Found this simple but cool slide from ASCL Online which explains how easy it is to launch a phishing attack in a very layman terms. I have attached the file for your weekend reading pleasure.
The moral of the case study:
Have a great weekend! Cheers!
Swedish authorities have few leads in their investigation of a massive denial-of-service attack on Thursday that downed about 40 websites belonging to police and media outlets. The attacks flooded media IT development firm Adeprimo with some 400,000 requests per second, compared with the 800 requests that are typical.
Read more.
The Register reported that the FBI and the UK’s Serious and Organised Crime Agency (SOCA) have drawn up a program for dismantling and disrupting cybercrime operations.
The three prong strategy aims to target botnet and malware creators, so-called bullet-proof hosting providers that offer hosting services to cybercrooks, and digital currency exchanges. Digital currency exchanges such as WebMoney and Liberty Reserve are central to the operation of the black economy, according to Andy Auld, head of intelligence at SOCA’s e-crime department.
[…]
The RBN – described as a purpose-built criminal ISP – allegedly paid off local police, judges and government officials in St Petersburg. There were strong indications RBN had the local police, local judiciary and local government in St Petersburg in its pocket. Our investigation hit significant hurdles.
Sounds like a Hollywood movie? Well, we are definitely witnessing the proliferation of cybercrime. I applaud the effort being put together by the likes of FBI and SOCA but this is not good enough. More governments and relevant agencies of the world should come together to combat this and eliminate the safe haven for the cybercriminals.
The US-CCU produced a special report on the Georgian cyber attacks which took place in 2008. The report was supposedly 100 pages long but I only got my hands onto a 9-page report containing the summary of the whole cyber incident. Here is the summary of the summary:
The Nature & Identity of the Cyber Attackers
Methods Used to Attack
The Targets & Effects
Lessons Learnt & Summary
There is an urgent need for nations to establish national CIRTs involving active participation by all the relevant government officials and departments, and the private sectors. These CIRTs must have well-established working relationships with other nation’s CIRTs via a globally coordinated response centre. It is not far-fetched any more to say that cyber-terrorism is just around the corner.
The full executive summary here.
A colleague of my mine introduced me with this website http://www.pipl.com which can search for people. First I thought it was just another search engine. After playing with it, it scared the hell out of me.
The search results are not only from your profiles from social networks such as Facebook and Friendster or any other websites your name might have appeared but also from public records, birth database, names mentioned in reports, documents and etc. It also finds your email addresses and summarizes a quick fact about yourself. Scary.
Pipl.com is not the only one of its kind, there are other people search engines such as spock.com, reunion.com and intelius.com. Intelius is unique because it sells the information for people seeking to do background checks. It also claims that it provides identity theft protection. The type of information Intelius can provide is even scarier – DOB, home value, phone number, criminal check, bankruptcies, relatives, income details, marriage, neighbours and so much more. Oh yes, now I know what my next profession going to be – I want to become a private investigator.
In what claimed to be the largest data-breach and identity-theft case ever prosecuted in the United States, a former Secret Service informant, Gonzales and 10 others were charged in 2008 for network intrusions. The hackers allegedly stole more than 130 million credit and debit card numbers. The actual damage is still unknown and I think it will remain unknown forever.
Jury selection is slated to begin on the 14th September 2009 and they each face a maximum penalty of five years in prison and a possible maximum fine of $250,000 on the computer-fraud count and an additional 30 years and $1 million fine on the wire-fraud count, or twice the amount they gained from the offense, whichever is greater. Malaysia’s Computer Crimes Act 1997 has got plenty to learn from this.
The hackers apparently used attack such as SQL-Injection to break into the networks and planted back doors to provide them with continued access at later dates. Is is also reported that the hackers tested their malware against some 20 different antivirus programs to make sure they wouldn’t be detected, and also programmed the malware to erase evidence from the hacked networks to avoid forensic detection.
To avoid forensic detection? This shows how sophisticated the cybercriminals can be and we thought all these were fictitious.
Read the full story here.
You can check the strentgh of your password with Microsoft’s Password Checker.
I tried so many times and everytime I managed to create only medium strength passwords. I still believe my medium strength passwords are uncrackable. Just for the fun of it I tried until I managed to get a password with the best strength but I bet I can never remember it. So benchmarked against Microsoft’s standard, I guess I will just stick to medium strength passwords.
I have been using a supplementary phone line for the past few months and decided to cancel it last thursday (had enough with carrying two phones around). Below is my experience at the ISP’s branch office.
