E-mail is still the top attack method for targeted and espionage attacks, says Mikko Hypponen, chief research officer at security firm F-Secure.
Chat, instant messaging and web-based attacks are still in the minority, he told delegates at the RSA Conference 2011 in San Francisco.
The reason espionage is increasingly moving online, he said, is simply that most information is now stored digitally, and it is possible to steal information without necessarily gaining access to the target organisations.
Typically these are targeted attacks, where an individual within an organisation will receive an e-mail that appears to come from someone they know.
The e-mails also typically have a document attached that makes sense and is relevant to the recipient that is often a copy of actual documents used by the supposed sender’s organisation.
The recipient views the document, but is totally unaware that malware is being installed in the background that creates a backdoor, said Hypponen.
“This backdoor not only gives the attacker access to the victim’s system, but also to everything on the network that they are authorised to access,” he said.
Even though Word and other document types are used, PDF is the most common document used for targeted attacks.
“Attackers exploit vulnerabilities in Adobe Reader to install the malicious code on the victim’s machine,” said Hypponen.
In the face of these types of targeted espionage attacks, businesses should make employees aware of the tell-tale signs.
If documents take longer than usual to appear, it could be that a backdoor is being installed before a fake document is displayed, said Hypponen.
A difference in the name of the attached file and the file that is eventually displayed, is also an indicator of a potential targeted attack.
Anyone who suspects that e-mail may be illegitimate should check with the supposed sender to see if they did indeed send the e-mail in question, preferably before they open the attachment, he said.
Businesses can also better detect targeted attacks by monitoring the sites to which employee computers are connecting, said Hypponen.
In addition to several well-known malicious sites, businesses can monitor for sites that use variations on the spelling of legitimate sites.
“If an employee’s computer is connecting to a site like www.kabspersky.com, it is likely to be a malicious site,” said Hypponen.
It is important for businesses to ensure security patching is always up to date and they are monitoring all connections made from corporate computers, he said.
Hypponen also recommends businesses use an alternative PDF reader than the product from Adobe. His reasoning is that other readers do not have the same install base and are therefore less targeted.
Preventing cyberattacks is impossible, but governments and businesses can and should be able to stop attackers from stealing data, a computer security specialist says.
There is “nothing in the world you can do” to prevent attacks such as the one that penetrated computer systems in three Canadian federal government departments, said Stephen Northcutt, president of the SANS Technology Insitute, a security training facility in Bethseda, Md.
If a hacker penetrates the security of a computer system, “that’s bad, but it’s not terminal,” Northcutt says.
“Until the data actually gets out of your organization and into the hands of your adversary, you haven’t lost.”
Unfortunately, in the case of the recent attack, hackers are believed to have stolen sensitive government information.
Northcutt applauded the Canadian government for responding to the attack, which was detected in January, by disconnecting its computers from the internet.
He said that is a good move if you believe your system has been successfully compromised and the attack is ongoing.
The next step is to bring in experts who can find the malware responsible for the attack and help figure out where the data is headed.
Northcutt added that most organizations never even detect when a cyberattack is underway. Partly, that is because security systems tend to monitor data entering rather than leaving the system.
“It’s a big part of the problem,” he said. But he added that people are starting to recognize that and install software to monitor data leaving the system through strange routes like unsecured ports.
Organizations should, of course, also be trying to prevent attackers from getting in to begin with, he said.
He recommends implementing software that only allows a certain “whitelist” of approved programs to be installed on computers or tracks the programs that are installed, in order to prevent malicious software from taking root.
Adam Wosotwosky, principal engineer for internet security firm McAfee, said its not unusual for organizations loosen company-wide security measures for a select group of executives — something he recommends against.
“When you open up a back door like that, you’re opening a back door to all your hackers.”
Wosotowsky also suggests keeping web browser software up to date to minimize the chance that browsers will automatically download malware from malicious websites that employees have been lured to visit.
Companies can also ban their email system from transferring any executable files — the form that a lot of malware takes.
“There are other ways to transfer executable files,” Wosotowsky said.
Both he and Northcutt said that, in addition to technological defences, it’s important to educate employees to prevent successful phishing.
For example, Wosotowsky said, they need to know that all the text in an email can be “made up,” and that the person it appears to be from may not have sent it.
Northcutt said a number of U.S. government organizations, including the New York State government, have started “inoculation” campaigns that educate employees about security threats and hold occasional drills.
“From time to time, we need to send a note to ourselves — and see how many people fall for it,” he said.
He estimated that only five per cent of organizations actually do that.
But both he and Wosotowsky also acknowledge that technological measures to detect attacks are crucial even when employees are educated.
“We can’t get every single employee to do the right thing,” he said. “Humans make errors.”
The head of mining giant BHP Billiton (Hamburg: BHP1.HM – news) has confirmed he harboured concerns
about Chinese and competitor espionage on his business, citing it as a
reason behind his push for market pricing of key commodities.
Marius Kloppers, BHP’s chief executive, made his comments after the Sydney
Morning Herald said it saw Wikileaks cables that suggested Mr Kloppers
had offered to share intelligence about China with US authorities.
Asked on Wednesday to confirm whether he was concerned about espionage from
China and from competitors such as rival miner Rio Tinto (Berlin: CRA1.BE – news) , Kloppers told an
earnings briefing: “I would rather like to put that in a positive.”
“One of the reasons we have pushed so hard for market-clearing prices is
so that these sorts of things are not a concern, because if you sell your
product at the market-clearing price, that everybody can read off screens,
it minimises any impact of differential information that the one party or
the other may hold,” he said.
