Given the more or less constant hacking that goes on these days of banks, corporations and governments that cause damages in the tens of millions to billions of dollars, it's time for a megathread!
http://www.slate.com/articles/technology/safety_net/2015/02/_1_billion_bank_hack_how_to_fight_the_next_one.html
Quote
Good news! A major hack you don't have to worry about! Unless, that is, you happen to be an executive or security employee at one of the hundreds of banks targeted by the group that's come to be known as Carbanak or Anunak. If you are, then you have a problem, because these hackers, and no doubt others to come, aren't targeting banking consumers but the very internals of banks, silently monitoring their systems and subtly defrauding them. Unlike most cybercrime, this wasn't a holdup, but a bank heist—the kind that could ultimately affect both consumers and governments. And that's why we should all be paying attention.
Skill-wise, the attack is on the order of November's Sony Pictures hack. (So much for the FBI's claim that the Sony hack was unprecedentedly scary.) It was a long-term effort, professionally executed, and required a fair amount of organization and coordination to pull off. These aren't just script kiddies stealing people's credit card numbers. The hackers managed to compromise the systems of banks, but rather than immediately grabbing information and alerting their targets to their presence, they would quietly observe the inner workings and transactions for months. They were then in a position to subtly manipulate the system in order to cash out. According to a report from software-security company Kaspersky Lab, the hackers obtained up to $1 billion through dozens of attacks over the past two years.
There are several things worth noticing. First, the initial compromises of the systems were possibly the simplest and dumbest aspects of the attacks. The hackers would enter a system through the tried-and-true method of "phishing"—sending emails to employees that purport to come from a trusted sender inside the company. (This approach, attacking a specific organization, is called "spear phishing.") The employee opens an attachment in the email, which immediately compromises the system. These hacks used Windows and Office document files that, when opened, injected malware into the target's computer, more or less giving the hackers total control.
What they did with this control, however, was more sophisticated. The hackers monitored the keystrokes of the computer and took screenshots every 20 seconds, giving them a very clear picture of the daily internal workings of a bank. And instead of attacking customer accounts, which are more closely monitored for fraud, the hackers went after internal fund mechanisms. First, they inserted fake transactions into the SWIFT transfer network to distribute money to other banks and credit cards. Second, and rather ingeniously, they attacked ATMs directly. Seizing central control of the banks' ATMs, they set the terminals to spit out cash spontaneously, then had their accomplices ("money mules," as Kaspersky terms them) visit the ATMs at the right time to collect the dosh.
The exact scope of the attack is still up for debate. According to Kaspersky, the group targeted banks in 30 countries, though primarily in Russia, and Kaspersky suspects it obtained about $1 billion. A more detailed, earlier report from December from Group-IB and Fox-IT confined the attacks to Russia and placed the damage in the hundreds of millions.
In terms of efficiency, these attacks are vastly more impressive than most hackers can ever hope to achieve. Though the efforts required time, each individual compromise raked in $10 million. Each hack remained undetected for its duration, and some banks were compromised multiple times. Since nearly all of the money wasn't tied to any particular customer's account, the thefts were mostly invisible to consumers, so no individuals raised red flags. And with incidents like a Russian bank threatening a customer who successfully got it to accept his credit card terms, I don't think too many people are shedding tears for the poor financial institutions. Plus, consumers face bigger threats from the more recent Dyre and Dridex banking Trojans, which hijack browsers to obtain user credentials, even managing to defeat two-factor authentication in some cases.
For banks and other institutions, though, Carbanak's sophisticated attacks are scary for two reasons. (Brian Krebs reports that the same group may have also compromised Staples and Bebe to obtain credit card information, so it's not just banks.) Along with the Sony hack, these kinds of breaches entail obtaining long-term and in-depth access to targeted systems in order to cause the most damage (financial or otherwise). That means there are two facets of security that companies need to worry about.
First, there's that primitive initial compromise. It's somewhat embarrassing that a phishing attack can end up compromising more or less the entirety of a bank's systems, but that's exactly what happened here. There was no complicated exploit of some unknown security hole or cracking of passwords; an employee just needed to open an attachment file (usually a Word document) in a phishing email, which then exploited known vulnerabilities in unpatched Office software. These vulnerabilities were patched by Microsoft years ago (most recently in March 2014). At a minimum, banks need to keep their software updated with security fixes, but beyond that, they also need to scan all incoming attachments and clamp down on the ease with which employees open them.
