Security measures in government, business and personal computer systems continue to be haphazard, and criminals are exploiting the weak points, stealing funds and data and sowing chaos. This article highlights cyber crime vulnerabilities.
The US Federal Reserve (Fed), the crossroads of the international banking system, detected more than 50 “cyber breaches” between 2011 and 2015, according to heavily redacted data released under a Freedom of Information request. And that was only for the Fed’s Board of Governors in Washington, DC; no information was provided about attacks against their 12 regional banks.
At the New York regional branch, hackers stole US$81 million from the account of Bangladesh’s central bank in March, and would have made off with another billion dollars if not for a typographical error in an instruction. In 2012, British activist Lauri Love allegedly infiltrated a server at a regional Fed branch, stealing names, email addresses, and phone numbers of Fed computer system users.
An internal watchdog criticised the Fed last year for not adequately scanning databases for vulnerabilities or putting enough restrictions on system access. “There is heightened risk of unauthorised disclosure and inappropriate use of sensitive Board information,” the audit stated.
“The threat is not new, although the way they attack is evolving all the time,” according to Alex Towers, Cyber Security Capability Lead for Thales. “As we connect all our systems, the risk spreads and spreads. They can attack from far away, anonymously, inexpensively, and they can just choose the weakest target from across all connected systems. It is very important that you are the best-defended target.”
Mikko Hypponen, Chief Research Officer at F-Secure and a leading cyber security expert, noted: “In the vast majority of online crime cases, we do not even know which continent the attacks are coming from.”
In the UK, the first official published estimate of the extent of cyber crime incidents – online scams, malware, virus attacks, theft of banking or other personal data, and other online crimes – was pegged at 5.8 million incidents. Fraudsters stole £755 million from British consumers and financial institutions during 2015 – a 26% increase over the preceding year. Financial Fraud Action UK said the biggest growth area was remote banking fraud, in which criminals pose as bank staff to convince trusting people to send them money via online banking. The LegalBeagles network said that while every UK bank is affected, Barclays is predominantly the bank of choice for fraudulent accounts.
Richard Emery of security consultancy 4Keys International called on banks to institute a 24-hour “cooling off” period for sending sums of more than £250 to a new payee.
One of the most profitable types of cyber crime attack currently is “ransomware,” in which the hacker locks a target business’ computing systems until a ransom is paid. Globally, more than 40% of victims paid the ransom demands, though in the UK nearly 60% capitulated (more than 20 times higher than their US counterparts).
“Think of the costs of a ransomware attack – legal fees, lawsuits, security, reputation – these all add up to a very expensive post-attack cost that no organisation wants to take on,” commented Andy Buchanan, Vice President for security firm RES. He advised businesses to carry out penetration tests regularly to identify and patch any vulnerabilities.
Spy Vs. Spy
Cyber crime does not always involve money, at least not directly. Oftentimes it is state-sponsored espionage. In 2014, hackers hijacked more than 21 million background check records from the US Office of Personnel Management. American officials accused the Chinese government.
That same year, a breach of Sony’s internal emails and future business plans was orchestrated by the North Korean government’s Reconnaissance General Bureau, according to James Comey, US FBI director.
Of course, no state-sponsored surveillance group is more recognized than the US NSA, whose own website was hacked – enabled by an anti-encryption backdoor the NSA had lobbied for two decades ago. More than 36% of websites worldwide are said to be vulnerable to the same type of flaw.
Cyber attacks are also threatening to disrupt the US presidential election process. A supposedly lone Romanian hacker calling himself “Guccifer 2.0” (Guccifer 1.0 is in jail) claimed credit for hacking the email accounts of the Democratic National Committee (DNC); thousands of the emails, which revealed a committee bias favouring Hillary Clinton against challenger Bernie Sanders, were subsequently published by Julian Assange’s Wikileaks website. Democrats accused the Russian government of the hack (without producing proof), and screamed treason when Republican nominee Donald Trump sarcastically invited the Russians to find and publish the more than 30,000 emails deleted from Clinton’s controversial private server while she was US Secretary of State.
Today’s cyber criminal may work for a complex operation much like a legitimate business, including an R&D division. Some are estimated to be billion-dollar enterprises. At the same time, the cost to set up an online scamming business is well within reach of the proverbial lone wolf hacker. A service known as “Deer” is offering infrastructure and support for hosting services and distributed denial of service protection which UK security firm Digital Shadows claims, “appears to be custom-built for cyber criminals.” No technical skills required.
Most of the service’s customers offer illegal or quasi-legal digital goods that violate Amazon or eBay rules: Bulk auto-registered social media accounts, stolen social media accounts, and stolen bank accounts. Deer administrators claim its users have profited more than $3.8 million.
Mark Hughes, CEO of cybercrime at UK telecom giant BT, said: “The industry is now in an arms race with professional criminal gangs and state entities with sophisticated tradecraft.”
He advocated that companies “take the fight to the criminals. Businesses need to not only defend against cyber attacks but also disrupt the criminal organisations that launch those attacks.”
BT plans to add 900 people to its current security team of 2,500.
The UK MoD is spending £40 million on a new Cyber Security Operations Centre based in Corsham, Wiltshire, part of a wider £1.9 billion plan to modernise and transform the government’s capabilities to protect the country from cyber attacks.
