IS(3)PACE

Identity Theft and the Hacker Economy

Fri, 14 Mar 2008 13:40:00 EST

Why You Should Learn More About Computer Security

I recently read an alarming series of articles in CIO Magazine, in which the author, Scott Berinato, described the evolution of Internet crime into a service-oriented economy centered on identity theft and fraud. Hackers are forming well funded organizations similar to drug cartels, and like the drug cartels, the fundamental principles of their success are ?distributed pain with concentrated gain, and distributed risk? (Berinato, Hacker Economics 2: Conspiracy of Apathy).

The immense size of the market allows these criminals to distribute the pain by stealing a small amount of money from a large number of people. For example, if they steal $20 from 5,000 credit cards, they make $100,000, and no one person noticed or chose to investigate the charge. If those charges are distributed amongst ten different card issuers, no one bank lost more than $10,000, which they simply write off as acceptable loss. If a victim goes to law enforcement, the law enforcement agency cannot justify the resources to investigate the fraud unless they hear from multiple victims and can determine that the incidents are related. (Berinato, Hacker Economics 2: Conspiracy of Apathy)

Even if law enforcement decides to open an investigation, the distributed risk principle hinders the investigation. The hackers themselves barely handle the stolen data, and in many cases they contract out the distribution of their malware. Furthermore, the information is sold to individuals who themselves do not commit fraud, but instead, sell the information to others who actually commit the fraud. The risk is shared by several links in a supply chain, but all of the money flows up to the cartel. Some researchers estimate that these cartels earn their members millions of dollars each month. (Berinato, Hacker Economics 2: Conspiracy of Apathy)

One of the first Trojans used to steal personal information is believed to have operated undetected for as long as nine months, during which it collected millions of personal credentials. Each month, Secure Science, a security research firm, discovers 3 million compromised login credentials for banks, online e-mail accounts and anything else that requires a username and password on the Internet. They also intercept 250,000 stolen credit cards every month, and that is just one company. (Berinato, Hacker Economics 1: Malware as a Service)

?Do you have a credit card? They?ve got it,? states a former hacker turned Internet security researcher. ?I?m not exaggerating. Your numbers will be compromised four or five times, even if they?re not used yet.? (Berinato, Hacker Economics 1: Malware as a Service)

How do they do it? The current distribution method of choice is to use an iFrame to download a form-grabbing Trojan onto the victim?s computer. iFrames are a feature of your web browser that allows websites to deliver content from remote websites in a frame on a page. As an example, think of the current weather conditions streamed from weather.com into a small box on a newspaper?s website. Hackers, on the other hand, build invisible iFrames into webpages. The iFrame contains a tiny piece of software called a downloader which downloads malware onto the user?s computer. (Berinato, Death by iFrame)

iFrames are so effective that a new business has emerged around them. These new companies pay for clickthroughs. If you agree to host their iFrame code on your website, you will receive a payment each week, contingent on 1,000 clickthroughs. They will even sell you malware code if you do not have your own. Research by the anti-virus company Sophos shows 8,000 new webpages each day hosting illicit code or activity, most of which are iFrame exploits. In fact, some 70 percent are found on legitimate websites which contained vulnerabilities that allowed the iFramers to inject their criminal code. Now, with a portfolio of infected sites, these companies sell access to their network at one dollar per infection. (Berinato, Death by iFrame)

iFrames are also advantageous because they separate the distribution network from the malware. The iFrame becomes a service in itself because it remains available for any variant or a new piece of malware. (Berinato, Death by iFrame)

Another group of hackers, who developed a form-grabbing Trojan known as Gozi, subscribed to the iFrame service to infect thousands of computers with their malware. Gozi collects information entered into online forms before it is SSL encrypted, and then sends the information collected to a remote server. With a method in place to distribute their malware, the hackers created a website where they sold projects of Gozi-infected computers in 30-day increments. The price: $1,000 per infected computer. In return for their money, customers receive the data collected from the computers in their project. (Berinato, Hacker Economics 1: Malware as a Service)

In yet another example of hacking as a service, security researchers recently found a website which uses a botnet (infected computers under the control of hackers) of several million computers to infect other vulnerable computers. For 20 cents per successful infection (or load), the customer can pay for loads based on country, IP address or other attributes. Consequently, a user of this service could target a specific company or a university. (Berinato, Internet Researchers Discover New Hacking Service Site)

There are four important points to take away from this.

