Cyber Crime Just Got More Expensive

March 1st, 2010

In a previous post, we outlined the potential costs to a business experiencing a data breach (e.g. a cyber criminal steals customers’ login credentials and then uses those credentials to commit fraud on the targeted site; outcome: $2M to $22M in total costs to the targeted business!).

Now there’s a new cost to add to the equation: legal fees.  Bank Information Security reported on a lawsuit by EMI (a metal supplies company) against Comerica Bank alleging that Comerica’s two-factor authentication system was subverted through Comerica’s own fault, resulting in EMI losing $550k through fraudulent wire transfers out of its account by cyber criminals.

Regardless of whether Comerica is found at fault, the legal fees from just one breach will be substantial.  And given the rise in cyber crime targeting financial services, the incidence of lawsuits (and their associated costs) is likely to climb.  Indeed, as reported in Computerworld, there has been a rash of lawsuits filed against banks alleging that inadequate security measures enabled cyber criminal activity.  More lawsuits will, of course, lead to higher insurance rates for banks (e.g. Errors and Omissions coverage), which in turn will lead to higher bank fees.

Competition Between the Bad Guys: “inter-cyber-criminal gang war”

February 25th, 2010

As recently announced by Symantec, and subsequently covered by Softpedia, there’s an interesting development in the world of malicious botnets: competition.  Zeus is malware that has been a raging success for bank-targeted cyber crime.  It now faces a competitor by the name of SpyEye.

Alongside the now-ubiquitous keyloggers (which let cyber criminals steal your login credentials, i.e. “credentials theft”), a new feature of the SpyEye botnet toolkit is a “Zeus Killer”.  In other words, just like the old days when “slammers” used to move you from one long-distance telephone company to another (without your permission), the makers of SpyEye will slam you from the Zeus botnet to SpyEye’s botnet.  How nice.

This is certainly the first of many tit-for-tat salvos among competing malware developers.  So not only is there money to be made in cyber crime; there’s so much money in this “industry” that it is attracting new entrants.  How very nice.

So what can you do?  Well, as mentioned in our previous post, it’s time for some help from law-making and law enforcement agencies to remove the root cause.  Until then, protecting yourself with technology is your best bet: best practices and processes to ensure you don’t create issues in the first place (e.g. ISO 27002), preventative technology measures to avoid falling prey to malware (e.g. Cernious’ “in use” data protection software), and thorough system auditing and cleansing (e.g. as offered by traditional AV companies like McAfee).

Time for a New (Cyber) Sheriff

February 23rd, 2010

Last week I attended an IT Security trade show during which Elan Winkler (Director, Marketing at McAfee Enterprise Security) spoke on Operation Aurora.  It was full of fear, uncertainty, and doubt (i.e. high FUD factor).

And, despite the fact that I know this stuff already, her speech worked in spades: the summary scared the you-know-what out of me.  The skill and tactics used in this cyber attack would be impressive enough on their own, were it not for one key conclusion: the experts believe Aurora to be merely a test, a beta, if you will, of something that will be better, greater in scope, and worth paying attention to.

I feel like the Internet is becoming just like how NYC was viewed back in the 70s and 80s: No place is safe, you can be robbed at any corner.  Only now you can be robbed without knowing it until much later.  I guess there’s solace in knowing there are no deadly weapons involved.

And just like Giuliani came in to clean things up in NYC, it seems like it’s time for a legal entity to step up and take on the organizations at the root of all this crime.  Everybody I’ve spoken with raises the same concerns regarding jurisdiction: legal jurisdictions, country jurisdictions, technical jurisdictions.  But just because the problem is hard doesn’t mean it’s unsolvable.  Technology can only take us so far.  The root cause is bad people.

Layering: It’s Not Just for Winter Sports

February 10th, 2010

I live in an area replete with winter activities (ski areas, back-country snowmobiling, ice climbing, etc.) and one key safety rule is layering: wearing the right kind of layers to protect yourself from the elements (cold, wind, moisture, and the like).  Implicit is the understanding that no single layer will protect you from everything.  For instance, a rain slicker may keep you dry but won’t insulate you from the cold.  Further, if that single layer fails, you could be in serious trouble in a very short amount of time.  Imagine if your down coat got soaked while you were at the top of the mountain at the height of a snow storm; you’d be in real danger of frostbite within minutes.

IT security works the same way: in layers.  Each layer protects businesses from specific threats, and there is no single solution that can mitigate every threat; nor would you want to rely on one single solution, since it might fail and leave the business exposed to significant financial impact.

The industry learned yesterday that one of its strongest security solutions yet, the Trusted Platform Module (TPM), was successfully hacked.  To be fair, it took a fair amount of effort and ingenuity (a physical, invasive attack on the chip itself with lab equipment, not a remote exploit), but it shows how reliance on any single layer is a poor decision.

Likewise, leaving certain problems unaddressed makes businesses easy prey for cyber criminals.  To wit: protecting “in use” data, the data you see on your screen or interact with via your keyboard.  As we’ve mentioned several times, our colleagues at Cernious have developed a truly innovative way to protect the data you see on your screen from being stolen in real time.  It’s a new layer of security that the industry desperately needs.

We Have Seen the Enemy…

February 1st, 2010

Jack Goldsmith, a Harvard Law School professor and member of the Hoover Institution’s Task Force on National Security and Law, wrote an article for today’s Washington Post asking the question: “Can we stop the global cyber arms race?”

He points out that, disturbingly, rather than being attacked only by unseen enemies in far-off places, many such attacks are conducted from within our own borders by our own machines: yours, mine, pretty much everybody’s.

“The United States has the most, or nearly the most, infected botnet computers and is thus the country from which a good chunk of botnet attacks stem…and the number of dangerous botnet attacks from America grows.”

We have seen the enemy, and the enemy is us.

Two-Factor Authentication Fails to Authenticate

January 5th, 2010

It’s an unfortunate fact: the industry’s best authentication measure, two-factor authentication, is now being defeated again and again.

As summarized in the recent article Hackers Conquer Two-Factor Authentication from the IT security portal Information Security Resources, regardless of the measure employed (tokens, chip cards, or biometrics), every strong authentication tactic is being defeated.  Even out-of-band authentication such as phone calls can be compromised.  Note that the attackers are not breaking the second factor itself: a trojan on the customer’s PC captures or relays whatever the customer types, and the bank sees a perfectly valid login.

Gartner suggests businesses use more intelligent fraud detection tactics, but offers nothing to protect end users from the bots residing on their PCs.  And yet the most prevalent tactic used to steal credentials is the keylogger:

In many cases the cybercriminals have been successful in planting keystroke logging Trojan horse programs on the computers used by employees to conduct online banking on behalf of their companies.

Empowering end users with software, delivered as a web service, that eludes this type of credential theft and the rewriting of sensitive data in flight (in-use data protection) is also warranted and prudent.  Bots can’t steal what bots can’t see: businesses can, in fact, stop credential theft at the point where the theft is occurring in the first place.
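The mechanics behind the article’s claim are worth seeing in code.  The following is an added example, not code from the post or from any vendor mentioned on this page.  It assumes a hypothetical bank server that verifies RFC 6238 TOTP codes (30-second step, replay protection) and a keylogging trojan that forwards the customer’s password and one-time code, in real time, to a criminal who submits them first from another machine with the wire destination rewritten.  It then shows one well-known countermeasure, binding the one-time code to the transaction details (a simplified form of transaction signing, not the RFC 6287 OCRA algorithm), so that a relayed code cannot authorise a different wire.  All secrets, accounts and amounts are constructed.

```python
"""Relayed one-time passwords vs. transaction-bound one-time passwords.

Added example for the Bot-Watch.com post above; not the post's own code.
Hypothetical server, token, and trojan; the shared secret and account
identifiers are constructed for the demonstration.
"""
import hashlib
import hmac
import struct

SECRET = b"constructed-shared-secret-1234"   # constructed; enrolled in the token
STEP = 30                                    # TOTP time step in seconds
PASSWORD = "hunter2"                         # constructed customer password


def totp(secret: bytes, t: int, step: int = STEP, digits: int = 6,
         extra: bytes = b"") -> str:
    """RFC 6238 TOTP over HMAC-SHA1.  `extra` is an illustrative extension:
    when non-empty it mixes transaction details into the MAC input so the
    code is only valid for that exact transaction (simplified, not OCRA)."""
    counter = struct.pack(">Q", t // step)
    mac = hmac.new(secret, counter + extra, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class BankServer:
    """Verifies password + one-time code before releasing a wire transfer."""

    def __init__(self, secret: bytes, bind_otp_to_transaction: bool):
        self.secret = secret
        self.bind = bind_otp_to_transaction
        self.used_codes = set()   # (time step, bound data) already accepted

    def _verify_code(self, code: str, now: int, extra: bytes) -> bool:
        # Accept the current step and the previous one (clock skew);
        # reject any code that has already been accepted (replay).
        for step_time in (now, now - STEP):
            expected = totp(self.secret, step_time, extra=extra)
            if hmac.compare_digest(expected, code):
                key = (step_time // STEP, extra)
                if key in self.used_codes:
                    return False
                self.used_codes.add(key)
                return True
        return False

    def wire(self, password: str, code: str, dest: str, amount: int,
             now: int) -> bool:
        if password != PASSWORD:
            return False
        # With binding enabled, the server recomputes the code over the
        # destination and amount it was actually asked to move money to.
        extra = f"{dest}:{amount}".encode() if self.bind else b""
        return self._verify_code(code, now, extra)


def simulate(bind: bool) -> tuple:
    """Returns (criminal_succeeded, customer_succeeded)."""
    now = 1_700_000_000                       # fixed clock for determinism
    customer_dest, amount = "ACCT-PAYROLL-0001", 550_000   # constructed
    mule_dest = "ACCT-MULE-0001"                            # constructed

    # What the customer's token displays.  In the bound case the token is a
    # separate device into which the customer keyed the destination and amount.
    extra = f"{customer_dest}:{amount}".encode() if bind else b""
    typed_code = totp(SECRET, now, extra=extra)

    server = BankServer(SECRET, bind_otp_to_transaction=bind)

    # The trojan forwards the password and code as they are typed; the
    # criminal submits first, a couple of seconds later, to a mule account.
    criminal_ok = server.wire(PASSWORD, typed_code, mule_dest, amount, now + 2)
    # The customer's own submission arrives afterwards.
    customer_ok = server.wire(PASSWORD, typed_code, customer_dest, amount, now + 5)
    return criminal_ok, customer_ok


if __name__ == "__main__":
    print("plain TOTP   (criminal, customer):", simulate(bind=False))
    print("bound TOTP   (criminal, customer):", simulate(bind=True))
```

With a plain time-based code the criminal’s relayed submission is accepted and the customer’s own request is rejected as a replay, which is exactly the “valid login, fraudulent wire” pattern the article describes.  With the code bound to the destination and amount, the relayed code fails for the mule account and only the customer’s intended wire goes through.  The caveat: this only helps if the customer keys the transaction details into a device the malware does not control and checks what that device shows; if the infected PC is the only thing displaying what is being signed, the trojan can still swap the details before the customer sees them.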

Humans Invoking Bots Invoking Humans

December 14th, 2009

A blog we follow, Last Watchdog, posted an article about a variant of the Koobface worm that forces people with infected computers to fill out a CAPTCHA (which, to the end user, does pretty much nothing except waste his or her time).  In fact, the worm is surreptitiously creating Facebook accounts and presenting the account-registration CAPTCHA (required as part of Facebook’s registration process) to the person with the infected computer.  The person answers the CAPTCHA and the account registration completes.

It’s an (unfortunate, albeit creative) example of how hackers create and distribute bots (Koobface) that then quietly enlist the capabilities of unsuspecting humans to complete a set of tasks useful to the criminals.

However, it’s really not that original.  It’s what reCAPTCHA (now part of Google) does: those horribly difficult-to-read CAPTCHAs are actually scanned images of words from publications like the New York Times that OCR could not decipher (read more here).  The difference, of course, is that the Koobface authors are making an illicit profit.

Data Theft: The (Gift) That Keeps on (Giving)

December 7th, 2009

CNN.com had an article today describing the absolutely depressing turmoil experienced by a couple whose identity was stolen.

And we’re not talking about a week of harried calls to banks and credit card companies to cancel accounts and the like: this poor couple is dealing with THIRTEEN YEARS of serial fraudulent activity due to just one theft of personally identifying information, or PII (specifically, their Social Security numbers).

For individuals experiencing such theft, the costs can range from brief angst (as they resolve issues quickly) to years of headaches and poor credit ratings.  In this couple’s case, they even had to seek counseling (and no wonder — the “gift” of ID theft just kept giving, and giving, and giving).

Should businesses take any proactive steps to help such individuals avoid these problems?  After all, it’s the responsibility of the end user to protect his or her PII, right?

Of course not: if your business deals with individuals online, and somehow bungles the security of key data or the integrity of required security processes (like, say, protecting login credentials during the login process), that business will likely (and very quickly) receive the “gift” of a data breach.  The cyber thieves will log in and take what they can from the business, especially customers’ PII.

According to Forrester, the value of that “gift” ranges from $90 to $305 per stolen record.  Based on statistics from Verizon and Forrester, typical breaches range from 30k to 188k records stolen.  Thus a business, your business, can lose anywhere from $2M to $22M in a single caper.

And this “gift” just keeps giving: post-breach customer churn jumps upwards by as much as 6.5% according to the Ponemon Institute.

Part of understanding the solution to this vexing issue is understanding how the crimes are committed in the first place.  In a subsequent article, we will go through the different methods by which bots carry out such gift-giving…er…theft.

Welcome Back!

December 3rd, 2009

Welcome (back) to our blog! While Bot-Watch.com has been around for a while, we have re-launched our efforts to provide a broader base of content. Our focus will continue to be cyber crime, more specifically bot-initiated cyber crime, and what the industry is (and should be) doing to fight the battle.

Articles written by the Bot-Watch.com staff will focus on a wide array of areas, including:

  • opinions and commentary on industry trends, headlines
  • business impact of cyber crime and bot activity
  • technical evaluations of entrenched and emerging industry solutions
  • gaps and challenges in the market place

In addition, we will diversify the content on the site so we can be a clearinghouse of information. Specifically, you will find:

  • industry experts in the form of guest opinions, commentary, blog feeds
  • headlines, news from various sources
  • relevant industry and vendor announcements

We welcome your suggestions on additional sources of relevant information as well as your comments.

Sincerely,
The Bot-Watch.com Team

Jason Koziol, Bot-Watch.com Founder
Anthony Koziol, Bot-Watch.com Founder
Tim Brown, Bot-Watch.com Managing Editor