Category: Uncategorized

For this, we turn to Galligan’s afternoon panel on cyber crime, where she was accompanied by attorneys in private practice, a law professor, the head of a computer forensics firm, and the chief of the Manhattan District Attorney’s investigations division.

First, as Ed Stroz, of the investigative firm Stroz Friedberg, explained, it’s important to recognize that you could be attacked by different categories of attackers, including state-sponsored actors, organized criminal groups, individual hackers or “hacktivists,” and company insiders. “What happens with the FBI is right now, approximately 60 percent of the time, we are going out and telling a company that they have been intruded upon,” says Galligan. Well, either they’re getting the information from another FBI investigation, “or we’re getting it from our partners in the government,” Galligan says, which includes all 16 of the U.S. intelligence agencies.

Whether you call them or they call you, Galligan and her FBI team are going to hope your company has already contemplated the possibility of a cyber attack, that you have a response plan, and that your general counsel is involved in it.

“Because we say over and over—and I have seen it over and over—that unless the general counsels and/or your outside counsel are involved in these issues from the beginning, are part of your plan, it becomes very, very difficult for the government to help you,” Galligan says,

The bureau also pointed out to the banks that a DDoS can serve as an opportunity for criminal actors to “come in and commit crime in your system.”

“It’s a discussion where we say, ‘We recognize you need to make a business decision,” she says, “and that business decision is going to be a very complicated one.’

“You have to really figure out what exactly you’re going to be willing to do,” says DeVore & DeMarco partner Joseph DeMarco, who specialized in cyber crime as an assistant U.S.

Link: http://www.law.com/corporatecounsel/PubArticleCC.jsp?id=1202601094171&Telling_the_FBI_Your_Company_Has_Been_Hacked

Internet Explorer has been in the press over the years for the number of vulnerabilities that it once had, but nowadays, Java is a prime target for red teams because Java is meant to run on 3 million devices – providing what’s called a large ‘attack surface’.

Attacking the software is getting harder these days, but there’s one component of an organization’s computer system that is always potentially vulnerable – and that’s the people who use the computers. Another technique is to send infected memory sticks to staff, who often plug them in to see what’s on them, and, again, the malware strikes!

Red team members can now use social media to find the names of staff as well as details of their experience, so that e-mails and phone calls from the red team can sound quite legitimate.

The other part of the solution is education of staff so that they don’t insert memory sticks or click on attachments from unknown sources.

The red team could, perhaps, get a piece of malware onto someone’s tablet, which then gets connected to network, which then starts opening security doors all the way to the mainframe.

But most organizations can learn from the types of vulnerability red teams exploit, and take steps to ensure that they are not at risk from them.

Link: http://it.toolbox.com/blogs/mainframe-world/welcome-to-the-red-team-56048

At least one employee entered their credentials, allowing the attackers entrance to their account, from which the SEA sent the same email to more Onion staff. The last attack compromised at least two more accounts, one of which was used to control the Twitter account.

One in particular —Syrian Electronic Army Has A Little Fun Before Inevitable Upcoming Deaths At Hands Of Rebels — angered the attacker, who began posting edtorial email addresses on the SEA account.

At the end of the day, at least five Onion accounts were compromised; the company forced a password reset on every staff member’s Google Apps account.

Link: http://www.itproportal.com/2013/05/13/the-onion-reveals-how-syrian-electronic-army-hacked-its-twitter/

“Sometimes administrators set up fake user accounts (“honeypot accounts”) so that an alarm can be raised when an adversary who has solved for a password for such an account by inverting a hash from a stolen password file then attempts to login,” they said.

Accordingly, they recommend adding multiple fake passwords to every user account and creating a system that allows only the valid password to work and that alerts administrators whenever someone attempts to use a honeyword. “This approach is not terribly deep, but it should be quite effective, as it puts the adversary at risk of being detected with every attempted login using a password obtained by brute-force solving a hashed password,” they said.

On the other hand, if numerous attempted logins are made using honeywords, or if honeyword login attempts are made to admin accounts, then it’s more likely that the password database has been stolen. But as numerous breaches continue to demonstrate, regardless of the security that businesses have put in place, they often fail to detect when users’ passwords have been compromised. But that approach is insecure, and password-security experts have long recommended that businesses use built-for-purpose password hashing algorithms such as bcrypt, scrypt or PBKDF2, which if properly implemented are much more resistant to brute-force attacks.

That’s why an early warning system such as the use of honeywords might buy breached businesses valuable time to expire passwords after a successful attack, before attackers have time to put the stolen information to use.

Link: http://www.informationweek.com/security/intrusion-prevention/sweet-password-security-strategy-honeywo/240154334

Van der Merwe has headed the information security of the largest diamond company in the world, by value, since its information security team was established.

“Understand who you are dealing with,” said Van der Merwe, “because it is often much more complex than you realise.”

“If someone asks, ‘how much information am I losing really?’, this is a very hard question to answer,” explained Van der Merwe.

“If you have a really strong threat model, the people in your organisation may become a victim of it,” explained Van der Merwe. Know that people within your organisation could be targeted to become a pawn in the enemy’s game, he added.

“You have to be able to integrate all your teams when dealing with a strong targeted threat model,” said Van der Merwe.

“The only way to make sure all your systems are on standard is to have proper management systems in place that understand the objectives and are driven to reach them,” said Van der Merwe.

Link: http://www.itweb.co.za/index.php?option=com_content&view=article&id=63857

This law has undergone numerous revisions since it was first enacted in 1986, but Title 18, Sec. 1030 is clear on the point that using a computer to intrude upon or steal something from another computer is illegal. “There is no law that actually allows you to engage in an attack,” says Ray Aghaian, a partner with McKenna Long & Aldridge, and a former attorney with the Department of Justice’s Cyber & Intellectual Property Crimes Section.“

According to Ahlm, the companies tracking the bad guys collect vast amounts of data on Internet activity and can hone in on specific “actors” who engage in criminal activity. “Without touching or hacking the individual, they can tell you how trustworthy they are, where they are, what kind of systems they use,” says Ahlm.

While private companies cannot take offensive action with any such intelligence, they can use it defensively to thwart suspicious actors if they’re found to be sniffing around company data. “Based off your intelligence of who’s touching you,” says Ahlm, “you can selectively disconnect them or greatly slow them down from network access.”

In the grand scheme of fight-back tricks, this is one that causes relatively little harm but does a lot of good,” says Matthew Prince, co-founder and CEO. This company drew raves—as well as criticism—for creating a way to spam back at spammers, clogging their systems and preventing them from sending out more spam.

Hacking back can also have unintended consequences, such as damaging hijacked computers belonging to otherwise innocent individuals, while real criminals remain hidden several layers back on the Internet.

Link: http://www.pcworld.com/article/2038226/hacking-back-digital-revenge-is-sweet-but-risky.html