The manipulation of the system that followed was on a whole other level. Until banks and other institutions can reliably keep their employees from opening bad links and files inside of phishing emails, they must simply assume they are quite vulnerable to attack. Since Carbanak/Anunak's attacks required weeks of monitoring before it could perform its high-stakes thefts, institutions need better internal auditing mechanisms to make sure their transactions are actually being performed by their employees, rather than by skillful remote hackers. It's better to assume your system is already compromised and look for evidence of unwanted manipulation than to have faith in a bulletproof outer shell, because let's face it, if you're getting compromised by phishing emails, you are a long way from bulletproof. This may even require setting up fake internal honeypots for thieves and other creative mechanisms, so banks can detect intrusions. Since hackers sometimes look to exploit existing latent malware already present on a network, injecting fake malware into bank networks could help catch hackers on first contact, like a reverse Trojan horse.
Banks have every incentive to keep these attacks quiet, given that they aren't keen on losing the confidence of their customers or of their investors. The comparative quiet around them should not be met with complacency. The potential upside for thieves is so great that a lot of evident skill is going into these hacks, resulting in what appears to be a growing arms race between institutions and hackers with increasingly sophisticated arrays of malware and botnets, not to mention tons of time and energy. From the looks of it, the banks are pretty far behind.
Lenovo users are at risk:
Lenovo installs adware on customers laptops and compromises all SSL (http://marcrogers.org/2015/02/19/lenovo-installs-adware-on-customer-laptops-and-compromises-all-ssl/)
Superfish: stop using your Lenovo laptop now (http://www.zdnet.com/article/superfish-stop-using-your-lenovo-laptop-now/)
Quote
A pretty shocking thing came to light this evening – Lenovo is installing adware that uses a "man-in-the-middle" attack to break secure connections on affected laptops in order to access sensitive data and inject advertising. As if that wasn't bad enough, they installed a weak certificate into the system in a way that means affected users cannot trust any secure connections they make – TO ANY SITE.
[...]
Superfish Features:
Hijacks legitimate connections.
Monitors user activity.
Collects personal information and uploads it to its servers
Injects advertising in legitimate pages.
Displays popups with advertising software
Uses man-in-the-middle attack techniques to crack open secure connections.
Presents users with its own fake certificate instead of the legitimate site's certificate.
Even if you don't have a Lenovo laptop bought between September 2014 and January 2015, you might want to check it for the presence of Superfish:
https://lastpass.com/superfish/
Quote from: jimmy olsen on February 18, 2015, 01:23:38 PM
Given the more or less constant hacking that goes on these days of banks, corporations and governments that cause damages in the tens of millions to billions of dollars, it's time for a megathread!
Do we talk about it enough to keep the thread near the front page so people bump it instead of starting new threads though? Doubtful.
Since when Tim can start megathreads?
Quote from: Martinus on February 20, 2015, 01:56:09 AM
Since when Tim can start megathreads?
Since Poland cannot into space.
Fire bad.
Quote from: Peter Wiggin on February 20, 2015, 12:02:10 AM
Quote from: jimmy olsen on February 18, 2015, 01:23:38 PM
Given the more or less constant hacking that goes on these days of banks, corporations and governments that cause damages in the tens of millions to billions of dollars, it's time for a megathread!
Do we talk about it enough to keep the thread near the front page so people bump it instead of starting new threads though? Doubtful.
The Austria and Hive megathreads aren't that active, yet they remain.
I met with Lenovo sales reps yesterday. They had a lot of nothing to say about it. That Superfish thing is one of the most heinous things I've seen in a while. Fake root certs???!
Never trust Chinese computer makers.
Quote from: Darth Wagtaros on February 21, 2015, 09:11:08 PM
I met with Lenovo sales reps yesterday. They had a lot of nothing to say about it. That Superfish thing is one of the most heinous things I've seen in a while. Fake root certs???!
Brings back unpleasant memories of the Sony rootkit-based DRM from around 2000.
Quote from: DontSayBanana on February 21, 2015, 10:23:47 PM
Quote from: Darth Wagtaros on February 21, 2015, 09:11:08 PM
I met with Lenovo sales reps yesterday. They had a lot of nothing to say about it. That Superfish thing is one of the most heinous things I've seen in a while. Fake root certs???!
Brings back unpleasant memories of the Sony rootkit-based DRM from around 2000.
Sony managed to get back from it, I'm curious about Lenovo.
