Sunday, September 21, 2014

Laundering Fraudulently Acquired Merchandise

  • Reshipping of goods purchased through stolen credit cards is a new service marketed to cyber crooks.  It is an arrangement that allows European thieves to gain cash from cyber fraud committed against American and European businesses.  This involves re-shipping of goods that were purchased through stolen credit cards.

Cyber crooks will rely on international re-shipping services to help move electronics and other goods that are bought with stolen credit cards, then shipped abroad, and then sold for cash. In this arrangement shipping costs are paid for with cybercrime-funded bank accounts, using seemingly legitimate companies in the United States.(1)

A breach at an online merchant will use the card number, expiration and card verification value (CVV), to purchase high-priced electronics at online stores that will ship to an address that is different from the billing address. The merchandise will be then shipped overseas, where electronics and other luxury items typically sell for a much higher price than in the United States.

The merchandise re-shipping relies on middlemen (“mules”) who get recruited to reship packages after responding to work-at-home job offers. The mules will send the packages containing electronics purchased with stolen credit and debit cards. Pre-addressed shipping labels will be used to make sure that goods are reshipped quickly and accurately. There are a number of firms advertising on the Web that also offer re-shipping services.

Executive Guidance
Re-shipping services that have not been certified for delivery of merchandise should not be used. Only approved re-shippers should be allowed. If merchandise is sent to unknown addresses, receipt of a bank confirmation that the shipment has been paid for should precede dispatch of any goods.


Tuesday, September 16, 2014

Cyber System Threats – A Plant Disease Analogue

  • Much like diseases of humans and other animals, plant diseases occur due to pathogens such as bacteria, viruses, fungi, phytoplasmas, protozoa, and parasitic plants. Plant disease epidemiologists examine the cause and effects of such diseases.


There are several analogies applicable when comparing the damages caused by the current cyber exploits and the historical damages to the cultivation of land by the mankind. When humans began the transition from the hunting and gathering civilization to an agriculture-based society, disruptions in the ecology of the uncultivated lands took place. For ten thousands of years disease epidemics in planted agriculture caused huge losses in crops. Plant epidemics threatened to wipe out an entire species of agricultural products. For instance the potato late blight led to the Great Irish Famine and the loss of many lives when it also coincided with the socio-economic neglect by the government.

Commonly the elements of an epidemic are referred to as the “disease triangle”: a susceptible host, pathogen and a favorable environment. For disease to occur all three of these must be present. In the case of cyber crime similar conditions exist. There are now tens of millions of computers susceptible to cyber infection. Cyber pathogens can be found in the form of tens of thousands of malware. Simultaneously, a favorable infection-prone environment was created by the invention of the Internet, the browser and the Web pages.

Executive Guidance

Cyber crime should not be seen executives as a historically isolated occurrence, but as an evolution in the history of humans to increase the complexity of its habitat. Cyber crime is certainly different from the evolution of plant diseases, but similar in many ways how mankind has organized to deal with the threats to its progress. By analogy cyber breaches will have to be dealt with through innovative means of isolation of networks through prophylaxis. This will require the improvement in the resistance to malware pathogens though corruption-resistant software. Most importantly, it will call for new forms in the organization of defenses. How all that can be accomplished, while the time available now for countermeasures is shrinking, becomes a challenge for operating computer networks in an information-based society.

The solution to cyber crime cannot be found through the application of piecemeal solutions that concentrate in separate and isolated solutions such as virus prevention, firewall or software defined networks. Remedies to cyber threats can be found only through a re-examination of the total ecology of our information-based society.

Sunday, September 14, 2014

Delays in Cyber Legislation

  • Despite a growing number of data breaches that have gained widespread attention,[1] cybersecurity has not yet become a critical issue for Federal legislation.


Voters are not as yet demanding enactment of cybersecurity legislation.  It appears that there is no urgent pressure to bring cybersecurity bills up for a vote. Voters have heard about cybersecurity and do not like reports about the breaches. However, there is little understanding what to do about it.  There is little pressure to take action, because there is no agenda what actions would produce a situation that is more secure.

The House of Representatives has passed a number of cybersecurity bills, but these are stalled in the Senate. The key Cyber intelligence Sharing and Protection Act (CISPA) continues to be stalled, as an example of the current approach to any Federal involvement.

The purpose of CISPA is to encourage businesses to share cyberthreat information with the government. This legislation has been contentious because critics have asserted that it does not offer sufficient privacy and civil liberties safeguards. One of the key provisions, providing immunity for business that surface cybersecurity instances, should not be allowed. Instead, the legislation should “…encourage the private sector in taking reasonable steps to make sure it does not compromise privacy interests when it is not necessary to do so to protect cybersecurity.”[2] Accordingly businesses could hide behind claims of seeking protection from lawsuits that do not involve cyberthreats. Therefore, the proposed legislation must safeguard that personal information isn't shared with the military, including the National Security Agency. 