The potential to earn millions of dollars per month is a strong motivator, especially when there is minimal risk.
You share the responsibility for securing your online transactions. If your computer is compromised by malware, the little yellow lock in your web browser, the one that banks and online merchants tell you indicates your transaction is secure, is not able to secure your transaction, because malware, such as Gozi, grabs the data before the little yellow lock can do its job.
It is much simpler and far less risky to steal confidential information from your computer, than to compromise the security measures of a bank or online merchant, and then steal the information from them.
Anti-virus software, alone, is not sufficient protection. Hackers sell their malware to other hackers who modify the code to create variants or entirely new malware. In effect, the malware evolves, and with each evolution it gets better at avoiding detection and removal. Anti-virus vendors cannot keep pace. On several occasions, WVU has identified virus-infected computers days before anti-virus vendors released definitions capable of detecting and removing the viruses.

How do you protect yourself from these hackers? First, secure your computer. Our top 10 security tips are a good place to start.

Second, protect your identity by reviewing your credit report on an annual basis. The three credit reporting agencies (Equifax, Experian and TransUnion ) must provide, upon request, a copy of your credit report at no charge once a year. You can also place a 90-day security alert on your credit, which also removes you from pre-screened credit solicitation lists for 6 months. You may also wish to consider the use of an identity theft protection service, such as LifeLock.

Unfortunately, properly securing a computer is not a trivial exercise, and hackers take advantage of our naïveté. Each of us should endeavor to learn more about computer security and the methods used by hackers. Make time to browse the security articles posted on the websites of vendors such as McAfee, Microsoft, Symantec and Trend Micro, and be sure to return to those sites periodically for the latest news and information. If you use Microsoft Windows, sign up for Microsoft?s consumer security newsletter. Visit the Federal Trade Commission’s website to learn more about identity theft.

In this new age of Internet crime, our computers and ultimately our very identities are under attack. We must be proactive and vigilant in securing our computers and protecting our identities.

Brice Knotts, Director
Student Affairs Administrative Technology Development

References

Berinato, Scott. (2007). Hacker Economics 2: Conspiracy of Apathy. CIO Magazine, Article 135452, http://www.cio.com/article/135550.

Berinato, Scott. (2007). Hacker Economics 1: Malware as a Service. CIO Magazine, Article 135500, http://www.cio.com/article/135500.

Berinato, Scott. (2007). Death by iFrame. CIO Magazine, Article 135452, http://www.cio.com/article/135452.

Berinato, Scott. (2007). Internet Researchers Discover New Hacking Service Site. CIO Magazine, Article 149600, http://www.cio.com/article/149600.

Password Protect MS Office Files

Fri, 18 Jan 2008 11:16:00 EST

MS Word

Click on ?File?
Click on ?Save As??
Click on ?Tools?
Click on ?Security Options…?
Enter password in ?Password to open:?
Click ?OK?
Reenter password to open:
Click ?OK?
Enter File name:
Click ?Save?

PowerPoint

Click on ?File?
Click on ?Save As??
Click on ?Tools?
Click on ?Security Options...?
Enter password in ?Password to open:?
Click ?OK?
Reenter password
Click ?OK?
Enter File name:
Click ?Save

MS Excel

Click on ?File?
Click on ?Save As??
Click on ?Tools?
Click on ?General Options…?
Enter password in ?Password to open:?
Click ?OK?
Reenter password to open:
Click ?OK?
Enter File name:
Click ?Save

Download a PowerPoint presentation of this information: Password Protect MS Office Files (.ppt)

P2P Filesharing

Tue, 01 Jan 2008 11:56:00 EST

From OnGuard Online:
P2P Filesharing (.pdf)

Test your wireless security knowledge with this quiz

End of Semester Reminder - Protect those WVUIDs

Fri, 07 Dec 2007 13:59:29 EST

It is hard to believe that the fall semester is ending. Faulty members are grading projects, papers, and exams. Students are studying to earn high scores on final exams. Although many of us are a bit tired, we are all excited or anxious about grades. Because you might be rushing around trying to finish semester activities, IS3PACE wants to remind you to be careful when using the WVUID. So, take a few minutes and consider these guidelines when you are posting or communicating grades to others:

(1) Don?t send email messages with a class roster containing WVUIDs and grades to groups of students or to an entire class
(2) Don?t post WVUIDs and grades on your door or on a Web page
(3) Don?t leave papers presenting WVUIDs unattended

Thank you for considering these guidelines. Have a secure holiday!

