computer
FRAUD & SECURITY    ISSN 1361-3723    April 2011    www.computerfraudandsecurity.com

Contents

NEWS
Microsoft takes down Rustock  1
Comodo certificates forged  3

FEATURES
In plain view: open source intelligence  5
Researchers can gather a surprising amount of information on targets by harvesting data that is already publicly available. From newspaper archives to court records, and even simple Google searches, there is a vast array of data freely available that can be cross-referenced and filtered to provide insightful intelligence. The challenge is to find and manage the data, although a number of automation tools are now available. Danny Bradbury explores the not-so-shady world of open source intelligence.

The slow road to professionalisation  9
The question of whether the information security industry should be 'professionalised' is a contentious one. While some practitioners do not see the value, others are convinced that change is necessary to protect both themselves and their customers. Many would like to see practitioners operating in a similar way to other professions such as doctors and lawyers, where formal recognised qualifications, membership of an industry association and adherence to an enforceable code of ethics are mandated. Cath Everett looks at some of the current initiatives that are taking place in this area and what the future might hold.

Malvertising – exploiting web advertising  11
Advertisers use Web 2.0 functionality to provide flexibility and portability in sharing third-party content across different networks, websites and blogs. They use widgets, frames and JavaScript banners in order to load and execute content from ad servers into user websites. But attackers can take advantage of flaws in features such as widgets and iframes to redirect browsers to malicious websites that deliver malware. To appreciate the severity and prevalence of this class of attack, the Open Web Application Security Project (OWASP.org) recently placed unvalidated redirects and forwards in its '2010 top 10' list. Aditya Sood and Richard Enbody of Michigan State University discuss the exploitation model of malvertisements and the way different modes of attack are used to infect users.

The UK fraud landscape for financial services  16
Fraud in the financial services industry is a topic that constantly makes headlines, says Duncan Ash of SAS UK, but is the situation really as dire as the media would have us believe?

Aggregation: the hidden risk  18
Wendy Goucher of Idrach looks at the dangers companies face when they accidentally or deliberately aggregate their staff members' access to sensitive information.

REGULARS
Editorial  2
News in brief  4
Calendar  20

NEWS

Microsoft takes down Rustock

Once again, Microsoft has used legal channels to fight spam-spewing botnets. Working with federal law enforcement agencies in the US, the firm was able to take the Rustock botnet offline.

Building on its experiences in shutting down the Waledac botnet, Microsoft's Digital Crimes Unit (DCU) filed a lawsuit in US District Court against 'John Does' it said were "controlling a computer botnet and thereby injuring Microsoft and its customers". Continued on page 3…
ISSN 1361-3723/11 © 2011 Elsevier Ltd. All rights reserved.

Editorial Office: Elsevier Ltd, The Boulevard, Langford Lane, Kidlington, Oxford OX5 1GB, United Kingdom. Web: www.computerfraudandsecurity.com
Publisher: Greg Valero
Editor: Steve Mansfield-Devine
Editorial Advisors: Silvano Ongetta, Italy; Chris Amery, UK; Jan Eloff, South Africa; Hans Gliss, Germany; David Herson, UK; P. Kraaibeek, Germany; Wayne Madsen, Virginia, USA; Belden Menkus, Tennessee, USA; Bill Murray, Connecticut, USA; Donn B. Parker, California, USA; Peter Sommer, UK; Mark Tantam, UK; Peter Thingsted, Denmark; Hank Wolfe, New Zealand; Charles Cresson Wood, USA; Bill J. Caelli, Australia
Production Support Manager: Lin Lucas
Pre-press/Printed by Mayfield Press (Oxford) Limited

Editorial

Data breaches are now so common that it takes something special to catch people's attention. The Epsilon Interactive saga has that special ingredient. It's not just the potential size of the breach, it's the fact that so many well-known brand names have been embarrassed.

Epsilon – owned by Alliance Data Systems – provides a mass emailing service for around 2,500 companies. It sends out around 40 billion messages a year and styles itself as the world's largest 'permission-based' (ie, opt-in) email marketing operation. It's thought to have around 250 million email addresses and associated details in its databases.

Hackers – described as "highly sophisticated cyber thieves" by Epsilon – managed to breach the firm's defences and steal the names and email addresses of people on the mailing lists of around 50 of Epsilon's clients. It's believed that millions of details may have been purloined, making it the biggest data breach ever. This quickly led to warnings that those affected should expect a large increase in the amount of spam they receive.

But the danger goes way beyond that. It's true that spammers love getting email addresses they know to be live. But add names to those addresses, and details of companies with whom those people have done business – and from whom they are expecting to receive emails (and may even have whitelisted) – and you have a situation ripe for spear-phishing and other targeted scams.

Some of the affected firms are banks – such as Barclays, Citigroup, JP Morgan Chase and US Bank – so the potential for serious financial harm is there. But even with companies that aren't financial institutions, the hackers may be able to exploit the trust of their customers by using bogus sites to push fake AV or to obtain anything from login credentials to credit card information.

Some reports – notably in Australian newspaper ITNews – suggest that Epsilon and Silverpop (another email marketing firm that suffered a data breach recently) were themselves both victims of a social engineering attack using spear-phishing. Last November, Return Path, a firm that offers services such as tracking email delivery and which is used by both Epsilon and Silverpop, issued a warning about phishing attempts against email service providers, direct mail firms and gaming sites. People responsible for email operations were targeted at more than 100 companies. The spear-phishing emails originated from a number of sources, including online greetings card sites and botnets.

Security specialists constantly fantasise that high-profile exploits like this will help raise consciousness and lead to a safer future in which people are more aware of the risks. Well, dream on. But while we're waiting for that miracle to happen, there are lessons available for those who want to make the effort.

I suspect the company that will learn the most is Epsilon itself. We all know that breaches wreck reputations. Only time will tell how Epsilon will stand with its very large, very public clients, many of whom – including M&S and Mothercare – have had to send explanations and apologies to their customers. Some customers have received such messages from more than one company.

Those companies will have had their own reputations tarnished. For a while, Twitter was alight with customers demanding to know why Epsilon had their details – after all, they thought they were signing up to receive information from, say, M&S.

And that's a big lesson for everyone. Although you may go to great lengths to secure your systems, remain compliant and generally adhere to the very best practices for security, if you share information with a supplier or business partner, any weakness on their part can have grave consequences for you.

Steve Mansfield-Devine
…Continued from page 1

The suit was supported by security firm FireEye, the University of Washington and drug company Pfizer, manufacturer of Viagra – as Rustock is perhaps best known for its pharmaceutical spam.

Then, working alongside the US Marshals Service, the DCU raided the seven Internet hosting firms it believed were home to command and control (C&C) servers for Rustock. They removed equipment – mainly hard disks but also some computers. The botnet immediately went offline, suggesting that Microsoft hit the right seven companies. The disk drives are now being examined for evidence that might lead to the botnet's operators.

It's unusual for C&C servers to be hosted in the US, or even in the West. Most spamming operations use 'bulletproof' hosts in countries such as the Ukraine. However, by using US-based hosting firms – mostly smaller companies that had no idea what was going on – as well as deploying TLS encryption and disguising the communications between bots and C&C servers as forum messages, Rustock managed to evade the attention of spam-fighting services such as Spamhaus. However, FireEye's analysis of the traffic and Microsoft's use of sinkhole C&C servers allowed the firms to identify both the command nodes and the infected machines.

The action by Microsoft has set a legal precedent that may prove useful in future fights against spammers. Some of the confiscated hardware did not belong to the hosting companies, so Microsoft had to build a legal case for its removal. It did this by showing that the spam sent by Rustock had a financial impact on Microsoft's Hotmail system and also that the C&C servers were in violation of the US CAN-SPAM Act. In the end, the court agreed to the seizure of third-party equipment.

There is still no indication of who was behind the botnet, nor how much they were making from it, although FireEye said that they were spending $10,000 a month on the hosting services.

The compromised computers that form the botnet are still infected, but are now effectively under the control of Microsoft's sinkhole C&C servers. As is common with many botnet trojans, the Rustock malware is programmed to change the domain names it contacts over time, but Microsoft has registered these future domains. However, the system vulnerabilities that allowed the zombie machines to become infected in the first place presumably still exist. As the operators of Rustock are still at large, it's possible they will simply build another botnet from scratch.

While Rustock is one of the biggest and most notorious of spamming botnets, the takedown appeared to have little effect on overall spam levels. Although there were some reports that they'd dropped by as much as a third immediately after the takedown, MessageLabs said that it was seeing 'normal' levels of spam. And TrendLabs pointed to the dent made in spam levels after the McColo takedown – and how they soon recovered.

Kaspersky has just released its spam report for February 2011, which showed India as the leading source – the US was in eighth place (this is before the Rustock action). The report noted that spam traffic from the US fell rapidly after the Pushdo/Cutwail botnet closed, but climbed again just as rapidly. "Spammers are gradually regaining their position following the closure of major botnets in the second half of last year, and we foresee a return to spam levels of 81-82% by April-May 2011," said Maria Namestnikova, senior spam analyst at Kaspersky Lab.

Comodo certificates forged

Penetration by hackers into a reseller of Comodo digital certificates – part of the company's Registration Authority (RA) scheme – has resulted in the forging of SSL certificates for sites such as Skype, Yahoo, Windows Live, Google mail and Mozilla. These certificates could have been used for mounting Man in the Middle (MitM) or phishing attacks if Comodo hadn't responded quickly to prevent it.

An Iranian hacker later claimed responsibility for attacks on two resellers – GlobalTrust.it and InstantSSL.it, both based in Italy. He said he was able to obtain the encryption keys used to provide root authority to SSL certificates. It's not known which (if either) of these firms was the one whose keys were used to create the rogue certificates, as Comodo has refused to name the company.

It's also not known if the hacker acted alone, as he later claimed: initially, Comodo said that it suspected the attacks were state-sponsored and confirmed that they came from Iran. The hacker said he breached security by exploiting insecure password-handling in the Italian sites' Certificate Signing Request (CSR) processes.

The nine fake certificates were revoked within hours by Comodo, but the exploit wasn't publicly disclosed until action was also taken by browser vendors. Two days later, Google blacklisted a handful of certificates during a browser update, and Mozilla and Microsoft followed suit on subsequent days.

Later it emerged that two other resellers were compromised (which may or may not be the Italian firms named by the hacker), although no forged certificates were issued. Comodo said the companies' RA privileges had been withdrawn. Comodo has also started overseeing the validation processes used by its resellers and is introducing two-factor authentication for them. It has been criticised for allowing resellers to issue certificates directly from the root, and Comodo said it is reviewing this procedure.
In brief

UK employees share company data
More than a third (37%) of UK employees have shared privileged company data with friends and family. And more than a fifth (21%) who use laptop or desktop PCs have transferred such data to their own computers – even though more than half (58%) of these machines were shared with, or could be accessed by, other people. These are the findings of a survey by LogRhythm, which asked OnePoll to question 1,000 UK workers. The research also showed that, perhaps inspired by Wikileaks, more than a quarter of employees (26%) would be prepared to become whistleblowers and leak sensitive material if they thought it was in the …

… major security flaw. To avoid repeated logging in, the service creates an authentication token on the user's machine. The host_id token is stored in %APPDATA%\Dropbox\config.db on Windows machines. (It's uncertain if the same vulnerability exists on other platforms, but it's likely.) If this token is stolen – for example, by malware – and transferred to another machine, that machine will be able to log in to the user's Dropbox without raising any alerts. This is because the token is not tied to the machine on which it was created, and so Dropbox does not see it as a 'new' machine connecting to that account. More details are available at:

… inspection without requiring a warrant. The searching of such devices has long been controversial. Privacy rights organisations have said that it potentially exposes sensitive corporate or personal data, especially as the Department of Homeland Security has a policy of copying or downloading data if necessary. And there have been claims that removing devices to another facility for forensic inspection, without cause for suspicion, is a violation of the Fourth Amendment. However, a Ninth Circuit court has ruled that such searches are within the law when performed at US border locations.
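The host_id problem described above is a general one: a bearer token that is valid from any machine is only as safe as every file it is written to. The following is an added example, not Dropbox's code and not from the original article, contrasting that design with a token bound to a device identifier under a server-side HMAC. The store classes, the "alice"/"victim-pc" names and the alert list are assumptions for illustration. Binding of this kind does not stop malware that also copies the device fingerprint, but it forces the attacker to replay more than one file and gives the service a point at which a new machine can be noticed and re-authenticated rather than silently accepted.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import secrets

# Server-side secret used to bind tokens; in a real service it never leaves the server.
SERVER_KEY = secrets.token_bytes(32)


def _binding_mac(user: str, device_id: str) -> str:
    """HMAC over (user, device) so a token cannot be re-labelled for another device."""
    msg = f"{user}\x00{device_id}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


class BearerTokenStore:
    """The weak design: the token alone identifies the account, from any machine."""

    def __init__(self) -> None:
        self._tokens: dict[str, str] = {}

    def issue(self, user: str, device_id: str) -> str:
        token = secrets.token_hex(16)
        self._tokens[token] = user          # the issuing device is not recorded at all
        return token

    def check(self, token: str, device_id: str) -> str | None:
        return self._tokens.get(token)      # device_id is ignored: a copied token just works


class DeviceBoundTokenStore:
    """The hardened design: the token carries the device it was issued to, under a server MAC."""

    def __init__(self) -> None:
        self.alerts: list[str] = []         # hypothetical alert sink for "new machine" events

    def issue(self, user: str, device_id: str) -> str:
        payload = {"u": user, "d": device_id, "m": _binding_mac(user, device_id)}
        return base64.urlsafe_b64encode(json.dumps(payload).encode()).decode()

    def check(self, token: str, device_id: str) -> str | None:
        try:
            p = json.loads(base64.urlsafe_b64decode(token.encode()))
            user, bound_device, mac = p["u"], p["d"], p["m"]
        except (ValueError, KeyError, TypeError):
            return None                                   # malformed token
        if not hmac.compare_digest(mac, _binding_mac(user, bound_device)):
            return None                                   # binding has been tampered with
        if bound_device != device_id:
            # Genuine token, wrong machine: this is exactly the copied-config.db case.
            # Refuse the silent login and record it so the user can be told about a new device.
            self.alerts.append(f"{user}: token bound to {bound_device} presented from {device_id}")
            return None
        return user


def replay_from_other_machine(store, victim: str = "victim-pc", attacker: str = "attacker-pc"):
    """Simulate the theft: issue on the victim's machine, present the copy from the attacker's.
    Returns the account name if the replay is accepted, otherwise None."""
    token = store.issue("alice", victim)   # constructed sample account; token is the stolen copy
    return store.check(token, attacker)
```

Running `replay_from_other_machine(BearerTokenStore())` logs the attacker in as "alice"; the same call against `DeviceBoundTokenStore()` is refused and leaves one entry in `alerts`, which is the hook a service needs to prompt for a fresh login instead of treating a stranger's machine as the user's own.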
Feature

In plain view: open source intelligence
Danny Bradbury, freelance journalist

Researchers can gather a surprising amount of information on targets – people or companies – by harvesting data that is already publicly available. And sometimes they even surprise themselves.

For example, Steve Wilson, an IT security consultant and digital forensic analyst at Electric Cat, didn't expect the results of a demonstration he was giving to be as good as they were. He was explaining to a special interest group how to extract useful information on individuals from publicly available data. He pulled down a selection of images of a woman from the popular photo sharing site, Flickr.

"She was a model and photographer, but then I found out she used to be a lapdancer," he said, recalling that she went by names other than the one on her Flickr account. "From that single photo, I drilled down, and ended up with names and phone numbers of her aliases from the things she'd posted in forums."

The audience at his demo were shocked, but shouldn't have been. Using publicly available information to build a comprehensive profile of a target has become an increasingly important part of information warfare. As early as the late 1940s, certain parts of the intelligence community were systematically mining the public record to find unique perspectives on their targets.

The military has long realised the importance of Open Source Intelligence (OSINT). The 2006 National Defence Authorization Act in the US defines it as "produced from publicly available information that is collected, exploited, and disseminated in a timely manner to an appropriate audience for the purpose of addressing a specific intelligence requirement."

Who wants yesterday's papers?

In past times, that could have been as simple a process as reading regional newspapers and listening to speeches given in public forums. These days, such sources are still highly relevant, but there is far more of that information to sift through. And the availability of other kinds of information, such as metadata in documents and social networking data, has made open source intelligence even more useful, while also making it harder to manage.

Suddenly, sourcing publicly available information has become like drinking from a firehose. But it is also a key tool for everyone from law enforcement through to merger and acquisitions teams, headhunters, and anti-fraud departments in private organisations.

Stephen Leece, director at the UK's Open Source Intelligence Centre, describes some underlying methodologies that can help to guide open source intelligence. "You can easily source a 25-year archive of news and business provided by someone like Thompson or Reuters," he points out, "that answers the 'is there anything in the newspaper?' question."

The type of outlet publishing information can also be indicative. Many specialised stories about industries will appear in the trade press before they make it to the newspapers (if they do at all).

There are other sources now open to open source intelligence researchers. Leece points to the relationships between entities, codified in social networks. And structured information can provide some critical pointers for open source intelligence researchers.

"It's the key identifiers that people spend a lot of time on; something that you can use for an entity," Leece says. "So in the UK, you'll ask whether a person is a registered voter, and whether they have a telephone. You could put three or four elements together to find a classic profile, and you can then put these things together and create an information path."

From database to search engine

Much public domain information has historically been located in databases, but things have expanded into more open formats. Search engines, of course, have become a useful tool, and 'Google hacking', as advocated by experts such as Johnny Long, creator of the Google Hacking Database, has become a popular hobby.

That said, Peter Wood, CEO of penetration testing and information security company First Base Technologies, says that he has had his more complex Google search queries blocked by the engine. "At one point I got quite worried about manual Google hacking becoming an automated process and being used by black hats to drill down into open ports," he recalls.

Another potential problem is the skill involved in throttling the volume of information returned by the search engines. Leece recalls retrieving 1,000 hits per day by subscribing to RSS feeds on a selection of search terms in Google. "You have to be very neat and clever," he says. But not too clever. A beautifully-crafted search string designed to whittle away the chaff in search results may only return one or two stories a day, which might be too reductive for researchers. "Lockheed Martin is now training governments and specialists in how to use these different tools," he says.

In any case, Leece points out that much of the information available on non-obvious subjects isn't available via search engines: 80-90% of the information you need isn't in Google or Bing, he says. Rather, it lies in the deeper web.

This deeper web may be hidden behind paywalls, or closed to search engine spiders. There are swathes of useful information embedded in documents such as County Court judgements, Leece says, and it is in areas such as these that the real open source intelligence begins. "It is a very legitimate way to start mapping. It is very niche, and perhaps only your forensic, technical accounting teams will ever go there."

Focusing on forensics

If many researchers find going to the Registry Trust website, searching for a County Court judgement and paying a fee to be beyond them, then the skills required to target still more technical data sources will be even more rarified. Forensics tools can reveal much about the source of a document, the method of its production and distribution, and even the location of its subject.

It is often not even necessary to extract such data using specialist tools. Instead, sites such as Flickr do it for you. In 2009, journalist Matthew Honan cyber-stalked a woman as an experiment.1 He saw her taking pictures with an iPhone 3G in a San Francisco park. Searching on Flickr that night, he found the picture that she had taken, and was quickly able to work out where she lived and what her apartment looked like, simply by examining her photo stream.

Wilson loves geolocation information, explaining that it makes a target even more multidimensional. Furnishing oneself with an individual's address, combined with their employer, gives you their likely routes to work. It also gives you the likely location of their children's school, along with a handful of locations where a spouse might shop for groceries. It all contributes to the broader profile on a target. Each new piece of information creates new places to look, and should be cross-referenced against existing information in the target profile.

Technical evidence from digital forensics complements information gleaned from other sources such as search engines or specialist databases perfectly. In many cases, one can inform the other.

Automating open source intelligence

"A kiddy porn domain is a good example," says Roelof Temmingh, co-creator of Maltego, a product that merges open source intelligence and forensics. "Someone had to register it with the name and email address. The name is in the personal space, but that's a point where the two touch each other."

Maltego allows users to run transforms, which are functions that map one entity onto another. An entity is something that the user might want to investigate. Examples include domains, websites, email addresses, individuals, name servers, locations and telephone numbers. New entity types can be created, drawing data from any source, including closed information sources such as private databases. Any of these can be mapped to other entities using transforms, and users of the product can also write their own transforms. In Temmingh's example, the email given by the person registering the offending domain may show up in a WHOIS listing. Maltego might find evidence of the address used in online forums, which could lead to further leads. These leads – which might include IP addresses, phone numbers or other entities – could eventually lead to the identification of the malicious party.

Figure 1: In Maltego, running a transform on an email address can show you where it crops up online, and how.
Figure 2: The edge-weighted view in Maltego helps researchers evaluate the significance of specific entities.
Figure 3: Creating a network diagram with Maltego.
Figure 4: Maltego can be used to track higher-level concepts for open source intelligence purposes.
Figure 5: Maltego also has unicode support to help mine the increasing percentage of data that isn't in Latin character sets.

Temmingh says that Maltego doesn't do much more than someone could do with technical skills and a browser. Its beauty lies in its ability to scale, and to visualise. "Let's say you have 200 email addresses and want to see whether they're linked. You could do this by hand, but it will take you a little time," he says.

Wilson likes to mix manual and automated techniques, largely by hacking his own scripts. "There is a lot of developing code segments, and rapid prototyping," says the former Unix programmer, who says that his scripting skills are evolving over time. "The last script I wrote for Flickr involved 150 lines of Perl, and a friend did the same thing with three lines of Python," he recalls. However, where possible he also uses tools such as Maltego, or other tools such as CLITrack, which extracts EXIF data from photographs and enables their location to be plotted in Google Earth.
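The EXIF extraction that CLITrack automates, and that made Honan's Flickr experiment possible, is a short walk through two TIFF directories. What follows is an added example, not CLITrack's or the article's code: it constructs a minimal JPEG whose APP1 segment carries only a GPS sub-IFD (sample data, not a real photograph), finds that segment, follows IFD0 to the GPS IFD, converts the degree/minute/second rationals to signed decimal degrees, and emits a KML placemark that Google Earth will plot. The coordinates, the builder functions and the placemark name are assumptions for illustration; the tag numbers and the inline-versus-offset rule for values of four bytes or less are those of the TIFF/EXIF specifications.

```python
from __future__ import annotations

import struct

GPS_IFD_POINTER = 0x8825                         # IFD0 tag that points at the GPS sub-IFD
TAG_LAT_REF, TAG_LAT, TAG_LON_REF, TAG_LON = 0x0001, 0x0002, 0x0003, 0x0004
ASCII, RATIONAL = 2, 5                           # TIFF field types used below


def _dms(deg: float) -> list[tuple[int, int]]:
    """Decimal degrees -> the three unsigned rationals (deg, min, sec) the GPS IFD stores."""
    a = abs(deg)
    d = int(a)
    m = int((a - d) * 60)
    s = round(((a - d) * 60 - m) * 60 * 100)     # seconds kept to two decimals
    return [(d, 1), (m, 1), (s, 100)]


def build_sample_exif(lat: float, lon: float) -> bytes:
    """Constructed little-endian TIFF structure holding only a GPS sub-IFD (sample data)."""
    lat_ref = b"N" if lat >= 0 else b"S"
    lon_ref = b"E" if lon >= 0 else b"W"
    ifd0 = 8                                     # IFD0 follows the 8-byte header
    gps = ifd0 + 2 + 12 + 4                      # IFD0 has one 12-byte entry plus next-IFD link
    lat_data = gps + 2 + 4 * 12 + 4              # GPS IFD has four entries
    lon_data = lat_data + 24                     # three 8-byte rationals each
    out = b"II" + struct.pack("<HI", 42, ifd0)
    out += struct.pack("<H", 1) + struct.pack("<HHII", GPS_IFD_POINTER, 4, 1, gps) + struct.pack("<I", 0)
    out += struct.pack("<H", 4)
    out += struct.pack("<HHI4s", TAG_LAT_REF, ASCII, 2, lat_ref + b"\x00\x00\x00")  # <=4 bytes: inline
    out += struct.pack("<HHII", TAG_LAT, RATIONAL, 3, lat_data)
    out += struct.pack("<HHI4s", TAG_LON_REF, ASCII, 2, lon_ref + b"\x00\x00\x00")
    out += struct.pack("<HHII", TAG_LON, RATIONAL, 3, lon_data)
    out += struct.pack("<I", 0)
    for value in (lat, lon):
        for num, den in _dms(value):
            out += struct.pack("<II", num, den)
    return out


def build_sample_jpeg(lat: float, lon: float) -> bytes:
    """Wrap the sample EXIF in a minimal JPEG: SOI, one APP1 segment, EOI (no image data)."""
    payload = b"Exif\x00\x00" + build_sample_exif(lat, lon)
    return b"\xff\xd8" + b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload + b"\xff\xd9"


def find_exif_in_jpeg(data: bytes) -> bytes | None:
    """Walk JPEG marker segments and return the TIFF bytes inside the APP1 'Exif' segment."""
    pos = 2
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker, seglen = data[pos + 1], struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if marker == 0xE1 and data[pos + 4:pos + 10] == b"Exif\x00\x00":
            return data[pos + 10:pos + 2 + seglen]
        if marker == 0xDA:                       # start of scan: entropy-coded data follows
            break
        pos += 2 + seglen
    return None


def parse_gps(tiff: bytes) -> tuple[float, float] | None:
    """Follow IFD0 -> GPS sub-IFD and return (lat, lon) in signed decimal degrees, or None."""
    bo = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if bo is None or struct.unpack(bo + "H", tiff[2:4])[0] != 42:
        raise ValueError("not a TIFF/EXIF header")
    u16 = lambda o: struct.unpack(bo + "H", tiff[o:o + 2])[0]
    u32 = lambda o: struct.unpack(bo + "I", tiff[o:o + 4])[0]

    def entries(ifd):                            # yields tag, type, count, offset of value field
        for i in range(u16(ifd)):
            e = ifd + 2 + 12 * i
            yield u16(e), u16(e + 2), u32(e + 4), e + 8

    gps_ifd = next((u32(vf) for tag, _, _, vf in entries(u32(4)) if tag == GPS_IFD_POINTER), None)
    if gps_ifd is None:
        return None
    fields = {}
    for tag, typ, cnt, vf in entries(gps_ifd):
        if typ == ASCII:
            off = vf if cnt <= 4 else u32(vf)    # short values live inside the entry itself
            fields[tag] = tiff[off:off + cnt].split(b"\x00")[0].decode("ascii", "replace")
        elif typ == RATIONAL:
            off = u32(vf)                        # 8-byte pairs never fit inline
            fields[tag] = [(u32(off + 8 * i), u32(off + 8 * i + 4)) for i in range(cnt)]
    if not all(t in fields for t in (TAG_LAT_REF, TAG_LAT, TAG_LON_REF, TAG_LON)):
        return None

    def to_degrees(dms, ref):
        if len(dms) != 3:
            raise ValueError("GPS coordinate must be three rationals")
        d, m, s = ((n / den if den else 0.0) for n, den in dms)
        value = d + m / 60 + s / 3600
        return -value if ref in ("S", "W") else value

    return to_degrees(fields[TAG_LAT], fields[TAG_LAT_REF]), to_degrees(fields[TAG_LON], fields[TAG_LON_REF])


def to_kml(name: str, lat: float, lon: float) -> str:
    """KML placemark (note KML's lon,lat order) that Google Earth can plot directly."""
    return ('<?xml version="1.0" encoding="UTF-8"?>\n'
            '<kml xmlns="http://www.opengis.net/kml/2.2"><Placemark>'
            f'<name>{name}</name><Point><coordinates>{lon:.6f},{lat:.6f},0</coordinates>'
            '</Point></Placemark></kml>')


def gps_from_jpeg(data: bytes) -> tuple[float, float] | None:
    exif = find_exif_in_jpeg(data)
    return parse_gps(exif) if exif else None
```

On a real photograph the same `find_exif_in_jpeg` and `parse_gps` calls apply unchanged; the only difference is that IFD0 will carry many more entries before the GPS pointer, which the loop simply skips. The two values a researcher should expect to be absent are the GPS IFD itself (phones with location services off) and a missing reference tag, and both paths return None rather than a misleading coordinate.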
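Temmingh's description of transforms, entities and the value of scaling and visualising them is easy to reproduce in miniature. The following is an added example, not Maltego's code and not from the article: entities are (type, value) pairs, each transform maps one entity to the entities a single source links it to, and a breadth-first expansion from a seed builds the graph. Every edge records which sources independently connect the pair, which is the basis of the edge-weighted significance view in Figure 2, and `linked` answers Temmingh's "are these addresses connected?" question. The WHOIS records, forum posts and name servers are constructed sample data under reserved example names, not real look-ups.

```python
from __future__ import annotations

from collections import defaultdict, deque

# Constructed sample records standing in for WHOIS, forum and DNS look-ups (not real data).
WHOIS = {
    "badsite.example": {"registrant": "J. Doe", "email": "jdoe@mail.example", "phone": "+1-555-0100"},
    "other.example":   {"registrant": "J. Doe", "email": "jd@alt.example",    "phone": "+1-555-0100"},
    "clean.example":   {"registrant": "A. Corp", "email": "admin@corp.example", "phone": "+1-555-0199"},
}
FORUM_POSTS = [
    {"handle": "jd1979",    "email": "jdoe@mail.example",  "ip": "203.0.113.7"},
    {"handle": "jd1979",    "email": "jd@alt.example",     "ip": "203.0.113.7"},
    {"handle": "corpadmin", "email": "admin@corp.example", "ip": "198.51.100.2"},
]
NAMESERVERS = {
    "badsite.example": ["ns1.host.example"],
    "other.example":   ["ns1.host.example"],
    "clean.example":   ["ns.corp.example"],
}


# An entity is a (type, value) pair. A transform maps one entity to the entities one source links it to.
def whois(entity):
    typ, val = entity
    if typ == "domain" and val in WHOIS:                    # forward: domain -> registrant details
        r = WHOIS[val]
        return [("person", r["registrant"]), ("email", r["email"]), ("phone", r["phone"])]
    key = {"person": "registrant", "email": "email", "phone": "phone"}.get(typ)
    return [("domain", d) for d, r in WHOIS.items() if key and r[key] == val]   # reverse WHOIS


def forum(entity):
    typ, val = entity
    hits = [p for p in FORUM_POSTS if typ in p and p[typ] == val]
    found = ({("handle", p["handle"]) for p in hits}
             | {("email", p["email"]) for p in hits}
             | {("ip", p["ip"]) for p in hits})
    return sorted(found - {entity})


def dns(entity):
    typ, val = entity
    if typ == "domain":
        return [("nameserver", ns) for ns in NAMESERVERS.get(val, [])]
    if typ == "nameserver":
        return [("domain", d) for d, ns in NAMESERVERS.items() if val in ns]
    return []


TRANSFORMS = {"whois": whois, "forum": forum, "dns": dns}


def expand(seed, max_depth=3):
    """Breadth-first expansion from one seed entity. Returns an undirected graph in which each
    edge carries the set of sources that independently link the pair (its weight)."""
    graph = defaultdict(lambda: defaultdict(set))
    seen, queue = {seed}, deque([(seed, 0)])
    while queue:
        entity, depth = queue.popleft()
        if depth >= max_depth:                              # bound the blast radius of a run
            continue
        for name, transform in TRANSFORMS.items():
            for nxt in transform(entity):
                graph[entity][nxt].add(name)
                graph[nxt][entity].add(name)
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append((nxt, depth + 1))
    return graph


def significance(graph, top=3):
    """Rank entities by their total edge weight: the pivots that deserve a closer look first."""
    score = lambda e: sum(len(sources) for sources in graph[e].values())
    return sorted(graph, key=lambda e: (-score(e), e))[:top]


def linked(a, b, max_depth=3):
    """Temmingh's use case: is entity b reachable from entity a by any chain of transforms?"""
    return b in expand(a, max_depth)
```

Seeding with ("domain", "badsite.example") reaches "other.example" through three different routes (shared registrant, shared phone, shared name server) while "clean.example" never appears, and the two domains come out as the top-ranked pivots. Adding a real source is a matter of writing one more function that returns (type, value) pairs and registering it in `TRANSFORMS`; the depth limit is what keeps a 200-address run from walking the whole Internet.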
Total awareness

At a governmental level, the idea of automating this information harvesting and storing it in databases for further use has grown to monstrous proportions. John Poindexter, former national security advisor to Ronald Reagan, proposed the idea of a massive intelligence database containing both open and closed-source information after the terrorist attacks on the World Trade Centre. DARPA (the Defense Advanced Research Projects Agency) funded the project, which was called Total Information Awareness, in 2002. The project, headed by the newly-created Information Awareness Office, was designed to mine large amounts of transactional information from the US public, and included elements such as Evidence Extraction and Link Discovery. Funding for the comprehensive programme was later choked off by Congress, although reports suggest that elements of the project continued to survive in the intelligence community.

It isn’t just law enforcement and intelligence organisations that might want to combine forensic, personal and organisational data to build a comprehensive profile. One company considering the purchase of another, for example, could learn a great deal by examining the people that work there, and where its infrastructure is located. If eight IP addresses suddenly spring up geolocated in Nigeria, the chances are that the firm may have established a branch office there. Why?

“You can learn from whether a firm has a centralised or decentralised IT department,” Temmingh says. “You can see that they’re consolidating, or that everyone

in the same group as them, but the company restricted this information over time. However, there are relatively easy ways in. “We could, with a client’s permission, do the kind of thing that was done at Blackhat a few years ago, where you create a fake profile and then befriend someone,” says Wood.2 “Befriending someone gives you everything you need.”

Social networks open up a whole new world of information, because at least as much value is contained in the relationships between entities as in the entities themselves. If you wanted to find out everything about writers covering women’s issues in middle eastern countries, along with other contacts who were interested in the same subjects, then a search of relevant periodicals, combined with some judicious social network analysis, would get you a long way toward your goal.

The danger, of course, is that malicious actors can use the same techniques. High net-worth individuals and companies with employees in sensitive positions should be aware that open source intelligence can be used for nefarious purposes. Even if individuals (or their families) don’t attract the attention of kidnappers, they might well invite a spear-phishing attack, in which a malicious party gathers enough open source information about them to mount a convincing attack. Open source

Instead, it’s simply a question of understanding the risks. “We have seen people using the same passwords in different environments, and that’s a learning point,” he says. Using your spouse’s middle name or the place where you bought your dog suddenly becomes far less attractive when you understand the risks. It was what enabled college student David Kernell to hack his way into Sarah Palin’s personal webmail account during the 2008 presidential election.

Ultimately, there is little new under the sun, but approaches vary as new technologies come along. Keeping a watchful eye on unclassified information in the public domain has always been a tactic for those tasked with investigating specific targets. However, the opportunities for harvesting, automating and codifying that information to produce new insights have exploded along with the Internet. Open source intelligence is entering a new era.

About the author

Danny Bradbury is a freelance technology writer who has written regularly for titles including The Guardian, Financial Times, National Post, and Backbone magazine in addition to editing several security and software development titles. He specialises in security and technology writing, but is also a documentary film maker and is currently working on a non-fiction book project.

References

1. Honan, Matthew. ‘I Am Here: One Man’s Experiment With the Location-Aware Lifestyle’. Wired, 2009,
Cath Everett, freelance journalist
The idea of ‘professionalising’ the information security industry has long been a controversial one. Many practitioners, particularly those that have been around for a long time, are simply not convinced that such a move is either necessary or has any value.

Although they may maintain membership of one or more of the many extant industry bodies, it is mainly for status reasons rather than out of any desire to be formally recognised as participating in a ‘paid occupation that involves prolonged training and a formal qualification’ (Oxford English Dictionary definition of the term ‘profession’).

Maintaining membership of industry associations is thus often seen as a chore, and the idea of having to gain suitable qualifications to enter practice or undertake Continuing Professional Development (CPD) activity to remain in it is not particularly welcomed outside of highly regulated industries such as financial services (though here, too, the advent of professional standards was resisted by many older financial advisors when they were introduced in the 1990s).
The situation is also not helped by the fact that the numerous CPD schemes available have to date not been standardised. Moreover, any credits gained by participating in one are not necessarily interchangeable with another and can often differ quite radically in value.

Another issue is that there is currently no accepted definition of what an information security professional actually is or does. This means that there is no formal profile, no mandatory requirement to be a member of an institute or have minimum qualifications and no unified, enforceable, globally recognised code of practice, as is the norm with established professions such as doctors or lawyers.

Mixed quality

The problem for potential employers and customers in this scenario arises from the mixed quality of the practitioners on the market and the fact that there is no standard, formal means of assessing their knowledge and/or experience. For example, David Porter, director of Resilient Thinking, says he tends to look at an individual’s track record, recent job testimonials and word-of-mouth feedback. “It’s about having an audit trail of proof, so pick up the phone and speak to their previous boss,” he advises.

On the other hand, Mike Gillespie, a director at information security consultancy Advent-IM, looks for “a basic set of underlying skills and knowledge in specific key areas rather than qualifications per se” and takes a more “show-me rather than tell-me” approach to recruitment.

But in an organisation where information security is not the core business, such judgements are likely to be much more difficult to make. And the fact that inexperienced pretenders can set themselves up in business with no sanction after undertaking a course of only a few days’ duration generates the risk of creating cowboys that have the potential to bring the industry into disrepute.

Although there appear to be no current moves towards either consolidating the number of industry bodies or rationalising the numerous CPD programmes on the market, work has been going on to at least come up with a set of core principles to govern responsible practitioner behaviour. While falling far short of an enforceable code of practice, the principles, which were jointly developed by the Information Security Forum (ISF), the Information Systems Audit and Control Association (ISACA) and the Information Systems Security Certification Consortium (ISC)2, are intended to provide guidelines for good practice.

Independent principles

Jason Creasey, the ISF’s global alliances leader, explains the rationale: “There’s a massive proliferation of standards, codes of practices and ethics, but they’re written by individual organisations and owned by them. So we thought there was a requirement for an independent and non-proprietary set of principles to promote responsible security behaviour.”

The organisation chose its partners based on the fact that they were “leading international [rather than local] bodies” and the next phase will see ISACA and (ISC)2 marketing the principles among their membership as well as trying to secure the endorsement of other industry bodies – particularly in the US where awareness is especially low. Discussions are also ongoing as to whether the guidelines should likewise be embedded into their qualifications.

At this point, however, there are no plans to develop the principles into a more formal, enforceable code of practice, although Creasey does not entirely rule out the idea.

“We have more important things to sort out at the moment, which is about developing the professional rather than professionalising the industry,” he says. “It’s about moving forward one step at a time and we believe it’s more powerful to try and get practitioners to adopt a de facto standard.”

One of the issues is that using the principles as the basis of a code would require the creation of an agreed set of information security terminology (which is currently being worked on by ISO, the International Organisation for Standardisation) as well as involving considerable work looking at the pros and cons of professionalisation.

As a result, Creasey adds: “While we might consider doing that in future, it’s not in our agreed work programme, but it is on our radar.”

Code of practice

Advent IM’s Gillespie says that, personally, he would welcome such a step, although he acknowledges that, “the quantity of industry bodies and lack of a mandatory route into the profession, including the disparity of qualifications, makes this highly unlikely”.

Such an enforceable code would not only ensure that practitioners remain independent of the business, in the same way that financial or audit professionals are, but would also help in protecting both them and their customers, he believes.

“As we all know, it can sometimes be a fine line between providing services to the customer and satisfactorily addressing statutory requirements,” Gillespie says. “Also, how many consultants either hide behind policy because they lack the risk management skills or say what the customer wants to hear either because they want the work or because they get intimidated?”

But Gillespie is not entirely convinced about how much difference the principles,
which he describes as “a bit basic”, will make in and of themselves. While he says that the “unification of views” from disparate industry bodies can only be a good thing, he points out that their value to the industry is likely to remain limited “until and unless businesses [rather than individual practitioners] are made fully aware of their existence and accept and embrace them”.

“It’s a good starting point if only for debate such as this,” he says, “but it will be interesting to see the status of the principles in a year’s time.”

Ethics project

Meanwhile, another potential step on the road to professionalisation is the creation of an initiative entitled the Information Security Ethics Project, which is sponsored by and housed within the UK’s Institute of Information Security Professionals (IISP).

The idea behind the project came from the Institute’s general counsel, Robert Carolina, who is also a senior visiting fellow at Royal Holloway University’s information security group, where he teaches in its information security MSc programme.

In early 2009, Carolina wrote an article for Computer Weekly about the legality – or otherwise – of the actions of the BBC’s Click TV programme team when it created its own botnet for educational purposes by commandeering more than 21,000 computers around the world.

Carolina canvassed the opinions of a number of information security practitioners as to whether they considered the move right or wrong. The responses, which ranged from “it’s absolutely appalling and law enforcement should throw the book at them” to “they deserve to get an award” – which, incidentally, they later did – prompted him to explore what ethical guidance was currently available, most of which he found unhelpful.

As a result, as of early February this year, Carolina kicked off the first in a series of ethics workshops, made up of no more than 25 IISP members. “This is an area where people are crying out for guidance, especially in the private sector,” he says. “We want practitioners to have better information so that they feel less exposed and better informed to make hard decisions.”

Things are changing

The half-day discussion centred on a series of hypothetical case studies that were used to debate the right and wrong ways to respond in each scenario and, most importantly, why. The aim was to look for points of commonality and difference in individuals’ beliefs and approaches and to use those areas where opinion diverged as the basis for further discussion.

The next step will be to host an ongoing series of workshops over the next 12 months or so and to circulate reports based on the outcomes to members of the working group, although other individuals will be invited to join as appropriate.

“If this gains traction and popular support, we might be able to start abstracting out basic principles to describe what ethical practices are and maybe write them down as a rule set,” Carolina says. “But if we do that, it will only be published with highlighted case studies as you have to have examples and context. In my professional opinion, without that, it’s not much value.”

While such initiatives are, unfortunately, still rather fragmented in nature, what they would appear to suggest is that the information security industry is slowly starting to move down the path of becoming more professionalised.

As Gillespie concludes: “Things are changing. There are lots of pockets of work being done and, while they’re not consistent or global, you can see a day when the industry will get there – although it’s a long road yet.”

About the author

Cath Everett is a freelance journalist who has been writing about business and technology issues since 1992. Her special areas of focus include information security, HR/management and skills issues, marketing and high-end software.

Malvertising – exploiting web advertising
Aditya K Sood, Richard J Enbody, Michigan State University
Online advertisements provide a convenient platform for spreading malware. Since ads provide a significant portion of revenue on the web, significant effort is put into attracting users to them. Malicious agents take advantage of this attraction and then redirect users to malicious sites that serve malware.

Search engines’ intimate tie-in with advertising also assists malicious agents: significant effort goes into attracting users to particular sites from which users can be redirected. Of particular use to malicious agents is that redirection is built into online advertising, so the malicious user only needs to co-opt a redirection that is taking place. As a bonus, the user expects a redirection to take place, so
the redirection to a malicious site is less of a red flag.

Another feature of online advertising that can be co-opted by malicious agents is the dynamic delivery of ads. A standard approach is to provide HTML code snippets that are used in conjunction with normal websites in order to embed advertisements. For example, Doubleclick.net provides millions of ads that are served to different domains as dynamic content – that is, the content of advertisements can change dynamically based on user or content characteristics. Service Level Agreements (SLAs) exist between ad distributor and website to define appropriate content, but they are neither designed for nor appropriate for applying effective security. In particular, it is hard to determine the integrity of content that is shared among different domains across the web.

The result is that online marketing has opened up new avenues for profit generation while at the same time providing a convenient platform for malware delivery. Malvertising growth is being assisted by the following:

• Malicious agents can register nearly any domain and can use it as a storage base for malware in order to conduct drive-by-download attacks by redirecting users to their malicious domains.1 Generally, these types of domains do not comply with any types of security or privacy standards.
• Malicious agents can use different modes of malvertising infections in order to redirect traffic from malvertisements that are distributed across the World Wide Web. When a user clicks on a malvertisement, the traffic is redirected towards a malicious domain rather than the legitimate one.
• Generally, no verification check can be imposed on advertisements to detect whether the redirect occurs appropriately or not. This lack of verification results from the nature of the web-advertising model, which makes it difficult for a publisher to scrutinise web traffic related to ad delivery.
• Attackers can also tamper with sponsored links to distribute malicious executables directly into the system as part of a drive-by-download infection. Internet Explorer has been a popular target because of both its popularity and its ability to run custom exploits through ActiveX controls [8].

The irony is that advertisers pay the publishers for the advertisements while the attackers exploit those same ads to spread malware.

Malvertising modes

Most web malware is triggered through web injections that exploit vulnerabilities in web software and domains. Different modes of infection are used for injecting malicious advertisements into vulnerable domains. To appreciate the severity and prevalence of this class of attack, the Open Web Application Security Project (OWASP) recently placed unvalidated redirects and forwards in its 2010 ‘top 10’ list.2

Malvertising with malicious widgets and redirection

The advent of Web 2.0 popularised widgets for use in advertising and traffic redirection.3 However, flaws in the design of some web widgets pose high risks to domains using those widgets for advertising.4 As mentioned above, the redirection can be co-opted by malicious users to redirect traffic to malicious sites.

Figure 1: Registering a widget on a vulnerable advertising domain.
For example, we detected a widget vulnerability in a popular news publisher website. The normal procedure is for a user to register, which allows the publisher to render news from various popular channels and embed them into the user’s websites and blogs. However, because of flaws in the publisher’s system, it’s possible to redirect traffic.

In order to install the widget, the publishing domain requires certain steps to be performed by a user to facilitate the ability of the widget to include third-party content. Specifically:

• The widget can only be installed after registration. The user selects the widget code based on the target platform – such as Blogger, MySpace etc – in which the widget is to be installed.
• Once the registration is complete, the publisher requires the user to log in to his or her website or blog so that widget installation can be completed. After installation, the publisher starts sending news and advertisements to the registered user’s website.
• After the widget is embedded in the user’s site, the user is able to receive random content from various content providers through a vulnerable advertising domain that acts as an intermediate service provider.

Figure 2: Installed widget.

For advertising purposes, the vulnerable publishing domain uses redirection links in order to advertise on the publisher’s website. However, web traffic can be easily redirected from where the widget is installed to any domain. This shows that inclusion of the widget in any random domain can result in traffic redirection from a vulnerable publisher’s website through advertising links. The attacker can exploit this scenario by performing three steps:

Step 1: The attacker registers as a legitimate user (in order to get a widget with the same domain, as shown in Figure 2).

Step 2: The attacker can activate the vulnerable publishing domain as follows, where ‘outbrain.com’ is a vulnerable advertising domain and ‘xsstestingblog’ is a blog that serves malware:

http://outbrain.com/most-viewed.action?sourceUrl=http://www.xsstestingblog.blogspot.com

Step 3: Users who go to the widget thinking that they are entering the publisher’s site find themselves redirected to the attacker’s site. A successful attack can be seen as a request-response mechanism in Figure 3.

This attack is the outcome of a design bug in the widget implementation. Attackers can exploit this scenario by generating malicious advertisements (using the publisher’s name) that are embedded with redirected URLs which exploit the design bug in the vulnerable publishing domain in order to execute redirection towards the malicious domain. This shows how a vulnerable advertising widget can be subverted by an attacker.

Remote malvertising with

The HTTP specification includes the iframe to embed one web page into another. Iframes can be used to load dynamic content for advertising. This functionality of iframes can be exploited to trigger infections. Iframes are used extensively in order to bypass Same Origin Policy (SOP) and launch a Cross Domain Attack (CDA).5,6 Attackers can easily embed hidden iframes that serve malvertisements in order to spread malware while interacting with legitimate users.

Usually, iframes are exploited using the following procedures for running malicious code:

1. Scripts in iframes are allowed to execute in the context of the browser process (the more powerful the context, the greater the vulnerability that can be exploited).
2. There is no specific security restriction on ActiveX object usage.
3. Browser redirection can be done easily through iframes.
4. Access to local objects is not restricted completely.

The hidden iframes used for malvertising are constructed as follows:

ers to hide the objects that are used for spreading malware. The concept
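As an added example (not code from the article or from any advertising provider), this is how a publisher could harden a widget endpoint of the kind shown in Step 2: the redirect target is parsed server-side and only allowlisted partner hosts are followed. The endpoint path, the partner allowlist and the surrounding request handling are assumptions; the article's own widget URL is used as the rejected case.

```python
"""Allowlist check for an advertising-widget redirect parameter.

Added example (not code from the article or any ad provider).  The flaw
in the article is a widget endpoint that forwards the browser to whatever
its 'sourceUrl' parameter says.  The publisher-side fix is to parse the
target and refuse anything that is not a registered partner site.  The
endpoint, parameter handling and allowlist here are assumptions.
"""
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Hypothetical hosts that vetted, registered widgets may send traffic to.
# In a real deployment this comes from the widget-registration database.
ALLOWED_HOSTS = {"example-publisher.com", "news.example-publisher.com"}
REDIRECT_PARAM = "sourceUrl"


def host_allowed(host: str) -> bool:
    """True for an allowlisted host or a subdomain of one.

    Matching is done on label boundaries, so 'evil-example-publisher.com'
    and 'example-publisher.com.evil.example' both fail.
    """
    host = host.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in ALLOWED_HOSTS)


def safe_redirect_target(request_url: str) -> Optional[str]:
    """Return the redirect destination if acceptable, otherwise None.

    Rejects a missing parameter, non-http(s) schemes (which also covers
    scheme-relative '//host' and 'javascript:' values), URLs carrying
    userinfo such as 'trusted.com@evil.example', and hosts that are not
    on the allowlist.  On None the endpoint should answer 400 or send
    the user to its own front page instead of following the parameter.
    """
    params = parse_qs(urlsplit(request_url).query)
    values = params.get(REDIRECT_PARAM)
    if not values:
        return None
    target = values[0].strip()
    parts = urlsplit(target)
    if parts.scheme not in ("http", "https"):
        return None
    if parts.username is not None or parts.password is not None:
        return None
    if not parts.hostname or not host_allowed(parts.hostname):
        return None
    return target


def check_samples() -> dict:
    """Runs the check over constructed requests plus the article's URL."""
    endpoint = "http://widget.example/most-viewed.action?sourceUrl="
    cases = {
        "article_url": "http://outbrain.com/most-viewed.action?sourceUrl="
                       "http://www.xsstestingblog.blogspot.com",
        "partner": endpoint + "https://news.example-publisher.com/story/1",
        "scheme_relative": endpoint + "//evil.example/",
        "suffix_trick": endpoint + "http://example-publisher.com.evil.example/",
        "userinfo_trick": endpoint + "http://example-publisher.com@evil.example/",
        "no_param": "http://widget.example/most-viewed.action",
    }
    return {name: safe_redirect_target(url) for name, url in cases.items()}
```

Only the "partner" case yields a destination; every other case returns None and should be refused rather than followed.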
Figure 3: Victim browser successfully gets redirected to the malware domain.

In addition, attackers can hide their malicious purpose using Javascript obfuscation techniques to encode the malicious links. Iframes possess a default inherited flaw of defining a trust relationship between different domains that are communicating with each other. The trust relationship cannot be determined every time within different domains that are sharing content.

The inability to precisely determine trust is why it is very hard to restrict the content present in iframes and why it is executed in the context of the parent website. Attackers load malvertisements in iframes to run in the parent domain for inline infections so that the detection process becomes harder.

Malvertising through infected Content Delivery Networks

A Content Delivery Network (CDN) is a third-party ad server that provides content to different domains across the web. CDNs are the preferred choice for attackers to spread malware by exploiting the CDN web servers – the attackers can simply let the servers assist in spreading the malware. Advertisements use Flash, Silverlight, pop-ups, Windows Media Player files and Javascript extensively. However, this is a grave concern because if a CDN server is exploited, the attacker can inject malicious code in the form of malvertisements and that code is widely distributed. There is a chain reaction because if a parent server is infected, the child nodes will automatically get infected, too. Corrupting a server that serves thousands of sites spreads the malvertisements broadly and often in a trusted manner.

We have identified Windows Media Player files being used in malvertising for spreading malware. An attacker can perform the following steps in order to design and inject malicious .wmv files as malvertisements:

Step 1: The attacker ‘backdoors’ the .wmv file using Windows Script Editor, with malicious code (as presented in Figure 4) that executes through Cross Site Scripting (XSS) attacks.

Step 2: The attacker injects this .wmv file in an iframe and injects the code in a vulnerable CDN domain. When this file is distributed across domains, it starts spreading the malicious XSS file and bypasses the Internet Explorer XSS filter as shown in Figure 5.

As you can see, CDNs have the potential to be a big problem with respect to web malware.
Malvertising through malicious banners

Advertising banners are used extensively in order to spread infections.7 Primarily, attackers exploit servers that host a number of websites on a single server – a common scenario. As above, attacking servers is an easy way to infect a large number of websites. In addition, since advertising banners are widespread, an attack through them will also be widespread. In this attack, the attackers exploit an XSS flaw or SQL injection vulnerability in websites hosted on the server in order to take full control. The attacker then uses two specific techniques to infect websites with malicious banners as follows:

Figure 4: Designing a .wmv file backdoor.
• Attackers update the database with malicious iframes by exploiting SQL injections in order to trigger persistent infections.
• Attackers compromise the shared hosting server and use automated scripts to render malicious code on the main web page of different hosts.

When a user visits a specific website, malicious banners are displayed along with dynamic content. Clicking on the banner infects the user, or simply displaying the banner can lead to infection. This trick can be used in conjunction with SEO poisoning, in which an attacker coerces a search engine to visit malicious domains or hijacked websites that display malicious banners.

Figure 5: WMV file is spreading malicious VbScript file.

Solutions

• The design of web applications and widgets should be thoroughly verified before allowing their use in a production environment. The widget should be installed with appropriate access controls in order to avoid any rogue actions.

are becoming one of the main sources of spreading web malware. One reason for their popularity is a dearth of appropriate security procedures for content sharing. For example, merely signing an SLA does not ensure security and integrity in a shared network. There is a pressing need for rigorous security policies and procedures to curb the risk of this type of infection. History indicates that it is impossible to get rid of malware infections completely, but continuous efforts can contribute towards enhancing the

pending on hardware buffer-overflow protection, which will prevent most computer worms and viruses. He recently co-authored a CS1 Python book, The Practice of Computing using Python.

Resources

• Polychronakis, Michalis; Mavrommatis, Panayiotis; Provos, Niels. ‘Ghost Turns Zombie: Exploring the Life Cycle of Web-based Malware’. Accessed Mar 2011.
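The following is an added example, not the authors' code: a small auditor that a publisher or CDN operator could run over ad creatives or a site's banner markup to flag the hidden iframes described in the iframe section and planted by the banner injections above. The trusted-host list and the sample creative are constructed for illustration.

```python
"""Hidden-iframe auditor for ad creatives and page markup.

Added example, not code from the article.  The article describes
malvertising iframes that are invisible to the user and point outside
the ad network, and banner injections that plant such iframes in a
site's database.  This check flags both.  The trusted-host list and
the sample creative below are constructed for illustration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hypothetical hosts an ad slot on this site is permitted to frame.
TRUSTED_HOSTS = {"ads.example-network.com"}

# CSS fragments that make a frame invisible or push it off-screen.
HIDING_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden"
    r"|(?:left|top)\s*:\s*-\d{3,}px|(?:width|height)\s*:\s*0*[01]px",
    re.IGNORECASE,
)


def is_tiny(value):
    """True for a width/height attribute of 0 or 1 (pixel-sized frame)."""
    return value is not None and value.strip().rstrip("px") in ("0", "1")


def host_trusted(host):
    """Exact match or subdomain of a trusted host, on label boundaries."""
    return any(host == h or host.endswith("." + h) for h in TRUSTED_HOSTS)


class IframeAuditor(HTMLParser):
    """Records every <iframe> together with the reasons it looks suspect."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = dict(attrs)
        reasons = []
        if is_tiny(a.get("width")) or is_tiny(a.get("height")):
            reasons.append("zero-or-one-pixel size")
        if a.get("style") and HIDING_STYLE.search(a["style"]):
            reasons.append("hidden by CSS")
        src = a.get("src") or ""
        parts = urlsplit(src)
        host = (parts.hostname or "").lower()
        if host and not host_trusted(host):
            reasons.append("frames untrusted host " + host)
        # A relative src (same origin) is fine; an absent src or any
        # scheme other than http(s) is reported.
        if not src or parts.scheme not in ("http", "https", ""):
            reasons.append("missing or non-http src")
        self.findings.append({"src": src, "reasons": reasons})


def audit_markup(html):
    """Return the iframes that triggered at least one reason."""
    parser = IframeAuditor()
    parser.feed(html)
    parser.close()
    return [f for f in parser.findings if f["reasons"]]


# Constructed creative: one legitimate banner and two injected frames.
SAMPLE_CREATIVE = """
<div class="ad-slot">
  <iframe src="https://ads.example-network.com/banner?id=42"
          width="300" height="250"></iframe>
  <iframe src="http://malware-host.example/drop.html"
          width="1" height="1" style="visibility:hidden"></iframe>
  <iframe src="//cdn.example-network.com/x"
          style="position:absolute;left:-9999px"></iframe>
</div>
"""
```

Run over SAMPLE_CREATIVE, audit_markup reports the two injected frames and passes the visible, trusted banner.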
• ‘Active X Controls’. Microsoft. Accessed Mar 2011.

References

4. Sood, AK. ‘Open Redirect Wreck
by increases of 30% in communications products and 34% in mail order, when compared to 2009.1 The report highlights the flexibility with which fraudsters adapt their methods and targets in relation to the current environment.

The Fraudscape report says: “Whether it is using a false identity to obtain a mail order account, taking over an existing mobile phone account to obtain an upgrade by changing a mailing address, or simply lying on an application form, all of these types of frauds are attracting both opportunist fraudsters and those involved in organised criminal activity.”

Soft fraud – online insurance applications

When considering the fraud threat to financial services, it is tempting to envisage a global network of master criminals. However, this paints only part of the picture. The insurance industry, for instance, classifies fraud into two types – ‘hard’ and ‘soft’. Hard fraud occurs when someone fraudulently claims on their insurance by planning or inventing a loss such as a car accident. Criminal rings are sometimes involved in hard fraud schemes. On the other hand, soft fraud (also known as opportunistic fraud), which is far more common than hard fraud, occurs when an individual is obtaining a new insurance policy, and they misreport previous or existing conditions in order to obtain a lower premium on their insurance policy.

A case in point is motor insurance. According to the Association of British Insurers, over half (53%) of British adults think it is acceptable or borderline behaviour for an older, lower-risk person to insure a vehicle in their name when a younger higher-risk driver is the actual main driver.2 What’s more, one in five drivers would not rule out exaggerating the number of years since they last claimed.

While this type of ‘soft’ fraud may seem harmless to consumers, in reality it can mean that they are unwittingly driving illegally, they may face extremely high bills if involved in an accident, and it will be harder and more expensive to obtain insurance in the future. From the perspective of the insurance industry, this type of fraud exposes a large chunk of an insurer’s motor book to unprofitable business through to insurers unintentionally accepting wrongly priced risks. This problem is further compounded by the growth of price comparison sites and online insurance applications that make it more tempting than ever for consumers to bend the truth to get a better price. It is therefore crucial for the insurance industry to tackle this threat in order to protect both their customers and also their profitability.

The battle continues

Whether it’s the emergence of new channels that allow consumers to easily lie, or the fact that professional fraudsters are constantly modifying their approach to target weak spots, it’s clear that financial services companies cannot afford to be complacent about the fraud threat. As such, fraud prevention techniques can never remain static and need to evolve to stay one step ahead of the fraudsters. No single approach will serve successfully to combat fraud; it will always require the right mixture of good business practices, education, prevention and detection.

Only a system that allows behavioural profiling and analytics across multiple delivery channels and products simultaneously, and in real time, can adequately address many of the emerging fraud trends in the online world. Business analytics can be used to implement rigorous detection, prevention and investigation rules using predictive models backed by flexible rules engines. This not only helps to accurately identify crime patterns and the perpetrators, but taking an enterprise-wide approach can also allow fraud teams to monitor every transaction, in real time where necessary, enabling them to identify complex, cross-channel crime such as identity theft.

Underpinning a successful fraud prevention strategy powered by business analytics is access to the right data. As such, improving the quality of data to be analysed can have a significant effect on the results an organisation can achieve in fighting fraud. For example, when marketing departments are developing campaigns to mail out to customers, the questions they ask can further support the risk department in its fight against fraud. Naturally, equilibrium needs to be struck between the two departments to ensure security without hampering the customer experience. Only by unifying the financial-crime-management process across the entire organisation can fraud teams eradicate a compartmentalised approach and gain access to the right data from throughout the organisation.

Additional benefits of business analytics

In the case of the kinds of online application insurance fraud mentioned above, using real-time analytics can not only reduce fraud risks, but it can also lead to increased cross-selling and up-selling opportunities.

At the point of application, having made a real-time decision about whether to offer the customer a policy, insurers need to use all means possible to convert their best customers into sales there and then. Having built up a picture of the customer, insurers can offer them extra incentives or discounts, tailored specifically to them. For instance, a motor insurance policy often automatically includes optional extras such as breakdown cover or personal accident cover. Using a real-time decision engine, insurers can ascertain whether a customer is a low risk and, in turn, reduce the cost of the additional services to ensure they retain the business.

Ultimately, financial services cannot afford to rest on their laurels. Fraud threats may come from a diverse range of sources – whether it is consumers looking for a cheap deal or professional criminals looking to exploit weaknesses in the system. The fact that losses from some channels, such as card fraud, have reduced year on year is encouraging, and demonstrates that the industry is indeed moving in the right direction through
17 April 2011 Computer Fraud & Security Feature
improved fraud prevention methods. Ultimately the goal of the financial services industry should be to ensure that the damage can be limited as much as possible and that consumer confidence is left intact.

About the author

Duncan Ash is responsible for marketing and strategy for the financial services industry at SAS. He has over 15 years' experience in the software industry and has worked in a number of roles, from pre-sales to business development and marketing, at a number of software companies, including Netscape, AOL and Sybase.

References

1. 'Fraudscape: depicting the UK's fraud landscape'. CIFAS, March 2011. Accessed Mar 2011.

HSBC case study: a customer-centric view of fraud

HSBC Holdings is one of the world's largest banking and financial services organisations, serving more than 100 million customers through 10,000 offices in 86 countries and territories. Not surprisingly, combating all forms of fraud – payment cards, online transactions and even first-party (customer) fraud – has vaulted to the top of the corporate agenda.

According to Derek Wylde, head of Group Fraud Risk, Global Security and Fraud Risk for HSBC, the bank has extensive anti-fraud policies that span the entire enterprise. A big part of a bank's relationship with customers is giving them confidence that you are protecting them against fraud, and balancing that with their need to have access to your services. "Fraud losses are true operating costs that go directly to the bottom line and affect our ratios," he says. "So, it's an incredibly important focus for HSBC. Like most institutions, we've implemented policies to segregate duties, create dual controls and establish strong audit

provides a wealth of up-to-date information about the performance of our fraud defences and allows us to adapt, as needed, to combat changing threats. We also need different models for different regions of the world."

Moving forward, HSBC is expanding its fraud monitoring to cover multiple transactions across different channels to obtain a customer-centric view of fraud threats. Rather than have separate, isolated teams looking at online bill payments, debit card transactions and credit card purchases, HSBC will be looking at that data in the aggregate. "Sometimes there are subtler threats that – when viewed separately – can appear benign. But when you bring them together, you can spot fraud earlier," says Wylde. "For instance, if a customer's credit card is used shortly after his debit card and there is also activity on the Internet banking channel, you don't want all of that activity being reviewed by three separate analysts in three different locations. Instead, all of your
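The cross-channel correlation Wylde describes (a credit card used shortly after the debit card, with Internet banking activity on the same customer), and the earlier point that only analytics across multiple delivery channels in real time catch this kind of pattern, reduce to a small detection rule. The Python below is an added example written for this page, not SAS or HSBC code; the customer IDs, amounts, per-channel limits and the 15-minute window are constructed assumptions. It runs one constructed event stream through a siloed per-channel check and then through a customer-centric check, so that the difference between the two views is visible on the same data.

```python
"""Cross-channel fraud correlation over a constructed event stream.

Added example for this page; not code from SAS or HSBC. The customers,
amounts, channel limits and correlation window are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (ISO timestamp, customer id, channel, amount in GBP).
SAMPLE_EVENTS = [
    ("2011-03-14T09:02:10", "C1001", "debit_card", 42.50),
    ("2011-03-14T09:06:41", "C1001", "credit_card", 310.00),
    ("2011-03-14T09:09:05", "C1001", "internet_banking", 900.00),  # transfer out
    ("2011-03-14T09:10:00", "C2002", "debit_card", 15.00),
    ("2011-03-14T11:30:00", "C2002", "internet_banking", 20.00),
    ("2011-03-14T12:45:00", "C3003", "credit_card", 4800.00),
]

# Assumed per-channel limits: the kind of rule a siloed team applies to its
# own channel without seeing the customer's activity elsewhere.
PER_CHANNEL_LIMIT = {
    "debit_card": 500.00,
    "credit_card": 2000.00,
    "internet_banking": 1000.00,
}


def per_channel_alerts(events):
    """Siloed view: each channel flags only its own over-limit transactions."""
    return [
        (customer, channel, ts)
        for ts, customer, channel, amount in events
        if amount > PER_CHANNEL_LIMIT[channel]
    ]


def cross_channel_alerts(events, window=timedelta(minutes=15), min_channels=3):
    """Customer-centric view: group events by customer and flag any customer
    whose activity touches at least `min_channels` distinct channels inside a
    sliding `window`. Returns (customer, sorted channels, total amount)."""
    by_customer = defaultdict(list)
    for ts, customer, channel, amount in events:
        by_customer[customer].append((datetime.fromisoformat(ts), channel, amount))

    alerts = []
    for customer, evs in sorted(by_customer.items()):
        evs.sort()  # chronological; the datetime is the first tuple element
        for i, (start, _, _) in enumerate(evs):
            in_window = [e for e in evs[i:] if e[0] - start <= window]
            channels = {ch for _, ch, _ in in_window}
            if len(channels) >= min_channels:
                total = round(sum(amt for _, _, amt in in_window), 2)
                alerts.append((customer, sorted(channels), total))
                break  # one alert per customer is enough for triage
    return alerts


if __name__ == "__main__":
    print("per-channel view  :", per_channel_alerts(SAMPLE_EVENTS))
    print("cross-channel view:", cross_channel_alerts(SAMPLE_EVENTS))
```

On the constructed data the per-channel view raises only the single large credit card purchase by C3003, while the customer-centric view raises C1001, whose three individually modest transactions across three channels fall inside seven minutes. Widening the window or lowering `min_channels` trades false negatives for analyst load, which is why the window and threshold are tuning parameters rather than fixed values.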
Wendy Goucher, Idrach
When PFC Bradley Manning was arrested on suspicion of leaking highly sensitive documents, some were surprised at the information available to a low-level analyst. However, his opportunity came about because he was authorised to use the intranet known as the Secret Internet Protocol Router Network, or SIPRNet, which gave him access to huge amounts of data.

Manning, and many more like him, had such access in order to do their analysis. When analysts only access the information they need, and treat it with the appropriate degree of care due to its sensitivity, then the risk is acceptable. However, when you have one person who sees an opportunity to share some of the information with an 'outsider', there is a greatly increased risk and some of the underlying assumptions regarding risk acceptance will probably be undermined.

The Manning story, attractive though it may be to the press because of its similarity to the days of spying and the Cold War, actually makes its greatest contribution to the information security narrative in the way it reveals the dangers of the aggregation of access to information. In the context of Manning and others, it might be felt that aggregation is always a bad thing. However, to business people, the aggregation of data is often seen as a good thing – it is an example of operational business and information security using the same words but meaning different things.

"An important point to make is that some people are better than others at aggregating information," says Tac Anderson, who describes himself as a social media anthropologist. "Those people are very valuable in your organisation."

On the technical side there is positive benefit to be had from aggregation of data. Any regular user of the online retailer Amazon will be familiar with its tailored recommendations and marketing techniques. And a memo to Amazon.com from the Harvard School of Engineering and Applied Sciences makes it clear that the aggregation of data is central to the company's ability to use this approach. "Amazon uses data aggregation as an enabling component of many of its core features, including sponsored search advertising, customer-specific recommendations, and dynamic pricing schemes," says the memo. "We believe that data aggregation represents a core component of many of Amazon's unique and beneficial features."

Hazards

But while keeping in mind that there are positive reasons to promote the aggregation of data in business, it is clear that there are also hazards. Let's look first at some of the basic causes: lack of risk awareness; legacy access; careless storage; lack of granularity of access; association risk (inferences or conclusions that may be drawn across data); and shared knowledge.

Lack of risk awareness

One of the interesting aspects of preparing a client for ISO 27001 accreditation recently was to demonstrate the aggregation risk they were exposed to by their need to use some of their lower-level staff to work flexibly across departments. For a small organisation it was a rational decision, but the resulting aggregated access was a revelation that caused much discussion and debate.

This issue seems to arise with reference to a number of security risks – including the risk of access from ex-employees, either to acquire information or manipulate the network. However, this is the aspect of aggregation that is most likely to run into problems with the 'divided by a common language' issue. Where organisations make common use of project groupings across the organisation, or where new joiners are given experience in a number of departments, access control can lag behind or just not have the necessary provision for temporary access.

The shared drive on a network can be a huge benefit to security. Sensitive documents can be stored away from local, potentially portable, machines, with all the risks that these entail. However, there are problems with the use of shared drives, chief among which is the lack of discernment and organisation. A couple of years ago, as part of a security campaign for a financial institution, Idrach commissioned a cartoon that portrayed its shared drive as a buffet table with a range of sensitive types of information available to all, including one person who sneaked in under the table. The point was that the user had to exercise some responsibility in sorting and properly storing documents on the shared drive and not just leave it open for selection.

Within the EU, organisations are familiar with the requirements of data protection. But with information that falls outside these requirements it can be difficult, and time consuming, to discern and maintain the different types of access required to a shared drive – whether that's the ability to make changes to the document or save the document elsewhere. It is important to appreciate, however, that there must be a difference between a shared drive that still has access controls, and an open drive where anyone with an account on the system can access data. One of the principal lessons learned from the possible leakage of information by Manning was this lack of discerning granularity with regard to the information he could legitimately access.

The reason why aggregation of data is so valuable in business is that it allows the drawing of inferences and conclusions – and if you're not careful, by people who you would rather didn't have that knowledge.

Solutions

Identify your sensitive data. This is basic stuff, but a good understanding of which information is sensitive, both in and of itself, and what is the aggregated risk of likely collections of data from various sources, is the starting point for addressing this issue.

Understand the aggregation risk. The beauty of this stage is that it is
reasonably easy to deal with. A straightforward demonstration from the organisation's own data sets shows this risk. One example is the race and sex equality questionnaire that companies ask their applicants to fill out so they can demonstrate that they are treating minority groups fairly in their selection. The information, which might include a person's sexual orientation, should not, generally, be significant to their role, so should not be included in their personnel file if they become an employee. However, if they were all kept in such a way as to be readily accessible to anyone with HR privileges, then the risk that the information will be revealed is increased, with all the consequences for distress and employment dispute that such an incident might give rise to.

Access controls. Access to data is a privilege and it has responsibilities. Good practice in many organisations is to move towards an 'opt-in' system of access. This means that, over and above the basic access to system areas that most, if not all, staff need, the rest is given as required, is reviewed regularly and is monitored in terms of individual aggregation of access. This can be a difficult move as it often affects those higher up the hierarchy most, but it can be a powerful driver in promoting security awareness and a more secure culture. Also included in this is good communication between HR and system admin so that new staff don't have to 'borrow' login passwords and exiting staff do not have as much opportunity to remove sensitive data.

Clear desk and discreet behaviour. As there has been a rise in the use of open-plan office design it has become ever more important that documents are not left lying around in plain sight. The common solution is the 'clear desk policy' whereby documents are stowed at the end of the working day. This has given rise to some concern for the de-personalising effects on the workspace and the consequent effects on morale. But Michael Pitt and James Bennett found that the general culture was the greater problem, so clearing desks could be used without upsetting the spirit of the work.[3] Discreet behaviour, especially as regards communication, should be a key part of any security awareness training.

Sensitivity categorisation. At the EuroCACS conference in Budapest in 2010, Matthew Pemble gave a presentation called 'Destroy for Victory' where he talked about the disposal of a range of data prior to the UK military exit from Iraq. One of the key points he made that is applicable to this situation was the categorisation of data. For the greatest security it was decided that all data would be treated as if it was of the highest level and stored, or destroyed, with the appropriate amount of care. One of the issues with having wide categories of shared, accessible data is that often it is treated as if it were of the lowest common denominator of sensitivity, not the highest. Turning that around will make operations safer, not least because it may lead to some of the most sensitive information being removed from the common areas in order to improve general access.

Conclusion

The aggregation of data is both a good thing for business, as it gathers information and uses it to paint a clearer picture, and a hazard. The latter, especially the risk of unauthorised aggregation, possibly by a rival or discontented insider, can be difficult to identify. This is a risk that is often accepted without being fully understood until the resulting leak emerges. There are many ways to deal with the problem, but understanding the risk, and building that understanding into your system design and processes, would be a very good starting point.

About the author

Wendy Goucher has an approach to information security that is heavily influenced by her background in social science and management. She is researching for a doctorate in computer science with psychology.

Calendar

3–12 May 2011: SANS Security West 2011, San Diego, California, US. Website: http://bit.ly/ifP1F2
9 May 2011: Secure Coding: major web attacks and how to defeat them, Rome, Italy. Website: http://bit.ly/fzoBQF
9 May 2011: SANS Secure Europe, Amsterdam, Netherlands. Website: www.sans.org/info/70708
9 May 2011: SANS Brisbane 2011, Brisbane, Australia. Website: www.sans.org/info/70819
10 May 2011: Cyber Security Strategies Summit, Washington DC, US. Website: http://cybersecuritystrategies-summit.com
12 May 2011: Developing Secure Applications for the i-Phone, Rome, Italy. Website: http://bit.ly/gtsxh7
15 May 2011: SANS Cyber Guardian 2011, Baltimore, US. Website: http://www.sans.org/info/70944
16–19 May 2011: IFSEC, Birmingham, UK. Website: www.ifsec.co.uk
6–10 June 2011: OWASP AppSecEU2011, Dublin, Ireland. Website: www.owasp.org/index.php/AppSecEU2011
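Returning to Goucher's 'Understand the aggregation risk' and 'Access controls' steps above (a straightforward demonstration from the organisation's own data sets, and an opt-in model in which access is reviewed regularly and monitored in terms of each individual's aggregated access): the Python below is an added example written for this page, not Idrach's or the article's own code. The shares, users, sensitivity tags, 'toxic' pairs and dates are constructed assumptions. It computes each account's aggregate reach across shares, flags combinations that allow an inference no single share permits (the equality questionnaire held beside the personnel file, as in the text), lists legacy grants left over from a previous department, and lists grants overdue for review.

```python
"""Access-aggregation audit over a constructed set of share permissions.

Added example for this page; not code from Idrach or the article. The
users, shares, sensitivity tags, 'toxic' pairs and dates are all constructed
assumptions used to show what an aggregation check looks like.
"""
from collections import defaultdict
from datetime import date

# Constructed shares and the sensitivity tag(s) of what they hold.
SHARES = {
    "HR_Personnel": {"hr_personnel"},
    "HR_EqualityForms": {"hr_equality"},     # the equality questionnaire
    "Finance_Payroll": {"payroll"},
    "Projects_Alpha": set(),                  # nothing sensitive on its own
}

# Pairs of tags which, held together, allow an inference that neither
# share permits alone (the article's 'association risk').
TOXIC_PAIRS = {
    frozenset({"hr_personnel", "hr_equality"}): "equality answers can be linked to named staff",
    frozenset({"hr_personnel", "payroll"}): "salary can be linked to the full personnel record",
}

# Constructed grants: (user, share, department at time of grant, last review).
GRANTS = [
    ("alice", "HR_Personnel", "hr", date(2011, 1, 5)),
    ("alice", "HR_EqualityForms", "hr", date(2011, 1, 5)),
    ("bob", "Finance_Payroll", "finance", date(2009, 6, 1)),   # from bob's old role
    ("bob", "HR_Personnel", "hr", date(2010, 9, 1)),
    ("carol", "Projects_Alpha", "it", date(2011, 2, 1)),
]

# Where each constructed user sits today (bob moved from finance to HR).
CURRENT_DEPT = {"alice": "hr", "bob": "hr", "carol": "it"}


def aggregate_access(grants=GRANTS, shares=SHARES):
    """Union of sensitivity tags each user can reach across every share."""
    reach = defaultdict(set)
    for user, share, _dept, _reviewed in grants:
        reach[user] |= shares[share]
    return dict(reach)


def toxic_combinations(grants=GRANTS, shares=SHARES, toxic=TOXIC_PAIRS):
    """Users whose aggregated reach contains a pair that permits inference."""
    findings = []
    for user, tags in sorted(aggregate_access(grants, shares).items()):
        for pair, why in toxic.items():
            if pair <= tags:
                findings.append((user, tuple(sorted(pair)), why))
    return findings


def legacy_access(grants=GRANTS, current=CURRENT_DEPT):
    """Grants made for a department the user has since left."""
    return [(user, share, dept) for user, share, dept, _ in grants
            if current[user] != dept]


def review_overdue(grants=GRANTS, today=date(2011, 4, 1), max_age_days=365):
    """Opt-in model: every grant beyond the baseline must be re-reviewed."""
    return [(user, share) for user, share, _, reviewed in grants
            if (today - reviewed).days > max_age_days]


if __name__ == "__main__":
    for user, tags in sorted(aggregate_access().items()):
        print(f"{user:6} reaches {sorted(tags)}")
    print("toxic combinations:", toxic_combinations())
    print("legacy access     :", legacy_access())
    print("review overdue    :", review_overdue())
```

Neither of alice's grants is wrong on its own; it is the pair that creates the risk the text describes, and a per-share review would never see it. Bob's payroll grant is both legacy (made for a department he has left) and overdue for review, which is the pattern the opt-in model is meant to surface: access granted for a past role and then never revisited.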