The UK National Crime Agency and Government Communications Headquarters (GCHQ) – the NSA’s British counterpart – are also working together through a new Joint Operations Cell (JOC), partially focused on abuse of children online. GCHQ Director Robert Hannigan said the JOC will also aim to “identify and stop serious criminals,” which may include drug dealers, traders of illegal goods such as counterfeit documents, stolen financial data and weaponry.
Despite the frequent headlines about hacks and cyber thefts, many people continue with risky behaviours with their personal and office computers. For example, a Google research team recently deliberately “lost” USB removable storage drives around a university campus; the drives contained malware. Almost all of the drives were picked up and nearly half were plugged into computers. USBs labelled “Exams” or “Confidential” were the most likely to be used.
Those simple USB drives can contain files that infect a computer system in the background while running innocuous programs in the foreground. Users could be sent to a “phishing” site that would attempt to steal personal information. Activated code could search the computer’s files for personal credentials and send them back to the hacker. It is also possible to use USB sticks to mount zero-day attacks that exploit known software flaws before vendors patch the hole or before users download updates.
According to a new KPMG report, 80% of cyber security executives acknowledged their company has been hit with a cyber attack in the past two years. Yet only half had invested in information security in the past year. “Cyber attacks are affecting nearly every single company we encounter, but we’re not seeing those attacks drive enough proactive business action as evidenced by the rate of investment made in information security,” said Greg Bell, KPMG Cyber US Leader. “We are still seeing companies taking a passive or reactive approach toward cyber security.”
According to a “Cost of a Data Breach” study by the Ponemon Institute, a typical organisation of 15,000 employees can fall victim to nearly two million security incidents per week. How many of those are detected? Only about 100.
Sometimes the “white hats” prevail. A few weeks ago, Interpol arrested the leader of a 40-person cyber crime ring with operations in Nigeria, Malaysia, and South Africa who had accumulated $60 million by compromising email accounts of small and mid-size businesses from Australia to India to North America. The alleged mastermind was brought to Interpol’s attention by Trend Micro, one of the international police agency’s strategic partners at the Global Complex for Innovation in Singapore. Analysis and intelligence included personnel from Fortinet FortiGuard Labs. “The fight against cyber crime must rely on public-private partnerships and international cooperation,” said Abdul Chukkol, head of the Nigerian Economic and Financial Crimes Commission cyber section.
Removing Humans from the Loop
The next frontier of cyber security – using artificially intelligent (AI) machines to detect threats – may be close at hand. In Las Vegas at the annual Def Con hacker conference, DARPA staged a “Cyber Grand Challenge” for security researchers from industry and academia. There were no humans in the loop, only machine “bots” challenged to fix security holes in their own systems while exploiting gaps in other machines’ systems.
DARPA believes the world’s growing dependence on computer systems requires creation of smart, autonomous security systems.
The winner was a bot known as “Mayhem” from start-up company ForAllSecure, an outgrowth of research at Carnegie Mellon University. Part of their technique used “fuzzing” – a software testing technique for discovering coding errors and security loopholes by inputting massive amounts of random data to make a system crash.
There is still some work to do on Mayhem before it’s ready for prime time. The bot quit working for several of the competition “rounds,” but restarted itself and managed to coast to victory thanks to a huge early lead. The $2 million first prize should help with fine-tuning the programme.
Second prize of $1 million went to Team Xandra from the University of Virginia and European firm GrammaTech.
At the Black Hat hackers conference, security firm SparkCognition rolled out what it claimed is the first AI-powered “cognitive” antivirus system: DeepArmor, aimed at protecting networks from new and emerging cyber security threats by combining AI techniques such as neural networks, heuristics, data science, and natural language processing with antivirus. DeepArmor is currently available only to members of SparkCognition’s beta programme.
UK information security start-up Darktrace is focusing on a self-learning security system to enable automatic defence. “We believe we are the only ones at the moment who focus only on learning from the behaviours of people and systems within the business rather than on algorithms that look for known types of attacks,” said Darktrace co-founder and Director of Technology, Dave Palmer.
Governments are constantly scrambling to keep up with the evolving technology used by cyber criminals. But there is widespread concern about what will be interpreted by temperamental leaders as a “crime.” Hasnain Iqbal of the Punjab Information Technology Board in Pakistan said that country’s Cyber Crime Bill 2015, which aims to regulate the online conduct of individuals and organisations through a special court, has been criticised “for curbing human rights and giving enormous powers to law enforcement agencies. It is said to be a muddle of punishments and vaguely defined crimes, intended to leash the power of social media, given its increasingly transformational role in shaping public opinion and holding rulers accountable. A piqued state can summon this bill to unleash hell for dissenters.”
For example, the proposed law does not define the term “critical infrastructure,” Iqbal said: “The notion of ‘national security’ is no different, equally obscure and abused by both civilian and military governments to muzzle freedom of speech and opinion. Similarly, the clause regarding violation of the dignity of a natural person can be easily stretched to target political opponents.”
He noted that critics fear online criticism of the judiciary, armed forces and foreign policy may invite the state’s wrath and the invocation of the cyber crime bill.
“Regulation and not strangulation should be the spirit and laws must not stifle free opinion, debate and access to information. Broad definitions of what is deemed punishable give authorities too much power to prosecute and censor. It may increase the risk of Pakistan going down the Erdogan way – brutally purging the media of dissent as he is doing in the aftermath of the failed coup [in Turkey].”
F-Secure’s Hypponen similarly cautioned: “While we might trust our government right now, any right we give away will be given away for good. Do we blindly trust any future government we might have 50 years from now?”