Hacking the Hackers
A few years ago, the fact that people were able to ‘hack’ into computer systems from afar was the stuff of science fiction movies. Unfortunately, fiction has become reality, and it’s not just the general consumer who suffers – banks, huge corporations and governments are falling foul of the ever-ruthless hackers. Cyber crime has reached huge proportions.
Massimo Cotrozzi, who heads up the IT security division of KCS Group, a Knightsbridge-based security intelligence and risk management company, goes a step further: ‘We’re not so much in their grip,’ he says. ‘We are effectively being controlled by cyber fraudsters and everyone has to exercise extreme caution when working on computers, sending text messages or even speaking on mobile phones.’
Keeping ahead of the hackers is one of the greatest headaches that specialists like Cotrozzi face all the time. Every day there is another threat hitting the market which can effectively close down computer systems or send them into disarray.
The world reeled in autumn 2010 when media headlines went into overdrive reporting a virus called Zeus. A ‘botnet’ – slang for robot network – Zeus was first discovered in 2007 when it was used to steal information from the US Department of Transportation. Since then it has grown, affecting and infecting organisations and banks – but knowledge of its existence was not as widespread as it has become since October last year.
A botnet is a network of computers which are controlled through a command and control centre (C&C), usually resident on a hacked server which infiltrators access through anonymous network connections or virtual private networks (VPNs).
Botnet attacks are becoming the common way that fraudsters gather credentials for stealing money from bank accounts and lately a way for criminals to attack specifically targeted infrastructures.
When Zeus began its alarming journey through millions of computers in October, it spread through the systems of individuals, businesses and municipalities around the world. The virus was disseminated in an email and, when those targeted opened up their emails, the Zeus software installed itself, secretly capturing passwords, account numbers and other data used to log in to online banking accounts.
The devastating effect was that unauthorised transfers of thousands of dollars at a time were made from bank accounts. The software could even route the funds to other accounts controlled by a network of ‘money mules’.
These mules – many recruited from outside the UK and especially from Eastern Europe – created bank accounts using fake documents and false names. The money didn’t rest in these false accounts: it was either wired on to the mules’ bosses in Eastern Europe or smuggled in cash out of the US. An estimated $70 million is believed to have been extracted in this way. The FBI reacted and arrested over 90 people in the US and a number of others in the UK and Ukraine.
One would imagine that once the botnet was discovered by authorities, all would get back to normal. Wrong. Zeus continues to infect computer systems while cyber security specialists like Cotrozzi continue their attempts to keep one step ahead of its spread.
Zeus has generated what are known in the business as ‘forks’ or variants, which use the same infection method in order to steal credentials. SpyEye and Ares (the son of Zeus in Greek mythology) are rewritten code bases and promise buyers – because, yes, these systems can be bought via the internet – advanced infection technologies, new modules and application programming interfaces (APIs) which users can use to develop new variants of the viruses and perform a string of other actions, including theft.
While security specialists continue to work behind the scenes to ‘hack into the hackers’, there are steps that individuals and organisations can take to police their own systems and avoid disaster.
Gathering intelligence on new viruses which are about to infiltrate our systems is no easy task, but security analysts are constantly monitoring underground groups and C&C centres to glean information about who is attacking what. ‘Sometimes our intelligence sources feed us information about companies’ servers which are hacked, or workstations which are infected and we usually report this to hacked companies and government agencies,’ says Cotrozzi. ‘But it’s a never-ending battle. Governments are implementing data security and privacy laws which are useful, but they don’t tick all the boxes, and there is little funding for enforcement let alone for retaining security specialists.’
Taking more responsibility to safeguard procedures and systems within organisations can go a long way towards protecting against cyber fraud. ‘It’s simply not enough to suppose that a computer technician can do the job of a properly trained cyber security specialist. But all too often, and especially in times of recession, organisations cut back on expenditure. While marketing budgets are often the first to be pared, second on the list is computer policing. This is false economy,’ warns Cotrozzi.
Antivirus (AV) programs are essential to protect against infection from a million viruses, but they are no protection against the unknown. Other methods must be used in addition to AV programs to protect sensitive information and ultimately a company’s business.
