Monthly Archives: August 2015


The Case of Ashley Madison and the Dark Room.


A Blog Noir by Vigne Kozacek and Gary Sharpe.

The scene: a room in near darkness. A figure, seated, visible only by the glare of computer screens. He sits forward, intensely observing the dark web’s data streams. He already knows from the patterns of activity that something big is about to go down.

He is waiting but primed for action, watching for a Name. His traps are pre-prepared: small programs ready to record all the keystrokes on any computer they can infiltrate. These short pieces of code are also lurkers in the darkness. Just like him, they are thieves. Stealers of usernames, passwords, website activity. His prey are usually blind to these lurking bots which compromise their machines.

The word from the criminal network is that it’s about to be Open Season. Big Game Season. If the lowdown from his contacts is right, he will not need the dark room for a while, he can emerge, spend a few days in the light. Indulge his online shopping addiction, buying directly from the bank accounts of his prey, ever protected by the cover of a mailing address in countries where the laws of the internet are not enforced. Then, once he has extracted what he needs to satisfy the addiction, he will sell the stolen identities on to his ready and hungry buyers, at a premium. Medical records are his biggest earner on the digital data Black Markets.

He sees it now. The Name is out on the Dark Web.

He jumps up, the chair falls backwards. He can’t believe it. It’s big. Really big. For him, it’s pure, black gold. They’re broadcasting the List itself on the dark network.

His cold, calculating mind is already processing the numbers. His lottery win is the published List on the dark web, but the List itself is irrelevant to him. He’s a thief himself, not one of his buyers. The numbers are astronomical. He runs through them again. He reckons a few million people are about to unwittingly install his program on their computers.

He sets his traps in the massive email lists he’s stolen over a criminal lifetime and camouflages them with quickly rendered but professional-looking websites. He baits the traps with a sign. The sign reads “we’ve got the list and we’ve made it searchable – find out if anyone you know is on it – click here”. That click, the link, is how the crime is done. With each click-through, a lurker program goes back up the link, on to the prey’s computer, ready to steal everything which is typed. He checks his numbers again. Yes, he’s sure. His success rate will be in the millions. Not just those on the List, but anyone with a need or desire to look. The silence of the room is briefly broken as he mutters “…Journalists… Lawyers…”.

He sets about his work.

It’s later now.

His work is now done, all the traps set, so he sits back again, returns to just watching the screens. Waiting for the first traps to close.

He watches the public newsfeeds now too, monitoring the internet for the first mentions of the Name. He doesn’t have to wait long to see it everywhere.

..“Ashley Madison”… “Ashley Madison”…

In the dark room, the figure is sitting, waiting, watching. It’s too dark to see the cold smile on his face.



The Ashley Madison Affair


Here is a topical one. The Ashley Madison data dump is all over the news (an almost inevitable event), but beware and be warned – because this is only the start of this story in terms of IT Security risks. Other things are stirring in the darkness…

Many people, either out of curiosity or out of personal interests, are now hunting on the internet for the stolen data, little realising they may actually be the prey.

I would advise people to be very, very careful when seeking to access this information, because it has been published on the “Dark Internet” (the internet black market, a subject for a future instalment) and as it is trending, there are many traps being set for inexperienced internet users. Your machine can become infected and worse by browsing to sites claiming to have the information.

I strongly suggest that anyone looking to gain access to the data should wait until a reputable company/news organisation provides verified links to it. Do not click on links in emails received as multiple spam campaigns are already well underway.

We are all naturally very curious, especially when it comes to this type of thing; partners and spouses who have the slightest doubt will be itching to take a look to see if their other half’s name is listed.

Let’s look at the numbers first.

There are various reports about the number of Ashley Madison customers’ details that have been dumped and published. Let’s use, for the sake of argument, the figure of 33 million customers’ records. We could assume that virtually all of these are going to try to access the details to confirm whether they are on the list, and then we could add in at least a million more suspecting partners that want to check it too. When we add in all the other curious parties (nosy neighbours, suspicious colleagues, the media, other family members etc.) drawn in by the trending news agenda, we may well be into the hundreds of millions of people keen to take a look!

Ready and willing victims.

What this means is that there is now a HUGE market with a keen interest, and in some cases a personal interest, in the data. Be in no doubt that this interest will be exploited by cyber criminals, predominantly through email Phishing campaigns (explained in a previous post) as well as specially created attack websites.

Thanks to Gary Sharpe for his editorial assistance.


Personal IT Security

“Two Step Authentication” What it is and Why You Need It.


In two decades plus as an IT security expert, it has been apparent to me that when technical people begin to explain IT security issues to business executives, glazed expressions sweep through the room like a Mexican wave if technical terms are used. So the purpose of this “IT Security Explained” series, which began with my article on “Phishing”, is to remove these mysteries behind the IT Security jargon and ultimately to aid businesses in becoming more aware of the dangers as well as to help businesses help themselves.

We tend to forget during the internal battles for budgets and resources that without the Business there would be no IT or IT Security needs and without IT and IT Security there may not be a business left to manage. The key to unlocking IT Security is better internal communication and realizing that IT is integral to business, while it is the business whom IT departments are there to serve.

Speaking of keys, that’s the theme of this, my second post in this series. Here we consider something called “Two Factor Authentication”. I will now explain what this actually is and why you should be using it.