Rep. Mike Rogers, the Michigan Republican and CISPA's chief sponsor, says the bill was never about sharing personally identifiable information, saying the information being shared are the 0s and 1s that represent code that could contain malware that threaten critical IT systems. CISPA, he says, isn't about the written content in a message. Even though the proposed bill has added four layers of privacy protection, privacy will be assured by the Department of Homeland Security to serve as the government's sole contact with industry in sharing cyberthreat information. Whether such arrangement is practically sufficient to shield data from the NSA and the military remains then as a controversial issue.

Cybersecurity legislation has concentrated on debates whether Congress should prescribe how industry presents cyberthreat information and how it shares data among businesses. Accordingly the government has no role in telling business how to anonymize personally identifiable information that must be exchanged. Such details stopped the passage of the Cybersecurity Act of 2012. Proponents of government and business cooperation objected to the government, working with industry, to establish IT security best practices that businesses could voluntarily adopt. Even such voluntary cooperation was objectionable because it could potentially lead to objectionable regulation.

Executive Guidance

The rapid escalation of cyber breaches leaves open the question whether enterprises should expect legislative assistance in fighting cyber crime. Based on current circumstances, one must conclude that any such help would be, at best, a set of token activities that will address mostly intra-departmental jurisdictional differences. Little, if any direct actionable support can be expected from the Federal Government, which leaves each enterprise to do whatever is necessary to protect its operations against information breaches.

If one views cyber crime as a rapidly expanding global and toxic “infection”, the analogue of mobilizing the equivalent of a Center for Disease Control (CDC) in 1946 appears to have many scientific, technical, political and economic similarities. However, the current toxicity, speed, global coverage and human-created equivalents of toxins would make the formation of a Center for Cyber-Crime Control an enormous undertaking the that current legislative structure is unable to address.


Wednesday, September 10, 2014

Computer Security Incident Response Team by Akamai

  • Akamai makes available a Computer Security Incident Response Team (CSIRT). Its purpose is to define incident response plans that will help enterprises to efficiently detect, contain and recover from computer security incidents. By taking timely, appropriate action, the CSIRT can respond to potential attacks before an organization's systems and networks are significantly altered or damaged. The swiftness with which an organization will recognize and respond to threats is crucial in minimizing the impact of and accelerating recovery from info security incidents.
The core responsibility of the incident response team is to respond systematically to security incidents when they happen, performing reactive services such as incident management, which involves taking action to identify the causes of an incident and restore and protect affected systems and networks. The CSIRT may also provide proactive services, offering assistance to IT and security personnel in order to improve an organization's security controls and processes. (1) This includes:

Supporting security and auditing efforts through the implementation of best practice reviews, vulnerability scanning, and penetration testing.
Ensuring the proper configuration, maintenance and patching of network security tools, applications, and systems.
Developing new security tools and technologies and scripts that enhance the functionality of existing security infrastructure.

Executive Guidance
Akamai handles 15-30% of the world's total Web traffic, providing a unique view into what's happening on the Web - what events are generating traffic, how much, from where, and why. During a 24 hour period Akamai processes 134 million transactions. To support such monitoring Akamai has deployed the most pervasive, highly distributed cloud optimization platform with over 150,000 servers in 92 countries within over 1,200 networks.

That provides Akamai with an exceptionally detail understanding of the characteristics of Internet traffic. Akamai’s CSIRT assists in avoiding data theft and downtime by extending the security perimeter to the edge of the network to protect from increasing frequency, scale and sophistication of web and data center attacks. Proprietary methods include:

Kona Site Defender: Offers multi-layered defense to protect websites against the increasing threat, sophistication and scale of attacks.
Prolexic Routed: DDoS defence for protecting all data center infrastructures against large, complex attacks.
Kona Web Application Firewall: Application-layer defense to protect against data theft through attacks like SQL injections and cross-site scripting.
Site Shield: Origin defense by cloaking web infrastructure and reducing vulnerability.
Fast DNS: DNS resolution that is fast, reliable and secure.

Akamai’s CSIRT should be engaged as one of the highly trusted cyber crime consultants in investigations that involve global attacks on the integrity of systems.


Monday, September 8, 2014

Cyber Resilience Review (CRR)

The CRR is a non-technical assessment to evaluate an organization’s operational resilience and cyber security practices. The CRR may be conducted as a self-assessment or as an on-site assessment facilitated by cyber security professionals. The CRR assesses enterprise programs and practices across a range of ten domains including risk management, incident management, service continuity, and others. The assessment is designed to measure existing organizational resilience as well as provide a gap analysis for improvement based on recognized best practices.