According to the Herald , Mr Kloppers said he would exchange information
with US diplomats in 2009, as he detailed the high level of surveillance
that Chinese authorities had on his company. China is BHP’s largest
customer.
Rival mining groups were also accused of spying on BHP’s activities. “Clearly
frustrated, Kloppers noted that doing business in Melbourne is like ‘playing
poker when everyone can see your cards’,” Michael Thurston, US
consul-general to Australia, said in a cable.
Mr Kloppers “complained that Chinese and industrial surveillance is
abundant and went so far as to ask consul-general [Thurston] several times
about his insights into Chinese intentions, offering to trade confidences,”
the cable said. BHP declined to comment on the report.
Price negotiations between China and mining companies were particularly
fraught in 2009 as commodity prices recovered from the credit crunch. This
led to the collapse of price discussion relating to iron ore, a vital
ingredient in steel making.
Four Rio Tinto negotiators were eventually convicted of stealing commercial
secrets given long jail sentences, including Australian national Stern Hu.
Objections from Chinese steel mills also contributed to BHP and Rio abandoning
their proposed iron-ore joint venture in the Pilbara region of Western
Australia last year.
The revelations come as BHP, the world’s largest mining company, unveiled
a 72pc surge in first-half profit .
Rising commodity prices have seen the company’s cash coffers swell and
investors are demanding the group announces plans for its cash mountain.
Some investors have complained that they want a substantial amount of cash
returned, but it is believed that Mr Kloppers is keen to make an acquisition
following the group’s failed $40bn bid for PotashCorp last year.
Cyber crime is costing the UK an estimated £27bn a year, and UK businesses are hit hardest owing to high levels of intellectual property theft and industrial espionage, according to a new report from consultancy Detica and the Office of Cyber Security and Information Assurance. Skip related content
The Cost of Cybercrime study found that the cost to businesses of cyber crime runs to at least £21bn a year, and that intellectual property theft accounts for the largest chunk at £9.2bn, followed by industrial espionage at £7.6bn and extortion at £2.2bn.
Interestingly, direct online theft accounts for just £1.3bn, while loss or theft of customer data represents just £1.1bn, despite usually garnering the biggest headlines.
The government is said to be hit with a £2.2bn annual bill thanks to cyber crime, while taxpayers lose £3.1bn mainly through identity theft (£1.7bn) or other online scams (£1.4bn). Scareware and fake anti-virus scams are said to account for £30m.
The report highlights the need for a more strategic approach to cyber crime, but warned that current estimates of the scale of the problem are being undermined by “a lack of a clear reporting mechanism and the perception that, even if crimes were reported, little can be done”.
Businesses should have access to a “government-sponsored, authoritative, online and interactive service”, according to the report, which would help to raise awareness and promote best practice in cyber defence, as well as provide a centralised reporting mechanism.
Security minister Pauline Neville-Jones argued that cyber crime is a ” national security and commercial priority”, and that the public and private sectors need to co-operate.
“This report is an important example of how government and industry are working together to tackle specific threats posed by criminal use of the internet, and highlights the opportunity we have to turn this to our advantage and get ahead of the curve to drive our economic growth and prosperity,” she added.
However, the figures dwarf the amount that the government is currently spending on cyber security. Just £63m is likely to end up supporting cyber crime prevention out of the £650m pledged to the government’s cyber security strategy.
Some security experts have also called into question the huge figures estimated by Detica in the report, especially given that there is little evidence of how the figures were arrived at.
Sophos senior technology consultant Graham Cluley pointed out in a blog post that the £27bn figure easily smashes the estimated £13.9 billion cost to the UK per year of drug related crime.
There needs to be a proper mechanism for reporting cybercrime (both for home users and businesses) before we can begin to whisk up grand totals like this, he said.
Once we know the true scale of the problem, and can produce reports that aren’t dealt with scepticism, we can fund the computer crime authorities appropriately, and we can begin to measure if the UK’s attempts to fight the problem are really working or not.
Mikko Hyppönen, chief research officer at F-Secure, agreed that £27bn is an incredibly large sum, especially given that most of it seems to have come from IP theft and espionage, which he admitted was “very hard to quanitfy”.
He also indicated he would like to see Australian media outlets consider abstaining from publishing material if it was considered against the country’s interests. ”If [the media] receive representations from national security or law enforcement authorities that material could be prejudicial, they will often refrain from publishing the material. And certainly it may well be that that sort of discussion might need to take place.”
The actions of the US have not discouraged all countries from expressing their support for Mr Assange and WikiLeaks. Ecuador has seemingly opened its arms, and invited it to establish a home base there.
The invitation came through a comment by Ecuador’s Deputy Foreign Minister, Kintto Lucas, on a website on Monday. ”We are ready to give him [Mr Assange] residence in Ecuador, with no problems and no conditions. We are going to invite him to come to Ecuador so he can freely present the information he possesses and all the documentation, not just over the internet but in a variety of public forums.”
Even though it was not Ecuador’s policy to involve itself in the affairs of other countries, the worrying nature of the cables – particularly the references to Latin America – had compelled it to offer safe haven, Mr Lucas said.
In an interview in Forbes magazine, Mr Assange indicated that the next target of WikiLeaks would be a big US bank, and said he had tens of thousands of documents that would be published early next year.
The bank leak would ”give a true and representative insight into how banks behave at the executive level in a way that will stimulate investigations and reforms, I presume”.