They will, I'm sure. If only because a lot of people won't realize how fucked a fake root cert can leave you.
Chicoms are behind this. No doubt.
Minorthread?
What the eff is going on here?
Quote from: Siege on February 23, 2015, 12:25:00 PM
Minorthread?
What the eff is going on here?
People are finally listening to your complaints about threads with misleading titles.
Yeah, it's got nothing to do with minors or menorahs, so Siegy just goes into Reset Mode.
Quote from: Darth Wagtaros on February 22, 2015, 08:59:08 AM
Chicoms are behind this. No doubt.
Superfish is an American company from Palo Alto, founded in Israel. Doubtful the Chicoms are involved, Lenovo clearly had no clue what they were doing.
Quote from: viper37 on February 24, 2015, 01:26:55 PM
Superfish is an American company from Palo Alto, founded in Israel. Doubtful the Chicoms are involved, Lenovo clearly had no clue what they were doing.
Israel is just a proxy for Chinese espionage. Everybody on Languish knows this.
The Jew is muscle for Chinese carry out.
Why are you so fuckin racist?
Israel has always been a staunch American ally.
So go and fuck yourself.
And you too, Valmy.
Quote from: Siege on February 24, 2015, 02:59:49 PM
Israel has always relied on American aid to survive, and then backstabbed the USA by selling secrets to the PRC.
FTP.
Quote from: Siege on February 24, 2015, 02:59:49 PM
And you too, Valmy.
Sorry, I was just going along with the meme.
I am not sure what Israel does for us short of not openly calling for our deaths, which I guess in the Middle East is about as much as we can expect.
They field test some weapons for us.
The Jews are the shock troops of the global Islamasist jihad?
Quote from: Siege on February 24, 2015, 02:59:49 PM
Israel has always been a staunch American ally.
Israel flagged as top spy threat to the US (http://www.newsweek.com/israel-flagged-top-spy-threat-us-new-snowdennsa-document-262991)
Quote
Israel was singled out in 2007 as a top espionage threat against the U.S. government, including its intelligence services, in a newly published National Security Agency (NSA) document obtained by fugitive leaker Edward Snowden, according to a news report Monday.
The document also identified Israel, along with North Korea, Cuba and India, as a "leading threat" to the infrastructure of U.S. financial and banking institutions.
The threats were listed in the NSA's 2007 Strategic Mission List, according to the document obtained by journalist/activist Glenn Greenwald, a founding editor of The Intercept, an online magazine that has a close relationship with Snowden, a former NSA and CIA contractor who fled the U.S. with thousands of top-secret documents last year.
I suppose a little friendly spying on an ally can't hurt every now and then :)
I hope Jonathan Pollard takes it up the ass every night in Prison.
Quote from: viper37 on February 24, 2015, 11:37:39 PM
Quote from: Siege on February 24, 2015, 02:59:49 PM
Israel has always been a staunch American ally.
Israel flagged as top spy threat to the US (http://www.newsweek.com/israel-flagged-top-spy-threat-us-new-snowdennsa-document-262991)
Quote
Israel was singled out in 2007 as a top espionage threat against the U.S. government, including its intelligence services, in a newly published National Security Agency (NSA) document obtained by fugitive leaker Edward Snowden, according to a news report Monday.
The document also identified Israel, along with North Korea, Cuba and India, as a "leading threat" to the infrastructure of U.S. financial and banking institutions.
The threats were listed in the NSA's 2007 Strategic Mission List, according to the document obtained by journalist/activist Glenn Greenwald, a founding editor of The Intercept, an online magazine that has a close relationship with Snowden, a former NSA and CIA contractor who fled the U.S. with thousands of top-secret documents last year.
I suppose a little friendly spying on an ally can't hurt every now and then :)
Looks like America doesn't need Israel to be a security threat - they are doing just fine on their own. :lol:
Israel is the only fucking country in the middle east that is a fucking democracy with values aligned with the US.
I am getting fucking tired of this fucking bullshit here in Languish while ignoring all the crap the real enemies of the US do.
Who's the real enemy of America? ISIS?
Quote from: Grey Fox on February 25, 2015, 01:08:13 PM
Who's the real enemy of America? ISIS?
The Imperial President who wants to fundamentally transform America into a 3rd world country.
Quote from: Siege on February 25, 2015, 01:43:53 PM
Quote from: Grey Fox on February 25, 2015, 01:08:13 PM
Who's the real enemy of America? ISIS?
