Ron McCarty's Blog

by Malyssa Woodward

Malware is on the rise in 2011, as are high-profile attacks against government entities and corporations, according to the Mid-Year Security Threat Report published recently by IT security and data protection company Sophos. The report focuses first on malware, which saw a huge increase in 2011. Since the start of this year, the team at SophosLabs has seen 150,000 different samples of malware each day, a 60 percent increase from the malware analyzed in 2010. To give a little perspective, this year’s numbers represent a unique file nearly every half second, according to the report.

So what exactly defines malware? Malware, or “malicious software,” can show itself in several forms, including viruses, worms and Trojans. Viruses are self-replicating malicious computer programs that are spread from computer to computer via removable media like disks and USB drives, or by infecting a file stored on a computer that is part of a network. A virus makes copies of itself, but in order to spread, it needs the ability to execute code and save to memory. Because of this, most viruses attach themselves to programs. When the user launches the program, the virus is launched at the same time.

There are two types of viruses: resident and non-resident. Resident viruses load their replication modules onto the infected system’s memory, where they can then execute themselves each time a certain action is performed by the operating system, thus spreading to multiple programs on the computer. A non-resident virus goes one step further in that it contains a finder module as well as a replication module. The finder module will seek out new files to infect and then call on the replication module to infect them.

A worm differs from a virus in that it does not need to attach itself to a program to work. A worm takes advantage of a computer’s weakness to infiltrate the system, where it then creates copies of itself and sends them to all computers on the network. Unlike a virus, a worm can replicate and spread without any action by the user. Where a virus infects or changes certain files on a target computer, a worm can damage computers on a network, even if it means simply taking up the bandwidth and slowing the network down. Worms are often used to create zombie computers for use in spamming botnets. A popular example of this is the infamous Waledac botnet, which infected as many as 90,000 computers worldwide before it was brought down by Microsoft last year.

Another kind of malware is the Trojan, which as its name implies, is a malicious program disguised as one that is seemingly useful. This program infects the target computer in order to steal sensitive information or harm the system. Trojans differ from worms and viruses in that they do not replicate themselves. Trojans can give hackers remote access to a system or use infected computers as part of botnet schemes used for spamming or denial-of-service (DDoS) attacks. They can also be used to log keystrokes on a machine or crash the infected computer.

A popular form of Trojan, and one that Sophos reports is still a persistent threat in 2011, is the Trojan that presents itself as an anti-virus application. In this scam, users are tricked by a fake anti-virus pop-up window warning them that their computer is infected. They are then convinced to purchase a rogue application to rid their computer of the virus. The program not only fails to protect the computer, but most likely installs some form of malware onto the system. This wreaks more havoc for the victim, who has just sent their money straight into the scammer’s pocket. According to the Sophos report, the FBI estimates that nearly one million people were duped into buying fake anti-virus software from one particular cybergang, netting the criminals over $72 million.

An example of a persistent Trojan that continues to evolve and target new devices is the Zeus banking Trojan. Recently, researchers discovered a variant of the Zeus malware called “Zitmo,” which can run on Android phones as well as Symbian, Windows Mobile and Blackberrys. The malware intercepts one-time passcodes sent to these devices as a form of added two-factor security, which then allows the hacker access to private information like bank accounts. The increase in consumers who use their smartphones and tablets for sensitive personal and business transactions makes these devices desirable targets for hackers.

According to the Sophos report, Google’s Android platform is proving particularly difficult to secure, and has been a popular target for hackers in the first part of 2011. In June, Google removed several Android applications from the market because they contained data-swiping Plankton malware. Tablets running the Android operating system are also at risk for similar attacks. With more consumer technology making its way into the professional workplace, IT managers have new concerns on their hands as they try to keep their organizations secure.

While much attention has been paid this year to large-scale strikes on major targets, the Sophos report found that attacks against consumers continue to be a threat.  Social networking scams, email scams and spear phishing campaigns are still popular, as is SEO poisoning. In SEO poisoning, the hacker takes advantage of popular keyword searches as a way to target the most victims, redirecting users to malicious sites where a variety of malware is downloaded onto their system. Often the malware is hosted on legitimate sites that have been infiltrated by hackers. To see a video demonstration of how this technique works, watch this Sophos video on YouTube.

Even Mac OS X, long believed to be the most secure operating system, is no longer safe in the current hacking landscape. The fake anti-virus malware Mac Defender and its many variants took users and Apple by surprise this spring. Apple was slow to respond to the influx of tech support calls, drawing much criticism. The company finally conceded that the malware was indeed a reality and offered steps to remove it.

