


   ISSUE 57

28 April  2016

Article of the Month Around the World

How to protect yourself against social engineering


According to the FBI, "business email compromise" is rapidly on the rise.

Hardly surprising, given the low-risk, high-reward nature of this kind of crime.

But coupled with the number of personal data records that have been purloined by criminals from healthcare providers, retail outlets and government departments over the past few years, the big question CEOs should be asking is: what can security professionals do about this and how can businesses protect themselves?


Business email compromise - or social engineering - netted cyber fraudsters over US$2.3 billion (A$3 billion) between October 2013 and February of this year. Over 17,000 businesses have been affected so far and attacks have been reported in at least 79 countries.

However, these are only cases the FBI is aware of.

The hard fact is that many cybercrimes go unreported, both in large and small businesses. You might expect that small businesses won't report it, especially where the loss is insignificant, such as a $200 fee to get data back from a successful ransomware attack.

However, big businesses are not reporting either, maybe for fear of public embarrassment or in an attempt to avoid regulatory scrutiny.

Why email compromise?

Over the past five years or so, we've seen many successful hacks remove millions upon millions of records from large companies, such as Target, Sony, the US Office of Personnel Management, Anthem, Talk Talk in the UK, and Kmart and David Jones in Australia.

But these mega hacks are just those that make news. There have literally been tens of thousands of attacks that didn't make the headlines since they weren't as juicy.

Nevertheless, in every case, almost without exception, the thieves were targeting customer data. These massive treasure troves of data are worth a lot of money on the black market. Consider the Anthem attack, where thieves took off with over 80 million healthcare records. Each one of these on the black market is worth around $10.

Even at a significant bulk buy discount, they could have sold that database for big money, potentially to an organised crime syndicate. This leads us to consider not the breach itself, but the use of the data once sold.

Typically, the hacker wants to quickly pass the data onto a buyer. The market is filled with unscrupulous organised crime mobs, terrorists and nation states who would have the funds to buy the data and the intent to use it.

There are so many reasons Anthem's data may have been bought. ID theft is the criminal modus operandi that most people think about, where social security numbers, addresses, names, dates of birth, etc. are used to convince credit companies that the criminal is actually a legitimate citizen, so that they authorise credit agreements for mobile phones, automobiles, new bank accounts etc.

However, business email compromise is another mode of operation that the organised crime mobs may be using these data breaches for. They've got a lot of useful data in those heists to masquerade as a legitimate partner.

"They research employees who manage money and use language specific to the company they are targeting, then they request a wire fraud transfer using dollar amounts that lend legitimacy," the FBI said.

Just imagine how convincing they can be with a few stolen healthcare records, open source research on LinkedIn and a few carefully planned social engineering attacks on the target company.

It's no wonder these highly targeted, blended attacks are on the rise, given the amount of data that is now circulating on the black market, along with what's circulating freely on social media.

What can we do?

Unfortunately, there isn't much you can do about the origins of the attack. That's for law enforcement to coordinate globally, and the threat is real and is getting progressively worse every year. Also, the wealth of information already leaked, along with that available on social media, means targeted social engineering is still by far the best way to attack an organisation.

The only way to protect yourself is to educate staff, especially those in roles that will be targeted, about the nature of this threat. Security awareness training is by far the best control you can put into an organisation to create a culture that is naturally suspicious and willing to challenge.

The second thing to consider is the process you use for release of capital funds. If an email is enough justification to have your payroll send funds to a creditor, charity or partner, then it's time to upgrade the workflow to include additional checks and balances.

Building a couple of phone calls into your process where you check a transaction number or secure passcode would be good. Maybe instigate the use of cryptographic technologies to prove that the originator of the message is who they say they are, based on signing the message with a key that you have provided them.
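
One way to implement the signed payment request described above, as an added example that is not from the original article. It assumes a shared key handed to the partner out of band and uses HMAC-SHA256 as the signing method; the partner name, account numbers, key and field names are constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed demo key; in practice each partner gets its own random key,
# handed over out of band (hypothetical setup, not from the article).
DEMO_KEY = b"constructed-demo-key-do-not-reuse"

def canonical(request):
    """Serialise deterministically so both sides authenticate identical bytes."""
    return json.dumps(request, sort_keys=True, separators=(",", ":")).encode()

def sign_request(key, request):
    """Sender side: HMAC-SHA256 tag over the whole payment request."""
    return hmac.new(key, canonical(request), hashlib.sha256).hexdigest()

class PaymentVerifier:
    """Receiver side: release funds only for authentic, first-seen requests."""
    def __init__(self, partner_keys):
        self.partner_keys = partner_keys
        self.seen = set()  # (partner, transaction_number) pairs already accepted

    def verify(self, partner, request, tag):
        key = self.partner_keys.get(partner)
        if key is None:
            return "reject: unknown partner"
        expected = sign_request(key, request)
        if not hmac.compare_digest(expected.encode(), tag.encode()):
            return "reject: bad signature"
        txn = (partner, request.get("transaction_number"))
        if txn in self.seen:
            return "reject: replayed transaction number"
        self.seen.add(txn)
        return "accept"

def demo():
    verifier = PaymentVerifier({"acme-supplies": DEMO_KEY})
    genuine = {"payee": "Acme Supplies", "account": "111-222-333",
               "amount": "18500.00", "transaction_number": "TX-0001"}
    tag = sign_request(DEMO_KEY, genuine)
    altered = dict(genuine, account="999-888-777")  # account swapped by a fraudster
    return [
        verifier.verify("acme-supplies", genuine, tag),   # authentic
        verifier.verify("acme-supplies", altered, tag),   # tampered
        verifier.verify("acme-supplies", genuine, tag),   # replay
    ]

if __name__ == "__main__":
    print(demo())
```

Because the tag covers every field, an email that copies a genuine request but changes the account number fails verification, and a resent genuine request is caught by the transaction number check.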

There are many ways to increase the security of these kinds of workflows. It's a matter of seeing their inherent weakness today and engaging with an expert who can design the security architecture of the process for you.

Banks do this already. When you request a payment be made from your account to a third party, you use your RSA token plus PIN to authorise, authenticating that the transaction is indeed being set up by the account holder.

A reasonable paper that introduces secure electronic payments systems was published by ISACA back in 2014 and can be found here [pdf]. NIST publishes the best overall guide on creating a security awareness program, which can be found here [pdf].

The reality is that there is certainly enough information, technology and evidence of criminal intent around today that if you are hacked using a simple business email compromise attack, it's really your own fault.

If you are handling the amounts of money we are talking about and believe yourself not to be targeted by criminals, then your head needs to come out of the sand before it's too late.

Tony Campbell www.facebook.com/isaca.srilanka.
Tony Campbell has been a technology and security professional for over two decades, during which time he has worked on dozens of large-scale enterprise security projects, published technical books and worked as a technical editor for Apress Inc.
He was the co-founder of Digital Forensics Magazine prior to developing security training courses for infosec skills.

He now lives and works in Perth, where he maintains a security consulting role with Kinetic IT while continuing to develop training material and working on fiction in his limited spare time.




1. Statistics on the Internet growth in Sri Lanka
2. The Dragon Research Group (DRG)
3. TSUBAME (Internet threat monitoring system) from JPCERT | CC
4. Shadowserver Foundation
5. Team Cymru


Samsam may signal a new trend of targeted ransomware


"...The conventional ways ransomware infects systems is through malicious downloaders distributed through drive-by-downloads and malicious spam emails. Once a user is infected with a malicious downloader, it will download additional malware, which often includes crypto-ransomware. The malicious emails contain a variety of file attachments, which if opened, will download and run one of the many ransomware variants to start the encryption process. Once the files have been encrypted, a ransom payment is demanded of the victim in order to decrypt the files....."

  Judge tosses evidence obtained by FBI malware planted on dark website

'...A US federal judge has thrown out evidence in a child abuse imagery case obtained by the FBI's use of a hacking tool.

Although civil libertarians have praised the judge's ruling to suppress the evidence, the ruling doesn't inhibit the FBI's ability to use so-called "network investigative techniques" (NIT) to plant code (i.e., malware) on a defendant's computer..'



'....A federal agency dedicated to monitoring cellular network traffic was watching last December as calls flooded San Bernardino 911 dispatchers.

Nope, not the National Security Agency or the Federal Communications Commission.

It was the National Coordinating Center for Communications, an obscure part of the Homeland Security Department....'



'....The biggest barrier to maximizing the use of cloud technologies in government has more to do with people than technology, according to Defense Department IT officials.

U.S. Air Force Chief Technology Officer Frank Konieczny said Tuesday the biggest lesson learned in implementing cloud solutions across the Air Force has been the need for culture change..'

25 highest paying companies: Which tech co outranks Google, Facebook and Microsoft?

'...Tech companies dominate Glassdoor's ranking of the highest paying companies in the U.S., snagging 20 of the top 25 spots. But no tech company ranks higher than Juniper Networks, which pays its workers a median total compensation of $157,000......'

Month in Brief
Facebook Incidents Reported to Sri Lanka CERT|CC in March  2016
  Statistics - Sri Lanka CERT|CC

Beware of emails with JavaScript attachments!

'...Malware peddlers are always looking for the next trick to get users to infect their computers. According to Microsoft and other sources, the current latest trick is malicious JavaScript attachments.

The spam campaigns delivering these attachments range from blank emails pretending to deliver business cards and fake "order status" emails, to bank-related and resume-themed spam....'

Researcher develops tool that blocks OS X crypto-ransomware

'...In his spare time, security expert Patrick Wardle (who's also director of R&D at Synack) creates OS X security tools. The latest addition to his collection is RansomWhere?, a tool for foiling OS X crypto-ransomware.

Luckily for Mac users, OS X crypto-ransomware is not at all widespread, and the impact of these threats has been very limited, but Wardle is not satisfied with waiting for crypto-ransomware to become a big problem for Mac users in order to do something....'

Apple's emphasis on security makes ARM-powered Macs 'inevitable'

"...Apple will offer Macs equipped with an ARM processor, the same silicon used in the iPhone and iPad, an analyst said, calling the move "inevitable" because of the company's emphasis on security and encryption...."
Google Fiber planning wireless home Internet where fiber is too pricey

'...Google Fiber is testing a few wireless technologies in an effort to build a wireless home Internet service that would complement its fiber broadband, according to a company executive.

Craig Barratt, a senior vice president at Alphabet who oversees Google Fiber and other projects in the company's Access and Energy division, spoke generally about the plans in an interview with Re/code published today. Though Barratt didn't reveal a timeline or specifics on technology, he said Google Fiber wants to provide fixed wireless Internet to homes where it wouldn't make financial sense to build fiber...."
My video, My first video, Private video: Don't fall for this Facebook scam

"...Not even a week has passed since ESET warned users worldwide about an active Ray-Ban scam campaign on Facebook, which tricks users into sending their payment card details to the attackers. Today we bring you information on yet another malicious activity targeting the world's largest social network...."
TeslaCrypt 4.0 - Unbreakable Encryption and Worse Data Leakage

"...Even with the greater awareness for strong security within organizations - and the high-profile hacks that have contributed to that increased awareness - security executives still encounter significant hurdles in doing their jobs to protect data and systems. Clashes with senior business executives as well as those at lower levels of organizations make it more challenging for CSOs and CISOs to create a secure environment, and yet they continue to happen..."

Notice Board
  Training and Awareness Programmes - April  2016

 No events have been scheduled for April 2016

