Here is a blog post from HuntBI associate, Jeffrey Stutzman, CISSP. His post makes me wonder how many corporate networks will be infiltrated by malware when Olympics visitors come home and plug back in. -sh
What happens in Vegas stays in Vegas right?
What happens in China won’t necessarily stay in China.
What do I mean by that? In the Navy there was a sea story. It went something like this…
We pulled into <name your favorite port>. When we pulled in, the Captain came over the 1MC (the general shipboard loudspeaker system) and gave us a country brief. He told us to be careful. He told us that if we got into a fight, to win, and to be careful with the women, always. Sexually transmitted diseases ran wild in many of the ‘sailor ports’. The story I remember talked about how the hospital corpsman onboard the ship would use a Sharpie to put the name of the sailor on the pair of syringes used to rid us of whatever we picked up. The syringes were then stuck into a dartboard in the Chief’s Mess. As the story goes, the dartboard was always full.
So here’s the deal….
Chinese cyber spies WILL steal your stuff! When you get to China and use your computers to access the Internet, you will be monitored, and will almost assuredly download, or be pushed, software that will execute on your computer. This software will sit quietly on your computer, will not be detected by anti-virus or intrusion detection/prevention software, and will likely ‘phone home’, sending your data back to intelligence collectors in China. When you return home, that software will likely spread automatically to other computers that you connect to or communicate with via email or through the web. You will be infected. Be ready for it.
The problem? Antivirus vendors don’t have the syringes to fix you. It’s a sad state, but the protections currently loaded on your computers are designed to protect from the common threats, those that infect everybody. When a specific group of users is targeted (Olympic visitors, for example, or maybe Olympic visitors staying at a specific hotel, or maybe Olympic visitors who work for or represent certain governments or industries), the methods of infection are not always the same. Smart intelligence collection operators won’t use the same tools on everyone. You know why? They don’t WANT antivirus and intrusion prevention vendors to be able to keep up! Even if they are successful 10% of the time, the number of journalists, politicians, and business people entertaining others will easily afford the cyber spies small pieces of information that they can combine with other small pieces of information to eventually put together the pieces of the puzzle: the BIG piece of information.
You should expect this. It shouldn’t come as a surprise.
A recent interview on CNN disclosed publicly (finally!) that over 3500 Chinese front companies exist in the US today solely for the purpose of collecting intelligence. It reported that cyber attacks on the Pentagon (and likely all of DoD) have increased 55% since 2007. References to other Chinese cyber attacks and information gathering run in the thousands on the Internet. A quick Google search for the words “Titan Rain”, the term coined by US Government officials to describe the coordinated information warfare being waged from Chinese sources, yields over four million hits.
Thousands (millions?) of influential people (business managers, politicians, journalists, you name it) have headed to China for the 2008 Summer Games. Don’t be a victim. Don’t allow your home/work networks to be victimized.
Here’s what you can do:
• Think like a spy…
  - Leave your computer(s) at home. If you have to have one, take a clean one (one used only for surfing the web and sending emails).
  - Use anonymous, encrypted email. The best spies never use computers to relay details of their exploits. If you must use a computer, create two anonymous accounts on an encrypted service such as Hushmail, an encrypted, web-based email service that scrambles your email. Use one account to send, and the other to receive. If you must send data to your company from China, give the second account to the intended recipient before leaving the country. Do not send the account and credentials by email. Kill, or abandon, those accounts after you return.
  - Do not under any circumstances divulge your identity in email, even when using encrypted communications. This is a sure-fire way to give others those “small pieces of information” that can later be used to target you when you return home.
  - Never use HTML formatted email. All communications should be formatted as text only. Graphics and other fancy things that make your email sexy also make it very easy to hide viruses and Trojans in your email, those pieces of software that will later be used to send data back to China once you return home.
  - Do not send email directly to a work address. Use the anonymous service. Software may get embedded in your outbound communications. That software will spread once opened by your intended recipient.
  - When you do return home, expect to receive more junk e-mail. Spam, phishing, or spearphishing (targeted phishing) are easy ways to get you back into the collection network by embedding malicious software into HTML formatted messages.
  - Never forward or respond directly to emails received. If you need to respond to something, start with a fresh email, and format it in text only.
  - When you return home, do not, under any circumstances, plug these computers into ANY network without first having them professionally cleaned and reloaded with a fresh version of Windows, or your operating system of choice.
Be safe. Be smart. I really don’t want to hear your IT guy bragging about the number of syringes in his dartboard!
Of all the services for protecting identity, I think Identity Truth has it going on. Trusted ID, Life Lock (Life Crock), or even Experian’s own service just miss the point. Identity is not just about protecting your credit score. Although, that’s what Life Lock would like you to think (spending millions displaying the CEO’s social security number). Life Lock has its troubles as a company too, with several lawsuits, and restrictions from some states and credit companies. The company’s partners are starting to shy away, too, because of fear of being included in the lawsuits.
Identity Truth, the service I use (and reviewed here), focuses on what really matters: protecting my assets, privacy and reputation. The service gives me a measurement of my identity risk. If something has already happened to threaten me, they tell me what they’ve found. If it is a threat for the future, they tell me how bad guys could encroach on my identity. Then they give me a heads up and tell me what to do about it.
Maybe you are just interested in credit score protection. You could call Life Lock, but I look at all that Identity Truth offers, with its dashboard so I can view my data, and realize I get a lot more value for the same price.
Identity Truth is not a client of mine. It’s just one of those rare companies that lives up to its marketing claims.
When my team and I find mismanaged confidential information in a security audit we launch an awareness campaign around trash, recycling, and shredders. Not surprisingly, recycling bins, like dumpsters, are repositories for plenty of corporate secrets.
But bank dumpsters are the worst (or best, if you’re a bad guy). The large bank branches in wealthy neighborhoods attract the most valuable dumpster data of all: personal financial statements of millionaires. You heard right. Dive a dumpster in Lake Forest or Bal Harbour and commandeer the bank accounts of the very rich.
I’ve noticed that ABN Amro and Chase Bank are particularly lax in shredder placement. Private bankers, every night, throw out reams of paper with names, addresses, bank account details, social security numbers, and dates of birth. Even mother’s maiden names are included on documents thrown out in ABN and Chase dumpsters around the US.
Climbing through these dumpsters is usually a crime (if not performed as part of an authorized security audit, of course), since they sit on private property, behind that crooked wooden gate in the parking lot. But I know of more than one Chase Bank branch in wealthy neighborhoods with dumpsters in the alley, that is, in the public
Some communities have laws that inhibit trash picking, but in general, the U.S. Supreme Court protects dumpster diving and trash picking on public property, ostensibly to permit law enforcement to gather evidence without a warrant. You don’t have to be a freegan [a person who chooses to live off food and property retrieved from trash] to see the value of that kind of accessibility. Identity thieves and all-around scum bags can
The personal financial statements of the very wealthy that I mentioned are the documents used to "apply" for high-end personal and business loans, and usually have all the info needed to set up bank-by-phone and an Internet account. After all, the very rich don’t usually do their own banking. Their accountants do it for them the old-fashioned way, by balancing ledgers against monthly statements. That leaves enough time for a bad guy to set up wire transfers, print checks, and connect to a PayPal account.
You bankers out there may want to have your dumpsters inspected and your "shredder culture" assessed before the bad guys do it for you.
Monster.com, the job hunters’ website, has posted a web page and sent a massive email campaign to inform its users of the fraud and other malicious activity occurring on the site. Monster seems to be the fashionable new phishing target, so it posted this page to teach folks how to recognize, and not fall prey to, a phishing attack.
Last year we were all concerned about Sarbanes-Oxley. This year it’s PCI. PCI is shorthand for the Payment Card Industry security standards that apply to any company engaged in processing credit card information. The VISA Cardholder Information Security Program (CISP) is one specific standard in this category. Compliance with these PCI standards is driving all manner of corporate risk management in tens of thousands of US businesses, from online customer-based transactions, to data storage, to document retention.
My buddy, Ben Rothke, just wrote a very intelligent article on the topic in CIO Magazine. The only thing I’d add is that PCI is commonly thought of as an "information" security problem when in fact it has a heavy physical security slant.
There are over twenty specific statements in the PCI requirements that pertain to physical security. For example, you should have video surveillance around sensitive systems and areas where credit card data is handled, physically restrict access to those areas, escort visitors and require rigorous access control, shred hard copies of documents with that data and protect against dumpster diving, etc.
A security executive from a Fortune 1000 company and another from a Fortune 100 recently told me, separately over lunch, that PCI is touching every aspect of their respective security operations: IT security, physical security, privacy, and business continuity. Both executives have found that promoting collaboration between those groups has been the key to meeting PCI requirements. PCI is just one more reason to promote a collaborative convergence attitude in your organization’s security program.
Phishing is an art. Which means you can expect to see everything from masterpieces to scribbles. This one lacks the elegance and polish of most of the phishing mails I get, and the subject header made me
The subject header, including typo, read:
Sing in reminder
The body of the email simply suggested that you log in to your Bank of America account, and provided a link to a website hosted by a guy named Jose Alejandro Bonilla Jaramillo in Medellin, Colombia.
Be sure to sign in to your account regularly, otherwise it may be suspended due to inactivity.
This message was sent to you on behalf of Bank of America.
Ce message a été vérifié par MailScanner pour des virus ou des polluriels et rien de suspect n’a été trouvé. MailScanner remercie transtec pour son soutien.
The sad thing is, he probably hooked hundreds of bozos typing in their credentials. Good work if you can get it…
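The two tells in this lure (a misspelled subject and a "Bank of America" message whose link points somewhere that is not Bank of America) are the kind of thing a mail filter can flag mechanically. The check below is an added example, not code from the blog; the sample message is constructed to resemble the one described, with a documentation-range IP standing in for the real host, and the brand-domain and typo tables are assumed lookups you would maintain yourself.

```python
import re
from email import message_from_string
from email.policy import default
from urllib.parse import urlparse

# Constructed sample resembling the message described in the post.
# The link host is a placeholder (203.0.113.0/24 is reserved for documentation).
SAMPLE_EMAIL = """\
From: "Bank of America" <alerts@example.invalid>
Subject: Sing in reminder
Content-Type: text/plain; charset=us-ascii

Be sure to sign in to your account regularly, otherwise it
may be suspended due to inactivity.

http://203.0.113.10/boa/login

This message was sent to you on behalf of Bank of America.
"""

# Assumed tables: brands you expect to see named, and the domains they own;
# subject-line typos seen in lures, mapped to the phrase they imitate.
BRAND_DOMAINS = {"bank of america": ("bankofamerica.com",)}
COMMON_TYPOS = {"sing in": "sign in"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")

def link_hosts(text):
    """Hostnames of every http(s) URL found in the text."""
    return [urlparse(u).hostname or "" for u in URL_RE.findall(text)]

def belongs_to(host, domains):
    """True if host is one of the domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)

def phishing_indicators(raw):
    """Return the reasons a raw RFC 822 message looks like a credential lure."""
    msg = message_from_string(raw, policy=default)
    subject = (msg["Subject"] or "").lower()
    body = msg.get_body(preferencelist=("plain", "html")).get_content()
    reasons = []
    for typo, fix in COMMON_TYPOS.items():
        if typo in subject:
            reasons.append(f"subject typo: {typo!r} (expected {fix!r})")
    for brand, domains in BRAND_DOMAINS.items():
        if brand in body.lower():
            # A message naming the brand should only link to the brand's domains.
            for host in link_hosts(body):
                if not belongs_to(host, domains):
                    reasons.append(f"claims {brand!r} but links to {host}")
    return reasons
```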