The Imperial President who wants to fundamentally transform America into a 3rd world country.
Don't worry Siege. We will stop Putin and his gang.
Glenn Greenwald? :yeahright:
Quote from: Siege on February 25, 2015, 01:01:37 PM
Israel is the only fucking country in the middle east that is a fucking democracy with values aligned with the US.
Well I used to think that was good until I realized what sorts of parties other democracies in the Middle East would vote for.
Quote from: Valmy on February 25, 2015, 01:47:04 PM
Quote from: Siege on February 25, 2015, 01:01:37 PM
Israel is the only fucking country in the middle east that is a fucking democracy with values aligned with the US.
Well I used to think that was good until I realized what sorts of parties other democracies in the Middle East would vote for.
Hence the "values aligned with the US" qualifier. Now, to what extent that is true... /shrug
Quote from: Peter Wiggin on February 25, 2015, 01:52:05 PM
Quote from: Valmy on February 25, 2015, 01:47:04 PM
Quote from: Siege on February 25, 2015, 01:01:37 PM
Israel is the only fucking country in the middle east that is a fucking democracy with values aligned with the US.
Well I used to think that was good until I realized what sorts of parties other democracies in the Middle East would vote for.
Hence the "values aligned with the US" qualifier. Now, to what extent that is true... /shrug
Why do you shrug?
Israel is a western democracy.
Do you really doubt it?
Quote from: Siege on February 25, 2015, 04:36:32 PM
Why do you shrug?
Israel is a western democracy.
Do you really doubt it?
In what sense? Most people in Israel are not westerners. It is certainly a functional democracy.
Quote from: Siege on February 25, 2015, 04:36:32 PM
Why do you shrug?
Israel is a western democracy.
Do you really doubt it?
They're not as secular as we are, for one.
They're the "Judeo" in "our common Judeo-Christian heritage", dammit. Don't start getting all anti-semitic on me even though Siegy is a dick, people.
Quote from: CountDeMoney on February 25, 2015, 06:16:17 PM
They're the "Judeo" in "our common Judeo-Christian heritage", dammit. Don't start getting all anti-semitic on me even though Siegy is a dick, people.
Plenty of the "Christians" are not Western either.
Quote from: Valmy on February 25, 2015, 01:47:04 PM
Quote from: Siege on February 25, 2015, 01:01:37 PM
Israel is the only fucking country in the middle east that is a fucking democracy with values aligned with the US.
Well I used to think that was good until I realized what sorts of parties other democracies in the Middle East would vote for.
:unsure:
Quote from: Valmy on February 26, 2015, 01:32:33 PM
Quote from: CountDeMoney on February 25, 2015, 06:16:17 PM
They're the "Judeo" in "our common Judeo-Christian heritage", dammit. Don't start getting all anti-semitic on me even though Siegy is a dick, people.
Plenty of the "Christians" are not Western either.
But we love them anyway. So what's your point?
OK, an actual article on Cybersecurity I found very intriguing, and wanted to see what the Groundlings thought of it, particularly the five premises in bold--
Quote
Networking Nuggets and Security Snippets
By Jon Oltsik
Opinion
0% Cybersecurity Job Unemployment in Washington
A microcosm that demonstrates the consequences of the global cybersecurity skills shortage
Network World | Feb 26, 2015 7:11 AM PT
I've written a lot about the global cybersecurity skills shortage over the past few years. Here's some recent ESG data that illustrates this problem (note: I am an ESG employee):
Of those organizations hiring additional IT staff in 2015, 43% plan to hire IT security professionals – the highest percentage of all types of IT skills.
At the same time, 28% of organizations say they have a "problematic shortage" of IT security skills – the highest problematic shortage of all types of IT skills.
This data indicates strong demand and weak supply of IT security skills across mid-market and enterprise organizations around the world.
This week, I attended an event sponsored by Hexis Cyber Solutions. As part of his presentation, Hexis's CTO, Steve Donald, provided yet another metric about the cybersecurity skills shortage when he mentioned that there is 0% unemployment for cybersecurity professionals in the Washington DC area.
Now this may sound like an ideal situation where supply and demand are balanced but the opposite is actually true. In fact, economists tend to believe that the economy is most healthy when unemployment rates hover around 3%. So what happens at 0% unemployment? The Hexis CTO stated that 0% cybersecurity unemployment in DC has led to:
Salary inflation as everyone is competing for the same pool of potential applicants.
Productivity issues as cybersecurity professionals are barraged by headhunters and recruiters.
