Archive for the ‘Definitions’ Category

The FBI just announced the largest ever cybercrime investigation to disrupt and dismantle "botnets" and to prosecute some of the ringleaders in these criminal activities. So far, they have identified about 1 million compromised computers across the country. The FBI is working with the CERT Coordination Center at Carnegie Mellon University to notify the victim owners of the computers.

So far, the FBI has charged 3 people with cyber crimes as a direct result of this investigation; one hacker in Texas accused of infecting tens of thousands of computers, one hacker in Seattle accused of using botnets to send tens of millions of spam messages and one hacker in Kentucky accused of using botnets to disable other systems.

Note: The FBI will not contact you online and request your personal information. Nor will they offer to clean your computer for you. As word of this investigation gets out, be wary of fraudulent messages appearing to come from the FBI or some other agency and offering to "fix" your computer for you. If you receive such a message, file a complaint online with the Internet Crime Complaint Center or call the nearest FBI office.

A botnet is a network of other people’s computers all controlled by a hacker. In a typical botnet setup, the first hacker uses viruses, worms or trojan horses to install malicious software (the bot) on your computer without your knowledge. The hacker builds up the network as large as possible – tens or even hundreds of thousands of compromised computers. He then rents out the right to use his network of hacked computers to the highest bidder. The second hacker sends out the command messages to all the hacked computers telling them to execute their attack. Examples of attacks might be distributed denial of service (flooding the target with so many requests that the real traffic can’t get through), sending phishing emails, click fraud and mass distribution of spam and spyware.
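The denial-of-service attack described above shows up on the victim's side as an abnormal request rate. The following is an added example (not code from the original post) of the simplest first-line check a site operator can run over a web server access log: count each client's requests inside a sliding ten-second window and flag any client whose count exceeds a threshold. The log format (client, ISO timestamp, path) and the sample lines are constructed for the example; real botnets spread the flood over many compromised machines, so a per-client threshold only catches the noisiest members and should be combined with an overall request-rate check.

```python
"""Spot request floods in a web server access log (added example, constructed data)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def parse_line(line):
    """Constructed log format: '<client> <iso-timestamp> <path>'."""
    client, stamp, path = line.split()
    return client, datetime.fromisoformat(stamp), path


def find_flooders(lines, window_seconds=10, threshold=20):
    """Return {client: peak requests seen inside any window} for clients over the threshold.

    Lines are assumed to be in chronological order per client, as a real log would be.
    A per-client deque holds the timestamps inside the current window; the peak length
    of that deque is the client's worst burst.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)
    peak = defaultdict(int)
    for line in lines:
        client, stamp, _ = parse_line(line)
        bucket = recent[client]
        bucket.append(stamp)
        while bucket and stamp - bucket[0] > window:
            bucket.popleft()  # drop requests that have aged out of the window
        peak[client] = max(peak[client], len(bucket))
    return {client: n for client, n in peak.items() if n > threshold}


def build_sample_log():
    """Constructed sample: two ordinary visitors and one host hammering the login page."""
    base = datetime(2007, 3, 1, 12, 0, 0)
    lines = []
    for i in range(4):  # a few page views spread over a minute
        lines.append(f"192.0.2.10 {(base + timedelta(seconds=15 * i)).isoformat()} /index.html")
        lines.append(f"192.0.2.11 {(base + timedelta(seconds=15 * i + 5)).isoformat()} /quote.html")
    for i in range(50):  # 50 requests in under ten seconds from one compromised host
        lines.append(f"203.0.113.7 {(base + timedelta(milliseconds=200 * i)).isoformat()} /login")
    lines.sort(key=lambda entry: entry.split()[1])  # interleave like a real log
    return lines


if __name__ == "__main__":
    for client, burst in find_flooders(build_sample_log()).items():
        print(f"{client}: {burst} requests inside one 10-second window")
```

The threshold is deliberately a parameter: what counts as a flood depends on the site's normal traffic, so tune it from a quiet period's logs before acting on it.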

Unfortunately, the hacked computer’s user might not even notice that his/her computer is being used by someone else. Look for slow performance, an outbox full of mail you didn’t send or messages saying that you’ve sent spam. Any of these would be reason to investigate your computer carefully.

If you think your computer might be infected, contact your Technical Support immediately.

Take the following steps to protect your computer from being captured in a botnet:

This article was originally published in the Mar 2007 edition of The Agent Newsline, a publication of Westfield Insurance.

When John retired last month, when Sue left the company, when Sam moved into another department, did their access rights get updated? Or can they still log onto the computer and see your customers’ confidential information? Can they log onto one of your partner web sites and prospect against your customers?

Identity and rights management is a complex and serious problem for any company with more than a few employees. Federal and state regulations require that private customer information be protected based on a business need-to-know. Social Security numbers, credit scores and driver license numbers are just a few of the fields that are considered private. If your employees, contractors or support staff have access to files or programs holding that kind of data, I recommend creating a plan to make sure that only the right employees have access.

Here are suggestions to help keep your data safe:

  • Keep a current list of users for your systems.
  • If you have a user who no longer needs access, you should remove the name from the list of authorized users. According to Secret Service Internet crime statistics, most penetrations of electronic systems are carried out by former insiders whose access was not properly shut down. Make someone responsible for changing access rights whenever an employee’s status changes to ensure users do not keep rights they should no longer have.
  • Keep an employee access checklist of all carriers’ systems, bank systems, industry web sites, etc.
  • Make sure that those third parties also know of the employee’s status change. A sample checklist with some of the most common considerations is available on Agent’s Web Passport* and can be used as a template to build or expand your own list.

* Agent’s Web Passport is a proprietary web portal for independent agents affiliated with Westfield Insurance. The sample checklist is not currently available through this blog.
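The suggestions above amount to a periodic access review: compare every system's list of authorized users against the current employee roster and remove or re-check anything that does not line up. The following is an added example (not the post's sample checklist and not Westfield's code) that does that reconciliation. The roster, the system user lists and the names echo the John/Sue/Sam scenario from the post; all of the data is constructed.

```python
"""Reconcile system user lists against the HR roster (added example, constructed data)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Employee:
    name: str
    status: str       # "active", "retired" or "left" (constructed vocabulary)
    department: str


# Constructed HR roster: John retired, Sue left, Sam moved to another department.
HR_ROSTER = {
    "john": Employee("john", "retired", "claims"),
    "sue": Employee("sue", "left", "sales"),
    "sam": Employee("sam", "active", "accounting"),
    "ana": Employee("ana", "active", "sales"),
}

# Constructed per-system authorized-user lists; each entry records the
# department the access was granted for, so transfers can be spotted too.
SYSTEM_USERS = {
    "policy-admin": {"john": "claims", "ana": "sales", "sam": "sales"},
    "carrier-portal": {"sue": "sales", "ana": "sales"},
    "bank-portal": {"john": "claims", "contractor-bob": "it"},
}


def review_access(roster, systems):
    """Return (system, user, reason) for every account that should be removed or re-checked."""
    findings = []
    for system, users in systems.items():
        for user, granted_for in users.items():
            emp = roster.get(user)
            if emp is None:
                findings.append((system, user, "not on HR roster"))
            elif emp.status != "active":
                findings.append((system, user, f"status is {emp.status}"))
            elif emp.department != granted_for:
                findings.append((system, user,
                                 f"granted for {granted_for}, now in {emp.department}"))
    return findings


def offboarding_checklist(systems, user):
    """Every system that still lists the user: the checklist to work through when status changes."""
    return sorted(system for system, users in systems.items() if user in users)


if __name__ == "__main__":
    for system, user, reason in review_access(HR_ROSTER, SYSTEM_USERS):
        print(f"{system:15} {user:15} {reason}")
    print("john still has access to:", offboarding_checklist(SYSTEM_USERS, "john"))
```

Accounts that appear on no roster at all (contractors, shared logins, vendor support accounts) are the ones most often forgotten, which is why the review treats "not on HR roster" as a finding rather than ignoring it.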

As a general rule of thumb, it costs 40 times as much to fix the security of a project after the fact as it would have cost to build security in at the front of the project.

You should always design your applications and solutions with security in mind. Call the Information Security team in your IT department for help identifying and prioritizing security risks. They should also be able to help you develop the business requirements and technical controls necessary to ensure that your confidential data is properly secured. Contact them as early in the design cycle as possible – preferably during the business case stage of the initiative. They can help make sure that all the hidden costs and implications have been identified.

If you’re planning to buy a service from a third party where the vendor or service provider will have access to any company data, especially confidential customer data, or will have access to any system or accounts which could be used to get access to your data, the vendor’s security practices should be evaluated against your company’s security standards. Many companies use an Application Service Provider (ASP) Questionnaire to evaluate the vendor’s security practices. Again, contact your IT department for help with understanding the vendor’s practices. Do not assume that their practices live up to your standards without checking on them.

Authentication means knowing who is on the other end of the line. Authentication is essential before you share any non-public information with the other person whether you are sharing it by phone, email, instant messaging or in person. Authentication is based on one of three "factors":

  • Something you are – recognizing your face, voice, fingerprint, signature, etc.
  • Something you have – a car key, a digital certificate on your computer, an ID card or security token
  • Something you know – a password, the last four of your SSN, mother’s maiden name, etc.

Multi-Factor Authentication means checking against two or more of those types of authentication. For example, the Help Desk might check caller ID to see if you are calling from your own phone (something you have) and still ask for your employee ID number (something you know). A debit card is another form of two-factor authentication. You need both the physical card and the four-digit PIN to get cash out of the ATM. Authentication methods that use more than one factor are more difficult to compromise than single-factor methods.

In the weaker sense, multi-factor authentication is sometimes interpreted as asking for two things you know – a password and a PIN. This is better protection than just asking for a single password but considerably weaker than proper multi-factor authentication. If a hacker knows enough to compromise your password, they are also likely to be able to compromise your PIN. Still, internet sites which require both a password and PIN have added “friction” to the process. They force the hacker to do more work and make it more likely that the hacker will go somewhere else instead.
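The distinction drawn in the two paragraphs above (two or more different factors versus "two things you know") is easy to check mechanically once each method is tagged with the factor it belongs to. The following is an added example, not code from the original post, that does that tagging and then shows a genuine two-factor login: a password (something you know) checked against a salted PBKDF2 hash, plus a one-time code from a security token (something you have) computed with the HOTP/TOTP construction of RFC 4226 and RFC 6238. The HOTP/TOTP details go beyond the post, which only mentions a "security token"; the method names, the user record layout and the token seed are assumptions of the example.

```python
"""Real multi-factor versus 'two things you know' (added example; names and data constructed)."""
import hashlib
import hmac
import os
import struct

# Which of the three factors from the post each method belongs to (assumed method names).
FACTOR_OF = {
    "password": "know", "pin": "know", "mothers_maiden_name": "know",
    "security_token": "have", "certificate": "have", "caller_id": "have",
    "fingerprint": "are", "face": "are",
}


def distinct_factors(methods):
    """The set of factor categories a list of methods actually covers."""
    return {FACTOR_OF[m] for m in methods}


def is_multi_factor(methods):
    """True only when at least two *different* factors are checked; password+PIN is not."""
    return len(distinct_factors(methods)) >= 2


def hotp(secret, counter, digits=6):
    """RFC 4226 HMAC-based one-time password: HMAC-SHA1, dynamic truncation, decimal digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, unix_time, step=30):
    """RFC 6238: HOTP with the counter derived from the clock (the token's 'something you have')."""
    return hotp(secret, unix_time // step)


def hash_password(password, salt=None, iterations=200_000):
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def enroll(password, token_secret):
    """Constructed user record: salted password hash plus the seed shared with the token."""
    salt, digest = hash_password(password)
    return {"salt": salt, "pw_hash": digest, "token_secret": token_secret}


def login(record, password, code, unix_time):
    """Something you know (password) AND something you have (token code) must both check out.

    The code is accepted for the current 30-second step and one step either side to tolerate
    clock drift; comparisons are constant-time so timing does not leak partial matches.
    """
    _, digest = hash_password(password, record["salt"])
    if not hmac.compare_digest(digest, record["pw_hash"]):
        return False
    for drift in (-30, 0, 30):
        if hmac.compare_digest(code, totp(record["token_secret"], unix_time + drift)):
            return True
    return False


if __name__ == "__main__":
    print("password+pin multi-factor?", is_multi_factor(["password", "pin"]))
    print("caller id+password multi-factor?", is_multi_factor(["caller_id", "password"]))
    record = enroll("correct horse battery", b"constructed-token-seed")
    now = 1_000_000_000
    print("login with right password and token code:",
          login(record, "correct horse battery", totp(b"constructed-token-seed", now), now))
```

The test vectors from RFC 4226 Appendix D (secret "12345678901234567890", counters 0 and 1 give 755224 and 287082) are a handy way to confirm that an HOTP implementation is correct before trusting it.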

Keystroke loggers are small tools which covertly capture the user’s keystrokes on his/her computer. They record every key the user presses, including typos, backspacing and retyping. Some loggers will also capture the user’s mouse movements and clicks and may even take snapshots of the contents of the user’s computer screen.

Keystroke loggers were first developed by researchers to see how users interact with new software and to identify sources of error. More commonly, keystroke loggers are used by hackers as a means to obtain passwords or encryption keys and to bypass the user’s security. Because the keystroke logger captures the information at the point where the key is pressed, it can capture information which would normally be hidden from display, such as a password that appears on screen only as asterisks.

Keystroke loggers are widely available on the internet.

Hardware keyloggers come in two types – visible (a device that attaches to the keyboard cable) and invisible (installed by opening up the keyboard case and soldering the logger into the circuits). A hardware logger will store the information until the person who installed it comes back to collect and download the data.

A software logger can be installed on your machine by a virus, worm or trojan horse. Software loggers will typically attempt to send the data back to the hacker through the internet. Because they are so easy to spread to a victim’s computer, software loggers are now more common.

  • Always keep your antivirus program and firewall turned on and up-to-date. Run anti-spyware software regularly.
  • When using public computers (such as the library or a cyber-café), avoid visiting sites that require you to enter login details.
  • Use common sense.

Adapted from: wikipedia.org