
Cyber Security & Tips (April 2019)


I recently enjoyed presenting a Keynote Talk in Namibia to the Financial Industry about Digital Security and Cybercrime. This subject is so extensive it was impossible to touch on all its aspects during a single session so I promised to post this article.

Coincidentally, I started to write this article in the safest country in the world for cybercrime, which is Singapore. The country with the most cybercriminals is America, followed by China. Here is a nice pie chart I found during my research offering a visual overview of the main hot spots for resident cybercriminals.

Jean-Pierre Murray-Kline - The latest trends in internet marketing

Cybercrime is the greatest risk to global security because it is the least understood, the least prepared for and the fastest growing, and, unlike most crimes which operate in a niche sector, cybercrime affects everyone, every company, every device and every asset. It has the fewest laws and the least prevention funding.

To try and offer a good summary on this subject and not overload you with too much technical waffle, I have decided to use bullet points and divide this article into sections covering:

  • Status & Overview.
  • Types of Cybercrime.
  • Who is a Cybercriminal?
  • Points specific to Financial Industry.
  • How a target in the Financial Industry is picked.
  • Tips for the Individual, Corporate and Government.
  • Where to report cybercrime.

 

Status & Overview.

Things are really bad… and you had no idea!

  • Digital crime is any crime in which a computer or other electronic means is used as the weapon, or as the target, against an organisation or an individual.
  • In general, most governments are unable to identify future threats and struggle to manage or even monitor the current ones.
  • About 80 billion scams are attempted each day, 10 times the earth's human population.
  • There are about 900 000 reported hacking attacks per day.
  • This type of crime is popular because it is very rewarding and comparatively low-risk for the criminal: they are rarely caught, and even when they are, the laws in place often do not know how to deal with them.
  • Motives for this type of crime are greed, fame, power, or showing off expertise.
  • Most crimes originate from countries that have lax cyber security policies.
  • The perpetrator of most corporate cybercrime is a staff member.
  • The perpetrator of most private cybercrime is an uncle in Nigeria wanting to offer you 100 million USD.
  • Damages are estimated at over 600 billion USD annually, which is close to 1% of global GDP.
  • In addition to financial damage, the damage to personal and company reputations is severe.
  • Children are the most vulnerable to abuse through cybercrime.

 


Types of Cybercrime.

These differ based on local laws and expert opinions. My opinions on categories are:

Harassment and Cyberbullying.

Cyberstalking is repeated, unsolicited communication that is personal in nature and directed at a specific person. It is often lumped together with trolling, which is deliberately provocative posting aimed at getting a reaction; the two overlap but are not the same thing.

At my keynote talk I gave an example using Dirk, who was on the Board of Directors at the company that employed me to do the keynote talk. Obviously I cannot share too much information about this person within my article, but I did demonstrate how in just 30 minutes online I could work out his probable age and that he had a helicopter at his 50th birthday party. This I knew was not enough information to impress, so I then went on to share his probable religion, that he enjoyed cycling (while wearing spandex), that he could ride a horse and probably had a skipper's licence.

I took the personal information up one more level, and shared his preference of beer and professional camera, what his high school uniform colours were and what type of visa he had in his passport for May 2011.

To make things really uncomfortable I shared a geolocation pin point on where his daughter worked.

The information I shared was available online already, and if in the hands of a cybercriminal it could be used against him or even his family.

Cyber safety is not only about what information you make public but also where your information is stored. In 2016 the internet giant Yahoo disclosed breaches affecting well over 500 million accounts, including email addresses, dates of birth, hashed passwords, phone numbers and security questions. In another case a 19-year-old from Uruguay found a way into internal Google Cloud Platform systems and reported it through Google's bug-bounty programme. Flaws like this are why the big providers spend heavily on checking their own systems: by early 2019 Google had paid security researchers more than $15 million in bug bounties.

Obscene and Offensive Content Sharing.

Pornography, nasty messages and inappropriate communications. This has in some cases been so bad it has resulted in suicide.

Hacking.

Hacking, in the criminal sense, is an intruder accessing your system without your knowledge or permission. Such intruders are more precisely called "crackers"; the word "hacker" originally meant a skilled programmer who explores how systems work.

A popular example of hacking is SQL injection. This technique abuses a website that builds database queries from user input without validating or parameterising it, so the attacker's input becomes part of the query and can read, change or delete data the application never intended to expose.
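To show the mechanism, here is an added example (my own illustration, not code from the original article or from any real bank) of a login check written two ways against a small in-memory SQLite table with constructed sample users. The first version pastes the user's input straight into the SQL text; the second passes the values as parameters so the database driver never treats them as SQL syntax.

```python
import sqlite3


def make_db():
    """Constructed sample data: a tiny in-memory users table, not real data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct horse", "teller"), ("admin", "s3cret", "admin")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query by string formatting: whatever the attacker types
    becomes part of the SQL statement itself."""
    sql = (
        "SELECT username, role FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return conn.execute(sql).fetchall()


def login_safe(conn, username, password):
    """Parameterised query: the values travel separately from the SQL text,
    so quotes, comments and OR clauses in the input are just data."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


def demo():
    conn = make_db()
    # Classic payload: turns the WHERE clause into "... AND password = '' OR '1'='1'",
    # which is true for every row, so the vulnerable version returns all users.
    always_true = "' OR '1'='1"
    # Comment payload: "admin' --" ends the statement early, skipping the password check.
    comment_out = "admin' --"
    return {
        "vulnerable_or": login_vulnerable(conn, "admin", always_true),
        "vulnerable_comment": login_vulnerable(conn, comment_out, "wrong"),
        "safe_or": login_safe(conn, "admin", always_true),
        "safe_comment": login_safe(conn, comment_out, "wrong"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

The vulnerable function returns every account (or the admin account with a wrong password) for the two payloads, while the parameterised version returns nothing, because the driver compares the literal string `' OR '1'='1` against the password column. Parameterised queries, not input filtering, are the fix; filtering quotes is easy to get wrong and does nothing against the many encodings attackers use.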

An interesting fact: Dennis Ritchie and Ken Thompson, the creators of the UNIX operating system, and even Mark Zuckerberg of Facebook were all hackers in the original, non-criminal sense of the word.

Digital Fraud.

This type of fraud can be as simple as using Photoshop to alter a company invoice so that it carries the criminal's own bank account details, then sending it out to clients who make their payments to that account. This happened in my own company. It can be more complex of course, and if the criminal can access enough information or resources it can lead to more elaborate crimes like sales or investment fraud.

Data diddling, or data manipulation, is also a type of digital fraud. It involves altering part of a program's code or its data, before or during processing, to change an outcome in the criminal's interest. This sort of crime is normally done in conjunction with another crime.

Credit Card Fraud.

This is one of the oldest practices around and happens at petrol stations, shopping chains or even online.

Data, Property Theft and Damages.

This is a nice plump category.

Web Jacking. This is when a hacker takes control of a website and often results in a ransom request or publishing of nasty posts on the website.

Identity Theft. This is a very common type of digital crime. Identities are stolen for personal gain or even to resell.

Software Piracy or 'Cloning'. We think of it as a victimless crime, and in most cases we have all used pirated media or software at some point. Pirated media often contains trojans, viruses, worms and other malware.

Digital Money Laundering. Illegally obtained, high-value funds generally need to be laundered before they can be spent. This normally happens through chains of wire transfers and money-mule accounts.

Malware.

This is malicious software installed on a system with the intent of causing harm to data or even to the device itself.

Phishing.

This is the technique of gaining confidential information like cardholder names, card numbers, usernames and passwords by pretending to be a legitimate organisation. This practice is very common in the banking sector and is mostly done via spam emails which direct the victim to a fake website where they hand over their personal information.

Spam.

Often carried out by botnets or people with way too much time on their hands.

Malicious programme attacks:

This is another plump category.

Viruses attach themselves to host files or programs and spread when those files are copied or run on other computers on the network.

Worms are like viruses but need no host file: they replicate on their own across the network until they exhaust bandwidth, memory or disk on every system they reach.

Trojan horses look like legitimate files or programs. They are often picked up through drive-by downloads, a fancy name for a download or exploit that runs when you visit a compromised or malicious website without you deliberately choosing to install anything. Gaming and pirated-content sites are frequent culprits. Trojans are typically used to steal information or to hamper or disrupt the function of a system.

Logic Bombs, also known as slag code, are malicious code deliberately inserted into software to carry out a harmful task. They are mostly seen on closed networks such as company intranets. They lie dormant in the system and fire when a trigger chosen by the attacker occurs, such as a date, a file being deleted or a user account being removed. A well-known example is the "Friday the 13th" bomb, which activated on that date.

Denial-of-Service attack. This is a big one for banks: flooding a computer, service or network with more traffic or requests than it can handle, so it slows down or crashes. E-mail bombing (flooding a mailbox) is one old form of it.

Distributed Denial of Service attacks work the same way, but the traffic comes from many compromised machines (a botnet) spread across different locations, which makes it far harder to stop by blocking a single source.

Ransomware is malware that encrypts a victim's data or locks their systems and demands payment before access or control is returned. It is reported to be one of the greatest threats at the moment.

Vishing.

Voice phishing involves phone calls using fake identities to trick you into believing the caller is from a trusted organisation so you feel comfortable enough to offer personal information.

Salami Slicing.

This is when cybercriminals steal a little at a time to avoid detection or setting off alarms. Most often it is a manipulation of rounding: the fraction of a cent left over when an interest or fee calculation is rounded to the nearest cent is quietly diverted to the criminal's account. A few cents per transaction is never noticed, but across millions of transactions it adds up to huge amounts of money. Similar damage can be done by manipulating stock inventory figures.

Eavesdropping & Surveillance.

Any device on the internet or on a work or home network, and even an unsecured mobile data connection, can be used to leak information about you.

Wiretaps are very popular, but depending on the device, a criminal with the know-how can actually see you, hear you, work out your location, access files and then share them, or even manipulate apps.

Cryptocurrency Theft & Crypto-Jacking.

Cryptocurrency is digital phenomenon which will shape trade and have socio-economic impacts I cannot even begin to imagine yet, and I’m a Future Thinker. Unfortunately Bitcoin is used on the dark web a lot, and this sort of practice has created a lot of negativity for this type of technology. Remember, technology does not commit crime, people commit crime using Tech.

Crypto-jacking is when a user's PC is used without their knowledge for cryptocurrency mining, sometimes with as much as 80% of the CPU and RAM commandeered for it. It often arrives through adware from gaming sites or pirated content.

Data and data Traffic Theft or abuse.

Data is the new oil or the new gold. Either way, data is extremely valuable and the most important RAW material on the Internet of Things.

Set aside for a minute what the ‘data is about’, it can be a password, or a picture of your child, it does not matter! If the data cannot move from device to device, it really has far less value.

Therefore, if you manage to control the flow of data, or even the storage of data, either through hacking or even legal methods like charging for data as an ISP, you really are in a position of extreme power.

If a country is able to decrease the cost of data traffic, it becomes competitive on an international scale.

 


Who is a Cybercriminal?

Cybercriminals are well paid computer nerds and entrepreneurs who have turned to the dark side.

They are not what TV makes them out to be and probably not sitting in their basement in horrible boxer shorts being fed cookies and coffee by their gran.

Most Cybercriminals are between the ages of 29 and 49 years old, and 3 out of 4 are male.

Other than these profile traits, you can categorize these criminals into skill sets:

  • Script kiddies.
    Wannabe hackers who run tools written by others, with just enough skill to break into a mailbox.
  • Scammers.
    Those who flood your email inbox with wonderful deals that will never materialise.
  • Hacker groups.
    Target networks and systems and operate mainly in the corporate field.
  • Phishers.
    A type of cybercriminal with the gift of the gab. They are really good at extracting personal information and focus on crimes targeting individuals.
  • Political cybercriminals.
    Those with a political objective. An example of their work is the Stuxnet worm, which sabotaged centrifuges at Iran's uranium-enrichment facility. It is widely believed to have been the work of a foreign government.
  • Insiders.
    Staff and suppliers cause 80% of the damage in terms of value, not volume.
  • Advanced Persistent Threat agents.
    Extremely organised, usually state-sponsored, long-running campaigns.

 


Points specific to Financial Industry.

Get your coffee topped up for this section.

  • 50% of all cyberattacks world-wide are related to banks and e-commerce services.
  • Attacks have tripled over the last 5 years and losses have increased by over 40% over the last 3 years.
  • Cybercriminals that focus on the financial industry are very patient people; they often wait months, if not years, after penetrating a system before they mount an attack. In most cases they are a hybrid criminal, a mixture of an insider and a hacker.
  • Staff from the IT or development departments fit the profile perfectly for this type of cybercriminal.
  • Banks are a top interest for criminals working at an international scale. This means the banks have to fight an international threat locally, with little to no support from authorities who have jurisdictional challenges.
  • Spear phishing is a rising trend. This is when an employee's or customer's credentials are compromised through a socially engineered message crafted for that specific person.
  • Retailers. Point-of-sale breaches and payment risks associated with retailers and third-party payment processors are increasing.
  • Awful passwords. One report I read said a quarter of banks used the password "P@ssw0rd" on at least one part of their network.
  • Abuse of call centres. Criminals with basic information gained from hacking move on to impersonating clients or suppliers. They make repeated requests, extracting a little more information from the call centre each time, until they have enough to mount an attack, for example a password reset on an online account.
  • Mobile app attacks. Banks already have to take many steps to protect their mobile apps and don't always have the resources. There are many channels available for this type of attack because of the open architecture of mobile platforms.
  • Most banks are vulnerable through web applications, network security and server configuration flaws. The other main risks inside banks are outdated verification methods. Another major problem is the ease with which some outdated software allows users (tellers / private bankers / investment brokers / switching consultants / insurance users) to manipulate data so they can transfer funds into their personal or fake accounts.
  • The governance put in place to prevent instability hinders the ability of banks to respond quickly, making timing an exploitable weakness.
  • FICA verification calls (in South Africa) to the Department of Home Affairs and to the Consumer Profile Bureau cost 40 cents per call, which adds to banking costs.
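The "P@ssw0rd" point deserves a practical check, because a password policy that only demands length and mixed character classes happily accepts it. Below is an added example of my own (not from the article or any bank's software) of the normalisation a password filter should do: lower-case the candidate, strip the trailing "2019!" style suffix people bolt on, undo the common symbol-for-letter swaps, and only then compare against a deny list. The deny list here is a constructed handful of entries; a real deployment loads a breached-password corpus, and the 12-character minimum is an assumption for the example.

```python
import re

# Constructed deny list. Real deployments use a large breached-password corpus.
COMMON_PASSWORDS = {
    "password", "passw0rd", "admin", "welcome", "letmein",
    "qwerty", "123456", "changeme", "summer", "winter",
}

# Symbol/digit substitutions that policies with "must contain a digit and a
# symbol" rules push people towards. Undoing them exposes the underlying word.
LEET = str.maketrans({
    "@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
    "0": "o", "$": "s", "5": "s", "7": "t",
})

TRAILING_JUNK = re.compile(r"[0-9!?.*#_-]+$")


def candidates(password):
    """All the forms a deny-list comparison should try for one password."""
    base = password.lower()
    forms = {base}
    stripped = TRAILING_JUNK.sub("", base)   # "p@ssw0rd2019!" -> "p@ssw0rd"
    if stripped:                             # keep "123456" from becoming ""
        forms.add(stripped)
    forms |= {form.translate(LEET) for form in list(forms)}  # "p@ssw0rd" -> "password"
    return forms


def check_password(password, min_length=12):
    """Return the list of reasons the password is rejected; empty means accepted.
    min_length=12 is an assumption for this example, not a standard."""
    reasons = []
    if len(password) < min_length:
        reasons.append("shorter than %d characters" % min_length)
    if candidates(password) & COMMON_PASSWORDS:
        reasons.append("variant of a common password")
    if len(set(password)) <= 2:
        reasons.append("fewer than three distinct characters")
    return reasons


if __name__ == "__main__":
    for pw in ["P@ssw0rd", "P@ssw0rd2019!", "123456", "correct horse battery staple"]:
        print(repr(pw), "->", check_password(pw) or "accepted")
```

"P@ssw0rd" and "P@ssw0rd2019!" both collapse to "password" and are rejected, while a long passphrase with no deny-list ancestor passes. The same normalisation belongs in a periodic audit of existing credentials, which is how the quarter-of-banks finding would have been caught internally before a report made it public.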

The Norton report of 2017 said 978 million consumers were affected by cybercrime, with a loss of $172 billion. About a year later, the President of the World Economic Forum said that losses from cyberattacks approached USD 1 trillion. The two figures come from different sources and count different things (Norton surveyed consumer losses; the WEF figure covers losses of all kinds), so the jump is indicative rather than exact, but the direction is unmistakable. Some examples of these losses:

  • A Nepalese bank closed for local holidays, and criminals who had already compromised its systems took advantage of the downtime, using the bank's SWIFT connection to send fraudulent transfers.
    They lost $4 million in one attack. That is what I call paid leave.
  • There was a flood of attacks targeting card processing in Eastern Europe. Criminals accessed card processing, increased overdraft limits, disabled antifraud systems, and then withdrew cash from ATMs in other countries. The loss was $100 million.

Not all attacks lead to profits; some just cause damage, like the NotPetya attack of 2017, which cost single victims such as Maersk around $300 million each.

Criminals monitor the published vulnerabilities in the sector and exploit them before security is able to update defences and most attacks are made by groups. Some examples of Digital Gangs:

  • Lurk Trojan group.
    Several years of attacks on remote banking systems. Arrested in 2016.
    They got away with $52.5 million.
  • Cobalt gang.
    They took control of ATMs through the banks' own networks and sent cash-dispensing commands so that waiting mules could collect the money.
  • The Lazarus gang.
    They attempted to steal nearly a billion dollars from the Central Bank of Bangladesh in 2016. They only got away with $81 million because a spelling mistake in one of the transfer instructions raised suspicion and the remaining transfers were stopped.

 


How a Target in the Financial industry is picked.

This is a generalised crime scenario and a target is picked based on the criminal’s technical abilities and knowledge of internal banking processes.

  1. They first survey the target. 1-3 months. The criminal often engages, and in most cases pays dishonest bank staff to share information about the bank, information such as:
    • Network perimeter systems.
    • Software.
    • Other employee email addresses, telephone numbers.
    • Which contractors are used and their systems, and if possible information on their staff.
    • Overall business processes.
  2. Ground Work. 3-12 months. With the information gathered they then begin to prepare:
    • Developing their own software, or adapting off the shelf software,
    • Working on exploits for vulnerabilities in the bank's operating systems and software,
    • Preparing phishing emails,
    • Stockpiling coffee and cookies,
    • Setting up infrastructure like domains and server rental,
    • Preparing the infrastructure and network for money laundering and their exit plans,
    • Sorting out money mules,
    • Testing the infrastructure and malicious software.
  3. Go Time. After a few months of work, it's time to gain a foothold on the bank's intranet. The most common foot in the door is a phishing email to bank staff.
    Or
    Hacking third-party companies that do not protect their resources.
    Or
    Infecting websites visited by employees.
    Or
    A combination of all options.
  4. Once the criminal has some code or door opened into the system, they move onto compromising the systems to prepare for stealing funds. This means they need to work on getting privileges on the system. Popular end objectives are:
    • Transferring funds to fictitious accounts through interbank payment systems,
    • Transferring funds to cryptocurrency wallets,
    • Controlling bank cards,
    • Hard cash at ATMS.

    While trying to get their Golden Ticket, they take advantage of:
    • Outdated software versions,
    • Failure by banks to install OS security updates,
    • Configuration errors such as excessive user and software privileges,
    • Local administrator passwords distributed through Group Policy Preferences, which are stored in a form any domain user can read and decrypt,
    • Absence of two-factor authentication on critical systems.

    Once they have administrative privileges on a host, dumping the memory of the process that handles logons (LSASS on Windows) gives them the credentials or password hashes of every user logged in to that machine. These can be replayed to connect to other computers on the network, so the attackers move around using legitimate administration software and built-in OS functions and are unlikely to raise suspicion.

    Where code is used at this stage it is often fileless, living only in RAM and never touching the disk. Well-known tools used here are Mimikatz and ProcDump.
  5. Control Taken. Now that they have similar control privileges to those of the highest users, they can access everything they need, not limited to:
    • Business systems,
    • Banking software,
    • Identify workstations. This is very important because certain PCs hold logged-in sessions or saved passwords for critical systems, so all they need to do is find the software associated with these functions to work out which PC's memory to dump.

    At this point, the money is as good as gone and it is just a matter of timing.

 


Tips.

It is everyone’s responsibility to assess vulnerabilities, take action and mitigate risk.

Technology is both the threat but also the solution to this crime wave, if we can just manage the human factor.

 

For the Individual:

  • You must have a firewall and security software, and keep both updated.
  • Don't post silly things on social media.
  • Be alert when online. Don't go onto untrusted sites. Don't connect to Wi-Fi networks or routers you don't know.
  • Look for spelling errors in communications. Many cyber-criminals don't run a spell or grammar check, though a well-crafted phishing mail may have none, so treat this as one clue rather than proof.
  • Learn some safety tricks, like hovering your cursor over a hyperlink and checking that the address shown in the tooltip or status bar matches the displayed link and points at the organisation's real domain rather than a look-alike.
  • Never respond to spam. If you are not expecting an email or you are not sure you can trust the source, delete it.
  • Do not click on pop-ups.
  • Review credit card and e-statements often to check for odd activity.
  • Opt for extra security with suppliers if it is offered, like two-step verification.
  • Do a credit health check at least once a year to pick up whether anyone has stolen your identity.
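The hover-over-the-link tip can be automated for a whole mailbox. Below is an added example of my own (not from the article) that parses the anchors out of an HTML email body and applies three checks a phishing filter would make: the displayed text looks like a URL but its host differs from the real link host; the link hides a fake host in front of an "@" (browsers treat everything before "@" as a username and connect to what follows); and the link points at a raw IP address. The sample mail and the bank name are constructed, and the "last two labels" domain comparison is a simplification that needs a public-suffix list for country suffixes such as .co.za.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample phishing mail. examplebank.com and the IP are placeholders.
SAMPLE_MAIL = """
<p>Dear customer,</p>
<p>Please verify your account at
<a href="http://examplebank.com.verify-login.example/reset">https://www.examplebank.com/login</a>.</p>
<p>Or use <a href="http://www.examplebank.com@203.0.113.5/login">our secure portal</a>.</p>
<p>Contact us: <a href="https://www.examplebank.com/contact">www.examplebank.com/contact</a></p>
"""

LOOKS_LIKE_URL = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)
IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Assumption: compare the last two labels only, so mail.examplebank.com and
    examplebank.com match. Suffixes like .co.za need a public-suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def suspicious_links(html_body):
    """Return (displayed text, href, reason) for every link that fails a check."""
    parser = LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        target = urlparse(href)
        host = target.hostname or ""
        if target.username:
            findings.append((text, href, "host-looking text before '@' hides the real host"))
        if IPV4.fullmatch(host):
            findings.append((text, href, "link points at a raw IP address"))
        if LOOKS_LIKE_URL.fullmatch(text):
            shown = urlparse(text if "://" in text else "http://" + text)
            if shown.hostname and registrable_domain(shown.hostname) != registrable_domain(host):
                findings.append((text, href, "displayed host differs from real host"))
    return findings


if __name__ == "__main__":
    for text, href, reason in suspicious_links(SAMPLE_MAIL):
        print("%-40s %s\n    %s" % (reason, text, href))
```

The first link in the sample is flagged because "www.examplebank.com" is only a prefix of a host that really belongs to verify-login.example; the second is flagged twice, once for the "@" trick and once for the IP address; the genuine contact link passes. The same logic, pointed at a real mailbox, is exactly what a mail gateway's link-rewriting or a user-side "show me the real destination" add-on is doing.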

For the Corporate:

  • Budget for, and ensure you are doing training and workshops to boost awareness for staff.
  • Sort out basic security measures on every PC, even the one in the printer room. For example, email attachments should be checked in an isolated environment (sandbox).
  • Some Internet of Things devices connected to a network also create a risk. Think twice before you plug your coffee machine or aircon into your main network.
  • Do proper background checks of staff that have access to even lower level workstations privileges, especially new positions. When a staff member leaves tie up loose ends.
  • Hire a penetration tester (an ethical, "white hat" hacker) to test your systems from the outside. Make a day of it, a company team build!
  • Educate suppliers and clients with risks associated to your trade. Make it memorable.
  • Ensure there is a direct line of communication for anyone to alert the company to a cyber threat, and the information is able to go direct to a team that has the authority to act on the spot.
  • Be proactive in detecting, preparing, alerts, and where all else fails execute a mitigation or recovery plan.
  • When possible have something in place that looks for signs of trouble on your systems, like odd entries in event logs, changes to the registry, or erasing of boot records or hard disk partition tables.
  • Implement stronger authentication for suppliers and staff, not only clients.
  • When possible, use big data analytics or AI to help anticipate risk. Analytics technology is getting better.
  • Keep an eye on international trends.

For Governments:

  • Aim for International standards when designing policy.
  • Have an entire department for cybersecurity that has real authority.
  • Ensure your budget for training law officials on this new threat and educating your nation.
  • Consider penalties for trade partners with nations who harbour cybercriminals. The risk is that serious; we can't be wishy-washy about this.
  • Find the balance: cyber privacy versus cyber freedom. They both need to be cared for.

 


Where to report Cybercrime.

Reporting Cybercrime in South Africa

http://cybercrime.org.za/reporting
and
https://alertafrica.com/awareness/who-to-report-to/


 

Please feel free to send any questions or comments. My other articles are at: http://www.jeanpierremurraykline.co.za/mediaarticlesinfoseospecialist.html

If you want to be the first to hear more news on tech, marketing and other related information, be sure to follow me on Facebook: https://www.facebook.com/Jean-Pierre-Murray-Kline-1811395325773068/

Jean-Pierre Murray-Kline - Internet & Social Media Specialist

#cybersecurity
#cybercrime
#cybersecuritytips
#cyberattacks

Published April 2019

Disclaimer:

  • While I attempt to ensure information is accurate and up-to-date at time of publication, I will not accept liability should information be used, and found to be incorrect. If you do see an error, please let me know.
  • The links, images, videos and/or text in this article are not necessarily under my direct management, ownership or care. Should you be the owner or manager of any content herein, and wish for the content to be removed, please let me know and it will be done.