Firstly, to cancel my supplementary line I was only required to produce my National ID card. That was the only verification needed to cancel the line. No filling up forms and no signatures needed. The guy at the counter did not even make a photocopy of my ID card as a proof of cancellation. If I want to play prank I can just go back there and say I didn’t request for any cancellation and threaten to sue them for the inconveniences they caused me.
Well of course they may go to the extend of reviewing the CCTV footage and etc but that is beside the point. It looks like anybody could just grab another person’s ID card (you may need to at least look a bit similar to the picture on the ID card and trust me that it is quite simple. I have a friend who looks more or less like me and on a passport-size photo you can’t really tell the difference, plus with the long queue the guys at the counter will not have the time to scrutinize the photo). Hey how hard do you think it is for a determined attacker to clone a similar ID card just to mess up someone’s life.
It is obvious that the ISP lacks a change management framework or procedure (as far as line cancellation procedure is concerned, I hope). It has to be mandated that customers need to fill up a form and sign it to provide traceability and non-repudiation.
Secondly, I wanted to pay my bill and one of the staff ushered me to a ATM cash deposit look alike machine and requested me to make my payment there. Again, talk about convenience. I was only required to key in my mobile phone number and I could view the outstanding bill. Isn’t it great, I can now just go to the machine and key in anybody’s mobile phone number to know how much he/she spends monthly on phone bills. What do we call this? Privacy violation?
On the 29th May 2009, the US President gave a wonderful speech at the White House on securing the nation’s cyber infrastructure. Below is the full speech extracted from the White House website:
11:08 A.M. EDT
THE PRESIDENT: Everybody, please be seated. We meet today at a transformational moment — a moment in history when our interconnected world presents us, at once, with great promise but also great peril.
Now, over the past four months my administration has taken decisive steps to seize the promise and confront these perils. We’re working to recover from a global recession while laying a new foundation for lasting prosperity. We’re strengthening our armed forces as they fight two wars, at the same time we’re renewing American leadership to confront unconventional challenges, from nuclear proliferation to terrorism, from climate change to pandemic disease. And we’re bringing to government — and to this White House — unprecedented transparency and accountability and new ways for Americans to participate in their democracy.
But none of this progress would be possible, and none of these 21st century challenges can be fully met, without America’s digital infrastructure — the backbone that underpins a prosperous economy and a strong military and an open and efficient government. Without that foundation we can’t get the job done.
It’s long been said that the revolutions in communications and information technology have given birth to a virtual world. But make no mistake: This world — cyberspace — is a world that we depend on every single day. It’s our hardware and our software, our desktops and laptops and cell phones and Blackberries that have become woven into every aspect of our lives.
It’s the broadband networks beneath us and the wireless signals around us, the local networks in our schools and hospitals and businesses, and the massive grids that power our nation. It’s the classified military and intelligence networks that keep us safe, and the World Wide Web that has made us more interconnected than at any time in human history.
So cyberspace is real. And so are the risks that come with it.
It’s the great irony of our Information Age — the very technologies that empower us to create and to build also empower those who would disrupt and destroy. And this paradox — seen and unseen — is something that we experience every day.
It’s about the privacy and the economic security of American families. We rely on the Internet to pay our bills, to bank, to shop, to file our taxes. But we’ve had to learn a whole new vocabulary just to stay ahead of the cyber criminals who would do us harm — spyware and malware and spoofing and phishing and botnets. Millions of Americans have been victimized, their privacy violated, their identities stolen, their lives upended, and their wallets emptied. According to one survey, in the past two years alone cyber crime has cost Americans more than $8 billion.
I know how it feels to have privacy violated because it has happened to me and the people around me. It’s no secret that my presidential campaign harnessed the Internet and technology to transform our politics. What isn’t widely known is that during the general election hackers managed to penetrate our computer systems. To all of you who donated to our campaign, I want you to all rest assured, our fundraising website was untouched. (Laughter.) So your confidential personal and financial information was protected.
But between August and October, hackers gained access to emails and a range of campaign files, from policy position papers to travel plans. And we worked closely with the CIA — with the FBI and the Secret Service and hired security consultants to restore the security of our systems. It was a powerful reminder: In this Information Age, one of your greatest strengths — in our case, our ability to communicate to a wide range of supporters through the Internet — could also be one of your greatest vulnerabilities.