Burton Group "Identity Blog" a useful resource

Thu, 06 Dec 2007 16:02:00 EST

The Burton Group maintains a fantastic blog about Identity Management that WVU faculty, staff and students might want to check out. Here is the link:

[Snippet Error: Invalid ID. Try editing the snippet again.]http://identityblog.burtongroup.com/

Computer Viruses: An ounce of prevention....

Sun, 28 Oct 2007 08:00:00 EST

October is National Cyber Security Awareness Month.

Computer Viruses: An ounce of prevention…is worth a pound of cure!

Take a break from the games and challenges. Sit back and watch a short video to learn about computer viruses and how to avoid them.

Watch the Computer Virus Video

Spam Spam Spam Spam

Sun, 21 Oct 2007 08:00:00 EST

October is National Cyber Security Awareness Month!

Spam Spam Spam Spam

Does it seem like your mailbox is constantly flooded with spam??

Spam messages are unsolicited e-mails, generally sent in bulk, and are the equivalent of electronic junk mail. Most spam is deceptive commercial advertising, trying to interest the recipient in what are often fraudulent products or services.

Play ?Slam the Slammers? to learn some tips to avoiding spam.

The WVU Office of Information Technology employs extensive measures to reduce the volume of spam targeting our systems. Additionally, users can follow best practices to minimize the amount of spam they receive.

P2P: Peer to Peer File Sharing - Is it worth the risk?

Sun, 14 Oct 2007 08:00:00 EST

October is National Cyber Security Awareness Month!

P2P: Peer to Peer File-Sharing – Is it worth the risk?

Peer-to-peer (P2P) file-sharing connects millions of computer users online and allows them to easily share files. This may be anything from television programs, movies, music, games, software, documents, etc. By simply downloading a program, your computer can be connected to an informal network of other computers running the same software. The software often is free, easily accessible and can connect millions of people at the same time.

Unfortunately, P2P file-sharing may also allow random individuals to access information that you never intended to share. Downloading copyright-protected material also opens you up to legal action that can result in costly legal fees and court costs – not to mention fines or even jail time. You may also accidentally download viruses, worms, bots that can hijack your computer.

Play the Peer-to-Peer (P2P) “Three Play” game to learn about P2P risk.

Download more Information Here: P2P Filesharing (.pdf)

WVU Information Security Posters win 2007 SIGUCCS Communications Award of Excellence

Mon, 08 Oct 2007 12:54:00 EST

We are very pleased to announce that the four posters we entered in the 2007 SIGUCCS Communications Awards for General Service Campaign Materials won an Award of Excellence this year. These posters have allowed us to communicate to the campus community about the importance of information security and in a way that students can relate to.

The 4 winning posters for 2007 are:

Missing Files – Download the PDF: Missing Files.pdf

Passwords – Download the PDF: Passwords.pdf

Spyware – Download the PDF: Spyware.pdf

Email Attachments – Download the PDF: Email Attachments.pdf

Protecting Your Identity - Are YOU Taking the Proper Steps?

Sun, 07 Oct 2007 08:00:00 EST

October is National Cyber Security Awareness Month!

Protecting Your Identity – Are YOU Taking the Proper Steps?

Do you know how to protect your identity? Sadly, most WVU students probably do not. It is very important to remember to exercise caution when submitting sensitive information online.

For example, NEVER enter sensitive information such as your Social Security Number (SSN), your WVU ID Number (your 700 number), usernames and passwords, etc. in email, instant messages or text messages.

Doing so unnecessarily opens you up to security risks that can easily be avoided.

Play the Identity Theft “Face-off” game to determine if you are taking the proper steps to protect your identity.

Take the Identity Theft challenge!