The development of cyber attacks and data protection

November 15, 2015

Cyber attacks are occurring and being reported on such a regular basis that the coverage has become less breathless and dramatic than it was several years ago. That is not to say there is no reportage. It is more that the stories, such as the Ashley Madison or Sony hacks, either tend to have a sensational tinge to them or, like the OPM attack, are on a massive scale.

The Economist in “What lies behind the JPMorgan Chase cyber-attack” provides an insight into how the theft of personal information can be used to enhance old frauds, such as pump and dump schemes. Interestingly, the perpetrators of the JP Morgan breach were not expert IT hackers but rather criminals who bought the hacking tools online, which they then used to get access to personal information. This phenomenon is also covered by itnews in “Hired-gun hacking played key role in world’s biggest cyber fraud”.

Cybercrime is becoming more democratic. The Fairfax press in “Australia vulnerable to a cyber-attack disaster” highlights the breadth and scale of the cyber attacks and the woeful preparedness of government agencies and, especially, organisations to meet those challenges. It is a worldwide problem but it is exacerbated in Australia by the illogical response to the problem. The Australian Government has responded with the Australian Cybercrime Online Reporting Network and notifications from Safety on Line and published standards for use in Government agencies. Against those positives has been the ineffective regulation and timid enforcement of the Privacy Act. The net result is a generally inadequate compliance regime and a poor understanding of what privacy protections are prudent.

One option that businesses have adopted is hiring white hat hackers to test their defences. This is reported in “Why tech firms pay hackers to hack them”.

The Economist article provides:

The criminal economy is developing faster than the lawful one can defend itself

AMERICAN prosecutors may struggle to bring all the perpetrators of one of the biggest cybercrimes in history to justice, let alone recover the stolen money. But they have already given a unique glimpse into the way that the dark economy operates.

The criminal charges outlined in New York and other places on November 10th against three men said to be behind a huge hacking and fraud operation give details of how they allegedly attacked at least 12 companies, including banks, media outlets and a software firm. The proceeds, since the scams started in 2007, amount to hundreds of millions of dollars. They stole personal data relating to more than 100m people, 83m of them customers of JPMorgan Chase.

The men charged—Joshua Samuel Aaron, Ziv Orenstein and Gery Shalon—are all from Israel. Mr Aaron, who is also an American, is believed to be in Russia. The other two are under arrest in Israel. Other alleged conspirators are as yet unidentified. The charges involve many crimes, including running illegal internet casinos, handling the proceeds of other criminal activity, hacking into the computers of business rivals, and manipulating stock prices.

The simplest scam was using the stolen data as a source of victims. The alleged fraudsters would cold-call these people and pressure them to buy near-worthless shares. The price of these thinly traded securities would then rise, enabling the fraudsters (who bought them first) to make an easy profit. Mr Shalon, according to the indictment, told an accomplice that getting the customers of the hacked companies to buy the dodgy shares was “like drinking vodka in Russia”. Such “pump and dump” scams are as old as securities exchanges themselves. But the internet enables criminals to carry out such crimes at a scale and speed never before seen. It also makes cross-border crime far easier. The alleged fraudsters used, among other computers, a server in Egypt, rented under a pseudonym, plus computers in South Africa and Brazil. They laundered money in Cyprus, and processed illegal credit-card payments in Azerbaijan.

Law enforcement struggles against such operations. But it is not helpless. The first clues came thanks to information provided by JPMorgan Chase itself. Prosecutors were also able to find two accomplices willing to co-operate, whose role was to find companies with cheap, thinly traded shares suitable for sale to suckers. Such tactics could work against other criminals too.

But perhaps the biggest point is that the three men were allegedly expert criminals, but not expert computer hackers. They bought the hacking tools they needed—such as the ability to send e-mails with a toxic payload to infect the computer of anyone who opens them—on the black market. Just as bank robbers do not need to make their own guns, cyber-criminals do not need to write their own malevolent software.

That ought to prompt worry. If mighty companies such as JPMorgan Chase can fall victim to such off-the-shelf attacks, it is worth pondering what might happen if criminals—or for that matter terrorists or hostile foreign governments—used more sophisticated means. 

The Fairfax article provides:

Australian government agencies and organisations are increasingly vulnerable to a major cyber attack yet security has not evolved in more than 20 years, according to an international cybercrime expert.

Chris Pogue, a member of the US Secret Service Electronic Crimes Task Force, will conduct high-level security briefings with government departments and security agencies in Canberra next week to urge better collaboration and intelligence sharing in the face of an “inevitable” cyber disaster.

With the trade of stolen data booming on the multi billion-dollar dark web, Mr Pogue said “data is the new oil” yet Australia, like most countries, still has a “head-in-the-sand approach”.

“It will get worse before it gets better,” he told Fairfax Media. “The sooner decision makers understand that there are only three types of organisations – those that have been breached, those that are currently breached (and likely don’t know it) and those that are about to be breached – the better.”

Mr Pogue, a former US Army officer who has trained thousands of federal agents in cyber investigations, said security had not “truly evolved” in 20 years.

The approach is “reactive and knee jerky” and most organisations are still getting the basics – like passwords and firewalls – wrong.

“Prevention is not working,” he said. “It’s not that people don’t know they have to protect their data, they just don’t do a good job at it. Even US government departments, they have the money, they can buy the resources … and it’s still not working.”

In its 2015 report on organised crime, the Australian Crime Commission said cybercrime affected five million Australians in 2013 and cost $1.06 billion although that figure is likely to be an underestimation because it is based on the cost to individuals only, not industry and government.

In the first quarter of this year, more than $234 million worth of financial loss was self-reported by individuals and small companies to the new Australian Cybercrime Online Reporting Network.

One particularly persistent hack, a malware called ZeroAccess, was compromising 4000 Australian devices each day between October and December last year, the ACC said.

The malware infiltrated payment systems in 60 Pizza Hut stores in Australia across 12 months last year. Europol, the FBI and Microsoft have unsuccessfully tried to disrupt the ZeroAccess botnet.

Australia was also reportedly targeted in recent months by Chinese and Russian spies attempting to hack top-secret details of Australia’s future submarines.

Mr Pogue, senior vice-president of cyber threat analysis with Australian data investigation company Nuix, said hackers were becoming more creative and more aggressive.

Most advertise their skills in hidden Russian-language forums. The stolen data is sold on encrypted “dark net” sites, with stolen credit card details fetching an average of $100.

The money is then funding other crimes, such as terrorism and people smuggling.

One dark-net site identified by Australian police recently was selling credit cards for 8¢, CCVs for $8 and other card details, such as billing addresses, for $80. At one point, 14,000 users were accessing the site.

Last month, former ASIO head David Irvine conceded it was only a matter of time until jihadists launched online attacks in Australia.

The Australian Strategic Policy Institute found Australia had slipped from second to fifth place in the Asia-Pacific region for cyber policies and practices.

An urgent round table on cyber security was convened earlier this year and the federal government will soon consider the outcomes of its overdue cyber security review.

Efforts will focus on developing a new public Cyber Security Strategy with practical initiatives, the Department of Prime Minister and Cabinet said.