This is a matter, as well, of America’s economic competitiveness. The small businesswoman in St. Louis, the bond trader in the New York Stock Exchange, the workers at a global shipping company in Memphis, the young entrepreneur in Silicon Valley — they all need the networks to make the next payroll, the next trade, the next delivery, the next great breakthrough. E-commerce alone last year accounted for some $132 billion in retail sales.
But every day we see waves of cyber thieves trolling for sensitive information — the disgruntled employee on the inside, the lone hacker a thousand miles away, organized crime, the industrial spy and, increasingly, foreign intelligence services. In one brazen act last year, thieves used stolen credit card information to steal millions of dollars from 130 ATM machines in 49 cities around the world — and they did it in just 30 minutes. A single employee of an American company was convicted of stealing intellectual property reportedly worth $400 million. It’s been estimated that last year alone cyber criminals stole intellectual property from businesses worldwide worth up to $1 trillion.
In short, America’s economic prosperity in the 21st century will depend on cybersecurity.
And this is also a matter of public safety and national security. We count on computer networks to deliver our oil and gas, our power and our water. We rely on them for public transportation and air traffic control. Yet we know that cyber intruders have probed our electrical grid and that in other countries cyber attacks have plunged entire cities into darkness.
Our technological advantage is a key to America’s military dominance. But our defense and military networks are under constant attack. Al Qaeda and other terrorist groups have spoken of their desire to unleash a cyber attack on our country — attacks that are harder to detect and harder to defend against. Indeed, in today’s world, acts of terror could come not only from a few extremists in suicide vests but from a few key strokes on the computer — a weapon of mass disruption.
In one of the most serious cyber incidents to date against our military networks, several thousand computers were infected last year by malicious software — malware. And while no sensitive information was compromised, our troops and defense personnel had to give up those external memory devices — thumb drives — changing the way they used their computers every day.
And last year we had a glimpse of the future face of war. As Russian tanks rolled into Georgia, cyber attacks crippled Georgian government websites. The terrorists that sowed so much death and destruction in Mumbai relied not only on guns and grenades but also on GPS and phones using voice-over-the-Internet.
For all these reasons, it’s now clear this cyber threat is one of the most serious economic and national security challenges we face as a nation.
It’s also clear that we’re not as prepared as we should be, as a government or as a country. In recent years, some progress has been made at the federal level. But just as we failed in the past to invest in our physical infrastructure — our roads, our bridges and rails — we’ve failed to invest in the security of our digital infrastructure.
No single official oversees cybersecurity policy across the federal government, and no single agency has the responsibility or authority to match the scope and scale of the challenge. Indeed, when it comes to cybersecurity, federal agencies have overlapping missions and don’t coordinate and communicate nearly as well as they should — with each other or with the private sector. We saw this in the disorganized response to Conficker, the Internet “worm” that in recent months has infected millions of computers around the world.
This status quo is no longer acceptable — not when there’s so much at stake. We can and we must do better.
And that’s why shortly after taking office I directed my National Security Council and Homeland Security Council to conduct a top-to-bottom review of the federal government’s efforts to defend our information and communications infrastructure and to recommend the best way to ensure that these networks are able to secure our networks as well as our prosperity.
Our review was open and transparent. I want to acknowledge, Melissa Hathaway, who is here, who is the Acting Senior Director for Cyberspace on our National Security Council, who led the review team, as well as the Center for Strategic and International Studies bipartisan Commission on Cybersecurity, and all who were part of our 60-day review team. They listened to a wide variety of groups, many of which are represented here today and I want to thank for their input: industry and academia, civil liberties and private — privacy advocates. We listened to every level and branch of government — from local to state to federal, civilian, military, homeland as well as intelligence, Congress and international partners, as well. I consulted with my national security teams, my homeland security teams, and my economic advisors.
Today I’m releasing a report on our review, and can announce that my administration will pursue a new comprehensive approach to securing America’s digital infrastructure.
This new approach starts at the top, with this commitment from me: From now on, our digital infrastructure — the networks and computers we depend on every day — will be treated as they should be: as a strategic national asset. Protecting this infrastructure will be a national security priority. We will ensure that these networks are secure, trustworthy and resilient. We will deter, prevent, detect, and defend against attacks and recover quickly from any disruptions or damage.
To give these efforts the high-level focus and attention they deserve — and as part of the new, single National Security Staff announced this week — I’m creating a new office here at the White House that will be led by the Cybersecurity Coordinator. Because of the critical importance of this work, I will personally select this official. I’ll depend on this official in all matters relating to cybersecurity, and this official will have my full support and regular access to me as we confront these challenges.