Perhaps the most glaring light this year has shone on the many high-profile targeted attacks against huge corporations, government entities and their partners. The hack of RSA’s SecureID two-factor authentication system led to subsequent assaults on defense contractors Lockheed Martin and L-3 Communications. The CIA was also a victim of hackers, as was the International Monetary Fund (IMF). Mega-corporation Sony is likely still reeling from the persistent attacks launched against it earlier this year.

These and other attacks have spurred legislation addressing cybersecurity concerns. The Department of Defense launched a new program in June that aims to help defense contractors protect themselves against cyber attacks. The program, called the Defense Industrial Base (DIB) Cyber Pilot, will share classified information about cyber threats with defense contractors, as well as help them determine how to defend their networks.

The Obama administration is trying to crack down on hacking and cyber attacks that affect government systems or cause a potential national security threat by proposing increased sentences for hackers. Hackers targeting government computers may face up to 20 years in prison for such attacks.

The new Cybersecurity and Internet Freedom Act of 2011 establishes the National Center for Cybersecurity and Communications (NCCC) at the Department of Homeland Security, which will work to protect federal networks as well as public and private sector networks from cyber threats. The Act spurred controversy early on due to a “kill switch” provision that would essentially allow the President to shut down portions of the Internet during a cyber attack. That provision has since been removed.

On the business front, a new data breach bill is in the works, currently being debated on and refined. The bill would require companies suffering a data breach to report the breach and begin notifying customers within 48 hours if the data compromised could lead to identity theft or other harm. The requirement would standardize the currently varying state laws regarding data breaches, which experts say is both good and bad for businesses.

Whether or not this increased attention to cybersecurity will help stave off serious attacks and create a more secure online environment remains to be seen, but clearly progress is being made. However, the first half of 2011 shows us that there is much work to be done. If you would like to read the full Sophos mid-year report, you can download it by visiting this link. You will need to provide some basic information first, including name and email address.

Your Net Guard can help ensure your network is secure in this ever-evolving landscape of cyber threats. Call Ron today to discuss your security concerns.

By Malyssa Woodward

What is a hacker? For some, the term inspires a vision of a bespectacled youth in a basement bedroom, surrounded by monitors, gadgets and empty soda cans. For others, the impression is darker: a shadowy figure that exists on the edge of society, poised to strike at any moment and wreak havoc on the innocent, stealing identities and bleeding bank accounts of millions of dollars.

And of course there’s the Hollywood version depicted in popular movies like 1995’s Hackers. In it, Angelina Jolie and Johnny Lee Miller head up a gang of gifted teens whose attempts at one-upping each other’s abilities land them in hot water with the Secret Service.   

The film glamorizes the hacking subculture, summed up in a line by the character called “The Plague”: “Governments and corporations need people like you and me. We are Samurai...the Keyboard Cowboys...and all those other people who have no idea what's going on are the cattle...Mooo.”

Real life “keyboard cowboys” have garnered much media attention recently, to the dismay of the security experts at Panda Labs. In its April – June 2011 Quarterly Report, Panda chastises the media for spending so much time covering the antics of these groups, specifically the “hacktivist” group Anonymous and its offshoot Lulz Security (“LulzSec”), a short-lived collaborative of hackers claiming the mission “to have fun by causing mayhem.”

The authors make their disdain for these two groups abundantly clear, calling their actions “deplorable” and attributing at least a portion of what Panda refers to as “a disastrous quarter” in cyber security to their hacking activities.

Dubbing itself a group of “hacktivists,” Anonymous claims to be acting in the interest of the masses to protest various injustices. Its members launch attacks against the computer systems of companies or government entities with which they disagree, often as retaliation for anti-hacking views or policies. The group typically organizes distributed denial of service, or DDoS, attacks against these organizations’ networks and web sites. 

In February, the group launched an attack on HBGary Federal, a security company that performs classified work for the U.S. government. The firm was investigating Anonymous, and claimed to have uncovered the names of some of its members. In retaliation, Anonymous breached the HBGary network and stole around 60,000 internal emails, which they later released to the public.

Recently the group defaced Turkish government web sites in protest of new internet filtering rules to be implemented next month. The Turkish government responded by arresting 32 suspected members of Anonymous. The arrests came just days after Spanish law enforcement officials arrested three alleged leaders of the group.

Seemingly undeterred, on Monday Anonymous released a database stolen from government consulting contractor Booz Allen Hamilton. The database contained the passwords and email addresses of around 90,000 U.S. military personnel. The Booz Allen attack is the latest in a string of hacks targeting private sector firms that work with what Anonymous deems a corrupt U.S. government.

The focus of LulzSec’s attacks was far less purposeful – just for “lulz,” which in hacker terms is “for laughs.” The group primarily targeted entities with lackluster security such as PBS as well as computers at the U.S. Senate, stealing and posting private information online. Though no critical information was lost in the Senate attack, the stunt could land the culprits in prison for five to 20 years if convicted under the Computer Fraud and Abuse Act.

