A recent forum made it clear that cyber crime does not discriminate – we are all vulnerable, writes GORDON SMITH
YOU MIGHT expect paranoia to be in plentiful supply at an IT security get-together but the need for co-operation in addressing online risks was one of the major themes at the annual cyber crime conference in Dublin – even if, appropriately, nobody wore name badges.
The conference, now in its second year, is organised by the Irish Reporting and Information Security Service (IRISS).
Det Insp Paul Gillen, head of the Computer Crime Investigation Unit at the Garda, called for a pooling of information to tackle the problem of cyber crime. “Ireland, being small, is a good thing – we have an opportunity to develop a community approach to cyber crime and the guards have an important role to play,” he said.
This could be in helping entire sectors such as financial services or retail or critical national infrastructure develop incident response plans after a cyber attack, he added.
IRISS, run on a voluntary basis for the community, acts as an informal Computer Emergency Response Team (Cert) for Ireland. About 5 per cent of the alerts it issues to members are specific to the Irish internet community, said IRISS founder and security consultant Brian Honan.
“Since we started in November 2008, we have had to deal with 135 incidents. At this stage, we now deal with between two to five incidents a day,” he said. Most of these involve Irish websites being compromised by criminals to host phishing sites or malware to infect unsuspecting visitors. In most cases, the owners of the website are not even aware their system is being used by criminals, said Honan.
Gillen said his office had seen evidence in other jurisdictions of organised crime gangs targeting employees in companies to take data out, and then using that information to commit fraud or identity theft, to compromise bank accounts or to launder money.
Other threats include distributed denial of service attacks against various organisations. Small firms may also be vulnerable to ransomware attacks, where the computer holding the company’s data is compromised, and the owners are coerced into paying a fee to get their information back. Gillen says it is important to encourage companies to report these cases to the Garda and he said concerns about brand damage are overplayed. “There’s nobody in any sector more vulnerable to fraud than anyone else – everyone is equally susceptible,” he said.
Howard Schmidt, the White House cyber crime co-ordinator, echoed the calls for a community response to online crime. “The internet is a shared resource and our securing it is a shared responsibility,” he said in a video presentation.
Unfortunately, all the talk of co-operation isn’t restricted to stopping cyber crime; those on the other side of the fence see the advantages of collaboration. Robert McArdle, manager of Trend Micro’s European threat research team, showed how online scams aren’t a simple transfer of money from victim to attacker but a much more complex criminal ecosystem.
He used the example of fake antivirus programs which trick people into believing their PCs are infected and into buying software that supposedly fixes the problem. McArdle said the $90 price is divided between several individuals or groups, each taking a cut.
The group that sends the program is not the same as the individual that develops it. Someone else in turn “poisons” web searches to direct people to fake websites, while another provides “bulletproof” hosting services so those sites can evade detection. Another party scans the fake files to ensure they won’t be immediately spotted by legitimate anti-virus software.
“It’s not any one individual criminal gang, it’s a group of them working together and this is why it’s so difficult to stop them,” said McArdle.
He has personally investigated the gangs and has spoken with gang members online. The sums involved show the internet’s attraction for criminals.
“Most gangs make €1-€2 million per year but the more organised gangs are making that per month,” McArdle said.
Tackling this problem, at least in part, could be Ireland’s opportunity: the conference also heard how a cluster of export-focused indigenous companies have formed Infosecurity Ireland. Backed by Enterprise Ireland, the group hopes to promote Ireland as a centre of excellence for computer security.
Another thread from the event was that, despite advances in security technology, the human factor is still the Achilles heel in many organisations. Schmidt, the White House cybercrime co-ordinator, said educating people was essential to getting across “repeated, consistent messages” about staying safe online. “Like putting on your seatbelt when getting into a car or looking both ways when crossing the street . . . simply put, cybersecurity must be ingrained into our day-to-day life,” he said.
“People can not understand the value of cybersecurity without first understanding how much is at risk.”
The education principle was true in organisations holding personal information about people, said Billy Hawkes, the Data Protection Commissioner. These firms must train their staff about taking correct security measures.
Hawkes said firms must use appropriate steps to protect personally identifiable data from being lost or stolen. A data breach is not just a stolen laptop but “any kind of loss of control by an organisation over its data”.
“The human factor is often the reason why breaches happen, even in organisations that have a lot of security procedures,” he said.
Peter Wood, chief executive of First Base Technologies, warned that security software alone won’t solve the problem. “It’s not enough just to put in a product. The industry likes silver bullets but the only thing they’re good at is killing werewolves.”
Improving security: inexpensive anti-crime tips
FOR MANY small businesses, information security isn’t a high priority right now but Peter Wood, chief executive of First Base Technologies, offered five tips to improve security easily and inexpensively – in some cases, at no cost at all.
UPDATE ALL SOFTWARE
“People think a machine is running slowly because it’s old,” said Wood. “We’ve seen so many machines infected with banking Trojans, for example, and it’s really only because people don’t keep their systems patched and up to date.” That should cover not just the computer’s operating system but also important applications, by downloading and installing the latest versions.
DON’T CLICK SUSPICIOUS E-MAIL LINKS
This prevents phishing attacks where weblinks are made to look like legitimate addresses and people don’t realise they’re being redirected to potentially harmful sites. “Make people launch their browser software and type in the address by hand, so they know where they’re going for sure,” said Wood.
USE UPDATED ANTI-VIRUS SOFTWARE
New security threats are constantly being developed, so the best practice is to update the company’s anti-virus systems every hour (this can be set up to happen automatically).
INSTALL PERSONAL FIREWALLS
“Personal firewalls are not expensive,” said Wood, “and you get an alarm if something naughty happens.”
Microsoft Windows comes with a firewall but this will only protect you if your PC is being attacked; it won’t tell you if a rogue piece of software is trying to dial out from your computer, said Wood.
DON’T RUN AS “ADMINISTRATOR”
This function is disabled on Windows 7 but earlier versions give people full privileges on their computer to add, remove or change programs. “If something nasty is running on your machine, it has the same permissions you do. If you don’t run as an administrator, it won’t change system files or get under the radar,” Wood advised.