulations (C.F.R.) Part 930.301 and NIST SP 800-50, Building an Information Technology Security Awareness and Training Program. (Unknown, 2010)
5 C.F.R. Part 930.301 states that everyone must receive initial awareness training before accessing systems and refresher training at least annually. It defines 5 specific roles that must receive awareness training:

1. All users — security basics
2. Executives — security basics and policy level training in security planning and management
3. Program and functional managers — security basics and management and implementation level training in security planning and system/application security management, system/application life cycle management, risk management, and contingency planning.
4. Chief Information Officers (CIOs), IT security program managers, auditors, and other security-oriented personnel (e.g., system and network administrators, and system/application security officers) — security basics and broad training in security planning, system and application security management, system/application life cycle management, risk management, and contingency planning.
5. IT function management and operations personnel — security basics; management and implementation level training in security planning and system/application security management, system/application life cycle management, risk management, and contingency planning.

As we all know from our research and reading, the biggest risk to an information system is easily the personnel working for the organization. The need to keep our people consistently trained in good security practices is an increasing trend. The easiest way for threat agents to exploit our systems is to find the gaps in our practices.

Cited:
Unknown. (2010). Glenelg, MD: Native Intelligence, Inc.: Information Security Awareness Courses, Posters, Daily Tips. Retrieved at: http://www.nativeintelligence.com/ni-programs/whyaware.asp

Sunday, September 30, 2012

Future of Smart Phones
I found an interesting article on Digital Trends (.com) explaining how smart phones will soon be considered PC replacements over the next few years. In June of 2010 DoCoMo launched their Toshiba T-01A, Japan's very fast phone using the advanced Qualcomm chip, Snapdragon. The Snapdragon runs 30% faster while using 30% less power, and features enhanced 2D acceleration and a 3D graphics core (Ricker, 2009). Here in 2012, the new iPhone 5 can come with 64GBs of memory, GPS, digital compass, Wi-Fi, 8MP camera, Panorama, 1080P video recording, and Apple's A6 chip (TopTenReviews.com, 2012). These powerful phones can now multitask with the best of them, including enough data processing to actually play Blizzard's World of Warcraft (Brandon, 2010), which is a very resource-demanding computer game. Location awareness will begin taking effect, where 2015 phones are projected to offer to pay your bill through your phone when near a McDonald's restaurant or Starbucks (Brandon, 2010). Augmented reality, an emerging trend, will allow a guy sitting in the nosebleed section of a game to see the live feed being streamed from the person in the second row at a game or event (Brandon, 2010). From my personal experience, when I lose my TV remote, I can grab my smart phone and control my smart TV from the Samsung app installed on my phone. I have an interest in cyber security, but I have a real passion for smart phone technology. I'm very excited to see what comes next.

Cited:
Ricker, Thomas. (2009). Engadget: Qualcomm’s 1.3GHz QSD8650A Snapdragon chipset is 30% stronger, uses 30% less power. Retrieved at: http://www.engadget.com/2009/06/01/qualcomms-1-3ghz-qsd8650a-snapdragon-chipset-is-30-stronger/
Unknown. (2012). TopTenReviews: Apple iPhone 5. Retrieved at: http://cell-phones.toptenreviews.com/smartphones/apple/apple-iphone-5-review.html
Brandon, Richard. (2010). Digital Trends: The Future of Smartphones: 2010-2015 and Beyond.  Retrieved at: http://www.digitaltrends.com/mobile/the-future-of-smartphones-2010-2015-and-beyond/

Sunday, September 23, 2012

Planning For Contingencies

This week we studied the importance of contingency planning and preparing our organization or home network for as many incidents or disasters that can be planned for. The different tools we talked about for this objective were: the Incident Response Plan, the Disaster Recovery Plan, and the Business Continuity Plan.
The Incident Response Plan is a document and list of procedures to help prevent a disaster and realign the organization’s operations as quickly as possible to not lose production. It is extensive and consists of many step by step procedures that should be able to guide anyone with no training through these processes. Its main objectives include: Incident Planning, Incident Detection, Incident Reaction, and Incident Recovery.
  • Incident Planning involves a great deal of brainstorming to single out the many possible incidents that may occur throughout normal operations.
  • Incident Detection is the ability to notice an incident occurring before it becomes too late.
  • Incident Reaction focuses on the speed at which a member of the organization will react to the incident and begin their list of actions required to contain an incident.
  • Incident Recovery is the organization’s ability to bounce back to normal operations after an incident occurs.
The Disaster Recovery Plan is a list of actions to accomplish after a disaster has occurred. This could be from an incident evolving into a disaster or one that had no warning before it happened. The Disaster Recovery Plan includes: Plan for Disaster Recovery, Crisis Management, and Recovery Operations.
  • The Plan for Recovery resembles the Incident Plan closely, just on a larger scale.
  • The Crisis Management will focus more on the actual damage done to the systems, operations, or personnel of the organization.
  • The Recovery Operations, like the Recovery Plan, resembles the Incident Recovery closely, and is just more extensive due to the difference in impact.
The Business Continuity Plan re-aligns operations to another site or system that will keep up either the primary functions or all of the functions performed within that organization. It consists of Establishing Continuity Strategies, Plans for Continuity of Operations, and Continuity Management.
  • Establishing Continuity Strategies is the point at which the organization formulates its plan to continue on with the mission or production while the disaster recovery is underway.
  • The Plan for Continuity of Operations is built from the strategies designed in the first planning phase.
  • Continuity Management is the follow-through on the plans put in place to maintain the daily operations and not lose production time within the company.
If these are all carefully planned and carried out, an organization or company would be able to experience an incident or disaster without any of its customers knowing about it. In some cases a gap in service availability may occur, but the idea here is to minimize the period in which it occurs.

The essential text used in the research of this topic was the:
Whitman, Mattord. Management of Information Security. 3rd ed. (2010). Boston, MA: Course Technology, Cengage Learning


Sunday, September 16, 2012

SecSDLC

This week I'd like to discuss the Security System Development Life Cycle (SecSDLC) as defined by the National Institute of Standards and Technology (NIST). We've started learning about it in Whitman & Mattord's Management of Information Security, but NIST's model differs slightly.

NIST first points out that many different SDLC models exist, but they all should push an organization toward the same goal, which is effectively developing its information system. They describe a traditional SDLC as a linear sequential model that assumes the system will be delivered at the end of the cycle.

Generally an SDLC includes five phases: initiation, acquisition/development, implementation/assessment, operations/maintenance, and sunset (or disposition). They go on to say that each phase includes a minimum set of security tasks needed to effectively incorporate security in the system development process, and that including security earlier in the process will result in less expense later on.

According to NIST, certain questions should be addressed when determining the security controls that the system will require:

- How mission-critical is the system?
- What are the security objectives required by the system?
- What regulations and policies are applicable in determining what is to be protected?
- What threats will the system experience during normal operations?

Phases and Key Tasks described by NIST are located in their System Development Life Cycle brochure, located here: http://csrc.nist.gov/groups/SMA/sdlc/documents/SDLC_brochure_Aug04.pdf

Cited:

National Institute of Standards and Technology. (2012, May 18). Information Security in the Systems Development Life Cycle. Retrieved from http://csrc.nist.gov/groups/SMA/sdlc/index.html

Friday, September 7, 2012

Bell tolling for desktop antivirus?

Ellen Messmer's article in PCWorld discusses how analysts have been saying that signature-based checking, which is the principle behind our personal anti-virus software, can no longer keep up with the new flood of viruses, and that users should adopt newer approaches, such as whitelisting or behavior-blocking, which only allow authorized applications to run. Whitelisting products are currently available from SecureWave, Bit9, Savant, AppSense and CA. The article continues on to say antivirus labs get more samples than they can handle on a daily basis, and that they basically single out the "big fish," trying to stop the more severe viruses. At the same time, others believe antivirus is worthwhile and not going anywhere. While antivirus programs have been compared to a "shield with holes in it," it certainly wouldn't hurt for the user to be able to decide 'which bullets are allowed to be shot at the shield.' I think the real future is going to be a balance of both. I've already noticed my personal antivirus program prompting me to grant unknown programs access to run an operation on my computer. While I usually know why a program would need to execute, I don't know all the programs out there, so I will certainly not be uninstalling my signature-based checking software.
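The difference between the two approaches the article contrasts is easy to see side by side. The following is an added example, not code from Messmer's article or from any vendor it names: a toy signature scanner that looks for a known byte pattern, and a hash-based allowlist that permits only binaries an administrator has approved in advance. The "signature", the sample binaries and the allowlist entries are constructed byte strings for illustration only.

```python
"""Signature matching versus application allowlisting (added example).

Everything below is constructed: the signature database, the sample
"binaries" and the approved-hash list are placeholders, not real malware
or product data.
"""
import hashlib

# Constructed signature database: byte patterns the scanner already knows.
SIGNATURES = {
    "Demo.Dropper.A": b"DROP_PAYLOAD_v1",
}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed allowlist: SHA-256 of the exact binaries the administrator approved.
APPROVED_NOTEPAD = b"MZ...notepad-demo-binary..."
ALLOWLIST = {sha256(APPROVED_NOTEPAD)}


def signature_scan(binary: bytes):
    """Return the name of the first matching signature, or None if 'clean'."""
    for name, pattern in SIGNATURES.items():
        if pattern in binary:
            return name
    return None


def allowlist_check(binary: bytes) -> bool:
    """True only if this exact binary was approved beforehand."""
    return sha256(binary) in ALLOWLIST


def decide(binary: bytes, mode: str) -> str:
    """Policy decision ('allow' or 'block') under the chosen mode."""
    if mode == "signature":
        return "block" if signature_scan(binary) else "allow"
    if mode == "allowlist":
        return "allow" if allowlist_check(binary) else "block"
    raise ValueError(f"unknown mode: {mode}")


# Constructed samples.
KNOWN_SAMPLE = b"MZ..." + b"DROP_PAYLOAD_v1" + b"..."   # matches the signature
VARIANT = b"MZ..." + b"DROP_PAYLOAD_v2" + b"..."        # one byte changed: no match
UPDATED_NOTEPAD = b"MZ...notepad-demo-binary-v2..."     # legitimate update, not yet approved

if __name__ == "__main__":
    samples = [("known", KNOWN_SAMPLE), ("variant", VARIANT),
               ("notepad", APPROVED_NOTEPAD), ("notepad-v2", UPDATED_NOTEPAD)]
    for label, sample in samples:
        print(f"{label:11} signature={decide(sample, 'signature'):5}  "
              f"allowlist={decide(sample, 'allowlist')}")
```

Running it shows both sides of the argument: the signature scanner lets the slightly altered variant through (the "holes in the shield"), while the allowlist blocks it but also blocks the updated, legitimate program until someone approves its new hash. That maintenance cost is why the balance the post describes, rather than one approach alone, is what most environments end up with.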


Cited:
Messmer, E. (2007). Is Desktop Antivirus Dead? PCWorld. Retrieved from http://www.pcworld.com/article/130455/is_desktop_antivirus_dead.html

Saturday, September 1, 2012

Ransom-ware

This blog has been generated to post information pertaining to information security. I welcome discussion of any topics presented in these blogs. Since it's my first one, I'll introduce myself further. I've worked in communications for a while now. I received my bachelor's degree in Computer Science in North Carolina. I currently work in Nebraska and maintain computer/communication systems connected around the world. With such a large footprint I'm now in contact with, information security is a huge concern of mine now.

As far as discussion of viruses that affect Windows' new operating systems goes, the most interesting one I've witnessed is a type of "ransom-ware." I don't want to give the name of the program I've been finding because, just from researching it online on a clean computer, my personal system "contracted" it the very next day. What I would like to do is pass on knowledge of the symptoms and corrective action.

While the system is booted up and running normally, a program will pop up that seems to be scanning your computer for viruses. The name was not a commonly advertised one (i.e. Norton or McAfee). However, it was "finding" viruses at an alarming rate on a system I knew had virus protection already. It presses you to purchase a "license" for the program that is "scanning" your computer in front of your eyes. The "x" in the top right to close the program will not work. Alt + F4 doesn't work. Right-click, close doesn't work. Opening the task manager and ending the process will not terminate the program. Personally, I was quite surprised at the power of this program. While using the (later known to be) infected computer to search for the program's name on the internet, Internet Explorer, then Firefox, would stop running altogether and would not allow me to launch the programs anymore. I tried to search the computer for the program and uninstall it, but it would then turn off my ability to search through my own computer!

I finally learned the only way to stop it was to open a file called R-Kill. I couldn't search for it on the internet because that was, again, blocked by this ransom-ware. I had to download the file from the internet using another computer and then transfer it to the infected computer by USB, etc. When run, R-Kill terminates ALL currently running programs that aren't part of the bare minimum operating system. At this point I could finally uninstall the program, and then re-activate my anti-virus.

Hope you enjoyed the read. I really wanted to pull my hair out when I was helping my friend out with it. 
Cheers, 
Kyle