Today, I want to focus on the important responsibilities this office will fulfill: orchestrating and integrating all cybersecurity policies for the government; working closely with the Office of Management and Budget to ensure agency budgets reflect those priorities; and, in the event of major cyber incident or attack, coordinating our response.
To ensure that federal cyber policies enhance our security and our prosperity, my Cybersecurity Coordinator will be a member of the National Security Staff as well as the staff of my National Economic Council. To ensure that policies keep faith with our fundamental values, this office will also include an official with a portfolio specifically dedicated to safeguarding the privacy and civil liberties of the American people.
There’s much work to be done, and the report we’re releasing today outlines a range of actions that we will pursue in five key areas.
First, working in partnership with the communities represented here today, we will develop a new comprehensive strategy to secure America’s information and communications networks. To ensure a coordinated approach across government, my Cybersecurity Coordinator will work closely with my Chief Technology Officer, Aneesh Chopra, and my Chief Information Officer, Vivek Kundra. To ensure accountability in federal agencies, cybersecurity will be designated as one of my key management priorities. Clear milestones and performances metrics will measure progress. And as we develop our strategy, we will be open and transparent, which is why you’ll find today’s report and a wealth of related information on our Web site, www.whitehouse.gov.
Second, we will work with all the key players — including state and local governments and the private sector — to ensure an organized and unified response to future cyber incidents. Given the enormous damage that can be caused by even a single cyber attack, ad hoc responses will not do. Nor is it sufficient to simply strengthen our defenses after incidents or attacks occur. Just as we do for natural disasters, we have to have plans and resources in place beforehand — sharing information, issuing warnings and ensuring a coordinated response.
Third, we will strengthen the public/private partnerships that are critical to this endeavor. The vast majority of our critical information infrastructure in the United States is owned and operated by the private sector. So let me be very clear: My administration will not dictate security standards for private companies. On the contrary, we will collaborate with industry to find technology solutions that ensure our security and promote prosperity.
Fourth, we will continue to invest in the cutting-edge research and development necessary for the innovation and discovery we need to meet the digital challenges of our time. And that’s why my administration is making major investments in our information infrastructure: laying broadband lines to every corner of America; building a smart electric grid to deliver energy more efficiently; pursuing a next generation of air traffic control systems; and moving to electronic health records, with privacy protections, to reduce costs and save lives.
And finally, we will begin a national campaign to promote cybersecurity awareness and digital literacy from our boardrooms to our classrooms, and to build a digital workforce for the 21st century. And that’s why we’re making a new commitment to education in math and science, and historic investments in science and research and development. Because it’s not enough for our children and students to master today’s technologies — social networking and e-mailing and texting and blogging — we need them to pioneer the technologies that will allow us to work effectively through these new media and allow us to prosper in the future. So these are the things we will do.
Let me also be clear about what we will not do. Our pursuit of cybersecurity will not — I repeat, will not include — monitoring private sector networks or Internet traffic. We will preserve and protect the personal privacy and civil liberties that we cherish as Americans. Indeed, I remain firmly committed to net neutrality so we can keep the Internet as it should be — open and free.
The task I have described will not be easy. Some 1.5 billion people around the world are already online, and more are logging on every day. Groups and governments are sharpening their cyber capabilities. Protecting our prosperity and security in this globalized world is going to be a long, difficult struggle demanding patience and persistence over many years.
But we need to remember: We’re only at the beginning. The epochs of history are long — the Agricultural Revolution; the Industrial Revolution. By comparison, our Information Age is still in its infancy. We’re only at Web 2.0. Now our virtual world is going viral. And we’ve only just begun to explore the next generation of technologies that will transform our lives in ways we can’t even begin to imagine.
So a new world awaits — a world of greater security and greater potential prosperity — if we reach for it, if we lead. So long as I’m President of the United States, we will do just that. And the United States — the nation that invented the Internet, that launched an information revolution, that transformed the world — will do what we did in the 20th century and lead once more in the 21st.
Thank you very much, everybody. Thank you. (Applause.)
END
11:25 A.M. EDT
We are into the 2nd half of the year 2009 and maybe its time for us to spare a moment to reflect the cyber security threats of 2008. SANS Institute posted on its website the 10 most highly ranked cyber security threats for 2008. The list was put together by 12 cyber security experts.
I am just wondering if the attack pattern is still the same. How much has the threat pattern changed in the last 6 months? Have the perpetrators changed their art of war to counter the ever-increasing transborder partnerships in combating cyber threats and left us fighting a meaningless war?
Siva on Information Security 