AV programs are only effective against what they know – the better the research team behind them, the faster the update. Nowadays AV suites tend to do everything from firewalling and cryptography to data loss prevention. But they are only as effective as the configuration that is running on them and, more importantly, only as long as they are not abused.
Network firewalls suffer from what Cotrozzi refers to as ‘the CEO syndrome’. Elaborating, he explains: ‘Installing a firewall/AV is all very well, but don’t expect it to be the answer to everything if the man at the top insists on downloading items for his personal use like movies or music. The messages which pop up requesting “grant privileges this time only?” are not placed there to annoy – they serve a purpose to make you stop and think. “Of course I want this or that installed” you say, but in so doing you are by-passing the protection of the firewall and potentially leaving the system wide open to cyber attacks.’
‘In the home environment, and again in times of recession, it is tempting to buy software which is “going cheap” – in other words, pirated,’ he continues. ‘Avoid at all costs.’
Throughout his career, Cotrozzi has experienced a number of horror stories – the result of botnets. He recalls a situation with a European bank who called him in when they discovered that their computer system had been hijacked.
A botnet had been installed which infected online customers’ computers. Many accounts were stolen and huge amounts of money diverted before the alarm bells started ringing.
‘Clients quickly changed to other banks and then began the long process of claiming back their lost money. It was an expensive wake-up call for the bank and its management soon learnt that you can’t compromise on computer security,’ he explains.
Cotrozzi also cites a hacking situation which affected the diplomatic community. ‘A Swedish hacker gathered lots of usernames and passwords of diplomats from different countries using the TOR network (a web browser encryptor and anonymiser),’ he says. ‘The hacker did this by installing a so-called “endpoint” on the network – this is the point where the communication is not encrypted any more – and was able to monitor the traffic which came out in clear text.’
TOR was created to allow private communications to pass through insecure networks such as wireless or internal ones – where one would expect monitoring to be in place – by creating an encrypted path between the computer and the endpoint. TOR is also used to bypass website censorship in countries which block political and human rights sites, or by people who want to transmit sensitive information in an ‘anonymous’ way.
‘Unfortunately even the diplomatic community is not immune from their confidential and sensitive emails being randomly intercepted which is why it is so important to ensure that policing policies are stringent,’ Cotrozzi says.
‘In our business there are, literally, horror stories every day and unfortunately they are all the result of companies or individuals not having sufficient and updated protection,’ adds Cotrozzi. ‘There was a conspiracy circulating in the early days of AVs that viruses were written by the AV companies themselves to sell their product! Not true! Most viruses in the early days were written with the intent of destroying systems. Today they are written with the goal of obtaining access to sensitive information and they are becoming more and more dangerous.’
To counteract the vulnerabilities of organisations, including government departments, KCS has developed a service which effectively ‘sweeps’ computer systems. The procedure is designed to find digital bugs present within a company’s IT environment, verifying how they could have been installed, who is responsible and where information is being sent.
Companies who could require this service would include those who want to protect against unauthorised disclosure of strategic corporate information and data, as well as those who want to protect against employee internet abuse or who could be exposed to potential fraud.
Beyond safeguarding computer systems within the home or office environment, there are other ways to ensure that data is not compromised illicitly. ‘It never fails to amaze me how negligent people are – I see people sitting on trains working on their laptops, seemingly ignorant of the fact that anyone could be looking on and absorbing the information on the screen,’ says Cotrozzi.
‘Unfortunately in this mobile age people have forgotten privacy protection. We can be overheard when speaking on mobiles in public, spied on when working on laptops and even listened in on when having a conversation about work in a pub or restaurant. Everyone should exercise diligence outside the office environment, as a means of safeguarding company business – and even personal information,’ advises Cotrozzi.
It’s essential to purchase software – including AV programs – from recognised and legitimate vendors, police computer systems diligently and avoid talking in public spaces about company or personal business. Common sense, perhaps, but sadly we are all guilty of not following these simple rules – a move that could have serious consequences.