Scareware – How Crime Pays

February 15, 2011

Scareware is fraudulent software that uses deceptive advertising to trick users into believing they’re infected with some variety of malware, then convinces them to pay money to protect themselves.  The infection isn’t real, and the software they buy is fake, too.  It’s all a scam.

One scareware operator sold “more than 1 million software products” at “$39.95 or more,” and now has to pay $8.2 million to settle a Federal Trade Commission complaint.

Seems to me that $40 per customer, minus $8.20 to pay off the FTC, is still a pretty good revenue model.  Their operating costs can’t be very high, since the software doesn’t actually do anything.  Yes, a court ordered them to close down their business, but certainly there are other creative entrepreneurs that can recognize a business opportunity when they see it.

Source: Bruce Schneier

What happens when your data is compromised?

February 14, 2011

What would the impact be if your data ended up in the wrong hands: with someone, or some organization, able to actually do something with the information you have on your systems? What would they do? Could they profit from it? What would happen to you? To your customers? To your image?

Phase one:
The initial breach itself typically has minimal impact. Most would think the interruption would be the biggest issue. The fact is the goal is not to interrupt, and not to alert you that something has happened or is happening. After the data has been taken the intruder will likely “hang out” and see what else they can do. Once the data has been sold or exhausted of its value, phase two occurs.

Phase two:
This is when the sale of the data takes place. I recall a small credit union calling us one day because several of their clients were coming into their offices claiming that money had been taken from their accounts. There was a flood of people coming in! This still wasn’t the most costly phase!

Phase three:
The intruder will then start to use your systems to try to break into other systems, host spam engines, host images such as pornography, and carry out other activities that cause havoc and interruptions. This still is not the worst part! Once the dust has settled and your network is put back together you might not even know that your data was taken, because it wasn’t! That is correct: they didn’t take the data, they took a copy, so you don’t even know until the next phase.

Phase four:
The last phase is when your clients leave because they don’t trust your system. This is typical of the high-profile clients that have to deal with compliance and regulations and just can’t continue to operate their business with your organization as their vendor. Yes, the high-profile clients probably represent the top 20% of your client base and probably 80% of your revenue.

We have witnessed this with small businesses here locally, and certainly we have all heard of the high-profile large companies that have been compromised and been through all four phases. Some have suffered repeats of the same because they still didn’t take the appropriate and necessary actions. It is even worse when the intruder doesn’t leave a copy and actually destroys or deletes the data, and the business then discovers that their data hadn’t been backed up even though they thought it was.

What would happen if you lost 80% of your revenue and had the reputation of having an insecure system?
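The last paragraph above makes a point that is easy to check and rarely checked: a backup job that reports success can still have skipped or truncated files. The script below is an added example, not code from the original post. It builds a SHA-256 manifest of a source tree and verifies a backup tree against it, listing files that are missing or whose contents differ. The directory layout and file contents in `demo()` are constructed for the illustration.

```python
"""Verify that a backup actually holds the data you think it does.

Added example (not from the original post). Builds a SHA-256 manifest of a
source tree and checks a backup tree against it, reporting files that are
missing from the backup or whose contents differ. All paths and file
contents used by demo() are constructed for the illustration.
"""
import hashlib
import os
import shutil
import tempfile


def sha256_file(path, chunk_size=65536):
    """Return the hex SHA-256 digest of a file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map each file's path (relative to root, '/'-separated) to its digest."""
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_backup(source_manifest, backup_root):
    """Compare a backup tree against the source manifest.

    Returns a dict with sorted lists of 'ok', 'missing' (in the source but
    absent from the backup) and 'mismatch' (present but different content).
    """
    backup_manifest = build_manifest(backup_root)
    report = {"ok": [], "missing": [], "mismatch": []}
    for rel, digest in source_manifest.items():
        if rel not in backup_manifest:
            report["missing"].append(rel)
        elif backup_manifest[rel] != digest:
            report["mismatch"].append(rel)
        else:
            report["ok"].append(rel)
    for key in report:
        report[key].sort()
    return report


def demo():
    """Constructed scenario: a backup that silently lost and altered files."""
    workdir = tempfile.mkdtemp(prefix="backupcheck_")
    try:
        source = os.path.join(workdir, "source")
        backup = os.path.join(workdir, "backup")
        os.makedirs(os.path.join(source, "ledger"))
        files = {  # constructed sample data
            "ledger/2010-q4.csv": b"account,balance\n1001,250.00\n",
            "clients.txt": b"Acme Credit Union\n",
            "notes.txt": b"rotate tapes weekly\n",
        }
        for rel, data in files.items():
            with open(os.path.join(source, rel), "wb") as fh:
                fh.write(data)
        manifest = build_manifest(source)
        shutil.copytree(source, backup)
        # Simulate a backup job that dropped one file and wrote a truncated
        # copy of another, while still "completing" without an error.
        os.remove(os.path.join(backup, "notes.txt"))
        with open(os.path.join(backup, "ledger", "2010-q4.csv"), "wb") as fh:
            fh.write(b"account,balance\n")
        return verify_backup(manifest, backup)
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    for status, paths in demo().items():
        print(f"{status:9s} {paths}")
```

Store the manifest somewhere the backup job cannot overwrite it and run the verification against a restored copy, not the live tape or share; a restore that passes this check is the only evidence that the backup is real.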


Are you connected to unknown networks?

February 9, 2011

Chances are you are not only connected to your business network but also to other unknown or malicious networks run by highly sophisticated cyber criminals. Let me explain…

You are aware of your local network. It consists of servers, printers, other systems and even devices like PDAs. Then there are peer-to-peer file sharing networks, or P2P networks. These are networks made up of subscribers to services like Napster, Kazaa and Gnutella, where users can share files like music, images and video. The threat in being associated with these networks is that you are giving other anonymous users access to your system, and with little effort they can reach other files containing your financial information or office documents. This is a growing concern for business leaders whose users use their corporate systems for these purposes.

Then there is the botnet. A robot network is where an agent (a software program) is installed on your system and makes you part of a network. One of the most popular and recent bots is the Conficker worm, said to have made its way onto over 7 million government, business and home systems. Most of these networks are run by cyber crime syndicates like the Russian Business Network, Shadow Crew and the Gray Pigeons.

Albert Gonzalez, one of the captains of Shadow Crew, was responsible for the largest security breaches, including companies like 7-Eleven Inc., New England grocery store chain Hannaford, and payment card processor Heartland Payment Systems.

Have your systems checked, and checked often, to make sure you aren’t sharing information you would rather not share. The other threat is that these networks use your system resources to spread spam and host images, just to name a few.

Here is an interesting story about a company that was breached because a user had a P2P application installed on one of its systems. Below is a video that YOU MUST WATCH that illustrates how your children can expose all kinds of information that is stored on your system.

Information Week Article


10 ways malicious software gets installed on your computer

February 4, 2011

If you take note, all of these methods are self-inflicted. In other words, most of the time you install the malware for the cyber criminals. Don’t be fooled… security isn’t a firewall, anti-virus or other security software solution. Security is a mindset combined with a holistic approach that includes protection, detection and prompt response methods.

1. Email attachments

2. Portable media (i.e. USB drives, CDs, external hard drives, etc.)

3. Visiting Malicious Web Sites

4. Downloading files from web sites

5. Participation in P2P File Sharing Services (Limewire, Napster, etc.)

6. Instant messaging

7. Social Networking sites

8. Social Engineering Attacks

9. Not following security guidelines and policies

10. Ignoring common sense


Mobile security issues due to surpass computers

January 27, 2011

Yesterday the SANS NewsBites reported that, according to the Cisco 2010 Annual Security Report, cyber criminals appear to be shifting their focus from Windows machines to mobile devices. Users are falling prey to social engineering scams through social networking (i.e. Facebook, Twitter, etc.), email and phone calls. Social engineering is best described as tricking the user into responding, typically by clicking a link, downloading an attachment or, in this case, even accepting a phone call.

Other important notes in this report are that there has been a decrease in spam and that the focus of cyber criminals is shifting to Apple-based products. Spam decreased due to the large number of “take downs”. Apple is under attack because of the large increase in product sales, primarily focused on the iPad.  To the point I have made about why there is a perception that Apple has a more secure product… it is security by obscurity, but as Apple surges in market share the hackers are taking note. For the same reason criminals hold up banks… it is where the money is.

Here is a link to the rest of the story. Also below is a news report on the recent breach involving AT&T and the Apple iPad.

Cybercrime migrating to mobile and Apple, Cisco report


9 myths of safe web browsing

January 20, 2011

Myth #1: The web is safe because I have never been infected before.
You may not even know you’re infected. Many web malicious software (aka malware) attacks are designed to steal personal information and passwords or use your machine for distributing spam, malware or inappropriate content without your knowledge.

Myth #2: My users aren’t wasting company time surfing the web
The fact is that more than 40% of corporate internet use is inappropriate and going unchecked—an average of 1 to 2 hours per day per user. To make matters worse, the potential for employees being exposed to inappropriate content can have serious legal ramifications for any organization. The internet is full of studies related to internet use in the workplace, from gambling and pornography to less nefarious activity such as social networking and travel planning. Furthermore, incidents of internet addiction disorder are increasing, with current estimates suggesting up to 5% to 10% of internet surfers have some form of web dependency.

Myth #3: We control web usage and our users can’t get around our policy
Anonymizing proxies make it easy for employees to circumvent your web filtering policy and visit any site they like. Anonymizing proxies are readily available and regularly exploited by school kids and employees alike. Hundreds of new anonymizing proxies are published daily. If you don’t think this is an issue, you can simply Google “bypass web filter” to see there are over 1.8 million ways to do this.

Myth #4: Only porn, gambling, and other “dodgy” sites are dangerous
Hijacked trusted sites represent more than 83% of malware hosting sites. That’s correct. The majority of infected sites are websites that you trust and visit daily—they’ve just been hacked to distribute malware. Why? Because these sites are popular, high-traffic venues that silently distribute malware to unsuspecting visitors. Download the infected sites list to see just a small sampling of these kinds of sites.

Myth #5: Only naive users get infected with malware and viruses
Malware from drive-by downloads happens automatically without any user action, other than visiting the site. Therefore, it doesn’t matter what level of computer expertise you have. The fact is, if you are visiting sites on the internet, you are at risk.

Myth #6: You can only get infected if you download files.
Most malware infections now occur through a “drive-by” download. Hackers inject the malicious code into the actual web page content, then it downloads and executes automatically within the browser as a by-product of simply viewing the web page.

Myth #7: Firefox is more secure than Internet Explorer
All browsers are equally at risk because all browsers are essentially an execution environment for JavaScript, which is the programming language of the web and therefore used by all malware authors to initiate an attack. In addition, many exploits leverage plug-ins such as Adobe Acrobat reader software, which runs across all browsers. Although the more popular browsers may get more publicity about unpatched exploits, it’s the unpublicized exploits you should be most concerned about. The fact is, there is no safe browser.

Myth #8: When the lock icon appears in the browser, it’s secure.
The lock icon indicates there is an SSL encrypted connection between the browser and the server to protect against the interception of personal sensitive information. It does not provide any security from malware. In fact, it’s the opposite, because most web security products are completely blind to encrypted connections: it’s the perfect vehicle for malware to infiltrate a machine.

Myth #9: Web security requires a trade-off between security and freedom
While the internet has become a mission critical tool for many job functions, whether it’s Facebook for HR or Twitter for PR, it’s completely unnecessary to create a trade-off between access and security. A suitable web security solution provides the freedom to grant access to sites that your users need while keeping your organization secure.

source: Sophos


Are you smarter than internet scammers?

January 7, 2011

I’m certain everyone reading this has received and clicked on an email scam, Facebook post or some other kind of scam that seemed to be legit. It is an attack called phishing, and the really good ones can be really tough to detect. Many times when an organized crime syndicate compromises a database of users it is with the intent to send them phishing emails to scam them. For instance, when Monster.com, a job posting and seeking website, was compromised, its users would receive emails indicating that they had been selected for a job but had to fill out a “prescreen” survey due to the large number of applicants. The eager and in most cases recently laid off applicants would rush to send in the application, which included personal information that gave the scammers enough to create virtual identities and get to work.

Below is a story that just happened within the past couple of weeks. If you own a Honda you will want to read this article and be cautious if you receive what seems like legit emails or phone calls. Educating your users and implementing prevention measures like content and spam filters are the most effective ways to reduce the likelihood that this could happen to someone in your organization or circle of friends.

–Honda Customer Database Security Breach (December 29, 30 & 31, 2010)
Honda Motor Company is warning millions of its customers that intruders have gained access to their email addresses, probably through an attack on Silverpop Systems, a third-party marketing services provider.  The breach appears to affect two million Honda owners and three million Acura owners and also includes names and vehicle identification numbers. The compromised information could be used in phishing attacks.

Honda Web Site Hacked – MSNBC Report
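The post recommends content filters as one of the most effective defences. The script below is an added example, not code from the original post or from any filtering product; it shows the kind of checks such a filter applies to a message: a display name that claims one organisation while the address sits in another domain, link text that shows one domain while the href points elsewhere (or to a raw IP address), and wording that pressures the reader to hand over personal details. The brand list, keyword lists and both sample messages are constructed for the illustration.

```python
"""Score an e-mail for common phishing indicators.

Added example, not from the original post. KNOWN_BRANDS, the keyword lists
and the two sample messages are constructed for the illustration.
"""
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed: organisations an attacker might impersonate, mapped to the
# registrable domains they are expected to send from.
KNOWN_BRANDS = {"honda": {"honda.com"}, "acura": {"acura.com"},
                "monster": {"monster.com"}}
PRESSURE_WORDS = ("urgent", "immediately", "prescreen", "verify your",
                  "confirm your identity", "suspended")
PII_WORDS = ("social security", "date of birth", "password", "credit card")
DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude base-domain extraction: the last two labels of the host name."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def extract_links(html):
    collector = LinkCollector()
    collector.feed(html)
    return collector.links


def score_message(msg):
    """Return (score, reasons) for a dict with 'from', 'subject' and 'html'."""
    reasons = []
    display, address = parseaddr(msg["from"])
    sender_domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    for brand, domains in KNOWN_BRANDS.items():
        if brand in display.lower() and registrable(sender_domain) not in domains:
            reasons.append(f"display name claims {brand} but sender is {sender_domain}")
    for href, text in extract_links(msg["html"]):
        href_host = urlparse(href).hostname or ""
        match = DOMAIN_IN_TEXT.search(text)
        text_host = match.group(1).lower() if match else ""
        if text_host and registrable(text_host) != registrable(href_host):
            reasons.append(f"link text shows {text_host} but points to {href_host}")
        if href_host and href_host.replace(".", "").isdigit():
            reasons.append(f"link uses raw IP address {href_host}")
    lowered = (msg["subject"] + " " + msg["html"]).lower()
    if any(w in lowered for w in PRESSURE_WORDS):
        reasons.append("pressure or urgency wording")
    if any(w in lowered for w in PII_WORDS):
        reasons.append("asks for personal details")
    return len(reasons), reasons


# Constructed samples: one lure in the style the post describes, one benign.
PHISHING_SAMPLE = {
    "from": '"Honda Customer Care" <owners@honda-rewards-center.example.net>',
    "subject": "Urgent: verify your Honda owner record",
    "html": ('<p>Your vehicle record needs attention. Please visit '
             '<a href="http://192.0.2.10/honda/verify">www.honda.com/owners</a> '
             'and confirm your date of birth.</p>'),
}
BENIGN_SAMPLE = {
    "from": '"Honda Owner Newsletter" <news@honda.com>',
    "subject": "Winter maintenance tips",
    "html": ('<p>Read this month\'s tips at '
             '<a href="https://www.honda.com/owners">www.honda.com/owners</a>.</p>'),
}

if __name__ == "__main__":
    for label, sample in (("phish", PHISHING_SAMPLE), ("benign", BENIGN_SAMPLE)):
        score, reasons = score_message(sample)
        print(label, score, reasons)
```

Each reason is independent, so a message that trips several of them is worth routing to a quarantine or a second look rather than the inbox; a real filter would add sender authentication results and link reputation on top of these content checks.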

Security on home computers

December 17, 2010

As time evolves, businesses will likely decrease their brick-and-mortar office space, move into a more virtual atmosphere, and employees will work remotely from home. When this becomes more of the norm, these employees will either have two (or more) systems or they will consolidate all of their personal and business information onto one system. Your employees will probably not want to have one computer for business and one for personal use; they will want it all on one. So how can business leaders enforce security measures if they don’t own the equipment? Can we enforce policies that state they are not allowed to use business systems for personal use? This certainly is going to create all types of issues as we move forward. Building a security mindset will be the best way to make sure your corporate data stays safe, because it is going to be left up to the employee to make good decisions about how they use the system that has access to your corporate data.

I’ve mentioned in previous posts that there is a grant provided by the state of Virginia to help businesses make the investments necessary to allow employees to work remotely, www.teleworkva.org. Take a look at their site, as there are still funds available; we are very familiar with this grant and we are experts at helping businesses receive the funds. Check out my previous post (or click on the “working from home” category) for more information.


Transitioning employees to a security program

December 13, 2010

Getting employees to make a change can be agonizing, this I know all about! Most changes are abandoned before the first meeting is over, and the culture and morale just went down the drain with your efforts. Getting your employees to care about your corporate data might not be that difficult, but implementing security measures can put you in the “worst boss ever” category. Making this change has to come from the person that owns the data (or at least that will greatly increase the likelihood it will succeed). I decided to make a few user education and training videos that you can share with your team to prepare them, help transition them to this new way of thinking and, more importantly, get them to support the program.

Be on the lookout for videos from time to time. I’ll add a category called “security program” so you can see just these posts, to make them easier to sort as time goes on and I add more. Please let me know if I can help you make this a success; it truly is our passion and mission to help companies secure their information, and we know that end user education is critical and probably the most difficult part of the process.


The Cloud – Who is responsible if the data is lost or compromised?

December 10, 2010

YOU ARE! It is your responsibility, so you might want to refer to my previous post “The Cloud – Will my data be safe?” for some good ideas on making sure you engage with the right provider if you choose to make this change in your organization. This is illustrated in the recent Wikileaks.org vs Amazon.com saga, where Amazon kicked Wikileaks off its servers for violating its terms and conditions. So Wikileaks just moved its site to another provider in Sweden. Originally they moved their site to Amazon to elude an attack on it referred to as a Denial-of-Service (DoS) attack. A DoS attack is basically where an internet connection (in this case their web site) is made unavailable because some source, or sources, floods it to the point that the site is overwhelmed; this happened to Google not too long ago, leaving their email and other services unavailable for about 6 hours. My point… The Cloud isn’t all safe and secure and problem free like the commercials you see on TV. It is loaded with security issues and providers not willing to take any of the heat when the data is breached or lost. They will just kick you off their system and tell you to read the terms and conditions of their agreement (if there was an agreement).
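The flooding the paragraph describes shows up first in the web server's own access log. The script below is an added example, not code from the original post or from any of the providers mentioned; it parses Common Log Format lines, keeps a sliding window of request times per client address, and reports addresses whose request rate inside that window exceeds a threshold, which is the simplest defender-side signal that a site is being flooded from a small number of sources. The log lines, window size and threshold are constructed for the illustration, and the parser assumes the lines arrive in time order, as a server writes them.

```python
"""Spot a request flood in web server access logs.

Added example, not from the original post. Parses Common Log Format lines,
counts requests per client address inside a sliding time window, and reports
addresses that exceed a threshold. The log lines built by constructed_log()
and the window/threshold defaults are constructed for the illustration.
Assumes lines are in chronological order, as a server writes them.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for a well-formed CLF line, or None for anything else."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FORMAT),
        "request": m.group("req"),
        "status": int(m.group("status")),
    }


def find_floods(lines, window_seconds=10, threshold=5):
    """Return {ip: peak requests seen inside one window} for offenders.

    An address is an offender once more than `threshold` of its requests fall
    within any `window_seconds` span; the peak count is recorded so the
    report shows how far over the line it went.
    """
    recent = defaultdict(deque)  # ip -> timestamps inside the current window
    peaks = {}
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue  # unparseable lines are skipped, not counted
        window = recent[entry["ip"]]
        window.append(entry["ts"])
        while (entry["ts"] - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) > threshold:
            peaks[entry["ip"]] = max(peaks.get(entry["ip"], 0), len(window))
    return peaks


def constructed_log():
    """Constructed sample: two ordinary clients plus one address hammering the site."""
    base = datetime(2010, 12, 10, 9, 0, 0, tzinfo=timezone.utc)
    events = []
    for ip, offsets in (("198.51.100.4", (0, 20, 40)), ("198.51.100.7", (3, 33, 55))):
        for off in offsets:
            events.append((base + timedelta(seconds=off), ip, "/index.html"))
    for off in range(5, 35):  # 30 requests, one per second
        events.append((base + timedelta(seconds=off), "203.0.113.9", "/"))
    events.sort()
    lines = [f'{ip} - - [{ts.strftime(TS_FORMAT)}] "GET {path} HTTP/1.1" 200 512'
             for ts, ip, path in events]
    lines.insert(0, "garbage line that does not parse")  # parser should skip it
    return lines


if __name__ == "__main__":
    for ip, peak in find_floods(constructed_log()).items():
        print(f"{ip}: {peak} requests inside a 10 s window")
```

A single-source flood like this is the easy case and is what a per-address rate limit at the edge handles; a distributed flood spreads the same volume across many addresses and stays under any per-address threshold, which is why the overall request rate and the share of errors or slow responses need to be watched alongside the per-source counts.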

And what is worse!? Cyber criminals are licking their chops at the idea of all of this data floating around on the World Wide Web. The next five years should be very interesting…

Take a look at my latest Tweets (twitter.com/randysklar) to watch some really cool videos I have found on YouTube to help you better understand what the cloud is and how it could impact us (according to some visionaries).