ten past passwords, which was interpreted to mean that the same password would not repeat for 300 days – 30 days and ten u...

3 Will the Real Hacker please stand up?
TWO events that happened in December 2012 startled me. First was the release of Vers...

All through, we have decried hacking as a crime, an evil attitude, something to be dealt with sternly, etc. I have always...

destructive metal testing, only a small sample is tested while the “hacker” has before him a live production system process...

to be satisfied for criminal liability, viz. actus reus, which refers to the criminal act being actually committed. The proje...

4 Juvenile Hackers
BUT what made me sit up, review and write this column is the profile of the person who successfully hack...

human being. I thought the kids would play with the boxes! Within four minutes, one kid not only opened the box but found ...

them hacking as it happens and also let them understand the perils of indulging in it and the ways to defend against it. Bu...

Nor will he be allowed to use the Internet in an unsupervised manner, or for any purposes other than education-related one...

5 ZERO IQ…
US MAGISTRATES issuing warrants of arrest is nothing new, but this warrant was for a cyber crime against a named i...

like Jarand’s as also multi-men unincorporated enterprises, whose owners are hard to identify. FBI carried out a well-orch...

resources at his disposal and traded in batches of 30 to 40 credit cards. The underground carding forum run by FBI collecte...

issuing company and more than 80 per cent of the ‘dumps’ data sent in by Jarand were found to be “valid, current and with ...

at the point of crime. In the case of cyber crimes, one of the factors that is favorable to committing crime and hence weig...

“The battle between the cyber cops and the cyber criminals is a mind game; like the game of chess.”

6 Operation High Roller
YEARS ago, Willie Sutton, who had robbed US $2 million during a criminal career that spanned four d...

Roller,’ a term borrowed from the gambling world. High Rollers refer to those playing for very high stakes. In the online ...

Dissecting Operation High Roller
A research report titled “Dissecting Operation High Roller” released by Guardian Analyt...

the compromise of 176 accounts covering multiple banks, and the average amount involved in the illegal transfer was €5499. ...

Infection of PCs
In response to these developments, ENISA has issued an advisory to European banks containing three very sig...

transferred. It was J P Morgan Chase that alerted Comerica about abnormal transactions going through their servers and end...

7 CITADEL: The collaboration suite of cyber criminals
IN AUGUST 2012, the Federal Bureau of Investigation (FBI) sounded a st...

ransomware is installed on the user’s computer. Once installed, the computer freezes and a screen is displayed warning the...

being a first time offence. The fine, ostensibly paid to the US Department of Justice, is to be paid using a pre-paid card s...

Can users be so very naïve as to fall for this? Quite a few considerations come up. One, the message appearing on the victim’s scre...

A lethal combination...
Avivah Litan, a financial fraud analyst with Gartner, has a different perspective. She says that the...

to determine geographical location using their log in, they said they knew it since they have seen it on their e-tickets!...

8 They promised. They delivered!
AND THAT was exactly what many said when the Regions Financial Corporation was successfull...

Chase Bank, Wells Fargo and PNC Bank. This list by itself would have created some sensation; the four banks suffered DDOS ...

indicate there was no response or the server was down and inaccessible. To help interpret the chart better, I ran a tool to...

watchers and ensuring that a few IT and Web administrators have sleepless nights. What does the attacking group want to ac...

Not just financial institutions; it appears to be the norm for almost all organisations that are victims of cyber attacks. ...

voice of dissent heard at Washington DC. Jamie Dimon, a well-known Banker and Chairman and CEO of JP Morgan Chase, spoke...

9 The case of Insider Fraud
RECENTLY in a round table session at a professional body, a member from the audience asked me i...

and financial institutions. The cases coming to light now don’t fit into any size. At the lower end, we have Willard Scott...

study presents six substantiated findings and two of them are of interest and concern. The low and slow fraudsters... First...

FBI indictment, Foster allegedly used his knowledge of the bank operations to commit the ultimate inside job. United State...

Why no early warning systems?
The one question on everyone’s mind is why can’t the players in the BFSI segment put in some e...

Surely, we cannot have technology, deterrence or other forms of control to eliminate all insider frauds, but a combination...

10 Clipping the butterfly’s wings
THESE BOTHERDS (called so in line with shepherds and cowherds since they ‘herd’ Bots) col...

used by cyber criminals for a variety of activities with varying degrees of criminality, resulting in different kinds and a...

for helping the law enforcement in cracking down on those who hacked into the user accounts resulting in the successful cra...

operation involving high technology that has the potential to move the malware across the internet anywhere, anytime. A fo...

the threat in order to cause long-term damage to the cyber criminal organisation that relies on these botnets for illicit g...

they identify any attempt to compromise their computers and negate it. This appears to be the philosophy behind running th...

11 The new threat vector
WHEN WE TALK of cyber infractions and frauds, we have traditionally looked at computers, internet,...

We had heard stories of malware embedded in printers during the recent Gulf war, but these accusations were dismissed as te...

telecom components. This exercise was built around the faith that any product with a malicious payload will only come via d...

or are otherwise vulnerable to attack and damage. This scenario is well summarised by Boscovich, who said that the “supply ...

While Herberger refused to name these six banks, citing confidentiality clauses in his company’s agreement with the Banks, ...

and compromised had refused to comment about the attacks and also refused either to confirm or to deny the attacks. While ...

Pastebin post that the third phase of their attacks against the US banking institutions was about to begin. This group clai...
Cyber crimes trends to watch-full book-l
cyber crimes: Trends to watch...
Dr K Rama Subramaniam
Chairman, Valiant Voora Center of Excellence in Digital Forensics, Chennai
Director and CEO, Valiant Technologies, India and UAE
Adjunct Professor, Department of Criminology, University of Madras
First Edition, 2013
Copyright © 2013 Dr. K Rama Subramaniam
Author: Dr. K Rama Subramaniam
Editor: V Pattabhi Ram
Price: Rs.250/-
Published by: Valiant Voora Center of Excellence in Digital Forensics, 196, Burmah Colony, Perungudi, Chennai 600 096. Phone +91 44 2496 7730, Fax +91 44 2496 7740, coedf@valiant-technologies.com
Layout & Design: Malaiselvan N, Prime Academy
Font: Garamond and Swis721 Cn BT
Printed at: Shri Akshaya Graphics, Chennai 600 026. Ph: (044) 2484 3118
Disclaimer: While every effort is taken to avoid errors or omissions in this publication, any mistake or omission that may have crept in is not intentional. Neither the publisher nor the author will be responsible for any damage or loss of any kind arising to anyone in any manner on account of such errors or omissions.
the author

Dr. K Rama Subramaniam
MBA(UK), Ph.D, FCA, FISC, CISA, CISM, CISSP, CFIP, CEH, CHFI, Security+
Chairman, Valiant Voora Center of Excellence in Digital Forensics, Chennai
Chairman, Center of Excellence in Digital Forensics, Chennai
Director & CEO, Valiant Technologies - India and UAE
Executive Director, Baker Tilly MKM, Abu Dhabi
Adjunct Professor – Dept. of Criminology, University of Madras
Global Chair, International Institute of Certified Forensic Investigation Professionals (IICFIP), USA
IBM GIO Alumni
India’s country representative at the International Federation of Information Processing (IFIP); serving on their Technical Committee TC-11 dealing with information security & privacy.
Awarded the ISC-Prof S S Srivatsava Prize for Excellence in Social Science Research and Teaching.

Information security and GRC consultant, audit and assurance professional, trainer and educator for over two decades. Certified and experienced professional in the areas of creating and implementing full cycle business continuity and disaster recovery plans; secure information security architecture; risk management systems and processes; internal controls systems and processes; anti-money laundering processes and frameworks; security audits and certification of network infrastructure, GRC systems, ERP application controls review, multifactor authentication (including PKI and X.509 compliant certification infrastructure); and assurance processes for SOX, COSO, COBIT, ITIL, PCI-DSS, ISM3, ISSAF, ISO-27001, ISO-22301, BS-25999, ISO-31000 and ISO-15408 compliant information security management systems.

Trained experts in BCP and DRP domains, risk management and information security domains across the Gulf nations, India, the Far East and Africa, and is a consultant to a number of organizations in the commercial, government, armed forces, judiciary and law enforcement segments in these countries.

Currently providing consulting support to a number of organizations in the BFSI, Manufacturing and Telecom sectors in the GCC countries, Africa and South Asia in the areas of Business Continuity and Disaster Recovery Management Systems, Enterprise Risk Management, Information Security, Anti Money Laundering, DLP, Audit and Assurance and compliance with norms of various central banks and global ‘best-practices’ frameworks, Digital Forensics and fraud investigation.

Served earlier as Global Chair of the Education and Awareness Principles Expert Group of Generally Accepted Information Security Principles (GAISP), based in the United States, and is former Global Chair of the Accreditation Process committee of the Open Information Systems Security Group (OISSG), based in the UK, where he established their certification and accreditation processes. Charter President of the first chapter of ISSA (Information Systems Security Association) in Asia and also Charter President of ISC2’s first Chapter in India. Served on the boards of the Dubai, Chennai and Bangalore chapters of ISACA.

Former Managing Director of Thewo Corporate Services based in Lusaka, Zambia; Group Operations Director of Benetone Group of Companies based in Bangkok, Thailand; and Commercial Director of Dynaspede Integrated Systems Ltd, based in Mumbai.
INSIDE

First word ... 07
0 Net gain from the Net ... 09
1 Sandy and the Hacker ... 13
2 PATCO Ruling – Wake up call for banks? ... 19
3 Will the Real Hacker please stand up? ... 23
4 Juvenile Hackers ... 27
5 ZERO IQ… ... 31
6 Operation High Roller ... 37
7 CITADEL: The collaboration suite of cyber criminals ... 43
8 They promised. They delivered! ... 49
9 The case of Insider Fraud ... 55
10 Clipping the butterfly’s wings ... 61
11 The new threat vector ... 67
12 … and They are Back Again… Wave 3 ... 71
13 PATCO Ruling reversed?? ... 77
14 Digital Forensics – an IT Governance Attribute ... 81
15 ICT – Tomorrow is here ... 89
first word

Cyber Crime was a novelty among criminologists about a decade ago. Today, it is commonplace. The speed of its evolution and the rise in its degree of sophistication have left many wondering about the perspectives of this form of crime.

The initial hackers were keener on the kick of playing around with technology. True, in a sense, they too were criminals; but they had no motive of defrauding people. Soon they gave way to organized criminals who saw in this the ultimate dream of the cheat: least risk with highest rewards, plus the joy of committing the crime in a comfortable and congenial environment.

The risk of getting caught is low due to a number of factors, including the not-so-mature digital forensic processes. There is also the issue of privacy and the lack of trans-border cooperation. Secondly, the risk of being punished is still lower due to the significant difference between the speed at which crime grows in sophistication and the legal processes attempting to play catch up. To further minimize the overall risk of crime consequences, the attackers have chosen to work on the most liquid of assets – money in electronic form. The spate of successful attacks on banks and financial institutions in the recent past bears testimony to this shrewd crime risk assessment being carried out by cyber criminals attacking the BFSI sector.

During the past few months, I have been writing a regular column commenting on Cyber Crimes and the emerging trends, both in Industrial Economist and K-Mart. I have presented those articles in this monograph. The Industrial Economist is a 45-year-old Chennai (India) based business magazine. I am indeed grateful to Mr. S Viswanathan, Editor and Publisher of the magazine, for permission to publish these articles. The K-Mart is an Internet-only magazine from Prime Academy, the pioneering institution in the knowledge dissemination space. I am grateful to the Academy for allowing me to publish the articles. I have also presented in this monograph, with substantial modifications, a paper of mine published earlier by ISACA, UAE Chapter.

I thank my long-standing friend V Pattabhi Ram, a chartered accountant, for bringing in his editorial skills in giving this monograph its final shape.

This monograph would have served a useful purpose if it draws the attention of the various stakeholders in the cyber crime management cycle to the need for each of us to play our roles in thwarting the efforts of cyber criminals who take away what genuinely is ours – our money, our privacy, our intellectual property and our freedom on the Net.

K Rama Subramaniam
rama@valiant-technologies.com
0 Net gain from the Net

When the history of the modern world is written, the world-wide-web will receive a primordial position. For, the Internet has changed our lives the way nothing else has; not even the invention of “fire” that altered forever the lives of our forefathers.

Who would have thought that knowledge would be available at the click of a mouse? That, sitting in one part of the world, it would be possible to access, draw, use and return literature available in another part of the world? That you could sit in the comfort of your study room at home and listen to top global professors deliver talks to you in real time, and that you could have two-way interactivity with them and with fellow students, again in real time?

We today have an entire generation that has not walked into a bank to draw money from a teller; a generation that has not placed an order with a stock broker; that has not stood in a queue at a railway station or a theater to buy a ticket. You can do transactions while on the move. Importantly, the new generation is making friends on the Internet; it’s no more love at first sight, it’s love first on the site. It’s a wired world. OMG, how did we live without the Internet in the pre-Internet days?

But like with all things good and beautiful, there is a darker underbelly to the Internet. The massive developments in technology now mean that you can lose everything in a jiffy, and without trace. That wasn’t how it was earlier. Then, if your accounting data had to be lost, someone had to physically carry away the ledger from your office. Or take copious photocopies. Today, he simply has to transfer it on a drive that’s the size of your thumb and no one would be the wiser. Yes, valuable data can be stolen with impunity. The new generation criminal is a white-collared, tech-savvy man-next-door. It’s brain power, not muscle power, which wins here.

The worst part is that things are getting far more dangerous. Look at some of the remarkable things that have happened.

Even as the weather Gods were busy venting their fury on hapless America, hackers were busy trying to break into the USA’s pristine banking system. Read about it in Sandy and the Hacker. The irony is that no one was sure what they were up to; namely, stealing information or just getting the kick out of a denial or a distributed denial of service attack!

Are the bankers careful in ensuring that the customers’ data and money are not lost? Do they take adequate care? Do these measures meet the test of commercial reasonableness? These are questions that have troubled the customer. In PATCO Ruling – Wake up call for Banks we search for some answers.

Even as the ink on the PATCO ruling hadn’t dried, a fresh ruling came that seemed to suggest that the PATCO ruling might not be final. We capture that in PATCO Ruling reversed?? No one seems to be bothered about the dictum that the Apex Court’s verdict is final not because it is right; but it is right because it is final!

Hacking is criminal. Yet hackers enjoy a holy halo of being Mr. Brains. There is no naming and shaming when it comes to them. Will the Real Hacker please stand up tells you just that. Worse still, hacking has now become kid’s stuff. In Juvenile Hackers read on to how “illiterate children”, yes illiterate children, in Ethiopia of all places, hacked the Android! And you thought technology was rocket science.

Is it possible to track those who steal cards on the Net? The answer is “Yes.” The FBI cracked it with gusto in the Zero IQ case. Criminals go where the money is; bank robbers go online! In a new brand of innovation, money mules are used to do money laundering, and it may happen in your account without you even knowing about it. In the end, you may end up in prison for no fault of yours. Operation High Roller has insights into this. You have to be careful about messages that you receive on the Net. This can trap both the amateur and the seasoned security professional. “Citadel” is a case in point. The rogues are becoming increasingly daring. Like in the movies, they promise that they will break into banks and do a DDOS at a specified date and a specified time on the Internet; and they deliver on that promise! That’s what we speak of in They promised. They delivered! If they can strike with a fore-warning, I am sure they can do anything.

The thief is within. The case of Insider Fraud is a telling story of how a combination of good deterrence and technology that responds to human behavioral tendencies can save our banks millions and increase the sagging confidence in technology systems. Nothing, nothing, is safe; not even the supply chain. Read about it in “The new threat vector” to get a ringside view of how cyber infractions have gone beyond computers, the Internet, internal networks and wireless applications.

Botherds collectively control a mind-boggling 11 million compromised computer systems, leading to a staggering loss of over $850 million through stolen credit card and bank account credentials and compromised Personally Identifiable Information. On 12 December 2012, the FBI cracked this case, thus effectively “Clipping the butterfly’s wings”.

On March 12, customers of six major US banks couldn’t bank on the Net. This was the largest number of institutions to be targeted on a single day. For a fuller focus move to … and They are Back Again. How the future would look is what you get to know in the compulsive read “ICT – Tomorrow is here.” In the end, the best way to catch the criminal is to go strong on Digital Forensics. That’s where the future lies.

The Internet is a lovely medium. We cannot imagine life without it; for, we are addicted. But there are pitfalls. Yet, we cannot throw the baby out with the bath water. It’s time to build great security that would trap the best of criminals. Are we headed towards it?

DO YOU KNOW?
For the year 1938, Time had chosen Adolf Hitler as the man who “for better or worse” (as Time founder Henry Luce expressed it) had most influenced events of the preceding year. If there is an award for the most important development of the last 100 years, that would “for better, not for worse” go to the Internet.
1 Sandy and the Hacker…

Sandy took many by storm towards the end of October 2012. Ha, we are referring to Sandy the storm (a k a Hurricane Sandy) that swept the USA at the end of October.

LIKE everyone else, the BFSI segment told the world that it had adequate disaster management mechanisms to minimize the impact of Hurricane Sandy. Almost every bank revisited the well-articulated publication of the Federal Financial Institutions Examination Council, Lessons learned from Hurricane Katrina: Preparing your institution for a catastrophic event. Just as the bankers were getting prepared to meet any eventuality that Hurricane Sandy might throw out, so were the Hackers. The purpose of their preparedness was, of course, different. The attackers saw a great opportunity to intrude when the bank was busy fighting the possible consequences of Sandy.

Sandy leaves its trail of damage

The New York Stock Exchange, which generally doesn’t close and definitely not due to inclement conditions, closed for two days.

On October 31, when Sandy had weakened, the financial institutions took stock. Secretary of US Homeland Security, Janet Napolitano, told the Washington Post, “Right now financial institutions are actively under attack.” That very day also saw Citigroup experience an online and mobile outage that lasted around an hour.

In this background, the following questions deserve a closer look.
• Was there a fraud dimension to this outage?
• Was this outage planned and executed by hackers knowing well that Citigroup would be too busy recovering from the aftermath of Sandy?
• Was this yet another distributed denial of service (DDOS) attack continuing the earlier pattern that affected over ten banks?

There are multiple views on what brought down Citigroup’s online and mobile services. One view is that it was a DDOS and a front for attempted fraud. These DDOS patterns point to a pattern of attack when the organization is otherwise busy getting its services back to normalcy. In the context of her stating that financial institutions are actively under attack, Janet Napolitano was asked if the attackers were stealing information or money from the banks. She said “Yes” but quickly added that “I really don’t want to go into that per se. All I want to say is that there are active matters going on with financial institutions.” So, one line of thought is that this DDOS could have, as the driving force, a fraud perpetrated on the assets of the bank.

If the attackers had wanted the DDOS attack to divert attention, resulting in a less guarded logical perimeter to the bank’s information assets, then they timed it pretty well. The Bank was already busy coming out of the effects of Hurricane Sandy, and the attackers brought down the services, forcing the bank to spread its response capability thin. If this DDOS attack is a continuation of the ten earlier attacks on the Banks in the past couple of months, then clearly the intention cannot be fraud. For, the Izz ad-Din al-Qassam group that claimed responsibility for the earlier attacks wanted to use it as an attention-grabbing tactic and there were no fraudulent intentions. In a Pastebin post, the group said, “Due to approaching Eid and to commemorate this breezy and blessing day, we will stop our attack operations during the coming days”. If this were true, the attack is not part of the series of DDOS by this group. So, does this DDOS point to potential fraudulent intentions rather than being merely hacktivism?

Mike Smith, a Security Evangelist with Akamai, says that the degree of automation found in DDOS attacks suggests fraud as the motive. Referring to the process where the attackers are looking for targets that have footprints on employees’ desktops, Smith argues that finding such footprints increases the amount of information that can be scanned from the target’s network. This can lead one to the proposition that the Citigroup outage on 31 October probably had fraud as the motive and is not a continuation of the earlier DDOS attacks.

A counter to this proposition comes from another set of researchers who believe that Hurricane Sandy was responsible for the outage and that it was not a DDOS. Their argument: the outage is the result of the impact of Hurricane Sandy on the infrastructure that supported the servers at the Bank. Leading this thought is John Walker, a member of the European Network and Information Security Agency (ENISA) security experts’ team. Interdependencies between networks, especially cellular networks and service providers, mean that when one of them is affected the others are too, and this complicates outages during natural disasters, argues Walker. These dependencies will at best bring down mobile banking, as happened to Citigroup, but cannot account for the outage of the online systems. To that extent, Walker has some explaining to do if his theory is to be validated.

Presenting another dimension to this debate is the data available from the research work at Nottingham Trent University’s Computing and Informatics Department. Analysis of Internet traffic patterns points to the fact that as Hurricane Sandy was attacking the physical infrastructure of the Banks on the east coast, vectors of cyber attack increased in the Midwest and along the East Coast. On this statistic, Walker agrees that internet traffic data for October 31 suggests that attackers went on to hit institutions that were struggling to recover from the Hurricane.

There is a third view: that it is incorrect to pinpoint any one factor as causing an outage of Citigroup’s mobile and online services. A strong votary of this approach is Matt Wilson of VeriSign. Wilson believes that “there are literally thousands of possible reasons for an outage. Anyone suggesting that it’s DDOS or tied to any particular external event is literally guessing unless Citi verifies it.” Andrew Brent, Citi spokesman, declined to comment.

The cause of this outage will remain a mystery, with multiple pieces of evidence pointing to different reasons, and it can only be understood when Citi clarifies the cause. The common users of banking services, ones like you and I, are more worried now; if the traffic patterns during the disastrous Hurricane are to be believed, are the banks capable of managing the combined onslaught of future versions of Sandy and the Hacker?

DO YOU KNOW?
Hurricane Sandy was the deadliest tropical cyclone of the 2012 hurricane season. It caused an estimated damage of $75 billion, and to that extent is the second-costliest hurricane in US history, behind Hurricane Katrina. At least 285 people were killed in seven countries. Because of the widespread damage the storm caused, the media nicknamed it “Superstorm Sandy”.

DO YOU KNOW?
The technology behind the Internet began back in the 1960s at MIT. The first message ever to be transmitted was “LO”. Why? The user had attempted to type LOGIN, but the network crashed after the second letter; the G never arrived.

Do we have to say it? Yes, the world is now in our hands; thanks to the Internet.
  19. 19. 192PATCO Ruling –Wake up call for banks?PATCO was obviously happy at the reversal of the order ofthe District Court’s judgment in a case where PATCO suedtheir bankers for negligence resulting in ACH and wire fraudrelated loss of over half a million dollars; $ 588,851 to beprecise. The bankers, People’s United, formerly Ocean Bank,contended that they had met the security requirements andthat PATCO had agreed to this set of security implementationwhile signing the electronic banking agreement.In response to PATCO’s specific charge that the Bank didnot fully comply with the FFIEC requirements for security of“It is a wakeup call for the Banks”, said MarkPatterson, co-owner of PATCO Construction Inc.,while reacting to the judgment of the United StatesCourt of Appeals for the First Circuit in Boston.
electronic banking systems, the Bank argued that it had implemented serious security and authentication features like: User ID and Password; Device Identification; Risk Profiling; Challenge Question; Dollar Amount Rule; and e-Fraud Network. The lower court accepted this position while dismissing PATCO’s claims against the Bank. The judgment raised a few other questions of law but agreed with what the Bank had done in terms of security as being ‘commercially reasonable.’ The Appeals Court overruled the lower court’s judgment and maintained that the security was ‘commercially unreasonable.’ The fact that this ruling came from a Federal Court is “a big thing”, says Avivah Litan at Gartner. The ruling points to the failure of the Bank, evidenced in its not implementing the key security measures that are used regularly by the banking community, namely: Out of Band Authentication; User Selected Picture function; Tokens; and Monitoring.

This is the second case in the recent past when the judiciary has found fault with the Banks for not doing enough to prevent frauds happening via their Net banking systems. In the earlier case involving Comerica Bank, the customer Experi-Metals Inc. sued the bank for negligence resulting in wire / ACH fraud and the court ordered financial restitution. In PATCO’s case, the Appeals Court applied the test of ‘commercial reasonableness’ as defined in Article 4A of the Uniform Commercial Code and ruled against the bank.

A close study of this case brings home two important lessons. First, banks must understand the conceptualization of the security measures. Secondly, they must build a process to correctly and completely interpret reports and alerts from the security systems. People’s United had implemented a system
that will force the User to go through an additional authentication process when the transaction value exceeds a base value. This had been earlier set to $100,000 but was reduced to $1. This literally killed its risk scoring system, which considered multiple variables including the additional authentication process triggered by values exceeding a cut-off amount. As the Appeals Court observed, “When Ocean Bank lowered the dollar amount rule from $100,000 to $1, it deprived the complex Jack Henry Risk Scoring system of its core functionality.” The lowering of this threshold dollar value resulted in the challenge questions and responses being entered more frequently, thus increasing the probability of key loggers capturing them and abusing them.

I have seen this happen elsewhere too – implementing security with scant regard to its underlying conceptualization. Recently, I was speaking to a security professional who said she had a very comprehensive password policy in her organization; also a Bank. I was interested and wanted to know details and she rattled off eleven different rules that constituted the password policy. She said that the password had to be changed every thirty days and I asked if she would encourage a shorter life for a given password. Her response was typical. She said no one would like to do that since that would be inconvenient. Persistent as I was, I asked what she would do if one were to change it every Monday. She would be happy, she said, and I asked if she would be happier if it happened daily. She agreed she would be happier at the stronger security. I pointed to the password history policy of
ten past passwords, which was interpreted to mean that the same password would not repeat for 300 days – 30 days and ten unique passwords. But if she permitted a change every day, the password could repeat every 10 days; at least in theory this is possible. And that would defeat the very purpose that it sought to serve!

Ocean Bank’s reduction of the threshold amount for further authentication to $1 was similar to the password change policy – a clear case of not getting to grips with the conceptual foundation of the security process. Another view is that any “one-size-fits-all” approach, as it happened in the Ocean Bank case, will not work in security implementations and each security implementation has to be tailor-made.

Next, we have the question of interpreting the reports provided by security systems. In the PATCO case, Ocean Bank did not react to the high-risk scores that were generated by the Risk Scoring system in respect of each of the fraudulent transactions. The red flags appear to have made no impact at all. Mark what the court noted: the risk score for normal transactions of PATCO had never crossed 214 on a scale of 1-1000. In respect of each of the fraudulent transactions, the risk scoring system had thrown up a risk score around 750. This is surely abnormal compared to the highest score of 214 in the normal course; but these red flags were just ignored. As Joe Burton, a former Assistant US Attorney, said: “It’s not enough just to have a generally accepted security procedure in place if that procedure is not implemented in a way that makes sense. That’s the conduct aspect that has to do with the actual security and not just the check-box.”

These two factors appear to have weighed heavily in favour of PATCO in the Court of Appeal.
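The two lessons of this chapter can be made concrete in a small simulation. The example below is added for this edition; it is not code from the book, from PATCO, from the bank, or from any risk-scoring product. The transactions, their scores, the set of known-good transactions and the 2x alert ratio are all constructed assumptions. It shows, first, how a dollar-amount rule lowered from $100,000 to $1 stops discriminating between routine and unusual transfers (the challenge fires on every transaction), and second, how transactions scoring around 750 against a legitimate maximum of 214 are only held for review if the alert logic is actually acted upon.

```python
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Transaction:
    tx_id: str
    amount_usd: float
    risk_score: int  # 1-1000, from a hypothetical risk-scoring engine


# Constructed sample data (not figures from any real bank system): routine
# transfers scoring at or under 214, and four transfers scoring around 750,
# mirroring the pattern the chapter attributes to the PATCO case.
SAMPLE_TRANSACTIONS: List[Transaction] = [
    Transaction("t1", 12_500.00, 120),
    Transaction("t2", 9_800.00, 180),
    Transaction("t3", 11_200.00, 214),
    Transaction("t4", 56_000.00, 748),
    Transaction("t5", 72_000.00, 760),
    Transaction("t6", 8_900.00, 150),
    Transaction("t7", 61_500.00, 751),
    Transaction("t8", 115_000.00, 755),
]

# Transactions the bank has already reviewed and knows to be legitimate
# (constructed); they define the baseline for a "normal" risk score.
KNOWN_GOOD: Set[str] = {"t1", "t2", "t3", "t6"}


def step_up_required(tx: Transaction, dollar_threshold: float) -> bool:
    """The 'dollar amount rule': challenge questions only above the threshold."""
    return tx.amount_usd > dollar_threshold


def step_up_rate(transactions: Iterable[Transaction], dollar_threshold: float) -> float:
    """Fraction of transactions that trigger the challenge questions.

    A rule that fires on every transaction no longer separates unusual from
    routine activity, and exposes the challenge answers on every session.
    """
    txs = list(transactions)
    triggered = sum(step_up_required(t, dollar_threshold) for t in txs)
    return triggered / len(txs)


def baseline_max_score(transactions: Iterable[Transaction], known_good: Set[str]) -> int:
    """Highest risk score ever seen on transactions known to be legitimate."""
    return max(t.risk_score for t in transactions if t.tx_id in known_good)


def flag_anomalous(transactions: Iterable[Transaction], baseline_max: int,
                   ratio: float = 2.0) -> List[Transaction]:
    """Transactions scoring at least `ratio` times the legitimate baseline.

    `ratio` is a constructed tuning parameter, not a value from any product.
    """
    return [t for t in transactions if t.risk_score >= ratio * baseline_max]


def process(transactions: List[Transaction], baseline_max: int,
            act_on_alerts: bool) -> Tuple[List[str], List[str]]:
    """Release or hold each transaction; returns (released_ids, held_ids).

    `act_on_alerts=False` models the failure the chapter describes: scores are
    computed and red flags raised, but a high score changes nothing.
    """
    anomalous = {t.tx_id for t in flag_anomalous(transactions, baseline_max)}
    held = [t.tx_id for t in transactions if act_on_alerts and t.tx_id in anomalous]
    released = [t.tx_id for t in transactions if t.tx_id not in held]
    return released, held


if __name__ == "__main__":
    baseline = baseline_max_score(SAMPLE_TRANSACTIONS, KNOWN_GOOD)
    print("legitimate baseline max score:", baseline)
    for threshold in (100_000, 1):
        print(f"step-up rate at ${threshold:,}:",
              step_up_rate(SAMPLE_TRANSACTIONS, threshold))
    for act in (False, True):
        released, held = process(SAMPLE_TRANSACTIONS, baseline, act_on_alerts=act)
        print(f"act_on_alerts={act}: released={released} held={held}")
```

With the $100,000 rule only one of the eight sample transfers triggers step-up; at $1 all eight do, so the challenge carries no information and is typed in on every login. Independently of the dollar rule, the four transfers scoring around 750 sit well above twice the legitimate maximum of 214, and the only thing that changes whether they are held is whether `process` is told to act on the flag.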
3 Will the Real Hacker please stand up?

Many people who have been called hackers, especially by the media, or who have gotten in trouble for “hacking” were not, in fact, hackers.

TWO events that happened in December 2012 startled me. First was the release of Version 2.0 of the courseware for “Hackers High School” by ISECOM. The second was Nicholas Negroponte telling the MIT Technology Review Conference about how “illiterate children” in Ethiopia hacked the Android! Both took some time to assimilate since they exposed a totally new dimension to hacking. We will look first at the attempts to sensitize normal computer users to the nuances of hacking.
All through, we have decried hacking as a crime, an evil attitude, something to be dealt with sternly, etc. I have always spoken about the serious financial damages done to banks by people who hacked into BFSI information systems. Then, why are “Hackers High Schools” being run? Will it generate a new generation of hackers or train a new breed of people with hacking skills? The introduction to the “Hackers High School” program has this to say, for a start: Many people who have been called hackers, especially by the media, or who have gotten in trouble for “hacking” were not, in fact, hackers. So, we are now a bit confused and would like to know who are the hackers the society is targeting?

The term “hacker” has been understood differently based on the profile of the person who “hacks.” Applied in the computer security context, it retains its notorious connotation of a person who circumvents or damages the controls to gain access to computer resources. In the programming world, a hacker resorts to a non-authoritarian approach to software development, and they are the ones who create and spearhead the free software movement. Interestingly, some even have “Hacker” as a surname. We have Col. Francis Hacker who fought in the English Civil War in the seventeenth century; we have Katrina Hacker, the American figure skater, and George Hacker, head of the Alcohol Policies Project!

The “Hackers High School” project is based on the belief that hacking is research. It is a kind of challenge-response situation where the “hacker” is challenged by network security implementations and wants to know if the system is really secured. This has some similarities to destructive testing of metals to determine how much stress the metal can stand before breaking down. But the comparison stops there. In
destructive metal testing, only a small sample is tested while the “hacker” has before him a live production system processing real time data. While the hacking process is sought to be given its due status of legitimacy as research, the intent is to distinguish between the research-driven hacker and the crime-driven hacker. Hacking with a criminal intent is surely crime, but how do we go about establishing or demonstrating this? We fall back on the extensive judicial thought and pronouncements relating to mens rea and actus reus, the two very important elements in the criminal justice dispensation.

Drawn from a complex Latin maxim of common law, mens rea propounds the principle that the act does not make a person guilty unless the mind is also guilty. “Hackers High School” is based on this belief when they teach the young participants the principles of computer architecture, networking and the process of analyzing attacks on systems. Will someone stop with only researching or will they abuse this? That’s hard to answer. But the “Hackers High School” has a point. If you educate the young on the process and perils of attacks on information systems, they tend to keep their systems secure or even end up evangelizing secure computing.

DO YOU KNOW? “I’m still a hacker. I get paid for it now. I never received any monetary gain from the hacking I did before. The main difference in what I do now compared to what I did then is that I now do it with authorization.” – Kevin Mitnick

The formal and structured exposure to information systems architecture and vulnerabilities is likely to ensure that the participants do not seek this knowledge from those who entice them into becoming malicious intruders. In addition to the guilty mindedness, we have another essential condition
to be satisfied for criminal liability, viz. actus reus, which refers to the criminal act being actually committed. The project to make the next generation understand the perils of hacking and to orient them towards being better and well informed netizens steers clear of any possible damage, by taking the participants through a process of discovery, research and understanding the limits.

I get a number of graduate students who want to do an internship with us. The first question I ask them relates to their interest in security, their objective of doing the internship with a security consulting organization, and their expected takeaway at the end. I have more than 85 percent of them telling me frankly that they want to learn hacking! In the same breath, they will also tell me that they want to learn hacking so that they can defend the information assets from being abused. Interestingly, none of these young security aspirants ever told me that they want to understand the network protocols or the IP packet architecture or the realms of cryptography to keep their systems secure.

I was recently talking to a group of senior uniformed officers and sprang a surprise by asking all those who have either hacked a system or have at least attempted to hack a system to raise their hands. Understandably, none did. But after some persuasive talk, I got about a dozen of them admitting that they have tried but did not go far. Neither these graduate students nor the officers had malicious intentions, but the attraction to look through a secure network drives many and this attraction will continue unabated.

In such a societal context, it will make sense to determine who is a hacker and who is hack-curious.
4 Juvenile Hackers

We have heard of Android attacked and hacked a number of times in the recent past. Hacking into the Android is in itself not newsworthy.

BUT what made me sit up, review and write this column is the profile of the person who successfully hacked into Android. No, it is not the typical geek with his snazzy technology tricks nor is it a serious researcher looking to do a vulnerability assessment of Android in order to strengthen it. It is the most unexpected profile of a hacker – five to seven year olds who had no formal instruction in computing! Yes; it all happened as an unexpected fallout of the OLPC (One Laptop Per Child) project in Ethiopia.

Here is what OLPC founder Nicholas Negroponte told MIT Technology Review’s EmTech Conference: “We left the boxes in the village. Closed. Taped shut. No instruction. No
human being. I thought the kids would play with the boxes! Within four minutes, one kid not only opened the box but found the on/off switch. He’d never seen an on/off switch before in his life. He powered it up. Within five days, they were using 47 apps per child per day. Within two weeks, they were singing ABC songs [in English] in the village. And within five months, they had hacked Android. Some idiot in our organization or in the Media Lab had disabled the camera! And they figured out it had a camera, and they hacked Android.”

The findings of the OLPC Project in Ethiopia are indeed an eye-opener. OLPC, started with a view to delivering technology as a means of improving traditional curricula, has been trying to help the kids ‘learn’ rather than ‘read.’ OLPC has realized in their five plus years of work that it is important for the children to learn by teaching themselves. The children really taught themselves and one of the things they taught themselves resulted in hacking the Android!

Surely there is no mens rea in this hacking effort by the kid in Ethiopia; so we are not taking that kid Android hacker to court, but this sets me thinking of the power of curiosity. This child is unlikely to emerge as a malicious hacker since it has seen the ‘good’ thrill in hacking. It is more likely to channel its energies into the positive aspects of this process rather than try and damage computer systems; or so I would like to believe. Contemporary studies on the anthropology of hacking may take a different position and people like Gabriella Coleman may take a different view. If we went by the popularity of DefCon Kids, in its third year now, it would appear that a large number of those concerned with juvenile hacking strongly believe that it is better to teach
them hacking as it happens and also let them understand the perils of indulging in it and the ways to defend against it. But have all those who had learnt hacking as youngsters really used that knowledge for defending their systems against hackers or have they ‘abused’ that knowledge?

This takes me back to understanding the myriad of perceptions on hacking. In the last chapter, I had talked of the Hackers High School and wondered if it will provide the desired results it sought to get or would it be a fertile ground for creating a new generation of hackers who have also been taught the traditional approaches to counter the hackers’ exploits. This fear about the fallout of ‘catch-them-young and train-them-correct’ is credible if we were to look at an FBI indictment dated the 26th of June 2012. It names twelve arrested defendants arraigned before the court at the end of a two year undercover operation that is said to have protected over 400,000 potential cybercrime victims and prevented over $205 million in losses. Interestingly, of the 12 arrested, five are in their teens and the rest are just barely above 20. Add to this various high profile minor hackers like ‘Cosmo the God’ who was handed a rather unusual sentence last November. A juvenile court in Long Beach, CA sentenced him to what Sam Biddle, writing in Gizmodo, calls the ‘hacker’s death sentence.’

Cosmo the God, a juvenile who will take six long years to reach his age of 21 for release, has been sentenced “…not to use the internet without prior consent from his parole officer.
Nor will he be allowed to use the Internet in an unsupervised manner, or for any purposes other than education-related ones. He is required to hand over all of his account logins and passwords. He must disclose in writing any devices that he has access to that have the capability to connect to a network. He is prohibited from having contact with any members or associates of UG Nazi or Anonymous, along with a specified list of other individuals. He forfeits all the computers and other items seized in the raid on his home.”

Hannah Sweet tweeted in protest: You cannot arrest an idea. Jay Leiderman, a LA attorney who represented alleged members of ‘Anonymous’, opined that they could have locked him up for three years straight and then released him on juvenile parole; but to keep someone away from the Internet for six years seems unduly harsh.

Now this brings us to the voices being heard around the globe for a revisit of Sentencing Guidelines, particularly when it concerns cyber criminals. Today, there is no clarity on the considerations that will guide punishing cyber criminals. Three years ago, I pleaded at the International Criminology Congress in Stockholm for the judiciary to recognize that the cyber criminal is not to be locked up as a traditional criminal, as his competencies and skills can be used while still being sentenced. Moreover, he can be made to be a useful member of the society after release. Leiderman argues, “At some point after getting on the right path, he could do some really good things.”

Sentencing juvenile cyber criminals by asking them not to connect to the Internet is viewed by some as the equivalent of taking away Mozart’s piano.
5 ZERO IQ…

On 20 June 2012, a magistrate in the Southern District of New York issued a warrant of arrest against a person whose nick name, amongst others, was ZeroIQ.

US MAGISTRATES issuing warrants of arrest is nothing new, but this warrant was for a cyber crime against a named individual; something not often done in view of the many difficulties encountered in identifying the accused.

Jarand Moen Romtveit, a Norwegian now in the FBI net, also known as ‘Zero’ or ‘ZeroIQ’ in the underground carding forums, ran a successful underground shop; selling stolen credit cards. He can be regarded as a small player in the underground economy that has both one-man enterprises
like Jarand’s as also multi-men unincorporated enterprises, whose owners are hard to identify.

FBI carried out a well-orchestrated sting operation that trapped Jarand. This case raises the question: “on the Internet, how anonymous can anonymous be?” Somewhere down the line, the FBI succeeded in piercing the veil of anonymity afforded by the Net. That process is interesting as it reinforces the overarching human failings that neutralise the anonymity offered by technology.

The trap and the crime

FBI set up an undercover carding forum enticing all players in the stolen credit card business to use it as an electronic clearing house to offer, discuss and put through deals in stolen credit cards and bank account information. It is not known how many the FBI could successfully entice to use their underground forum, but they surely succeeded in getting Jarand hooked to it. Not only did Jarand advertise his stolen credit card information for sale but he also got dangerously close to the administrator of the forum, who was a special agent of the FBI. One wonders how stupid one can get.

Jarand would ‘brute force’ his way through password protected databases of credit cards. He brute-forced through hotel and restaurant databases that had customer credit card details and in a couple of instances, he also successfully bypassed the security perimeter of banks to go beyond credit card numbers – he got through to account holder information. He also managed to penetrate through web site security and collected information stored on web back-ends. Being a one man show, he had limited time and
resources at his disposal and traded in batches of 30 to 40 credit cards.

The underground carding forum run by FBI collected the IP addresses from which each of the participants logged in and communicated with the forum. As part of the pre-condition for registration at the forum, a valid e-mail ID was required, to which the validation code was sent. Jarand used a valid mail ID and that contained some pointers to his identity. This was his second give-in; the first being his misjudging the carding forum administrator’s true identity. FBI continued to keep an active conversation going with Jarand and moved to a point where the accused started sharing his attack screen shots with the carding forum administrator, namely the undercover FBI agent. He threw caution to the winds and at once shared his Facebook page with the FBI agent who continued to pose as the organiser of the underground carding forum.

Brute force attack: It is a listing of commonly used passwords. The programme tries these and also runs through combinations of letters and numbers until it gets a match. These attacks can take several hours, days, months, and even years to run. It depends on how complicated the password is and how well the attacker knows the target.

The noose tightens

The FBI started to tighten the noose around Jarand’s neck by offering him an Apple laptop in return for his giving valid stolen credit card ‘dumps;’ i.e., complete information available on the magnetic strip on the reverse of the credit cards. Jarand walked into the trap by giving them the relevant details. The FBI had its authenticity verified with the card
issuing company and more than 80 per cent of the ‘dumps’ data sent in by Jarand were found to be “valid, current and with credit available for use.”

The FBI then alerted the card issuers, who in turn cautioned the card holders of the compromise and replaced their cards. To trap Jarand fully and to establish his identity, the undercover agent wanted him to pay for the shipping of the laptop, which was done through Western Union, and the remitter details matched what the FBI already knew about Jarand. The laptop was delivered to an address mentioned by Jarand and, with the help of Norwegian police, it was established that a person by the name of Jarand Moen Romtveit actually lived at the place where the laptop was delivered. The courier who delivered the laptop to Jarand identified him from a photograph of Jarand picked up from publicly available sources in Norway. Jarand was completely identified as the person who trades as ‘ZeroIQ’ on the undercover carding forum established by FBI.

Special agent John Leo Jr. appealed to US Magistrate Andrew J Peck for a warrant of arrest of Jarand Moen Romtveit, which was readily issued.

Lessons and questions

This case brings out both the “painstaking investigation” by the Special Agent John Leo and the ‘behaviour’ of Jarand. Crime risk theory in criminology tells us that every criminal carries out a risk assessment of his proposed action. Theory argues that every criminal assesses the risks involved in the proposed action, barring spur of the moment crimes which have more to do with an unstable mind that was emotionally disturbed
at the point of crime. In the case of cyber crimes, one of the factors that is favorable to committing crime, and hence weighs heavily when assessing the risks involved, is the anonymity over the Internet. Jarand gave in and vindicated Edmond Locard, who famously said, “every contact leaves a trace.” This is often quoted by crime investigators who say: “every criminal leaves some evidence.”

Surely, law enforcement has reason to cheer after arraigning Jarand, but a number of issues will remain difficult to resolve when dealing with cyber crimes.

First will be the difficulty in piercing the veil of anonymity that the Internet so conveniently offers, since not all who use the Internet’s underground economy are as gullible as Jarand. We cannot resist wondering whether his Net name ‘ZeroIQ’ was a premonition of how he would behave!

Second is the growing interest in the underground economy, with some ‘entrepreneurs’ having established manufacturing facilities for card skimming devices and exporting them worldwide.

Third is something that can be dangerous – the shift in control over cyber crimes from techies and script kiddies to organised crime gangs. This brings in the power of money, reach and silencing to the otherwise technology centric activity – cyber crimes.

DO YOU KNOW? It was G K Chesterton who said: “It isn’t that they can’t see the solution. It is that they can’t see the problem.” That’s increasingly true today of quite a few problems that we face on the Internet.
“The battle between the cyber cops and the cyber criminals is a mind game; like the game of chess.”
6 Operation High Roller

Recently, Prof. Udo Helmbrecht, Executive Director of the European Network and Information Security Agency (ENISA), did a Willie Sutton when he said, “Criminals go where the money is; Bank robbers go online.”

YEARS ago, Willie Sutton, who had robbed US $2 million during a criminal career that spanned four decades, when asked, “Why did you rob the bank?” famously told journalist Mitch Ohnstad, “Because, that is where the money is!”

Prof. Helmbrecht was responding to a new form of online robbery happening in the banking systems called ‘High
Roller,’ a term borrowed from the gambling world. High Rollers refer to those playing for very high stakes. In the online banking world, High Rollers are those who maintain large balances in their accounts.

Money mules...

Manipulating and stealing using online transaction systems are not new; but what is now making news is that the attackers are becoming selective in their approach. They are looking into account balance databases and targeting only those whose balances are above a threshold that each hacker sets for himself. The second unique characteristic of High Roller attacks is the significant increase in the automation of the whole process and the use of anonymous mule accounts to transfer and forward the ill-gotten money. The shift to reliance on server side manipulation, in contrast to earlier client side manipulation, marks the third deviation from traditional online stealing. The rapidity of shift in the command and control centres used for the attack is the fourth significant differentiator of this new generation attack. In the sixty days before the attack landed on the laps of the US banking system, the domain from where attacks originated was first registered in Ukraine and later reconfigured to point to an ISP in Russia; then moved to an ISP in Arizona; shifted to Brazil and returned to California, from where a victim bank in Ohio was successfully compromised. Each of these shifts involved identification and control of active and passive mule accounts, or money mules as they are more popularly referred to.
Money Mules

A “money mule” is a person, an intermediary, that receives potentially illegally obtained money from someone and redirects it to someone else. Of course, the intermediary receives a share of the transaction. In other words, this is nothing else than money laundering.

The basic process of muling is relatively simple:
• job advertisement offers work as ‘financial agent’ or similar service
• job seeker signs up and opens, or allows access to, domestic bank account
• fraudsters transfer money from scam victims to job seeker’s account
• job seeker transfers money to fraudster overseas
• job seeker receives ‘commission’
• job seeker is open to prosecution by domestic authorities for money laundering

Dissecting Operations High-Roller

A research report titled “Dissecting Operations High Roller” released by Guardian Analytics and McAfee is the first available comprehensive study on Operations High Roller. This report, released in June 2012, points to successful on-line heists in Italy, Germany and the Netherlands, later spreading to the United States. As we carefully analyze the timeline of successful attacks being identified, we see the degree of attack sophistication and value-at-loss increasing with the passage of time. In the Italian attack, the attackers transferred a small fixed percentage of the balance, around 3 per cent, or a fixed sum of roughly €500 to bank accounts from where it was instantly withdrawn.

Emboldened by the success in Italy, the stakes were upped in Germany. Available log analysis of attack data point to
the compromise of 176 accounts covering multiple banks, and the average amount involved in the illegal transfer was €5499. The average balance in the compromised accounts was €47,924. The attack on the German Banks resulted in a total transfer of about a million Euros to various mule accounts, mostly in Portugal, Greece and the UK.

March 2012 saw a concerted attack on two Dutch banks and this time the attack came from servers hosted within the US. The stakes were significantly higher and the amount of transfers initiated to the mules aggregated €35.5 million. The attackers had shifted their focus from high net worth individuals to corporate accounts, the primary benefit being the higher threshold for corporate transactions contained in anti-money laundering legislation and a lesser propensity to scrutiny, since corporate accounts have a large number of transfers happening on a regular basis. The server which was used to attack the banks in the Netherlands was also used to attack US banks, where 109 accounts were reportedly compromised, though we have no details of the aggregate amount involved in the fraud.

These fraudulent transactions elicited different kinds of responses from various stakeholders. One set of security professionals argue that High Roller fraud is old hat and that it is just a more sophisticated version of known on-line heists. Another set of professionals say that this represents a new genre of on-line banking frauds since the attack processes used are significantly superior to the current knowledge and skills available.
Infection of PCs

In response to these developments, ENISA has issued an advisory to European banks containing three very significant recommendations. The first is both important and interesting. It said that for a bank it is safer to assume that all of its customers’ PCs are infected – and the banks should therefore take protection measures to deal with this. This blanket assumption on the possible infection of all of the customers’ PCs may sound to be a good security precaution, but it deviates from the principle that is generally used to build end-to-end security mechanisms, viz., the user has a role to play in protecting his end of the network and his contributory negligence in deviating from secure practices can leave him with no recourse to relief in the case of an on-line fraud. However, even before ENISA had recommended that banks should assume that all PCs should be treated as infected, judicial pronouncements have been moving in this direction, where greater responsibility is cast on the bank to the extent of obligating them to monitor customer transactions and to act on pointers to fraud.

Top Hosting Countries: The U.S. saw an increase of ten per cent in the number of phishing attacks it hosted in May – increasing to 66 per cent, or two out of every three attacks. Brazil remained a top host with nine per cent and Germany with four per cent.

Do banks monitor?

Experi-Metals sued Comerica Bank in Michigan last year in a case where fraudsters tried to move millions of dollars from Experi-Metals’ account to mules in East Europe in a matter of a few hours. By the time the bank’s fraud monitoring unit neutralised the attack, a sum of US $560,000 had been
transferred. It was J P Morgan Chase that alerted Comerica about abnormal transactions going through their servers and ending up in East Europe. Fraudsters used J P Morgan servers since, being a much larger institution, the transfers could go unnoticed there. Ruling in this case, Judge Patrick Duggan of the U.S. District Court for the Eastern District of Michigan said that the bank should have done a better job of stopping the fraud. “A bank dealing fairly with its customers, under these circumstances, would have detected and/or stopped the fraudulent wire activity earlier,” said the Judge and asked Comerica to cover the losses.

Losing battle on fraud prevention?

With this judicial thought process and the advice of ENISA, a clear shift is happening; the responsibility will be fixed for on-line frauds in the future. Even assuming that banks build an end-to-end security process, it will be impossible to do anything meaningful unless there is far more international cooperation enabling quick shutting down of command and control centers used by fraudsters.

These centers have been moving across nations, making it almost impossible to track them down. Are we heading towards a losing battle with the on-line banking fraudsters, or will these developments motivate the banks to put in place a more robust fraud prevention system without making any assumptions regarding the end-user role in fraud prevention? It is becoming increasingly clear that banks need to fight the battle both technologically and legally, cutting across national boundaries.
7. CITADEL: The collaboration suite of cyber criminals

Cyber criminals are beginning to have a ball. They are not only able to hoodwink the lay user; they are even able to stump the tech savvy player. Welcome to a cyber crime collaboration suite: Citadel.

IN AUGUST 2012, the Federal Bureau of Investigation (FBI) sounded a stern alert about Citadel. Based on references from IC3 (the Internet Crime Complaint Center), the FBI warned of a new ransomware called Reveton, delivered through the malware platform Citadel. IC3 describes the threat as: "The ransomware lures the victim to a drive-by download website, at which time the
ransomware is installed on the user's computer. Once installed, the computer freezes and a screen is displayed warning the user they have violated United States Federal Law. The message further declares that the user's IP address was identified by the Federal Bureau of Investigation as visiting child pornography and other illegal content".

Warning of fine and jail term!

An infected web user gets a message that reads something like the following:

"Your IP address is: xxx.xxx.xxx.xxx. Your location is identified as: xxxxx. Your PC is blocked due to at least one of the following reasons: You have been viewing or distributing prohibited pornographic content (child porno etc.) thus violating Article 202 of Criminal Code of United States of America. Article 202 provides for deprivation of liberty for four to twelve years. Illegal access has been initiated from your PC with or without your knowledge or consent. Your PC may be infected by malware, thus you are violating the law on Neglectful use of Personal Computers, Article 210 of the Criminal Code which provides for fine up to $ 100,000 and/or deprivation of liberty for four to nine years."

The legal citations are invented; there is no such "Article 202" or "Article 210" in US federal law, and the fake statute is part of the scare. Typical users are worried nonetheless, particularly when they find that their location is correctly identified in the message, and a tech savvy user sees his IP address accurately mentioned in the notice. The typical user panics and goes on to read the message further, which identifies his residence and state and directs him to pay a penalty, offering relief from a jail term
as it is a first-time offence. The fine, ostensibly paid to the US Department of Justice, is to be paid using a prepaid card service, which has to be purchased using the computer user's credit card or through an on-line bank transfer. This is the icing on the cake for the cyber criminal. The ransomware has already installed a key logger that captures the banking and credit card credentials typed in for that purchase and passes them on to the perpetrator of this attack. In other words, the victim pays a 'fine' and also hands his banking and credit card credentials to the attacker.

BE AWARE: Even if you are able to unfreeze your computer on your own, the malware may still operate in the background. Certain types of malware have been known to capture personal information such as user names, passwords, and credit card numbers through embedded keystroke logging programmes.

Why not ignore?

Why not ignore the warning message and go on as though nothing happened? Here's why. The computer freezes with the display of the warning message and gets back to normalcy only when the 'fine' is paid to the attacker, who successfully masquerades as the US Department of Justice collecting the 'fine.' Some security vendors who have started researching the traffic and the process tell us something very interesting. They have found that some traffic is encrypted to ensure that the use of digital forensic techniques to trace the origin becomes difficult. If we were to agree with Etay Maor, who heads RSA's FraudAction Research Lab, this "is a technically advanced Trojan" that combines the lethal powers of ransomware and stealth access to banking credentials.
Can users be so very naïve as to fall for this? Quite a few considerations come up.

One, the message appearing on victim screens looks real. There isn't any sign of it being a fake.

Secondly, the infected computers do not give you the choice of ignoring it, since the system freezes and can be brought back to normalcy only upon paying the 'fine.'

Thirdly, while the victim is contemplating doing something smart to thwart the attack, the Trojan is already searching for stored credentials.

Fourthly, the correct location and IP address of the victim displayed in the message unnerves even some of the tougher victims, who start thinking: what if this were really from the FBI?

Fifthly, if the victim does decide to pay the ransom, he is forced to pay through a prepaid card service, and the key logger already on the machine collects the credit card and bank log-in and transaction credentials used for that purchase and passes them on to the cyber criminals.

After paying the 'fine' and having the computer system unfreeze, what is the guarantee that the key logger that was clandestinely installed on the system has been removed? Users have tried to remove the Trojan using known methods of malware removal. But to their discomfort, an FBI advisory on Citadel issued in the third week of August has this to say: "Be aware that even if you are able to unfreeze your computer on your own, the malware may still operate in the background. Certain types of malware have been known to capture personal information such as user names, passwords, and credit card numbers through embedded keystroke logging programmes."
A lethal combination...

Avivah Litan, a financial fraud analyst with Gartner, has a different perspective. She says that the attack methods are not uniquely different from traditional key-logger and Zeus methods. But, says Litan, what is lethal here is the combination and packaging of various tried-and-true hacking techniques. So, how do we sort this issue out? The solution has to be a combination of a higher degree of awareness and significant strides in Trojan research and anti-malware solutions.

DO YOU KNOW? The very first spam mail was sent in 1978. That year DEC released a new product. An innovative DEC marketer sent a mass email to 600 users and administrators of the ARPANET (the precursor of the Internet). The poor guy who had typed it all in didn't understand the system, and ended up typing the addresses first into the SUBJECT:, which then overflowed into the TO: field, the CC: field, and finally into the email body too! The reaction of the recipients was much the same fury as users today. It wasn't until later, though, that the term "spam" would be born.

I personally feel that the best of technology will not work till the user knows quite a bit more about the system, his connectivity to the internet and his vulnerability. I recently showed a screenshot of a Reveton infected system to five people, each a successful and distinguished person, and got interesting responses. A common response was to point to the captured IP address and location and say that it clearly indicates how well the FBI was monitoring illegal activity. When informed that whenever they book an airline ticket on-line, the ticket states that the booking was done from a given IP address, and shown the simple process
to determine geographical location from their log-in, they said they knew it, since they had seen it on their e-tickets! Despite this knowledge, they credited the FBI with monitoring illegal activity effectively.

Do we not have a very strong case for a massive increase in awareness among users of on-line services?
8. They promised. They delivered!

If you promise, you must deliver on the promise. At least that's what the customer expects. But what if you promise damage? Would the victim be happy if you deliver?

AND THAT was exactly what many said when the Regions Financial Corporation was successfully attacked by a Distributed Denial of Service (DDoS) attack on 11 October 2012. Regions was the eighth in a series of DDoS attacks that had happened since the last week of September. What stands out in this attack is that it is the last reported in a series of three "announced" attacks. This follows what happened in late September and early October, when four large banks suffered DDoS attacks: Bank of America,
Chase Bank, Wells Fargo and PNC Bank. This list by itself would have created some sensation: four banks suffered DDoS attacks and were brought down, albeit for a few hours, in a short span of two weeks. What happened as a follow-on is not just sensational but disturbing, to say the least.

A hitherto unknown group, Izz ad-Din al-Qassam, claimed credit for these four successful DDoS attacks on American banks. The group would probably have got some press coverage and a bit of attention had they stopped just there. They did something further that amazed cyber crime analysts. On 8 October, this group posted a warning that it would hit Capital One on 9 October, bring down SunTrust on 10 October and attack Regions Bank on the 11th. And they delivered precisely on their promise.

'It is Down Right Now,' an outage monitoring site, published the following status graph on Regions Bank, pointing to the precision in the timing of the attack as warned by this group. The bars in the chart indicate the time taken by the server to respond to a 'ping' or connect request by a user. The smaller the bars, the faster the response time. Zero value bars, as happened on 11 October between 10.09 and 14.14 PST,
indicate there was no response, or the server was down and inaccessible.

To help interpret the chart better, I ran a tool to find how quickly the website www.industrialeconomist.com was responding to user requests and got an average ping response time of 651.61 ms over a four hour period. Compare this with the average ping response time of 1,065.42 ms for the Regions Bank website. This establishes that the Regions web response was still pretty bad even after ostensibly recovering from the attack, at roughly half the speed of response of the website of Industrial Economist! (Such figures depend on where the probe sits and on whether it measures an ICMP echo or a full HTTP request, so the comparison is indicative rather than precise.) Site Down, another site that monitors global sites and their accessibility, reports that the Regions Bank site was completely reset only at 07.05 PST on 12 October. There are, therefore, multiple independent confirmations that Regions Bank was successfully brought down, as cautioned by Izz ad-Din al-Qassam.

DO YOU KNOW? Consultants believe in under-promise and over-deliver. Marketers too should follow that. Let me give you an example. Suppose on a scale of 10 you promise to deliver 8 but end up delivering 7. The customer is unhappy. However, if on the same scale of 10 you promise 5 but deliver 6, the customer is happy. Notice that in the first case you delivered 7 and in the second you delivered 6; yet customer satisfaction in the second case is higher. Phew!

Twenty hours of video from around the world are uploaded to YouTube every minute. The first ever YouTube video was uploaded on April 23rd, 2005, by Jawed Karim (one of the founders of the site), was 18 seconds long and was entitled "Me at the Zoo".

As the banking community eagerly waits to see who the next target is and awaits their announcement, Izz ad-Din al-Qassam has stated that it is now spending time on planning for the attacks over the next few weeks, raising the anxiety levels among cyber crime
watchers and ensuring that a few IT and web administrators have sleepless nights.

What does the attacking group want to achieve, or what do they want to convey? The claim is that they are upset over the anti-Islam movie trailer run on YouTube. This is quite understandable, but a few cyber crime analysts have other versions of the attack motive. One such view comes from Gartner analyst Avivah Litan, who points to "anecdotes about money loss during these attacks. Example: through calls to call centres to get wire transfers done while the website is down." In an interview earlier this year, she had cautioned about banks not being in full conformance with the updated authentication guidelines of the FFIEC and predicted that new attack vectors would wait for websites to be down and use employee accounts as access points, in addition to call centres becoming the preferred route for illegal money transfers.

Has this DDoS attack on the eight banks actually resulted in any fraudulent activity, or has it just been an attention directing technique for a cause dear to the group that has claimed responsibility for these attacks? As of now, none of the victim banks has reported any fraud during or related to these outages.

One common view is that even if the banks did find that a breach had occurred, they are unlikely to share it with the public. At best they could be talking to law enforcement. Not disclosing the real consequences of an attack is a standard practice in financial institutions, since such disclosure could seriously jeopardise their credibility and creditworthiness.
Not just financial institutions; it appears to be the norm for almost all organisations that are victims of cyber attacks. More evidence of this attitude of not disclosing cyber attacks can be found in the various annual surveys on cyber crime conducted by the Computer Security Institute (www.gocsi.com). This is perhaps natural. Who would like to come forward to say that she has been assaulted?

DO YOU KNOW? Of the 247 billion email messages sent every day, 81% are pure spam. According to legend, Amazon became the number one shopping site because in the days before the invention of the search giant Google, Yahoo would list the sites in its directory alphabetically. Google estimates that the Internet today contains about 5 million terabytes of data (1TB = 1,024GB), and claims it has only indexed a mere 0.04% of it all! You could fit the whole Internet on just 200 million Blu-Ray disks!

The Jester, a well-known and controversial hacker, has spoken of an interesting dimension to these attacks. He opines that Anonymous has provided technical support to Izz ad-Din al-Qassam to launch the successful attacks. He has talked of the owner of a pay-per-use DDoS system claiming that members of Anonymous had used his system to support the recent DDoS attacks on the eight US banks. The Jester goes on to allege that Anonymous is actually offering this service to the highest bidder, which till now happens to be Izz ad-Din al-Qassam, implying that the real force behind the attacks is Anonymous.

As analysts are asking for more stringent regulatory controls over the banking system, and the FFIEC is pushing for such enhanced controls at least at the technology level, there is a
voice of dissent heard in Washington DC. Jamie Dimon, a well-known banker and Chairman and CEO of JP Morgan Chase, spoke before the Council on Foreign Relations, where he strongly criticised regulators for inhibiting business. The press quickly surmised his views as coming from a person who, while denying any interest in becoming the Treasury Secretary, actually spoke like one!

I have heard this from many of my banking clients, who keep telling me that the cost of technology use is stringent controls that can stifle growth. I keep repeating that today's banking technology has resulted in higher customer empowerment, and the computer cannot distinguish between a good and a bad customer to be empowered. This justifies the need for greater blanket controls.

Izz ad-Din al-Qassam's successful, time-tabled attacks on eight well-known US banks vindicate the long held belief of many of us that banks need to do more in rolling out and enforcing stringent technology controls to protect their customers.
9. The case of Insider Fraud

A combination of good deterrence and technology that responds to human behavioural tendencies can save our banks millions and increase the sagging confidence in technology systems.

RECENTLY, in a round table session at a professional body, a member of the audience asked me if there is any cyber threat that exists across sizes and geographies. I would probably have thought for a while before answering this question, but for the fact that the response was glaring at me from what has been shaking us up in the recent past: insider fraud. The series of sentencings of senior former managers of banks in the US has made many sit up and wonder what was happening behind the scenes at the banks
and financial institutions. The cases coming to light now don't fit into any size.

At the lower end, we have Willard Scott, former President of Texas' Huntington State Bank, pleading guilty to a charge involving $7,400. At the other end we have the mammoth embezzlement of $22 million over an eight-year period by Gary Foster, former employee of Citigroup's treasury finance department. Willard Scott did it as a single transaction, while Gary Foster did it over eight years. In between these, there are many others. Matthew Walker perpetrated a 16-month operation at Farmers and Merchants Bank in California, where he was Vice President, and netted $2 million. We then have Barbara Rechtzigel, charged with stealing hundreds of thousands of dollars from Minnwest Bank over 14 years!

Insider threats...

At almost the same time as these startling revelations were trying to shake our belief that banks have strong internal control systems, the Software Engineering Institute of Carnegie Mellon University published the findings of its research into insider threats in the US financial services sector. An insider threat, needless to say, is one that comes from people within the organization, like employees, present and former, contractors or business associates, with access to the company's security practices, data and computer systems. This fairly elaborate study sought to answer one key question, viz. what are the observable technical and behavioural precursors of insider fraud in the financial sector and what mitigation strategies should be considered as a result? The
study presents six substantiated findings, and two of them are of interest and concern.

The low and slow fraudsters...

Firstly, the study finds that fraudsters who adopted the "low and slow" approach inflicted more damage and went undetected for longer periods of time. Secondly, the means adopted by insiders were not technically very sophisticated. The combination of these two attributes kept the criminal activity under wraps as far as normal fraud investigations were concerned. To use the technical jargon, the perpetrators understood the clipping levels (the fixed amount or count thresholds at which a monitoring rule raises an alert) and operated well within them, thus escaping detection by the fraud radar systems. This may be a valid finding of the Carnegie Mellon research, but if we look at Gary Foster, he appears to have gone well past the clipping levels: between July and December 2010, he moved around $14 million from the bank's debt adjustment account to the cash account and from there made eight separate wire transfers to his personal accounts maintained outside the bank.

This should surely have raised a whole series of red alerts, as most analysts, including Shirley Inscoe, believe. But it didn't. Inscoe, who authored the widely read book Insidious: How Trusted Employees Steal Millions and Why it's so Hard for Banks to Stop Them, says that "Citi is not alone. Most banks have done a poor job of keeping up with internal threats." According to the
FBI indictment, Foster allegedly used his knowledge of the bank's operations to commit the ultimate inside job.

United States Attorney Lynch expressed her appreciation to Citigroup, which brought the matter to the attention of the FBI and the US Attorney's office. Some eyebrows went up. Reporting a crime is normal and natural; will such a normal and natural action warrant an appreciation from the United States Attorney? Reporting of insider fraud has not reached a point of full reporting.

The Association of Certified Fraud Examiners (ACFE), in its 2012 Report to the Nations, states that many of the victims do not report fraud cases to law enforcement. John Warren, Vice President and General Counsel at ACFE, feels that "many institutions don't report these crimes to law enforcement, in part because they fear reputational damage." The Carnegie Mellon report referenced earlier agrees on the lack of reporting, but points out that fear of reputational damage is only part of the reason for non-reporting. In many cases, the victim organisation may not have enough relevant detail to relate a fraud to a specific individual or group. This adds to the reluctance to report an insider fraud.

Based on a sample of 80 cases, the Carnegie Mellon study also points to another disquieting trend. The average time taken to detect an insider fraud from the time of its start is 32 months and, where reported, it has taken another five months to complete the process; a total of around three years to report a fraud since the time it started! Without considering what such a long elapsed time could do to evidence, particularly when it is digital in nature, we need to ask if early detection could not have arrested significant damage to the bank's assets quite early in the fraud cycle.
Why no early warning systems?

The one question on everyone's mind is why the players in the BFSI segment can't put in some early warning systems. The use of anomaly detection systems and behavioural analytics can surely detect potentially fraudulent events in real time or near real time. But the problem often occurs due to the way we have designed most internal controls. For instance, if the detection system is programmed to raise an attention directing flag when the amount involved exceeds a given amount, the insider plays within that amount to escape attention, since insiders know those thresholds. A control that compares each transaction against a static number therefore has to be supplemented by one that compares it against the account's own history: the rate, the destination and the cumulative total over a window, which are the things a structured "low and slow" pattern cannot keep looking normal.

Technology implementation in fighting frauds must be combined with appropriate non-technology practices like segregation of duties, periodic audits and reduced time between audit findings and the implementation of correction mechanisms. While these will not totally eliminate insider frauds, they will bring them to light faster than the current average lead time of 32 months, if the sample chosen is representative of the population.

DO YOU KNOW? An insider may attempt to steal property or information for personal gain, or to benefit another organization or country. A report published in July 2012 on the insider threat in the U.S. financial sector says 80% of the malicious acts were committed at work during working hours; 81% of the perpetrators planned their actions beforehand; 33% of the perpetrators were described as "difficult" and 17% as being "disgruntled". The insider was identified in 74% of cases. Financial gain was a motive in 81% of cases, revenge in 23% of cases, and 27% of the people carrying out malicious acts were in financial difficulties at the time.
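The following Python sketch is an added illustration and is not code from this book, from Carnegie Mellon or from any bank's monitoring system. It serves two passages: the bank-side transaction monitoring that the ENISA advice and the Experi-Metal ruling in chapter 6 call for, and the "clipping level" problem discussed just above. It contrasts a single-amount threshold rule with a monitor that judges every transfer against the account's own history (outflow velocity, clustering just under the threshold, and payments to beneficiaries never paid before). The account, beneficiary names, thresholds and transactions are all constructed for the example.

```python
"""Transaction monitoring: a fixed amount threshold versus a per-account
behavioural baseline.  Added example; all sample data is constructed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from statistics import mean, pstdev

THRESHOLD = 10_000            # the "clipping level" a single-amount rule alerts on
WINDOW = timedelta(hours=24)  # trailing window used by the baseline rules


def fixed_threshold_alerts(txns):
    """The rule insiders and fraudsters know: alert only when one transfer
    on its own reaches THRESHOLD."""
    return [t["id"] for t in txns if t["amount"] >= THRESHOLD]


class BaselineMonitor:
    """Judges each transfer against the account's own history, not a global number."""

    def __init__(self, sigma=3.0, cluster_n=3, cluster_floor=0.7, min_days=5):
        self.sigma = sigma                # how far above normal counts as abnormal
        self.cluster_n = cluster_n        # transfers just under THRESHOLD that form a cluster
        self.cluster_floor = cluster_floor
        self.min_days = min_days          # completed days needed before baseline rules fire
        self.recent = defaultdict(deque)  # account -> (timestamp, amount) inside WINDOW
        self.daily = defaultdict(lambda: defaultdict(float))  # account -> date -> outflow
        self.known = defaultdict(set)     # account -> beneficiaries paid before

    def observe(self, t):
        acct, ts, amt = t["account"], t["ts"], t["amount"]
        q = self.recent[acct]
        while q and ts - q[0][0] >= WINDOW:   # drop transfers that fell out of the window
            q.popleft()
        q.append((ts, amt))
        findings = []
        # Baseline = outflow on completed days; the day in progress is excluded.
        history = [v for day, v in self.daily[acct].items() if day != ts.date()]
        if len(history) >= self.min_days:
            mu, sd = mean(history), max(pstdev(history), 1.0)
            if sum(a for _, a in q) > mu + self.sigma * sd:
                findings.append("velocity")        # far more than this account normally moves
            if t["beneficiary"] not in self.known[acct]:
                findings.append("new-beneficiary")  # money leaving to an unfamiliar destination
        # Structuring: several transfers kept just under THRESHOLD inside WINDOW.
        near = [a for _, a in q if self.cluster_floor * THRESHOLD <= a < THRESHOLD]
        if len(near) >= self.cluster_n:
            findings.append("structuring")
        self.daily[acct][ts.date()] += amt
        self.known[acct].add(t["beneficiary"])
        return sorted(findings)


def run(txns):
    """Feed transfers in time order; return {id: findings} for every transfer."""
    monitor = BaselineMonitor()
    return {t["id"]: monitor.observe(t) for t in sorted(txns, key=lambda t: t["ts"])}


def sample_transactions():
    """Constructed data: 30 days of routine payments (3,000 to 3,900 a day), then
    five wires of 9,500 each to unfamiliar beneficiaries within two hours, the
    shape of the Experi-Metal attack and one a single-amount threshold misses."""
    start = datetime(2012, 10, 1, 9, 0)
    txns = []
    for day in range(30):
        txns.append({"id": f"H{day}", "account": "ACME", "ts": start + timedelta(days=day),
                     "amount": 3000 + (day % 7) * 150,
                     "beneficiary": "payroll" if day % 2 else "supplier-A"})
    burst = start + timedelta(days=30, hours=1)
    for n in range(5):
        txns.append({"id": f"B{n + 1}", "account": "ACME",
                     "ts": burst + timedelta(minutes=30 * n),
                     "amount": 9500, "beneficiary": f"mule-{n + 1}"})
    return txns


if __name__ == "__main__":
    sample = sample_transactions()
    print("fixed threshold alerts:", fixed_threshold_alerts(sample))
    for tid, found in run(sample).items():
        if found:
            print(tid, found)
```

On the constructed data the fixed rule raises nothing, because every wire was kept at 9,500; the baseline monitor flags the very first mule payment on velocity and destination and adds a structuring finding from the third wire onwards. The same rules fire on a Foster-style burst of large transfers, and a low-and-slow insider who keeps each amount modest still has to beat the per-account velocity and destination checks, which is the point of the preceding paragraph.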
Surely, we cannot have technology, deterrence or other forms of control that eliminate all insider frauds, but a combination of good deterrence and technology that responds to human behavioural tendencies can save our banks millions and increase the sagging confidence in technology systems.
10. Clipping the butterfly's wings

On the rare date 12-12-12, the FBI announced that it had cut off the wings of the 'Butterfly.' It announced the arrest and arraignment of a group suspected of running the Butterfly Botnet.

THESE BOTHERDS (called so in line with shepherds and cowherds, since they 'herd' bots) collectively and effectively controlled a mind-boggling 11 million compromised computer systems. Their actions resulted in a staggering loss of over $850 million through stolen credit card and bank account credentials and compromised Personally Identifiable Information (PII).

'Botnet' is a contraction of 'robot network', and a bot is one compromised machine within it. Botnets consist of compromised computer systems and are often
used by cyber criminals for a variety of activities with varying degrees of criminality, resulting in different kinds and amounts of losses to the owners of the compromised systems. Botnets are the favourites for executing distributed denial of service (DDoS) attacks, sending spam e-mails, conducting underground criminal activity and distributing malware. This list is not exhaustive, as botherds are quite innovative in the usage of their 'assets.'

Facebook - an easy target...

At this stage let us introduce Facebook. The very mention of Facebook conjures up different reactions in different minds. The trendy see it as a way of keeping in touch; the tech savvy see it as a mixed bag with significant potential for loss of PII; the marketing professional sees in it a great opportunity to reach out, while some of the security conscious are sceptical, for valid and perceived reasons.

With a billion messages flowing through Facebook on a monthly basis, this social networking site has also been a favourite spot to harvest PII, both directly and indirectly. Between 2010 and 2012, it was estimated that over a million Facebook accounts were compromised using variants of the Yahos malware, and these compromised accounts were linked to the Butterfly Botnet. Facebook is acknowledged
for helping law enforcement in cracking down on those who hacked into the user accounts, resulting in the successful crackdown on the Butterfly Botnet. And to many, Facebook has really and truly made the world a global village that helps connect people in real time.

DO YOU KNOW? At 1:21:02 am, people celebrated the second which marks a date-time combination that reads the same both backwards and forwards: 2012-12-12 1:21:02.

Butterfly Botnet...

The Butterfly Botnet is the latest in a family of abuses of compromised computer systems for fraudulent purposes. Starting off with Ramnit in early 2010, we saw the ZeuS Facebook worm wreaking havoc in mid-2011, and now we have the notorious gang of 10 herding the Butterfly Botnet. When we all screamed at the ZeuS Facebook worm having supposedly infected over 45,000 Facebook users, that number pales into insignificance when we see 11 million compromised systems in the Butterfly Botnet.

Almost 70 per cent of the infection by Ramnit happened on UK users of Facebook; around 26 per cent were French, while the balance 4 per cent were in other countries. After this came the famous taking down of the Zeus malware, in a dramatic move that involved the US Marshals. This operation was carried out when the U.S. District Court for the Eastern District of New York approved the operation, ruling on a plea by Microsoft and its partners to seize the computers and sue John Doe (as-yet-unnamed) defendants. The operational portion of the Court order speaks volumes of the way the judiciary has considered the intricacies in a search and seizure
operation involving high technology that has the potential to move the malware across the internet anywhere, anytime.

A forensic icing on the cake...

The order, in part, said that "the United States Marshals and their deputies shall be accompanied by plaintiffs' attorneys and forensic experts at the foregoing described seizure, to assist with identifying, inventorying, taking possession of and isolating defendants' computer resources, command and control software, and other software components that are seized." Interestingly, the Court also asked the Marshals to preserve up to four hours of Internet traffic before disconnecting the computers from the Internet. This was a forensic icing on the cake in the court order: the command and control traffic captured in those hours records which infected machines were checking in and what they were being told to do, evidence that is lost the moment the servers go dark.

Microsoft had been instrumental in taking down three botnets earlier. The operation of bringing down the botnets driven by ZeuS and its variants was very different from the three earlier operations, due to three factors. Firstly, it was not an action by Microsoft alone; there were partners who closely cooperated with Microsoft. The partners were the Financial Services Information Sharing and Analysis Center (FS-ISAC), a trade group representing 4,400 financial institutions, and NACHA, the Electronic Payments Association, which operates the system for electronic funds transfer.

Secondly, the objective of this action was different from the earlier actions. The earlier actions of taking down the three botnets were aimed at shutting them down. In this case, in the words of the initiators of the action, "the goal here was not the permanent shutdown of all impacted targets. Rather, our goal was a strategic disruption of operations to mitigate
the threat in order to cause long-term damage to the cybercriminal organisation that relies on these botnets for illicit gain." This thought process, commonly referred to as "Hack Back" or "Getting even with the Cyber Scum," is gaining popularity, though it is not accepted by everyone as the best solution to fight cyber criminals.

Thirdly, the law suit, instead of merely accusing the three John Doe defendants, goes on to introduce an unknown corporate entity and claim that the three formed "The Zeus Racketeering Enterprise" for the purpose of squandering the resources of compromised computers. As an example, it is alleged that spam emails infringing NACHA's trademarks were as high as 167 million in a 24-hour period, in contrast to NACHA's normal volume of 1,500 outbound emails per day!

DO YOU KNOW? 12 has been a significant number since its creation: 12 months in the year, 12 hours of night and day, 12 astrological signs, 12 Olympic gods and goddesses, 12 days of Christmas, and Shakespeare's Twelfth Night.

So, what do we learn from this?

As always, we are back to the same music: the users of Internet connected computing equipment need to exercise more caution than they are now used to. Attempts by different organizations to make users security-conscious are showing some results; but they remain 'some' results. An idea gaining ground globally is to catch 'em young.

Many organisations are working on this using different approaches. One set of people are looking at empowering school goers with a good grounding in the hacking process so that
they identify any attempt to compromise their computers and negate it. This appears to be the philosophy behind running the Hacker High Schools (HHS), an initiative by a few not-for-profit bodies in North America. Another approach is to teach school goers and their parents various Safe Surfing Options (SSO), an approach preferred by (ISC)², the global certification body for security professionals.

It surely emerges that there is an urgent need to catch the young users and get them to grow with a mindset that combines security, caution and the ability to balance the convenience of the ubiquitous Net against its inherent risks.
11. The new threat vector

We woke up recently to a series of threats that emanate from a hitherto unknown origin: the supply chain. And that's catastrophic.

WHEN WE TALK of cyber infractions and frauds, we have traditionally looked at computers, the internet, internal networks and wireless applications to find the threat vectors. We then added 'people' as another threat vector and started focusing all research and development efforts on handling the devastating consequences of a combination of these threat vectors exploiting a whole range of vulnerabilities. The likes of Stuxnet were still operating within the contours of these threat vectors until we woke up recently to a series of threats that emanate from a hitherto unknown origin: the supply chain.
We had heard stories of malware embedded in printers during the 1991 Gulf war, but these accusations were dismissed as technology fairy tales. Of late, the consequences of security compromise via threats embedded in the supply chain have become a reality. Attackers have always looked for new attack paths, and such a search yielded the desired results when Stuxnet infected SCADA systems that were till then thought to be invincible. Now a larger scale exploit is on the anvil, with attackers using various unprotected parts of the supply chain to embed malware or other forms of threats.

Security threat by Chinese telecom companies

In October 2012, a special investigative report by the Permanent Select Committee on Intelligence of the US House of Representatives addressed the specific threat to US security posed by Chinese telecom companies in general, and two companies in particular: Huawei and ZTE. Apart from a number of recommendations, it carries strongly worded advice to US companies to avoid Chinese networking hardware. Whether users should be worried only about Chinese networking hardware, or take precautions about any hardware coming in for use in critical infrastructure, is a question that deserves consideration. It is possible that there are other groups who are either actually using, or are planning to use, supply chain vulnerabilities to introduce spyware or a newer genre of threats.

Supply chain led threats

Since 2005, several countries have taken a clear call on combating supply chain led information threats by effecting seizures of counterfeit networking hardware and other
  69. 69. 69telecom components. This exercisewas built around the faith that anyproduct with a malicious payloadwill only come via deployment ofcounterfeit components. The 2011operation of seizing US$ 143 millionworth of counterfeit networkingand telecom components by the USauthorities lend credence to the beliefthat spread of malicious hardware happens via counterfeit.That belief has been busted by the findings in the October2012 report where it is found that even companies that sellapparently genuine products may infect their componentswith undesirable malware.When supply chain is totally insecureWhile these reports point a finger to China for supply ofcounterfeit or malware infected components, the Chinesecomputer market itself is battling counterfeits locally. WhenMicrosoft successfully launched an all-out effort to eliminateNitol Botnets, they got trusted people to go out and buylaptops and desktops in China and of the 20 systems theyprocured, all had some counterfeit component. Each ofthese purchased systems had been configured in such away to reduce security and four of these systems alreadyhad malware installed! Just imagine you are getting a brandnew computer system with all its box seals in tact and findthat you are starting off with a low security configurationalong with an embedded malware. The worst part of thisscenario is that many of the users may not be aware of thisscenario and will be happily typing away on their keyboardsnot knowing they are vulnerable to become either zombiesDO YOU KNOW?We can behopelessly wrong.Like: 9 out of 10people believeThomas Edisoninvented the lightbulb. This isn’t true;Joseph Swan did.
  70. 70. 70or are otherwise vulnerable to attack and damage. Thisscenario is well summarised by Boscovich who said that the“supply chain is broken; it is totally insecure, and it is easyfor criminals to inject what they want into that supply chain.”Three point responseHow does the business react to insecurity of supply chain?A report published Georgia Tech Information SecurityCenter and Georgia Tech Research Institute has classifiedthe responses into three categories. First, we have a majorityof the companies who do nothing about it other than tolimit their purchases to what they regard as ‘trusted’ vendors.Secondly, a small number of companies carry out randomtests on devices and determine if there are any indicationsof serious forms of vulnerabilities. Depending on thetest results, further action is initiated. Thirdly, a very smallnumber of companies are taking a paranoid approach ofnot trusting the supply chain at all. Their security stance isbased on the premise that any device that comes through thefront door has already been compromised. These companiescontinuously monitor the devices for abnormality.Andrew Howard of Georgia Tech Research Institute perhapshad the most realistic of assessment when he said: “This isa problem that is extremely expensive and difficult to solve.Solve may not even be the right word.” I sincerely hope thatwhat Howard said later does not become a reality. “It is goingto take a bad event to have the momentum necessary to fullytackle the problem.”One silver lining here is that the problem appears to havebeen recognized though it is too ubiquitous in its reach forany one set of stakeholder to manage it completely.
12 … and They are Back Again… Wave 3

On March 12, customers of six of the major US banking institutions experienced disruption to their Net banking services and, if Carl Herberger of Radware is to be believed, this is the largest number of institutions to be targeted on a single day.

While Herberger refused to name these six banks, citing confidentiality clauses in his company's agreement with the banks, others pointed to the targets. Keynote Systems, which monitors Internet and Cloud services, said that traffic pattern analysis pointed to the online outages suffered by JP Morgan Chase, BB&T and PNC on March 12. All the banks that appear to have been attacked and compromised refused to comment on the attacks and also refused either to confirm or to deny them. While the suspected victim banks formally refused to comment, the first indication of something going wrong came from a Chase Services tweet.

A tweet on the Chase Twitter feed said on March 12: "*ALERT* We continue to work on getting Chase Online back to full speed. In the meantime, pls. use Chase Mobile app or stop by a branch." The next day, Chase tweeted: "We're sorry it was such a rough day and we really appreciate your patience." This is perhaps the most direct admission yet by any of the victims that they were attacked.

Keynote Systems gave more precise data on the attacks later in the day. They said that the outage at Chase resulted in a nearly 100 percent failure between 2pm and 11pm ET. BB&T suffered an outage between 12.30pm and 2.30pm ET and again later in the day at 5.30pm ET, though this was a brief interruption. PNC's site was down for about 30 minutes at 3.30pm ET on the same day. Keynote Systems, however, said it was not commenting on the cause of the downtime; it could only confirm the outage.

Commenting on these attacks, Herberger felt that "the thing that's kind of frustrating to all of us is that we are six months into this and we still feel like this is a game of chess." He wondered how an industry endowed with more resources than any other industrial segment in the US could have missed the threat posed by hacktivists.

On the day of the attack, March 12, the hacktivist group Izz al-Din al-Qassam Cyber Fighters (IDQ) said in a Pastebin post that the third phase of their attacks against US banking institutions was about to begin. The group claimed in that post that they were waging the attacks against US banking institutions over a YouTube video deemed offensive to Muslims. IDQ identified nine targets for their Phase 3 attacks that started on March 12: Bank of America, BB&T, Capital One, Chase, Citibank, Fifth Third Bancorp, PNC, Union Bank and US Bancorp.

I had written earlier about the successful attacks by IDQ, who had used DDOS to disrupt the online services of banks in the US. The group's posts on Pastebin had then claimed that these attacks were attention-directing methods to warn the US powers-that-be to remove a particular movie and all its clippings from the Internet, since the movie was offending the religious sentiments of Muslims. Other forms of protest were witnessed across the globe on the same issue, and the offending movie did find its way off the Internet. Every group that had protested triumphantly claimed a causa proxima between its protest and the movie going off the Internet. So did the IDQ Cyber Fighters, and they declared a ceasefire.

DO YOU KNOW?
The most common form of "cyber terrorism" is a DDOS, or Distributed Denial of Service attack, whereby thousands of systems around the world simultaneously and repeatedly connect to a website or network in order to tie up the server resources, often sending it crashing offline. Anonymous released a tool this year that users could download and set on autopilot to receive attack commands from a remote command source. Similar DDOS attacks are often performed by the use of malware installed on users' computers without their knowledge.
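The sidebar describes a DDOS from the attacker's side: thousands of systems connecting to one site at once. The defender's first signal of the same event is the mirror image, a request-rate spike spread across many distinct source addresses rather than one abusive client. The following Python script is an added example, not taken from the book or from any of the companies it names; it walks web-server access-log lines, buckets requests per minute, and flags minutes whose request count and distinct-source count both exceed a multiple of a quiet-period baseline. Every log line, IP address, timestamp and threshold in it is constructed for the illustration.

```python
"""
Added example: a minimal volumetric DDOS indicator over access-log lines.

Two conditions must hold for a minute to be reported: request volume well above
the quiet-period baseline AND a large number of distinct sources. The second
condition separates a distributed flood from a single misbehaving client, which
is a different problem with a different response.
"""
from collections import defaultdict
from datetime import datetime
import re

# Common Log Format: client, ident, user, [timestamp], "request", status, size.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: two quiet minutes, one distributed flood minute, and one
# minute where a single address hammers the login page. Addresses are from the
# RFC 5737 documentation ranges and private space; nothing here is real traffic.
QUIET_LINES = [
    '10.0.0.11 - - [12/Mar/2013:13:58:01 -0500] "GET /login HTTP/1.1" 200 512',
    '10.0.0.12 - - [12/Mar/2013:13:58:20 -0500] "GET /index HTTP/1.1" 200 1024',
    '10.0.0.11 - - [12/Mar/2013:13:58:45 -0500] "POST /login HTTP/1.1" 302 0',
    '10.0.0.13 - - [12/Mar/2013:13:59:10 -0500] "GET /index HTTP/1.1" 200 1024',
    '10.0.0.14 - - [12/Mar/2013:13:59:40 -0500] "GET /login HTTP/1.1" 200 512',
]
FLOOD_LINES = [  # 60 distinct sources, two requests each, within one minute
    f'198.51.100.{i} - - [12/Mar/2013:14:00:{sec:02d} -0500] "GET /login HTTP/1.1" 503 0'
    for i in range(1, 61) for sec in (i % 60, (i + 30) % 60)
]
SINGLE_CLIENT_LINES = [  # same volume, but one source: not a distributed attack
    f'203.0.113.7 - - [12/Mar/2013:14:01:{n % 60:02d} -0500] "GET /login HTTP/1.1" 200 512'
    for n in range(120)
]
SAMPLE_LINES = QUIET_LINES + FLOOD_LINES + SINGLE_CLIENT_LINES


def parse_line(line):
    """Parse one CLF line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    src, ts, request, status, _size = m.groups()
    return {"src": src, "ts": datetime.strptime(ts, TS_FMT),
            "request": request, "status": int(status)}


def bucket_by_minute(lines):
    """Aggregate request count and distinct sources per calendar minute."""
    buckets = defaultdict(lambda: {"requests": 0, "sources": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip unparseable lines rather than abort the whole run
        minute = rec["ts"].strftime("%Y-%m-%d %H:%M")
        buckets[minute]["requests"] += 1
        buckets[minute]["sources"].add(rec["src"])
    return buckets


def flag_flood_minutes(lines, baseline_minutes, factor=10, min_sources=50):
    """Return (minute, requests, distinct_sources) for minutes that look like a flood.

    baseline_minutes: how many of the earliest minutes are treated as normal load.
    factor: request-rate multiple over the baseline mean that counts as a spike.
    min_sources: distinct-source floor so a lone noisy client is not reported here.
    """
    ordered = sorted(bucket_by_minute(lines).items())
    if len(ordered) <= baseline_minutes:
        return []
    base = ordered[:baseline_minutes]
    base_rate = sum(b["requests"] for _, b in base) / baseline_minutes
    flagged = []
    for minute, b in ordered[baseline_minutes:]:
        if b["requests"] >= factor * base_rate and len(b["sources"]) >= min_sources:
            flagged.append((minute, b["requests"], len(b["sources"])))
    return flagged


if __name__ == "__main__":
    for minute, reqs, srcs in flag_flood_minutes(SAMPLE_LINES, baseline_minutes=2):
        print(f"{minute}: {reqs} requests from {srcs} distinct sources")
```

Run against the constructed sample, only the 14:00 minute is reported: 120 requests from 60 sources against a baseline of 2.5 requests per minute. The 14:01 minute carries the same volume but from a single address, so it falls under the distinct-source floor and is left for a per-client rate limit rather than a DDOS response. In production the baseline would come from a longer history and the thresholds would be tuned to the site's normal peaks.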