LulzSec also took down gaming sites Eve Online, Escapist, Minecraft and League of Legends for a three hour period, and then boasted about the attacks on their Twitter account. When accused of attacking only soft targets, the group carried out a DDoS attack on the CIA web site. After “50 days of mayhem” and the arrest and charging of a suspected key member, the group disbanded. Experts speculate, however, that LulzSec’s leaders were merely reabsorbed by Anonymous and their activities continue under that umbrella.

Hacking collaboratives like Anonymous and LulzSec proudly wag their accomplishments under the noses of the public via social media outlets like Twitter and message boards. Their high profile stunts draw followers and get plenty of media attention, and that has security experts like the folks at Panda Labs shaking their heads.

The spotlight has shifted to these high profile breaches and meanwhile, according to the Panda report, malware creation and distribution continues its staggering rise. There are 42 new malware strains created every minute, according to the report, with Trojans being the most popular attack tool for crooks to gain personal information. More than 68 percent of malware consists of Trojans, followed by traditional viruses at just over 16 percent.

The Panda report deems the past quarter “one of the most negative quarters ever judging from the number of cyber-attacks launched.” During this quarter, the first large-scale attack on the Mac OS appeared in the form of MacDefender, rogueware intended to trick users into purchasing fake anti-virus software.

Apple at first denied such an attack took place, despite the malware affecting thousands of users. A few days later, Apple conceded and released a patch, but within hours, new variations of the malware appeared and skated easily past the intended fix.

Two major breaches occurred during this quarter: the RSA breach and the attack on the Sony PlayStation Network (PSN).

In the first, security company RSA reported their systems had been breached and proprietary data relating to their hardware-based two-factor authentication system SecurID had been pilfered. The thieves used the stolen data to forge SecurID tokens, creating one-time passwords that granted them access to the networks of government defense contractors Lockheed Martin and L3 Communications. RSA has begun replacing the SecurID authenticators of nearly 40 million customers worldwide.

The Sony PSN breach was likely the most infamous attack of the quarter according to the Panda report. Cyber crooks stole data affecting 77 million users of the popular gaming platform in what is to date the largest theft of data ever. On top of that, Sony officials chose not to disclose the breach until days later, and when they finally announced the intrusion, greatly downplayed the seriousness of the breach.

The stolen data included users’ names, billing addresses, usernames and unencrypted passwords, as well as birthdates, photos of the users and in about 10 percent of the cases, their credit card information. Days later, another 25 million Sony Online Entertainment customers were affected by a different attack.

Sony pointed fingers at Anonymous, but the group continues to deny responsibility, claiming “for once, it wasn’t us.”

While the spotlight that currently shines on the antics of groups like Anonymous and LulzSec frustrates experts, it is perhaps drawing important attention to the bigger security picture for business owners. Companies can hopefully learn from the mistakes of the large-scale hacking victims and take their own IT security needs seriously.

Whether or not you find yourself in the crosshairs of hacking group, a tightly-secured network is imperative to protect your company’s valuable data. Your Net Guard specializes in network security implementations and can help you determine the best solution for your company. Call Ron with your questions - he’ll be glad to help.

by Malyssa Woodward

In the wake of recent large-scale breaches at companies like Epsilon and Sony, which compromised the personal data of millions of consumers, security concerns are at their peak. But are these concerns translating into action? Recent surveys indicate that while companies understand the security threats to their systems, many are not taking proper steps to protect themselves from attacks.

A survey conducted by the Courion Corporation polled about 1,250 IT decision makers from large companies around the globe. Most of the participants hail from corporations with more than 1,000 employees. The survey found that nearly one third of the respondents do not believe their companies have accurate assessments of the security risks facing them, including threats stemming from both internal and external sources. Essentially, the people responsible for securing their company’s systems are feeling insecure about their ability to do so.

Their feelings are not without merit, the survey reports, finding that more than 90% of respondents cite identification of user access as a primary method for assessing IT security risk, yet 60% claim to only review this access once a year or even more infrequently. Upon reviewing their company’s access rights, nearly half the respondents found excessive user rights existed in their systems. Obviously the more people who have access to a company’s sensitive data – especially those who do not need this access – the wider the door is left open for potential breaches.

“The results of this survey indicate that there is still widespread misunderstanding of the impact user access reviews have on enterprise IT risk,” said Kurt Johnson, Courion’s vice president of strategy and corporate development.

A similar misunderstanding seems to permeate infrastructure firms, who most will agree face an ever-increasing risk with the emergence of sophisticated malware like the Stuxnet worm.