Imagine a building which contains something of high value, something to be protected. We could lock the door with a key or we could lock the door with a combination lock. To be really secure we would have both types of lock, so that to enter the building we need both a physical key and the passcode.

Two Factor Authentication is the digital equivalent of the case of having both locks on the door – but with one vital difference: the passcode on the combination lock changes every few seconds! Imagine now to get into the building, we have to have both the key (password) and the one time code for the combination lock.


So with standard authentication, to access an online account we just need a key (the password), but with Two Step Authentication, we need both the key and the one-time only passcode.

Most of the bigger companies provide “Two Factor Authentication” for free and you may already be using it. Gmail, LinkedIn, Facebook, Twitter all have this as an option and if you are using these for business you really should have this protection turned on. These work by sending the passcode via SMS/Text message direct to your mobile phone or via an App installed on your phone, after you’ve entered your password. Receiving passcodes via SMS/Text message can also be useful as an alerting system, because if someone steals your password and then tries to access your account, this will trigger a passcode to still be sent to your phone. Therefore you immediately know if your password has been compromised. If you receive a code when you are not expecting it, you know you need to change your password, not just on the account which alerted you, but on all and every online account for which you use the same password.

Many accounts can also be integrated with the Google Authenticator app, which can be found at:

Android: https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2&hl=en

Apple: https://itunes.apple.com/gb/app/google-authenticator/id388497605?mt=8

This app is worth serious consideration, if you are not using it already.

For some online banking systems, you might be provided with an individual app which works similarly to Google Authenticator, or even with a small physical device, usually resembling a small calculator or a key fob, with a digital screen which displays the passcode.

Thanks to Gary Sharpe for his editorial assistance.

 



IT Security Explained: Phishing.


In this, my new series of blog posts, it is my aim to make IT Security issues accessible to all. A kind of “…. For Dummies” series. I hope these are useful and that they will be helpful to business users in particular.

We begin with “Phishing”.

Phishing is a term which is a play on the word “fishing” – the analogy holds well. The “hackers” (fishermen) cast their line and nets (typically by sending mass email) into their online “ponds” of large email lists where their prey await (unwitting online users). These emails sound enticing to some and like a trout fisherman’s fly or pike fisherman’s lure, they appear to the targets to be to all intents and purposes something they are not. Beware: for they hide a very barbed hook.

These cyber attacks usually work as follows: the email contains a link or button which it tries to entice you to click. Clicking on the link takes you to a website which is usually a pretty good copy of a legitimate website, asking you, for example, to verify your account information. When you enter your account details and password, this information is recorded on the fake site and then the hackers have it. They may use it to log into your account on the legitimate site which they copied. Worse still, they can then potentially access other accounts where you use the same login details. Indeed, these days virtually all our accounts are online and, instead of having different passwords and user names for each, it is all too tempting to use the same details across many accounts. So if a Phishing attack is successful, you often don’t only give them access to one account: they will try the same details with multiple sites. For example, if you have an eBay account and you inadvertently release your password to a Phishing scam, they may now also have access to your email, Amazon, Apple, Google, bank account, etc., if you have not protected yourself by having different login details for each account or, at the very minimum, enabled “two-factor authentication” (covered in a future post).

As an example, in 2003 a successful phishing campaign was conducted against eBay customers. Millions of emails were sent out to potential eBay customers stating that they needed to verify their details immediately or their account would be suspended, and thousands if not millions of people clicked the link and gave their details away. That same year the U.S. government reported that 9.9 Million U.S. residents were the victims of “Identity Theft” (to be covered in a future post); the cost to businesses was $48 Billion and the cost to customers $5.5 Billion.

Something else that can occur when you click on one of these links is that software created by the attackers can be downloaded onto your computer and can sit in the background without your knowledge. This software can have almost endless capabilities, anywhere from recording every key press (this can also capture your login details for everything you log in to) to giving full remote control of your computer to an attacker – allowing the attacker to use your computer as if he/she was sitting at the keyboard.

I am aware of many companies that have been compromised in this way.

What to Do?

If you receive an email or text message purporting to be associated with one of your accounts, do not ever click on any links. Instead, go to your browser and browse to the actual website of the company referred to in the message, not through URLs contained in the email but by internet searching for the company’s official web page. Find the section that refers to Phishing and Scams (most reputable companies have details of the latest phishing scams as well as an email address where you can forward the message that you have received). Also check the company’s email policies – many will say “we will never ask for your details by email”, for example. If you are still concerned about your account, contact the company directly using the contact information provided on their website. I strongly recommend that you do forward the information on to the company, as they will use the information from the message you received to help protect other customers and as potential evidence when/if they manage to track down the attackers.

In summary: read the message received carefully and, if it is encouraging you to click on a link, verify it with the company before you do. Make it part of your online routine to keep checking the scams page of companies that you use often. This will also help you to grow more familiar with the types of emails in circulation and help you more quickly recognize Phishing scams and suspicious messages when they arrive. Indeed, there is rarely any reason for clicking directly on a link in an email, and if there is any doubt, it is advisable not to do so.

If you found this informative or useful, as my first go at this I would appreciate it if you would share it.

Thanks to Gary Sharpe for his editorial assistance.