The Department of Homeland Security (DHS) partnered with the Computer Emergency Response Team (CERT) Division of Carnegie Mellon University’s Software Engineering Institute to create the CRR. The CRR is a derivative of the CERT Resilience Management Model (RMM) ( tailored to the needs of critical infrastructure owners and operators.[1]
CRR Self-Assessment Package: This package includes the entire CRR self-assessment, including the fillable assessment form and report generator. All assessments will require this file to be completed.
CRR Method Description and User Guide. This guide contains the overall description of the CRR along with detailed steps and explanations for how to conduct a CRR self-assessment at an organization.
CRR Question Set with Guidance This document contains the entire CRR self-assessment question set along with guidance on how to interpret and answer each of the questions contained within the self-assessment package.
CRR NIST Framework Crosswalk. This document provides a cross-reference chart for each of the categories in the NIST Cyber security Framework and how they align to the CRR and other references.

Executive Guidance

Executives are advised to give serious consideration to the use of the CRR to offer a high-level assessment of their organization’s resistance to cyber crime. The CRR offers a series of well-documented and structured questionnaires the offer a comprehensive reviews of the methods that should be employed in dealing with malware. Forms are provided that offer a checklist of actions that should be deployed in dealing with cyber criminal activities.  
While the CRR predates the establishment of the Cybersecurity Framework, the inherent principles and recommended practices within the CRR align closely with the central tenets of the Cybersecurity Framework. The CRR enables an organization to assess its capabilities relative to the Cybersecurity Framework and a crosswalk document that maps the CRR to the NIST Framework is included as a component of the CRR Self-Assessment Package. Though the CRR can be used to assess an organization’s capabilities, the Framework is based on a different underlying framework and as a result an organization’s self-assessment of CRR practices and capabilities may fall short of or exceed corresponding practices and capabilities in the Framework.


Rescator Marketplace for Malware

  • Rescator is an illegitimate cybercrime shop that has sold, on line, millions of credit card identities that has been used for attacks on major retail merchants. The marketed batches of credit card identification were obtained from hacking Point of Sale (POS) credit card readers.

Rescator’s listing of available credit cards enumerates each available card according to the type of card, city, state and ZIP code of the store from which each card was stolen.[1] Experienced crooks prefer to purchase cards that were stolen from stores near them, because they know that using the cards for fraudulent purchases in the same geographic area as the legitimate cardholder is less likely to trigger alerts about suspicious transactions.

There are signs that the perpetrators of these breaches may be the same group of Russian and Ukrainian hackers responsible for the data breaches at Target, among others. These hackers have been moved massive new batches of stolen cards onto the market. The newest batches claim 100 percent validity; meaning cyber criminals won’t run into the embarrassment of having a stolen card declined while trying to make some illicit purchase.

Executive Guidance
POS data security problem can be attributed to lack of investment in secure application development, disputes with the financial services industry over who's to blame, disputes between brands and franchise stores, and lack of oversight by those who develop and deploy retail applications.
Recent network intrusions were the result of the “Backoff” malware. The Secret Service currently estimates that over 1,000 U.S. businesses are affected.[2]

Recent investigations revealed that malicious actors are using publicly available tools to locate businesses that use remote desktop applications. Once these applications are located, the suspects attempted to brute force the login feature of the remote desktop solution. After gaining access to what was often administrator or privileged access accounts, the suspects were then able to deploy the point-of-sale (PoS) malware and subsequently exfiltrate consumer payment data via an encrypted POST request.

Anti-virus (AV) vendors have now released variants of the “Backoff’ malware family that have hitherto remained largely undetected by AV vendors. It’s important to maintain up‐to‐date AV signatures and engines as new threats such as this are continually being added to your AV solution.
The forensic investigations of compromises of retail IT/payment networks indicate that the network compromises allowed the introduction of memory scraping malware to the payment terminals. Information security experts recommend a defense in depth approach to mitigating risk to retail payment systems. While some of the risk mitigation recommendations are general in nature, the following strategies provide an approach to minimize the possibility of an attack and mitigate the risk of data compromise:
  •        Configure the account lockout settings to lock a user account after a period of time or a specified number of failed login attempts. This prevents unlimited unauthorized attempts to login whether from an unauthorized user or via automated attack types like brute force.
  •        Limit the number of users and workstation who can log in using Remote Desktop.
  •        Use firewalls (both software and hardware where available) to restrict access to remote desktop listening ports (default is TCP 3389).
  •        Change the default Remote Desktop listening port.
  •        Define complex password parameters. Configuring an expiration time and password length and complexity can decrease the amount of time in which a successful attack can occur.
  •        Require two-factor authentication (2FA) for remote desktop access.
  •       Install a Remote Desktop Gateway to restrict access.
  •        Limit administrative privileges for users and applications.
  •        Periodically review systems (local and domain controllers) for unknown and dormant users.