Stuxnet targets Siemens Supervisory Control And Data Acquisition (SCADA) systems, which control and monitor industrial systems like those found in electric, water, gas and other key infrastructure sectors. The malware takes over the operation of specific equipment components and causes them to behave erratically, but reports back to system operators that everything is functioning normally. It is believed the worm caused real damage to the Natanz nuclear facility in Iran last year, proving its dangerous potential to hinder operations in similar plants.

A recent study conducted by McAfee and the Center for Strategic International Studies (CSIS) found that utility companies are aware of the increased risk, yet are not adopting security technologies intended to protect against such threats.  

Over 200 leaders in the oil/gas, energy and water sectors around the world were surveyed in the study, which found that many critical infrastructures were not adequately protected against cyber attacks. Forty percent of these executives believe that their industry is more vulnerable to such attacks, and even expect a major attack to occur against their sector within the next year.

Almost 30 percent do not believe their company is prepared to respond to a cyber attack, and a staggering 80 percent have been the victim of large-scale denial of service attacks. In addition, 70 percent of the respondents have reported frequently finding malware on their systems that is designed to sabotage them, including 46 percent of respondents in the electricity sector who reported finding Stuxnet on their systems.

So what are these companies doing to increase their security measures? According to the study, not enough.

When comparing this year’s report findings to those from last year, experts see a concerning – and continuing – lack of attention to security. In her blog, McAfee Vice President and Chief Technology Officer for Global Public Sector Phyllis Schneck writes that “Perhaps one of the most frightening findings in the report is the fact that, although the security threat and awareness of the threat have increased exponentially, the energy sector increased its adoption of security technologies by only one percent.”

Oil and gas companies were slightly more progressive, increasing their adoption of security technologies by 3 percent, while the water and sewage sector took the lead by increasing their security measures by 8 percentage points.

Overall, despite clear evidence that they are at an increasing risk of sabotage, key infrastructure organizations are slow on the draw to implement technologies that could protect them and prevent large-scale threats to public safety. Is budget to blame? In a struggling economy that’s very likely. Spending resources to protect against a chance attack by an unseen threat may not seem worth it. Yet surely the recovery cost will be much higher should such an attack be perpetrated on an electric grid, for example. Perhaps companies have a difficult time understanding the impact of such an attack until they are targeted directly.

Whatever the reasons, the survey results paint a rather grim picture of potentially vulnerable targets left unprepared to handle what seem to be inevitable attacks against them.

Another recent report lays out the need for basic security implementation, while indicating that cyber crime trends may be shifting. The 2010 Verizon Data Breach Investigations Report was released in April. This 4^th edition of the report included 800 new breaches that were investigated by Verizon and the US Secret Service last year, an all-time high since the first report was published three years ago. The first three years combined totaled about 900 breaches.

But while the sheer number of breaches skyrocketed, the number of compromised records plummeted to just under 4 million. That number was 144 million in 2009, and in 2008, a frightening 341 million. Recording the highest number of breaches in the same year as the lowest number of records compromised seems like a fluke, but perhaps it signals a trend in the way cyber criminals attack their targets.

Experts suggest that the large-scale breaches like the one at Heartland Payment Systems might be considered too high-risk for hackers now, or that perhaps these huge breaches have flooded the black market with enough credit card numbers, causing their value to drop.

The Verizon report found that 92 percent of attacks stemmed from external sources, up 22 percent from 2009. Fifty percent of the attacks used some kind of hacking technique, up 10 percent from the previous year. Incorporated malware also increased in popularity by 11 percent, constituting 49 percent of all breaches.

An interesting note is the increase in physical attacks like ATM skimming and Point of Sale (POS) equipment tampering. The figure that doubled in 2009 doubled again in 2010, accounting for 29 percent of breaches.

Also interesting and likely a bad sign is the increased number of customized malware discovered in the caseload studied. Nearly two-thirds of the malware investigated had been customized, indicating that the cost of customization is low and it is more accessible to criminals. With an increase of the “malware-as-a-service market,” this does not bode well.

Card payment data is still the number one breach, according to the report, and most victims (83 percent) were ones of opportunity. Most attacks were not particularly difficult, and a whopping 96 percent of them could have been avoided by instituting simple or intermediate controls.

The advice Verizon offers to businesses is familiar – focus on essential security first:

• Eliminate unnecessary data and keep tabs on what’s left
• Change default credentials
• Review user accounts on a regular basis
• Restrict and monitor privileged users
• Assess remote access services
• Test and review web applications
• Monitor and mine event logs
• Examine ATMs and other payment card input devices for tampering

These three reports indicate an evolving cyber crime landscape and a slow response on the part of many businesses to update their security practices. Are you concerned that your business is falling behind on security measures? Your Net Guard specializes in network security and can help you keep your systems protected. Call Ron with your concerns – he’ll be glad to help find a solution that meets your needs.