High turnover since cybersecurity professionals are constantly job hopping.
Inefficiencies as marginally-qualified cybersecurity professionals are getting jobs that they otherwise wouldn't be offered.
High costs as organizations are forced to pour money into training the inexperienced cybersecurity professionals they have to hire.
Aside from the overall situation in DC, these issues are most acute in the federal government itself – mostly for civilian agencies but defense and intelligence is also feeling the pain. Cybersecurity pros who cut their teeth in defense and intelligence can make 2x to 3x in the private sector – especially when they are offered jobs in the financial services industry. And with job offers coming from all directions, few experienced cybersecurity professionals have the patience for time-consuming federal recruiting/hiring processes.
So in addition to the organizational woes described above, 0% unemployment in DC touches all US citizens. Government agencies remain understaffed and under-skilled putting us all at risk.
While Washington DC is somewhat unique it also represents a microcosm of a global problem. The same thing is happening in London, New York, Ottawa, and Tokyo, albeit at a slower pace.
I truly believe that the cybersecurity skills shortage represents one of the biggest challenges we face and it deserves a lot more public/private sector attention. We need to invest in STEM programs and cybersecurity education on a more strategic basis before we face 0% cybersecurity unemployment – and the associated ramifications – everywhere.
Jon Oltsik is a principal analyst at Enterprise Strategy Group ESG and has been quoted in the Wall Street Journal, Business Week, and the New York Times.
Back on Lenovo and Superfish, the threat was not just theoretical and has been used against real people by similar software:
Researchers unearth evidence of superfish style attacks in the wild (http://arstechnica.com/security/2015/02/researchers-unearth-evidence-of-superfish-style-attacks-in-the-wild/)
Of note:
Quote
The common thread among all the titles was a code library provided by an Israel-based company called Komodia.
So, is Israel the biggest threat to world peace now? In front of the US? ;)
Quote from: CountDeMoney on February 26, 2015, 08:03:28 PM
OK, an actual article on Cybersecurity I found very intriguing, and wanted to see what the Groundlings thought of it, particularly the five premises in bold--
Salary inflation as everyone is competing for the same pool of potential applicants.
Productivity issues as cybersecurity professionals are barraged by headhunters and recruiters.
High turnover since cybersecurity professionals are constantly job hopping.
Inefficiencies as marginally-qualified cybersecurity professionals are getting jobs that they otherwise wouldn't be offered.
High costs as organizations are forced to pour money into training the inexperienced cybersecurity professionals they have to hire.
these are the consequences of manpower shortage, it happens everywhere there's a shortage, either naturally (market) or legally (govn't) induced.
You take unskilled people and you train them on spot because you can't afford to not have people working. We've been living with this for years now, we get used to it.
Quote from: viper37 on February 27, 2015, 10:39:21 AM
Quote from: CountDeMoney on February 26, 2015, 08:03:28 PM
OK, an actual article on Cybersecurity I found very intriguing, and wanted to see what the Groundlings thought of it, particularly the five premises in bold--
Salary inflation as everyone is competing for the same pool of potential applicants.
Productivity issues as cybersecurity professionals are barraged by headhunters and recruiters.
High turnover since cybersecurity professionals are constantly job hopping.
Inefficiencies as marginally-qualified cybersecurity professionals are getting jobs that they otherwise wouldn't be offered.
High costs as organizations are forced to pour money into training the inexperienced cybersecurity professionals they have to hire.
these are the consequences of manpower shortage, it happens everywhere there's a shortage, either naturally (market) or legally (govn't) induced.
You take unskilled people and you train them on spot because you can't afford to not have people working. We've been living with this for years now, we get used to it.
Yep. The old saying applies: "If a job is worth doing, it is worth doing poorly." Sometimes there just aren't the resources to do it well.
The idea that "we need to invest in STEM programs and cybersecurity education on a more strategic basis" is part of the reason why we have shortages: strategic decisions are wrong far more often than right. As pay rises, people will seek the training and the shortages will therefore ease. If we wait until "we" come up with a strategic "investment" plan, get it approved, get funding for it through the budgeting and procurement process, and write and promulgate all the regulations, the problem will never end, because the strategic plan will be solving the problems of ten years past.
Ohhh, that's a nice one:
http://tinyurl.com/pmz85y7
Panda Anti-virus detects its own files as virus, quarantines them. The fun begins when you restart the computer. You have no more internet access and the system is unstable.