Tuesday, May 26, 2015


Hass and Associates Cyber Security: DDoS attacks in Australia are shorter but bigger

DDoS attackers are using shorter bursts of activity to target servers and systems in a big way, compared with DDoS attacks in the rest of Asia-Pacific.

Arbor Networks' first-quarter Active Threat Level Analysis System (ATLAS) data on distributed denial-of-service (DDoS) attacks showed that Australia had a shorter duration of DDoS attack activity, but that the attacks were larger in scale, compared with the rest of Asia-Pacific.

Arbor Networks found that the attack length in Australia during the first quarter of 2015 was 22 minutes, versus 46 minutes in Asia-Pacific. Nearly all attacks were so short-lived that 96 percent lasted under 1 hour, compared with Asia-Pacific, where 90 percent of attacks lasted under an hour.

However, the average size of DDoS attacks in Australia was 1.25Gbps, roughly twice as large as the average attack recorded in Asia-Pacific.

"Rapid time period of attacks reported in Q1 is interesting. Short bursts of DDoS attack activity require automated defences to safeguard against them," said Nick Race, Australia country manager for Arbor Networks.

"Operators in Australia absolutely should be aware. On-premise DDoS protection is important for detection and mitigation of attacks, enabling bad traffic to be scrubbed in an immediate and automatic fashion."

According to Arbor Networks, attackers used reflection amplification techniques on Network Time Protocol (NTP), Simple Service Discovery Protocol (SSDP), and DNS servers.

In Australia, SSDP topped the list as the most common individual reflection attack in the first quarter, with the largest reported at 26Gbps. However, the largest individual attack was an NTP reflection attack, which was recorded at 51Gbps.




Sunday, May 17, 2015


NuData Security reveals improvements to online fraud detection engine

Software development company NuData Security recently revealed its enhancements to its online fraud detection engine called NuDetect, according to Hass and Associates Cyber Security.

They added new powerful anti-fraud tools, based on continuous behavioral analysis and compiled behavioral biometric data. This enables them to significantly reduce the probability of fraud while also avoiding false positives.

NuDetect's expanded array of behavioral biometric sensors achieves 97 percent accuracy in verifying a user's identity. Its improved user interface acts as an "early warning system" that makes high-risk events easily accessible to security teams. This enhancement allows detection as early as 15 days before a fraud attempt is made, giving the client sufficient time to track, discover and prevent fraudulent transactions.

Institutions that fall victim to fraud are at risk of losing large amounts of money and customers, and of suffering long-term brand damage. To avoid additional damage, NuDetect provides an immediate solution through behavior-based fraud detection, real-time detection and mitigation, faster development, historical context awareness, invisible implementation, and reduced cost and workload.

Furthermore, NuDetect uses behavioral biometrics to greatly improve on traditional device identity and deliver far more intelligence than traditionally available, without interrupting a user's experience. It monitors activity in real time, which allows the client to easily take action against fraud because the system shows fraudsters' intent before they have a chance to penetrate and do damage. It can also be deployed in just a couple of days, so that companies are equipped to defend against fraud as quickly as possible.

NuDetect also uses historical cross-session and cross-cloud behavior patterns stored in the NuData cloud. This provides outstanding accuracy and security from day one. Institutions are able to determine risk and deploy necessary security countermeasures only to the most suspicious actors.

With this platform, more back-end work is completed in advance, therefore lowering institutions' expenses and developer needs. Moreover, these institutions need to do less work to customize how data is sent, further improving deployment time.

It is clear that attackers are becoming more sophisticated at identity theft, so institutions must quickly implement strong fraud detection measures. NuDetect's improved features put highly effective anti-fraud tools into clients' hands. It gives clients a more in-depth view of how fraud attacks function and of the full fraud lifecycle, instead of focusing only on the fraudulent purchase of goods.


NuData Security predicts and prevents online fraud, protecting businesses from brand damage and financial loss caused by fraudulent or malicious attacks. NuData Security analyzes and scores billions of users per year and services some of the largest e-commerce and web properties worldwide.


Tuesday, May 12, 2015


‘Trojan.Laziok’ malware targets energy companies

Malicious software called ‘Trojan.Laziok’ was recently revealed by the researchers of an American technology company called Symantec.

Based on the report of Hass and Associates Cyber Security, the malware is part of an ongoing espionage campaign that targets energy companies worldwide, especially in the Middle East.

Attacks are launched through spam emails from the moneytrans.eu domain. Those emails carry an attached Microsoft Excel file that activates a backdoor, giving the attackers a crucial view into the targeted computer.

The malware collects system data including the name of the computer, CPU and GPU details, installed software, hard disk and RAM size, as well as which antivirus software is installed. Immediately afterwards, it uploads that data to the attackers and then downloads additional malware such as Backdoor.Cyberat and Trojan.Zbot.

Petroleum, gas and helium companies were most often targeted in the United Arab Emirates, Saudi Arabia, Pakistan and Kuwait. Based on a report obtained by Hass and Associates Cyber Security, whoever is behind these attacks may have an intentional interest in the activities of the affected companies.

Attacks rarely happened on energy companies in other countries like India, United Kingdom, and the United States.

Symantec also claims that “the group behind the attack does not seem to be particularly advanced, as they exploited an old vulnerability and use their attack to distribute well-known threats that are available in the underground market.”


The attack is simple and outdated, which clearly shows the importance of frequently updating all software: organizations still fail to follow basic security guidelines, which include updating the software running on a secure system.


Sunday, May 3, 2015


Hewlett-Packard partners with cybersecurity firm FireEye

The prominent cybersecurity firm FireEye, Inc. and tech giant Hewlett-Packard (HP) recently announced a partnership to develop advanced threat protection.

Hass and Associates Cyber Security sees this as part of a coming wave of alliances between small and large tech companies aiming to strengthen their security.

The deal that will expand Milpitas-based FireEye’s reach was announced at the RSA Conference on security that is held in San Francisco.

This year’s conference has 500 exhibitors, compared with 400 last year.

Interest in cybersecurity at the conference has been heightened by the attacks on big companies over the past two years, such as Sony, Target Corporation, JPMorgan Chase, Anthem Inc., and Home Depot.

Dave DeWalt, CEO and Chairman of the Board of FireEye, described the deal as “capability meets scale” during an interview before the announcement.

In addition, the two other alliances announced by HP were cloud security partnerships with Los Angeles-based Securonix and Palo Alto-based Adallom.

Securonix is a provider of a security intelligence platform for monitoring security events. It also identifies and accesses data to detect insider threats and advanced targeted attacks. Adallom is a cloud security firm with research headquarters in Israel.

HP described the alliances as developing an advanced cyber defense emphasizing the protection of users’ interactions, applications and data, rather than the old practice of securing the perimeter, in which data flows were restricted in the interests of security.

Although HP has its own large security team, given the threat level, HP needs FireEye, which has a next-generation security platform.

HP’s own security professionals can now bring in FireEye’s technology and the investigative group from Mandiant.

On December 30, 2013, FireEye acquired Mandiant in a stock and cash deal worth more than $1 billion.

In February 2013, Mandiant rose to prominence when it released a report documenting evidence of cyber-attacks by the Chinese People’s Liberation Army targeting at least 141 organizations in the United States and other English-speaking countries, extending as far back as 2006.

Mandiant’s main services are expensive. However, the deal will bring a co-branded version of its services to smaller companies.

Mike Nefkens, Executive Vice President of HP Enterprise Services, said that the partnership will beef up HP’s security portfolio. HP and FireEye are making it possible for their clients to analyze and improve their defenses before the next attack with the most advanced cybersecurity protection available today.

HP also reaches many regions where FireEye has a smaller presence, including Africa, the Middle East, and Europe.


FireEye also announced a partnership with Israeli security provider Check Point Software Technologies to share threat intelligence to protect customers from modern advanced attacks.


Monday, March 30, 2015


Hass and Associates Cyber Security: Botnets inflate Twitch viewership

With the boom in online streaming these days, it's only expected that people will get creative and game the system to earn more money. In the case of streaming site Twitch — known for its community of gamers — it appears that some of its broadcasters are using botnet-for-hire services to illegally get those "millions" of viewers.

IT security company Symantec released a report last week saying that some websites are openly advertising services that can generate big numbers of viewers on Twitch as well as on other streaming websites. One of the services identified claims to generate 5 separate streams from a single infected PC, with all the streams muted and hidden. Some add-ons for such services could also include automated chats that are programmed to send in comments during the live stream like normal users.

A botnet is made up of internet-connected PCs that are used to carry out a task, so practically any PC can be used for this purpose even without the owner knowing. A PC can be hijacked to covertly perform a task for the attacker in the background and still function as it normally would, lowering the possibility of discovery. Hass and Associates Cyber Security also found that botnets could spread automatically to other legitimate viewers through links in the chat of a stream, for instance. The malware could also make itself look like an update from Google or Adobe to infect a PC.

According to Twitch's report in January, their stats for 2014 include 10,000 partnered channels, 100 million unique viewers every month and 1 million concurrent viewers. While there are partner channels that are operating legitimately, others are fraudulently boosting their viewership numbers in order to become a partner. No surprise there, since becoming a Twitch partner comes with advantages like pre-stream ads and the ability to get donations.

However, they have to get a consistent average of 500 viewers. That's where the botnet-for-hire comes in. Different packages are being offered with options to gain you followers, chatters and live viewers courtesy of bots. One of the service providers claims to give you 40 chatters and 100 viewers for as little as USD 30.

Lionel Payet of Symantec said, "While many broadcasters stream their gameplay online as a hobby, some have managed to turn it into a well-paid full time job. Over the past few years, this business model has grown sharply, so it's unsurprising that scammers are piggybacking on the industry in a parallel underground economy."

A connection between this discovery of botnet use and the security breach last week where stream keys, IP information and user credentials were compromised has yet to be proven, according to Hass and Associates Cyber Security. But as Payet puts it, "If a user's computer is compromised by any malware, then their info is always exposed."

Meanwhile, Twitch has responded with a statement from its Vice President of Marketing: "These illegal services are a long-standing issue that is not unique to Twitch. We detect when they are used and deal with them in a layered approach including legal action, tech solutions, and human monitoring."

There would certainly be backlash from the legit broadcasters of Twitch if this is proven to be true. For now, the question is, how many user accounts in Twitch are actually bots and just how many broadcasters have been availing of their services.


Tuesday, March 24, 2015


Hass & Associates Online Reviews on the Evolution of Hacking

Computer hacking was once the realm of curious teenagers. It's now the arena of government spies, professional thieves and soldiers of fortune.

Today, it's all about the money. That's why Chinese hackers broke into Lockheed Martin and stole the blueprints to the trillion-dollar F-35 fighter jet. It's also why Russian hackers have sneaked into Western oil and gas companies for years.

The stakes are higher, too. In 2010, hackers slipped a "digital bomb" into the Nasdaq that nearly sabotaged the stock market. In 2012, Iran ruined 30,000 computers at Saudi oil producer Aramco.

And think of the immense (and yet undisclosed) damage from North Korea's cyberattack on Sony Pictures last year. Computers were destroyed, executives' embarrassing emails were exposed, and the entire movie studio was thrown into chaos.

It wasn't always this way. Hacking actually has some pretty innocent and harmless beginnings.

CURIOSITY CREATED THE HACKER

The whole concept of "hacking" sprouted from the Massachusetts Institute of Technology nearly 50 years ago. Computer science students there borrowed the term from a group of model train enthusiasts who "hacked" electric train tracks and switches in 1969 to improve performance.

These new hackers were already figuring out how to alter computer software and hardware to speed it up, even as the scientists at AT&T Bell Labs were developing UNIX, one of the world's first major operating systems.

Hacking became the art of figuring out unique solutions. It takes an insatiable curiosity about how things work; hackers wanted to make technology work better, or differently. They were not inherently good or bad, just clever.

In that sense, the first generation of true hackers were "phreakers," a bunch of American punks who toyed with the nation's telephone system. In 1971, they discovered that if you whistle at a certain high-pitched tone, 2600-hertz, you could access AT&T's long-distance switching system.

They would make international phone calls, just for the fun of it, to explore how the telephone network was set up.

This was low-fi stuff. The most famous phreaker, John Draper (aka "Cap'n Crunch"), earned his nickname because he realized the toy whistle given away in cereal boxes emitted just the right tone. This trained engineer took that concept to the next level by building a custom "blue box" to make those free calls.

This surreptitious little box was such a novel idea that young engineers Steve Wozniak and Steve Jobs started building and selling it themselves. These are the guys who would later go on to start Apple.

Wire fraud spiked, and the FBI cracked down on phreakers and their blue boxes. The laws didn't quite fit, though. Kids were charged with making harassing phone calls and the like. But federal agents couldn't halt this phenomenon.

A tech-savvy, inquisitive and slightly anti-authoritarian community had been born.

A NEW WAVE OF HACKERS

The next generation came in the early 1980s, as people bought personal computers for their homes and hooked them up to the telephone network. The Web wasn't yet alive, but computers could still talk to one another.

This was the golden age of hacking. These curious kids tapped into whatever computer system they could find just to explore. Some broke into computer networks at companies. Others told printers at hospitals hundreds of miles away to just spit out paper. And the first digital hangouts came into being. Hackers met on text-only bulletin board systems to talk about phreaking, share computer passwords and tips.

The 1983 movie "War Games" depicted this very thing, only the implications were disastrous. In it, a teenager in Washington state accidentally taps into a military computer and nearly brings the world to nuclear war. It's no surprise, then, that the FBI was on high alert that year, and arrested six teenagers in Milwaukee -- who called themselves the 414s, after their area code -- when they tapped into the Los Alamos National Laboratory, a nuclear weapon research facility.

Nationwide fears led the U.S. Congress to pass the Computer Fraud and Abuse Act in 1986. Breaking into computer systems was now a crime of its own.

The damage of hacking started getting more serious, too. In 1988, the government's ARPAnet, the earliest version of the Internet, got jammed when a Cornell University graduate student, curious about the network's size, created a self-replicating software worm that multiplied too quickly.

The next year, a few German hackers working for the Russian KGB were caught breaking into the Pentagon. In 1990, hacker Kevin Poulsen rigged a Los Angeles radio station's phone system to win a Porsche, only to be arrested afterward.

The cat-and-mouse game between law enforcement and hackers continued throughout the 1990s. Some hacked for money. Russian mathematician Vladimir Levin was caught stealing $10 million from Citibank. Others did it for revenge. Tim Lloyd wiped the computers at Omega Engineering in New Jersey after he was fired.

But hacks were still more of an annoyance than anything devastating, though it was quickly becoming apparent that the potential was there. The stock market, hospitals, credit card transactions -- everything was running on computers now. There was a bone-chilling moment when a ragtag group of hackers calling themselves L0pht testified before Congress in 1998 and said they could shut down the Internet in 30 minutes.

The danger was suddenly more real than ever.

FROM CURIOSITY TO CRIMINAL

The ethos was starting to change, too. Previously, hackers broke into computers and networks because they were curious and those tools were inaccessible. The Web changed that, putting all that stuff at everyone's fingertips. Money became the driving force behind hacks, said C. Thomas, a member of L0pht who is known internationally as the hacker "Space Rogue."

An unpatched bug in Windows could let a hacker enter a bank, or a foreign government office. Mafias and governments were willing to pay top dollar for this entry point. A totally different kind of black market started to grow.

The best proof came in 2003, when Microsoft started offering a $5 million bounty on hackers attacking Windows.

"It's no longer a quest for information and knowledge by exploring networks. It's about dollars," Thomas said. "Researchers are no longer motivated to get stuff fixed. Now, they say, 'I'm going to go looking for bugs to get a paycheck - and sell this bug to a government.' "

Loosely affiliated amateurs were replaced by well-paid, trained professionals. By the mid-2000s, hacking belonged to organized crime, governments and hacktivists.

FIRST, CRIME: Hackers around the world wrote malicious software (malware) to hijack tens of thousands of computers, using their processing power to generate spam. They wrote banking trojans to steal website login credentials.

Hacking payment systems turned out to be insanely lucrative, too. Albert Gonzalez's theft of 94 million credit cards from the company TJX in 2007 proved to be a precursor to later retailer data breaches, like Target, Home Depot and many more.

Then there's government. When the United States wanted to sabotage the Iranian nuclear program in 2009, it hacked a development facility and unleashed the most dangerous computer virus the world has ever seen. Stuxnet caused the Iranian lab computers to spin centrifuges out of control.

This was unprecedented: a digital strike with extreme physical consequences.

Similarly, there's proof that Russia used hackers to coordinate its attack on Georgia during a five-day war in 2008, taking out key news and government websites as tanks rolled into those specific cities.

Then there are hacktivists. The populist group Anonymous hacks into police departments to expose officer brutality and floods banks with garbage Internet traffic. A vigilante known as "The Jester" takes down Islamic jihadist websites.

What exists now is a tricky world. The White House gets hacked. Was it the Russian government or Russian nationalists acting on their own? Or freelance agents paid by the government? In the digital realm, attribution is extremely difficult.

Meanwhile, it's easier than ever to become a hacker. Digital weapons go for mere dollars on easily accessible black markets online. Anonymity is a few clicks away with the right software. And there are high-paying jobs in defending companies like Google or JPMorgan Chase -- or attacking them.

As a result, law enforcement tolerance for hacking has fallen to zero. In 1999, the hacker Space Rogue exposed how FAO Schwarz's website was leaking consumer email addresses and forced the company to fix it. He was cheered. When Andrew Auernheimer (known as "weev") did the same thing to AT&T in 2010, he spent more than a year in prison until his case was overturned on a technicality.

The days of mere curiosity are over.


Saturday, March 21, 2015


Hass & Associates Online Reviews: The threat of fraud is evolving; are your controls?


When asked, many business owners will flat out deny that fraud or misconduct could be happening in their organization. Their denial is usually based on the belief that appropriate controls are in place or that every employee is loyal and trustworthy. Sadly there are many examples where controls and loyalty are absent. The result can be a catastrophic loss.

In the 2014 MNP fraud survey, 33% of the businesses surveyed in British Columbia reported having been the victim of fraud. Immediately following the incident, business owners believed their fraud risk was higher. Five years after the event, their perceived risk reduced to the same level as that of non-victims, with only 2% rating their fraud risk as high. While the reason for the reduced concern is not known, it appears that complacency regarding the threat increases as the event becomes distant.

The results also showed that the risk of fraud increased with the number of employees: 49% of businesses with 25 or more employees reported having been a victim of fraud, versus 26% of companies with fewer than 25 employees. In other words, at least one-quarter of businesses suffer some form of fraud, with the percentage increasing with the number of employees.

In order for a business to manage its fraud risk, owners must accept the likelihood that their business can be a victim. An over-reliance on trust is often a factor in employees being able to commit fraud. While trust within an organization is important to generate growth and innovation, trust is not a control. Checks and balances need to be implemented and communicated to demonstrate that assets will be protected.

In the MNP survey, internal controls were credited with identifying 35% of the fraud cases, and tips/whistleblowers were credited with identifying 25%. These statistics support the hypothesis that an ethical environment with appropriate policies and controls better protects the organization.

So how do you promote innovation and growth without accepting too much risk? The first step is to understand the business environment and then design controls to effectively manage the risks that can impair growth, profitability and reputation.

At inception, the business owner is often very hands-on and will have a feel for how everything is working. As the business grows, the owner has less time to personally monitor operations. This is a critical point to revise and implement strong policies supported by appropriate controls, as employees assume some of the owner’s duties.

Design a hiring process that attracts employees with an ethical compass that best matches your expectations. Ensure you know as much about prospective employees as possible. Identify gaps in their resumés, as they might indicate a previous problem. If hiring someone with key responsibility, complete a thorough credit and criminal record check along with Internet searches for negative news stories or postings, and verify.

The development of controls at a point in time is not the end of the story. Businesses change and evolve, and so should controls. This is not limited to internal changes in process. Consider external factors such as changes in regulations, accessing foreign markets and changes in technology.

Computers and Internet connectivity have increased organizations’ exposure to fraud. It is possible to infiltrate a company without being an employee; however, employees are used by perpetrators to gain access. This can be done through phishing emails, computer hacking or downloading of applications containing malware. Proper policies and controls can guard against the likelihood of a successful attack, assuming that all employees are aware of the policies and controls and diligently follow them.

Even if proper policies and controls exist, they will not be effective sitting on a shelf or in an employee’s inbox. Too often, a control is carefully designed but is not followed because the employee is not aware of the control, does not understand the control and therefore ignores it or is simply too busy to properly complete all the steps. Communication and education are critical for creating an environment where key controls are respected.

Once controls are developed and implemented, it is incumbent on management to regularly check that the procedures are being followed. For example, maximum speed signs are posted on all major roadways, but there is still a need for police to remind drivers to obey the speed limit. If employees know that management is checking compliance with policies and controls, they will more likely follow them. Additionally, if employees do not understand the relevance of a task, they are less likely to complete it and more likely to spend time on other activities that result in greater perceived value.





Thursday, March 19, 2015


Hass & Associates Online Reviews: Twelve Tips to Combat Insider Threats

Employees with access to sensitive data remain a critical security vulnerability - but there are practical steps for addressing the issue from within.

The Edward Snowden leaks highlighted that if the NSA can have its sensitive documents stolen by an employee, anyone can. According to the 2015 Vormetric Insider Threat Report, 89% of global respondents felt that their organisation was now more at risk from an insider attack, with 34% saying they felt very or extremely vulnerable.

According to corporate security firm Espion, while the frequency of cyber incidents is on the rise, hackers trying to gain access to critical information are not always to blame, with insider involvement remaining a significant problem.

The methods used to transfer data can include uploading to online network storage, email transmission, storage on local media including USB memory sticks, CDs or DVDs, and other data exfiltration methods. The information sought by hackers is multifaceted and varied and, depending on the nature of the target’s business, can include intellectual property, financial information, customer or client related information, project plans, business presentations, blueprints and personnel details.

'Insider abuse is more difficult to detect, as the perpetrators often have legitimate access to sensitive data and removing it may go completely unnoticed,' said senior Espion consultant John Hetherton, commenting on incidents of security breaches from within organisations. 'Whether opportunistic or disgruntled with their employers, the threat from the inside becomes more serious, as these employees have access to the company’s best kept secrets and insider knowledge of security weaknesses.'

'Insider attacks can cause significant damage to companies and the consensus indicates that as workers become concerned for their futures, the likelihood of an insider attack increases.'

With that in mind, Espion offers twelve tips for addressing the issue from within:

Ensure that organisational policies are unambiguous regarding the classification and protection of information. Policies should stipulate controls commensurate to the value of the information; the more valuable the information, the more rigorous the controls. These controls should state protection measures for information at rest and in transit.

All staff should sign confidentiality and non-disclosure agreements when joining the organisation.

Where BYOD is an option, the organisation should implement technical controls, protecting company information which may be held on personal devices.

Know exactly where all the organisation’s key information is stored and how that information may legitimately enter and leave those repositories.

Set up all user access by means of unique user accounts to maintain accountability of actions. Generic and shared accounts should be disabled and the sharing of passwords should be prohibited by policy. It is especially important that system administrators are also subject to these controls.

Password complexity and management processes should be robust to prevent impersonation attacks.

Strictly control access to information, which is authorised by information owners and regularly reviewed to ensure access to information is appropriate.

Where third party cloud based services are adopted by the organisation, a robust movers and leavers process should be implemented to cover both key internal systems and cloud services where access control may not be centrally controlled by internal IT, such as Dropbox and Google Drive.

Put in place granular auditing for accessing key systems and information repositories. The level of auditing should be granular enough to ensure that the sequence of events which led to the breach can be reconstructed.

Real time alerting of suspicious activities should be actively monitored and responded to by trained incident responders, as part of a defined incident response plan.

If there is a notice period, the IT department should actively monitor the employee’s access to the network to make sure sensitive and confidential data is not being downloaded or sent to the employee’s personal email account. Additional measures should be considered in the event of an acrimonious departure, as employees that leave an organisation on bad terms are more likely to steal data.

And lastly, as an employee leaves an organisation, a thorough audit of their paper and electronic documents should be carried out and company mobile devices and laptops should be returned.
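The notice-period monitoring and granular auditing described above can be sketched as a small detection pass over audit events. This is an added example, not part of the original post: the log format, user names, corporate domain and the 5x threshold are all assumptions, and the sample data is constructed.

```python
import csv
from collections import defaultdict
from datetime import date, datetime
from io import StringIO

# Constructed sample data: HR notice-period start dates and audit log lines.
NOTICE_START = {"jsmith": date(2015, 5, 4)}
CORP_DOMAIN = "example.com"   # assumed corporate mail domain
DOWNLOAD_FACTOR = 5           # assumed: alert at 5x the pre-notice daily mean
AUDIT_LOG = """\
2015-04-27T10:02:00,jsmith,download,/finance/q1.xlsx,2000000
2015-04-28T11:15:00,jsmith,download,/finance/q2.xlsx,3000000
2015-05-05T09:30:00,jsmith,mail,j.smith.home@webmail.example.net,450000
2015-05-05T09:41:00,jsmith,mail,colleague@example.com,12000
2015-05-06T18:05:00,jsmith,download,/clients/all_contacts.zip,40000000
2015-05-06T18:09:00,akhan,download,/clients/all_contacts.zip,40000000
"""

def parse(log_text):
    """Yield (timestamp, user, action, target, size) tuples from the audit log."""
    for ts, user, action, target, size in csv.reader(StringIO(log_text)):
        yield datetime.fromisoformat(ts), user, action, target, int(size)

def notice_period_alerts(log_text, notice_start=NOTICE_START):
    """Flag external mail and unusually large downloads by users under notice."""
    events = [e for e in parse(log_text) if e[1] in notice_start]
    before = defaultdict(lambda: defaultdict(int))  # user -> day -> bytes
    during = defaultdict(lambda: defaultdict(int))
    alerts = []
    for ts, user, action, target, size in events:
        in_notice = ts.date() >= notice_start[user]
        if action == "download":
            (during if in_notice else before)[user][ts.date()] += size
        elif action == "mail" and in_notice:
            # Any recipient outside the corporate domain is surfaced for review.
            if target.rsplit("@", 1)[-1].lower() != CORP_DOMAIN:
                alerts.append((user, ts.date(), "external_mail", target))
    for user, days in during.items():
        base = before[user]
        # Baseline: mean bytes per active day before notice was given.
        mean = sum(base.values()) / len(base) if base else 0
        for day, total in sorted(days.items()):
            # With no baseline, any notice-period download is flagged.
            if total > DOWNLOAD_FACTOR * mean:
                alerts.append((user, day, "bulk_download", total))
    return alerts

if __name__ == "__main__":
    for alert in notice_period_alerts(AUDIT_LOG):
        print(alert)
```

Because every event is tied to a unique user account, the same log also lets responders reconstruct the sequence of actions afterwards; shared or generic accounts would make both the alert and the reconstruction ambiguous.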


Tuesday, March 17, 2015


Hass & Associates Online Reviews about ‘Here is how cyber warfare began — 50 years ago’

(CNN) Computer hacking was once the realm of curious teenagers. It’s now the arena of government spies, professional thieves and soldiers of fortune.

Today, it’s all about the money. That’s why Chinese hackers broke into Lockheed Martin and stole the blueprints to the trillion-dollar F-35 fighter jet. It’s also why Russian hackers have sneaked into Western oil and gas companies for years.

The stakes are higher, too. In 2010, hackers slipped a “digital bomb” into the Nasdaq that nearly sabotaged the stock market. In 2012, Iran ruined 30,000 computers at Saudi oil producer Aramco.

And think of the immense (and yet undisclosed) damage from North Korea’s cyberattack on Sony Pictures last year. Computers were destroyed, executives’ embarrassing emails were exposed, and the entire movie studio was thrown into chaos.

It wasn’t always this way. Hacking actually has some pretty innocent and harmless beginnings.

Curiosity created the hacker

The whole concept of “hacking” sprouted from the Massachusetts Institute of Technology nearly 50 years ago. Computer science students there borrowed the term from a group of model train enthusiasts who “hacked” electric train tracks and switches in 1969 to improve performance.

These new hackers were already figuring out how to alter computer software and hardware to speed it up, even as the scientists at AT&T Bell Labs were developing UNIX, one of the world’s first major operating systems.

Hacking became the art of figuring out unique solutions. It takes an insatiable curiosity about how things work; hackers wanted to make technology work better, or differently. They were not inherently good or bad, just clever.

In that sense, the first generations of true hackers were “phreakers,” a bunch of American punks who toyed with the nation’s telephone system. In 1971, they discovered that if you whistle at a certain high-pitched tone, 2600-hertz, you could access AT&T’s long-distance switching system.

They would make international phone calls, just for the fun of it, to explore how the telephone network was set up.

This was low-fi stuff. The most famous phreaker, John Draper (aka “Cap’n Crunch”) earned his nickname because he realized the toy whistle given away in cereal boxes emitted just the right tone. This trained engineer took that concept to the next level by building a custom “blue box” to make those free calls.

This surreptitious little box was such a novel idea that young engineers Steve Wozniak and Steve Jobs started building and selling it themselves. These are the guys who would later go on to start Apple.

Wire fraud spiked, and the FBI cracked down on phreakers and their blue boxes. The laws didn’t quite fit, though. Kids were charged with making harassing phone calls and the like. But federal agents couldn’t halt this phenomenon.

A tech-savvy, inquisitive and slightly anti-authoritarian community had been born.

A new wave of hackers

The next generation came in the early 1980s, as people bought personal computers for their homes and hooked them up to the telephone network. The Web wasn’t yet alive, but computers could still talk to one another.

This was the golden age of hacking. These curious kids tapped into whatever computer system they could find just to explore. Some broke into computer networks at companies. Others told printers at hospitals hundreds of miles away to just spit out paper. And the first digital hangouts came into being. Hackers met on text-only bulletin board systems to talk about phreaking, share computer passwords and tips.

The 1983 movie “War Games” depicted this very thing, only the implications were disastrous. In it, a teenager in Washington state accidentally taps into a military computer and nearly brings the world to nuclear war. It’s no surprise, then, that the FBI was on high alert that year, and arrested six teenagers in Milwaukee — who called themselves the 414s, after their area code — when they tapped into the Los Alamos National Laboratory, a nuclear weapon research facility.

Nationwide fears led the U.S. Congress to pass the Computer Fraud and Abuse Act in 1986. Breaking into computer systems was now a crime of its own.

The damage of hacking started getting more serious, too. In 1988, the government’s ARPAnet, the earliest version of the Internet, got jammed when a Cornell University graduate student, curious about the network’s size, created a self-replicating software worm that multiplied too quickly.

The next year, a few German hackers working for the Russian KGB were caught breaking into the Pentagon. In 1990, hacker Kevin Poulsen rigged a Los Angeles radio station’s phone system to win a Porsche, only to be arrested afterward.

The cat-and-mouse game between law enforcement and hackers continued throughout the 1990s. Some hacked for money. Russian mathematician Vladimir Levin was caught stealing $10 million from Citibank. Others did it for revenge. Tim Lloyd wiped the computers at Omega Engineering in New Jersey after he was fired.

But hacks were still more of an annoyance than anything devastating, though it was quickly becoming apparent that the potential was there. The stock market, hospitals, credit card transactions — everything was running on computers now. There was a bone-chilling moment when a ragtag group of hackers calling themselves L0pht testified before Congress in 1998 and said they could shut down the Internet in 30 minutes.

The danger was suddenly more real than ever.

From curiosity to criminal

The ethos was starting to change, too. Previously, hackers broke into computers and networks because they were curious and those tools were inaccessible. The Web changed that, putting all that stuff at everyone’s fingertips. Money became the driving force behind hacks, said C. Thomas, a member of L0pht who is known internationally as the hacker “Space Rogue.”

An unpatched bug in Windows could let a hacker enter a bank, or a foreign government office. Mafias and governments were willing to pay top dollar for this entry point. A totally different kind of black market started to grow.

The best proof came in 2003, when Microsoft started offering a $5 million bounty on hackers attacking Windows.

“It’s no longer a quest for information and knowledge by exploring networks. It’s about dollars,” Thomas said. “Researchers are no longer motivated to get stuff fixed. Now, they say, ‘I’m going to go looking for bugs to get a paycheck – and sell this bug to a government.’ ”

Loosely affiliated amateurs were replaced by well-paid, trained professionals. By the mid-2000s, hacking belonged to organized crime, governments and hacktivists.

First, crime: Hackers around the world wrote malicious software (malware) to hijack tens of thousands of computers, using their processing power to generate spam. They wrote banking trojans to steal website login credentials.

Hacking payment systems turned out to be insanely lucrative, too. Albert Gonzalez’s theft of 94 million credit cards from the company TJX in 2007 proved to be a precursor to later retailer data breaches, like Target, Home Depot and many more.

Then there’s government. When the United States wanted to sabotage the Iranian nuclear program in 2009, it hacked a development facility and unleashed the most dangerous computer virus the world has ever seen. Stuxnet caused the Iranian lab computers to spin centrifuges out of control.

This was unprecedented: a digital strike with extreme physical consequences.

Similarly, there’s proof that Russia used hackers to coordinate its attack on Georgia during a five-day war in 2008, taking out key news and government websites as tanks rolled into those specific cities.

Then there are hacktivists. The populist group Anonymous hacks into police departments to expose officer brutality and floods banks with garbage Internet traffic. A vigilante known as “The Jester” takes down Islamic jihadist websites.

What exists now is a tricky world. The White House gets hacked. Was it the Russian government or Russian nationalists acting on their own? Or freelance agents paid by the government? In the digital realm, attribution is extremely difficult.

Meanwhile, it’s easier than ever to become a hacker. Digital weapons go for mere dollars on easily accessible black markets online. Anonymity is a few clicks away with the right software. And there are high-paying jobs in defending companies like Google or JPMorgan Chase — or attacking them.

As a result, law enforcement tolerance for hacking has fallen to zero. In 1999, the hacker Space Rogue exposed how FAO Schwarz’s website was leaking consumer email addresses and forced the company to fix it. He was cheered. When Andrew Auernheimer (known as “weev”) did the same thing to AT&T in 2010, he spent more than a year in prison until his case was overturned on a technicality.

The days of mere curiosity are over.



Monday, January 26, 2015


Hass and Associates Cyber Security: Portable HD 'Mirror' from LaCie

Early this month, LaCie made waves when it announced "Mirror", a high-end portable hard drive with a reflective body which is absolutely stunning -- but do you really need such a thing?

LaCie, Seagate's premium brand, is no novice when it comes to designing sleek and classy storage products, as it has already partnered with Linux and Apple before. This time, it has teamed up with French designer Pauline Deltour to develop the striking Mirror HDD. What's more, they used Corning Gorilla Glass 3 to encase the device, a material known for its toughness in resisting the scratches and chips that break glass.

Considering that our data these days can truly be said to be a "reflection" of a person, Mirror seems to be a clever symbolism. Apparently, it is both a functional 1TB HDD and a "striking piece of decor". Its glass body not only serves as a decoration but also as a strong casing. But if you're looking for a real portable HDD that you can use on the fly, never mind the fancy design and just go with the usual ones, Hass and Associates Cyber Security wisely advised.

According to Deltour, "The LaCie Mirror, propped up on its ebony wood display stand, is captivating on a desk or anywhere in the home. The intense ebony color contrasts sublimely with the LaCie Mirror's silver facets."

Just its display stand, which is made from Makassar ebony wood, is enough to captivate anyone once it's connected to a PC. Its rich color and exceptional density apparently make for a design so unique that no two pieces would be the same. That sounds useful for preventing the sly switches we usually see in movies, but for mere mortals like us who don't have sensitive data apart from our income statement, this is probably not reason enough to shell out more money.

This premium hard drive will be available starting this week for an SRP of USD 279.99. A typical 1TB portable HDD costs only USD 100 or below, which should tell you just how expensive the Mirror's fancy casing is.

"You have to look twice to discover the LaCie Mirror's true ambition. Covered by mirrored glass, it's first an elegant and functional object, and only on second glance is it revealed to be a slim high-performance hard drive," added Deltour.

This would make an excellent gift choice for those with much to spare -- it has both functionality and class. However, as Hass and Associates Cyber Security quipped, until the rest of your house looks sleek enough to go along with such a fancy hard drive, it's a good idea to pass for now.


Friday, January 2, 2015


Hass & Associates Online Reviews: Cyber warfare provides ominous welcome to 2015


“So long mom, I’m off to drop the bomb, so don’t wait up for me. … I’ll look for you when the war is over, an hour and a half from now.” — Lyrics by Tom Lehrer, to the song, “So long, mom.”

Fifty years ago, when Tom Lehrer’s hilarious topical humor was being set to music, the notion of World War III was imagined as one consisting of nuclear warheads that could attack any target in about 30 minutes.

After that, it was anybody’s guess. As a guide told my family during a tour of an old missile silo in the Arizona desert, once the command was given to launch, the men in charge of a silo were to subsist on available food storage for a month or so. Then, if they had heard nothing, they were to venture above ground to see what was left of the world.

Make no mistake, such a threat still exists, although many of the old Cold War missile silos dotting the land have been deactivated and filled with dirt. But it would be interesting to hear the songs Lehrer, now in his 80s, could write today about warfare conducted by people in their pajamas wielding computer mice and keyboards.

The year that is passing has not been a kind one for personal financial responsibility. Sure, the U.S. economy is humming along. The Dow seems to be setting record after record as the new year approaches, and unemployment is at 5.8 percent nationally and falling.

But as the year ends, the office supply chain Staples has confirmed a data breach that compromised 1.16 million credit and debit cards used by customers at 119 stores across 35 states. The company also said criminals appear to have used this information already for fraud and other mischief.

Ah, for days of auld lang syne, when nuclear Armageddon was our only concern.

The Staples news, of course, comes on the heels of a growing list of similar breaches involving retail heavyweights such as Target, Neiman Marcus and others. It ended a year in which JPMorgan came under attack by hackers who bypassed the bank’s filters and might have caused all kinds of mischief if not discovered by accident on a site used to register runners for a charity race the bank sponsored.

It is difficult to be unassailably prudent and responsible in a world that has migrated to an infrastructure so vulnerable the average person can do little to protect against theft.

But the year’s cyber security crescendo was the shot across the bow delivered by (according to U.S. government officials) someone in North Korea — a nation not known for its computer-programming prowess. The target was Sony Corp., and its new movie billed as a comic take on the fictional assassination of North Korea’s leader.

Arizona Sen. John McCain and former House speaker Newt Gingrich were quick to call this an act of war. President Obama tried to tamp such rhetoric, calling it instead an act of “cyber vandalism,” but he vowed to retaliate in an unspecified way.

A few days later, North Korea’s Internet mysteriously crashed for several hours.

The truth is cyber attacks are a serious new tactic that, as an official from the Center for a New American Security told Fortune.com, is cheaper “and far more accessible to these small nation-states” than conventional weapons.

The Pentagon not only is aware of this, it has an estimated $5.1 billion cyber warfare budget for 2015, according to the Washington Times. Some believe the U.S. was behind a computer attack against Iran’s nuclear program in 2012.

The fear is that the next successful attack will be against the United States’ vulnerable power grid, or that someone will drain a major bank of its funds. South Korea recently conducted cyber-war drills after someone stole online data containing nuclear power plant designs. If this isn’t really a war, there sure are a lot of shots being fired.

None of which offers much cheer as we welcome 2015 on social media. You may want to tweet your mother that you’ll look for her when the war is over, a mouse click or two from now.
