If you’ve been involved in computer security for more than five minutes, you know that the endless cat and mouse game played between criminals and security professionals is in a state of constant flux. As a result, we are forced to innovate and develop new ways to protect data.
The goal for attackers, however, remains the same. Find the easiest way to steal without getting caught.
From the perspective of the security professional, the playing field is starting to look quite advantageous for the opposition. Bad guys still have their eye on the prize but have come up with a clever new approach to reaching it. The problem is that security professionals are going to be hard-pressed to defend this new vector, as you’ll see below.
Many large enterprise networks are fortified with a variety of devices designed to alert us to the slightest anomaly. We’ve gone to great lengths to protect valuable intellectual property and information that falls under our custodial responsibility. When the bad guys found that navigating this hostile environment was next to impossible, they adapted by going after the corporate desktop. Soon after, security professionals defended this weak link by deploying a variety of host-based intrusion prevention systems (HIPS) or whatever personal firewall could be shoehorned into the budget.
Once again, the bad guys have found that it is becoming increasingly difficult to attack this weak point. With HIPS, even if an end user is tricked into installing malware, the HIPS will most likely pick it up and take care of the issue without the end user even realizing that something foul was afoot.
So where have the bad guys set their sights now?
Most corporations have VPN technologies in place to support road warriors, teleworkers, business partners and all those performing their duties outside the physical walls of the organization. The office now extends to homes, hotel rooms, bars, beaches and wherever else one can grab an internet connection. With the ever-growing remote worker trend, criminals have turned their attention to a potentially lucrative new front line of attack.
Criminals are honing their new methods under the assumption that personal PCs are not protected and maintained nearly as well as those in the corporate in-house inventory. This theory played out over the last year against a set of executives who work for the Royal Bank of Scotland.
Using the well-established craft of phishing, the criminals queued up a very enticing e-mail designed to drop malware on the home PCs of the identified targets.
The approach was particularly sinister, according to a Guardian Unlimited article that detailed the attacks.
The hackers are employing increasingly sophisticated techniques. Each email they send is meticulously built to make it attractive to its target, which the criminals have carefully researched by trawling the internet for information. Once the email is composed, the malware is just as carefully designed: it is often modified to avoid detection by security software.
The keylogger contained in the email installs itself automatically and then collects details of logins and passwords from the unsuspecting user. This means that hackers can, using the usernames and passwords stolen by the keyloggers, connect to VPNs, or Virtual Private Networks, which many companies use to create an encrypted pathway into their networks.
Once inside a bank’s network, the hackers can communicate directly with computers holding account information and manipulate funds.
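As an added example (not from the article or the Guardian report), here is a small detection check a VPN administrator could run over authentication logs: it flags an account that logs in successfully from two different source addresses within an hour, which is what a stolen VPN password being used alongside the legitimate user's own sessions looks like. The log line format, field names and sample lines are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample VPN authentication log lines (not from the article).
# Assumed format: "<ISO timestamp> vpn auth user=<name> src=<ip> result=<success|fail>"
SAMPLE_LOG = """\
2007-03-01T08:02:11 vpn auth user=jdoe src=81.2.69.142 result=success
2007-03-01T08:04:55 vpn auth user=asmith src=203.0.113.7 result=success
2007-03-01T08:20:30 vpn auth user=jdoe src=198.51.100.23 result=success
2007-03-01T09:10:02 vpn auth user=asmith src=203.0.113.7 result=success
2007-03-01T09:12:40 vpn auth user=asmith src=198.51.100.9 result=fail
2007-03-01T21:45:17 vpn auth user=jdoe src=81.2.69.142 result=success
"""

LINE_RE = re.compile(r"^(\S+) vpn auth user=(\S+) src=(\S+) result=(\S+)$")


def parse_log(text):
    """Yield (timestamp, user, src_ip) for successful logins; skip malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, user, src, result = m.groups()
        if result != "success":
            continue
        yield datetime.fromisoformat(ts), user, src


def find_overlapping_sources(text, window=timedelta(hours=1)):
    """Return (user, earlier_src, later_src, later_timestamp) for every pair of
    consecutive successful logins by one user that come from different source
    addresses within `window`. Credentials captured by a keylogger on a home
    PC and replayed by a criminal while the real user is also connected show
    up exactly this way."""
    by_user = defaultdict(list)
    for ts, user, src in parse_log(text):
        by_user[user].append((ts, src))
    alerts = []
    for user, events in by_user.items():
        events.sort()
        for (prev_ts, prev_src), (ts, src) in zip(events, events[1:]):
            if src != prev_src and ts - prev_ts <= window:
                alerts.append((user, prev_src, src, ts.isoformat()))
    return alerts
```

Run on the sample above, only jdoe is flagged: two different source addresses 18 minutes apart, while the evening login from the original address is too far apart to match, and asmith's failed attempt from a new address is ignored.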
Are banks alone? Hardly.
This framework is being used against retail giants, governments, research groups and educational institutions. As more and more opt for the convenience of teleworking, the criminals will be right there looking to steal from what they now see as the new, exploitable gap in the armor.
But who are these people and how are they doing this?
The majority of these crime groups are scattered across Asia, Russia and Brazil. They utilize a wealth of legitimate, free and largely anonymous information services to mine data that is fed into their own custom databases.
They have even leveraged social sites to root out key personnel during their data harvesting efforts. A site like LinkedIn.com, a myspace.com of sorts for professionals, is one example of a quick way to start building information on professional targets.
While exciting from a social networking and career-building angle, the web of personal connections encouraged by these sites is particularly valuable to criminals from an intelligence-gathering point of view.
From the LinkedIn site:
When you join, you create a profile that summarizes your professional accomplishments. Your profile helps you find and be found by former colleagues, clients, and partners. You can add more connections by inviting trusted contacts to join LinkedIn and connect to you.
Your network consists of your connections, your connections’ connections, and the people they know, linking you to thousands of qualified professionals.
So now what?
As has been said time and time again, the responsibility to secure home PCs lies with the end user. Increased diligence, now that targeting has become much more personal and precise, is of prime importance.
You can’t just install a personal firewall and an antivirus scanner and assume that you’re safe from threats. Amazingly, you’re going to have to rely on common sense, much like you used to before cyber crime ever became an issue.
Article courtesy of Enterprise IT Planet