The state of international co-operation on cybercrime

June 23rd, 2010

Last week’s Tallinn conference was the latest in a series of international gatherings to discuss cybercrime. Unfortunately, although international cooperation is an essential element in defeating cybercrime, these discussions have so far been unable to find an actionable agreement.

Yes, treaties have been signed and in some cases, ratified, but what use are these documents if they don’t produce results? In our new paper, The state of international co-operation on cybercrime, we explore what has been done to create an international response to cybercrime and look at what is still left to be done.

Clearly, it will take quite a while for nations to agree on and implement an international strategy to fight cybercrime. It could even end up being a private sector initiative – consumers need protecting and businesses don’t have the same diplomatic worries that governments do.

But it’s imperative that governments keep working together to find a solution in the interim. With the UK now responsible for almost six per cent of the world’s viruses and receiving more than its fair share of malware, it’s obvious that finding an international solution to the problem should be one of the new British Government’s number one priorities.

Meanwhile, the IT industry will keep developing defences against the increasingly varied attack vectors, and trainers will endeavour to spread the word on security to users. In parallel, however, governments need to keep trying to find some form of agreement that will enable them to fight this menace together.

Twitter spam

June 16th, 2010

Twitter users are no strangers to receiving spam tweets about trending topics, but spammers are becoming more sophisticated. As reported by TechCrunch, Twitter users are starting to get spam that gives them an @ mention and tells them to watch or read something.

This method takes advantage of the fact that Twitter users love being mentioned in a tweet and will naturally want to see what they’re being referred to. It also relies on shortened URLs to hide the true URL being promoted.

Unfortunately, we’re all going to come into contact with some questionable characters from time to time, both in the real and virtual world. Of course, it can be harder to judge people online, without the usual audio and visual cues that we depend on. We’re also likely to have more encounters of this kind online, due to the sheer amount of interaction that takes place there.

If someone you’ve never tweeted before, and that you don’t follow, sends you a link via Twitter, keep in mind that this person is a stranger and that by clicking on the link you are effectively welcoming them into your home (for home read computer). Take precautions to try and protect against tricks as you would when meeting a stranger.

If you use Firefox, run ‘NoScript’ on a website until you trust it, and employ similar means on IE and Chrome. Ensure that your operating system, browser and anti-malware software are installed and have the latest updates.

Don’t forget, if you receive a suspicious tweet you can always block and report the user for spam.

A guide on how to use Twitter securely can be downloaded free from the Network Box website.

Police site attacked

June 9th, 2010

It was with more than a little concern that I read about Monday’s attack on the Strathclyde Police website. Sadly, attacks on websites have become all too common, but what really grabbed my attention was the statement released by the Police which highlighted a level of naivety I did not expect from the police.

As reported in The Drum:

“They ruled out viruses as the cause and said that no one who had logged onto the site, would have put their computer at risk.”

Perhaps they intended to say that they trust their employees, that they are well trained and educated about current internet threats. But this completely ignores the fact that most people don’t willingly download viruses and Trojans onto their computers; they are tricked into doing so and frequently have no idea that they are infected.

Then there are the passwords to consider. I remember a case around 20 years ago where a Police force were securing their systems with the password ‘police’. Of course, one would expect people, especially the Police, to be far savvier these days, but weak passwords are endemic and maybe someone just did not take care. As we’ve advised before, it’s important that people change their passwords regularly, using a mixture of upper and lowercase letters, numbers and symbols rather than dictionary words or anything that would be easy to guess.

I’d also be careful about pinpointing blame. It’s unclear why China has been pinpointed as the source of the attack, but it could be anyone pointing links at a server in a country that is, perhaps, just a little slower than others in taking down servers that host malware.

Taking the website down whilst they investigate the cause of the breach is obviously the best response. It’s likely that this was some kind of SQL injection or cross-site scripting attack and until that error is found, the site remains vulnerable.

The one thing that is clear from this is that adequate security was not in place at the time of the attack, and that is something that will need to be remedied before the site goes back online.

UK producing more internet viruses as Russian levels decline

June 1st, 2010

Our May threat statistics are out and show that the UK is now responsible for almost six per cent of the world’s internet viruses (production is up from 3 per cent in April). This makes the UK the third largest producer of viruses after Korea (at over 16 per cent) and the US (at almost 12 per cent).

This growth in the UK suggests that end users in the UK are not being careful and are either visiting malicious sites or running executable attachments to their emails. It also suggests that they are not installing good anti-virus software, which is probably the most vital step in defending themselves. It should be kept in mind that if a computer is sending out viruses, it is ‘owned’ by the hacker who is running the virus and may also be running software to find passwords and credit card details.

Russia has seen a decline in virus production, which may be as a result of PROXIEZ-NET being taken down, but we shouldn’t assume that this trend will last. As we saw with the McColo shutdown in 2008, cyber-criminals tend to bounce back from these setbacks quickly.

“Tabnapping” and what you can do to prevent it

May 26th, 2010

Tabbed browsing has been around for quite a while now, allowing users to switch between dozens of websites whilst keeping the task bar clutter free. One 2009 study discovered that users switch tabs at least 57.4% of the time, with 36% of users opening new tabs for search engine use.

It’s become common practice for internet users to login to several websites at once using the tab method. A recent study of Firefox users by Mozilla revealed the following reasons for using tabbed browsing:

- To act as a reminder to do something later
- Opening many document/search links at once
- As a substitute for the back button
- Keeping frequently used sites open
- Temporary bookmarks

The study also found that an average of 73.3% of tab switches were revisits.

All of this would simply be an interesting way of looking at internet browsing if it weren’t for one small detail. Cyber-criminals are exploiting the system.

During a typical day in the office, you may have several applications that require a login open at once. Let’s say you have Google, LinkedIn, Twitter, BBC News and Amazon open. You’re in the middle of looking for something on Amazon, when someone asks you to find an article for them, so you switch to Google and carry out a search. After a while, you switch back to Amazon and are confronted not with the page you were previously on, but with the login page. No problem, you’ve obviously just been kicked out of the site and just need to log back in. That’s what many would assume, and that is the assumption that phishers are playing on.

“Tabnapping”, as it’s being called, is where a hacker uses JavaScript to manipulate one of your inactive tabs so that when you return to it, you’re on a fake login page rather than the one you’d left it on. Unless you check the URL, you may not realise that the page is a fake, or that your online bank was your last tab, but is now the second. The fake page may even display a message saying that your session has timed out. Aza Raskin of Mozilla demonstrates just how easy it is to hack the tab and fool the unwitting user. (You can also find out more about the problem, and test it out for yourself over at his blog).

So, what can the user do? Normally, I would recommend installing NoScript on Firefox to prevent unauthorised JavaScript from running on your computer, but that won’t help in this case. Aspects of users’ behaviour need to change as well. Users should keep the number of tabs open to a minimum; always check that the URL matches the site before entering any login, financial or identity information; and if in doubt, close the tab and navigate to the page again.
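The URL check recommended above can be written down as a precise rule. The JavaScript below is an added example, not part of the original post; the function name `checkLoginUrl` and the host names `shop.example` and `evil.test` are constructed for illustration.

```javascript
// Added example: decide whether a URL really belongs to the site you expect
// before typing credentials into it. All host names used here are constructed.
function checkLoginUrl(urlString, expectedHost) {
  let url;
  try {
    url = new URL(urlString); // standard WHATWG URL parser (browsers and Node.js)
  } catch (e) {
    return { ok: false, reason: "not a valid URL" };
  }
  if (url.protocol !== "https:") {
    return { ok: false, reason: "not served over https" };
  }
  // Anything before '@' is user info, not the host:
  // https://shop.example@evil.test/ is a page on evil.test.
  if (url.username !== "" || url.password !== "") {
    return { ok: false, reason: "user info in URL hides the real host" };
  }
  // Normalise case and drop the optional trailing dot of a fully qualified name.
  const host = url.hostname.toLowerCase().replace(/\.$/, "");
  const expected = expectedHost.toLowerCase();
  // Internationalised names appear in their xn-- form after parsing;
  // treat them as possible look-alikes of the expected name.
  if (host.split(".").some((label) => label.startsWith("xn--"))) {
    return { ok: false, reason: "punycode host, possible look-alike" };
  }
  // Accept the exact host or a true subdomain only. The leading dot matters:
  // a plain suffix test would also accept "notshop.example".
  if (host === expected || host.endsWith("." + expected)) {
    return { ok: true, reason: "host matches " + expected };
  }
  return { ok: false, reason: "host is " + host + ", not " + expected };
}

// Constructed sample URLs of the kind a fake "session timed out" page might use.
const samples = [
  "https://www.shop.example/signin",
  "https://shop.example.evil.test/signin",
  "https://shop.example@evil.test/signin",
  "https://notshop.example/signin",
  "http://shop.example/signin",
];
for (const s of samples) {
  const r = checkLoginUrl(s, "shop.example");
  console.log((r.ok ? "OK      " : "REJECT  ") + s + "  (" + r.reason + ")");
}
```

The point of the rule is that the host is read from the right-hand end of the name, which is exactly the part a hurried glance at the address bar tends to skip.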

It’s important to remember that when we fill out online forms and submit login details, we are entrusting our information to an organisation outside our control. It’s not enough just to trust these organisations to protect our data. We need to make sure we do, too.

Data security and the Information Commissioner

May 24th, 2010

This year at InfoSec, a lot of the talk was of the Information Commissioner’s new powers of enforcement that came into play in April. There seems to be confusion from many companies as to what they should do to avoid a data breach, and what the Information Commissioner’s Office would regard as a ‘serious’ breach.

As far as I can tell, it is expected that the ICO will reserve heavy fines for the most serious breaches (for companies that have been lax in their security to start with, or who have deliberately flouted security laws), rather than those who have – through genuine accident – fallen victim to a hacker, for example. Preventative measures that have been put in place to avoid such a breach, and to minimise damage done by it, would seem to stand a company in good stead once the ICO investigates.

I should be really clear here that I am not a lawyer, but at Network Box we do know a thing or two about securing data. So we wanted to do something to help our customers (and anyone else who’s interested) understand what constitutes best practice in security terms. We sought the opinion of James Pickering, a commercial litigation barrister, on interpreting the data protection laws, and combined this with our own security advice, to produce a guide to securing data. This is available free for anyone to download from our website.

The issue is that organisations keep more data for longer than they’ve ever done before. Much of it – customer records, financial information, personal identity details and so on – has intrinsic value to cyber-criminals.

How an organisation might be compromised, and the steps they should take to avoid it, will differ from company to company. But there are some really simple things that all organisations can do. In my view there is just no excuse, for example, for leaving an unprotected and un-passworded laptop on a train; or moving unencrypted, confidential data on a data stick when you should use a secure VPN; or not checking what information is being transferred out of the building over IM. This list could go on.

Feel free to read the guide, and give us feedback. It won’t – and shouldn’t – replace your legal advice, but I hope it will help businesses put good security practice in place that will help them avoid a security disaster.

PROXIEZ-NET taken offline

May 18th, 2010

Russian internet host PROXIEZ-NET has been taken offline, according to reports from the BBC.

Popular with cyber gangs, PROXIEZ-NET had advertised itself as being impossible to shut down, but as we have seen with the McColo shutdown in November 2008, it is possible and it does make it harder for criminals to find a place to host their server.

However, it does not mean that the cyber crooks won’t be back up and running in fairly swift order. We saw a dramatic fall in spam as a result of the McColo shutdown, but levels returned to pre-shutdown highs the following month.

Still, taking the host offline does inconvenience the criminal gangs, and may serve to discourage hosts from obliging criminals. (The cost of the hosting may also go up – which will hopefully drive some of the criminals out of business).

According to our most recent statistics, Russia produces 5.3 per cent of the world’s viruses, 3.2 per cent of spam, and is responsible for 7.7 per cent of the world’s intrusions. As PROXIEZ-NET was one of the more popular hosts for cyber gangs, these figures look set to fall – at least for now.

Securing Car Dealerships

May 14th, 2010

Car dealerships are using increasingly sophisticated technology both to secure their vehicles from theft and delinquency, and to communicate with customers and suppliers. More and more sensitive data is now being stored on systems that can make the company liable under the new powers of the Information Commissioner’s Office. Something as simple as not changing a password when an employee is fired can cause a breach in the security of customer and corporate data, which can lead to a fine or in extreme cases a jail sentence of up to two years! There is no question, IT security is set to become as much of an issue for car dealerships across the country as for any other businesses that hold customer data.

The issues facing car dealerships are interesting and increasingly complex. Often IT just isn’t high up on the agenda. As manufacturers put their manuals online, dealerships face not just bandwidth issues but also routing and security issues: they must ensure that their connections to third party suppliers (of parts, for example) or head offices do not act as backdoors for viruses or hackers.

We have experience of working with various dealerships across the country, and from this experience we’ve published a free guide describing the unique challenges and security threats that car dealerships face and detailing how they can increase security measures to combat them. Dealerships looking for more information or help can contact us via our website.

InfoSec: Personal Impressions

May 4th, 2010

It is always so difficult to judge the success or failure of a show. You put a lot of time and effort into choosing the right presence, the design and building of a stand, how many people to man it, what events to throw, who to invite and the list goes on. Obviously, it is important to have a place to meet customers and to be able to talk about the future. Being able to raise awareness and just to promote the brand is recognised as helping the bottom line of selling the product. However, it is interesting that a number of big names, BT and Microsoft amongst them, decided that InfoSec was not for them. So perhaps all the effort did not result in sufficient branding, awareness and sales in previous years.

Personally, I find it interesting to get round the various manufacturers and see what they are focusing on. I expected to see more web 2.0, but the show seemed more focused on regulation, though this might just be my anecdotal experience. I also find the smaller vendors of interest, as you see new products that the established vendors have not put forward; perhaps they did not think of them or maybe they cannot see sufficient return, but they can be of interest.

Not so sure about the discussions and talks, but I did find the discussion on compliance on Thursday lunchtime particularly interesting. It is an area that most companies will have to address, yet few really understand the implications or what they need to do. Unfortunately, it is an area that will be of particular interest to lawyers, and the case law that is being established seems to be getting particularly detailed. Stuart Room, one of the panelists, gave an example of a company doing the right thing by encrypting all their laptops, but one was stolen whilst waiting to be encrypted in the lab. The resulting recommendation was that all laptops must be secured to the desk through the use of a security cable to the USS (Universal Security Slot). The solution may not be great, but what is of concern is the specific nature of the recommendation.

So was InfoSec worth the effort? Well, our company made quite a number of contacts and new leads, which is always good. I made a number of contacts too and learnt about issues, so I would say personally I did too, but as ever, we will continue to look at each year as it comes to make sure all that preparation is worth it.

Scareware a hit, according to Google

April 30th, 2010

Google has analysed 240 million web pages over a 13-month period and discovered that fake anti-virus programs account for 15 per cent of malicious software, according to a report by the BBC.

The study expresses surprise that people fall victim to these attacks, and even hand over credit card details. The problem is, scareware doesn’t always come in one easy to recognise form.

Most users should have an up-to-date anti-virus suite on their computers, and so logically they should realise that they don’t need any more protection, but something obviously gets in the way of the user’s thought process when confronted with the dreaded dialogue box.

They don’t know the risk – the user may be from a vulnerable group and easily exploited or they may be completely in the dark about computer security.

Apathy – the user may be at the end of a long day and just want to get on with what they logged on to do – clicking on anything to make the annoying box disappear.

Panic – scareware targets people in the safety and comfort of their own homes, often throwing out alarming warning messages, offering to perform free system scans and bringing back even more alarming results.

Design – most programs aren’t designed to make saying ‘no’ easy. There may be no visible way to close the dialogue box down without clicking on an option. Sometimes the only choice is to close the browser window down completely or use task manager to kill the process, which makes it more difficult to avoid for those who just want to be left alone.

The tendency is to click first and think later, which results in the installation of malware. So if something pops up on the screen that you’re not expecting to be there – don’t click it.