Online Battlefield: Cyber Attack Vectors

SPECIAL TO THE WEB

Robert Tie
Contributing Writer, Fraud Magazine

"Israel, all your base are belong to us," tweeted hacker group Anonymous when, in support of Gaza militants, it launched millions of cyber attacks against Israeli government and corporate websites in November. According to media coverage, the hacktivist offensive brought down more than 600 Israeli websites, deleted the databases of the country's Ministry of Foreign Affairs and the Bank of Jerusalem, and exposed more than 2,000 email addresses and passwords.

"With cyber-attack losses on the front page yet again, CFEs should reiterate to clients that tomorrow's headlines might report the theft or disclosure of their most valuable and confidential information," said Jim Butterworth, CFE, an ACFE faculty member and chief security officer at HBGary, a cyber security firm in Sacramento, Calif.

"Such losses often have reputational, political or strategic consequences," he said. "But if management isn't equally mindful of a successful cyber attack's negative financial impact, information security will seem like a cost. In fact, it's an essential investment in organizational survival. Treating it as anything else is negligent."

An introduction to Butterworth's proactive recommendations on this subject appeared in Fraud-Magazine.com's November 2012 Special to the Web article, "Cyber-Attack Vector? Who, Me?" This article continues that discussion.

FAMOUS LAST WORDS

"It's just WordPress," a company's overconfident system administrator recently told Butterworth after bringing him in to perform a routine security audit of the HBGary client's corporate system. (WordPress is a free and open-source blogging tool and content management system.) Butterworth had drawn the admin's attention to PHP blogging software files on the company's Web-connected server — an apparently harmless presence that in fact was cleverly concealing the means through which hackers were surreptitiously accessing proprietary corporate information. Unfortunately, by the time the client engaged Butterworth, its server had already been infected and its data stolen.

Coined in the 1990s, the acronym PHP originally stood for Personal Home Page; today it is the recursive acronym PHP: Hypertext Preprocessor. It is the open-source, server-side scripting language in which WordPress itself, and every theme and plugin it loads, is written. Because the web server will execute any PHP file it is asked to serve, savvy hackers now hide powerful malware (backdoors and web shells) among the hundreds of legitimate PHP files in a WordPress install, where only trend-aware security professionals would think to look for it.

"Blog-embedded malware is a new weapon in the hacker arsenal," Butterworth said. "But note that WordPress is not innately an attack vector. The vulnerability occurs when a company that has WordPress on its server doesn't properly configure it to resist hacker intrusions. Every organization should employ IT professionals who know how to detect and prevent such attacks. A company will get more than its money's worth; those staff members will be very busy."

Recent history bears this out. A media report quoted analysts from Kaspersky Lab, the Moscow-headquartered security software vendor, as saying that as many as 100,000 WordPress installations were infected early in 2012, 85 percent of them in the U.S.

Hackers reportedly injected code into the pages of these blogs that silently redirected visitors to servers the hackers controlled. Those servers fingerprinted each visitor's operating system and served malware tailored to it. Many of the infected computers were Macs.
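How a security team would actually look for the two cases above, the backdoor hidden among WordPress PHP files and the injected redirect: this is an added example, not HBGary's or WordPress's own tooling. It walks a WordPress tree, skips files whose SHA-256 matches a clean copy of the same release, flags any PHP file under wp-content/uploads (which should only ever hold static content), and reports files containing the eval/base64 chains, request-parameter command execution and hidden-iframe or JavaScript redirects typical of injected code. The rule set is a constructed starting point and the directory layout it expects is the standard WordPress one.

```python
"""Triage a WordPress install for PHP files that look like injected backdoors.

Added example for this article; not HBGary's or WordPress's own tooling.
The detection rules are a constructed starting set; a real deployment
would tune and extend them.
"""
import hashlib
import os
import re

PHP_EXTENSIONS = (".php", ".phtml", ".php5", ".inc")

# Each rule pairs a regex with the reason reported when it matches. These
# constructs recur in PHP web shells, droppers and drive-by redirect injections.
RULES = [
    (re.compile(r"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
     "eval of decoded payload"),
    (re.compile(r"\b(?:assert|create_function)\s*\(\s*\$", re.I),
     "code execution from a variable"),
    (re.compile(r"\bpreg_replace\s*\(\s*['\"](.)[^'\"]*\1[a-df-z]*e[a-z]*['\"]", re.I),
     "preg_replace with /e modifier"),
    (re.compile(r"\b(?:system|passthru|shell_exec|exec|popen)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\b", re.I),
     "shell command built from a request parameter"),
    (re.compile(r"['\"][A-Za-z0-9+/]{200,}={0,2}['\"]"),
     "long base64-looking string literal"),
    (re.compile(r"<iframe\b[^>]*(?:visibility\s*:\s*hidden|display\s*:\s*none|(?:width|height)\s*=\s*[\"']?0\b)", re.I),
     "hidden iframe"),
    (re.compile(r"(?:window|document)\.location(?:\.href)?\s*=\s*['\"]https?://", re.I),
     "JavaScript redirect to an external host"),
]


def sha256_file(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def scan_file(path, relpath):
    """Return the list of reasons this file is suspicious (empty if clean)."""
    reasons = []
    # WordPress serves uploads as static content; executable PHP there is
    # almost always something an attacker dropped.
    if "/wp-content/uploads/" in "/" + relpath.replace(os.sep, "/"):
        reasons.append("PHP file under wp-content/uploads")
    with open(path, "rb") as fh:
        text = fh.read().decode("latin-1")  # never fails on odd bytes
    for regex, reason in RULES:
        if regex.search(text):
            reasons.append(reason)
    return reasons


def scan_tree(root, known_hashes=frozenset()):
    """Walk a WordPress tree; return {relative path: [reasons]} for flagged files.

    known_hashes: SHA-256 digests of files from a clean copy of the same
    WordPress release (core, themes, plugins). Files that match are skipped,
    so only modified or unexpected files are examined.
    """
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            if not name.lower().endswith(PHP_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if sha256_file(path) in known_hashes:
                continue
            reasons = scan_file(path, rel)
            if reasons:
                findings[rel.replace(os.sep, "/")] = reasons
    return findings


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for rel, reasons in scan_tree(root).items():
        print("%s: %s" % (rel, "; ".join(reasons)))
```

Run it against the document root (or a forensic copy of it) and feed it the hashes of a fresh download of the same WordPress version; anything it prints is a file that differs from the release and contains a suspicious construct, which is exactly the short list an examiner wants to open first.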

Read the full article at Fraud-Magazine.com.

TMI: The Blurry Line Between Professional and Personal Data

SPECIAL TO THE WEB

Robert Tie, CFE, CFP
Contributing Editor, Fraud Magazine

Some of us complain about the blurring boundaries between our work and personal lives, but fraudsters love it. Why? Because the way many of us use personal email accounts and social media sites influences our approaches to working on corporate systems. However, the relatively indiscriminate sharing of personal data that so many consumer websites encourage is antithetical to the safe use of corporate information resources.

"Users are the predominant vector for cyber attacks on corporate systems," said Jim Butterworth, CFE, an ACFE faculty member and chief security officer at HBGary, a cyber-security consultancy in Sacramento, Calif. "Fraudsters know that the user is the weak link in system security."

Recent research shows how serious and widespread this problem is. In September, Symantec Corp., a maker of anti-virus software, released its 2012 Norton Cybercrime Report, which found that in the prior 12 months an estimated 556 million people around the world fell prey to cybercrime.

Responses to Norton's survey of more than 13,000 adults in 24 countries revealed that even though users were aware of the security risks they face online, many still didn't take steps to mitigate those dangers. While 75 percent of users said they believed cyber criminals focus on social networks, only 44 percent took advantage of applications that can protect them at such sites and only 49 percent use those sites' privacy settings to limit how much and with whom they share information.

When such computing habits persist at work, they can threaten the safety of corporate systems and hurt the bottom line. Another study, released in October, paints a clear, worrisome picture of how badly organizations need — but often don't have — effective cyber security programs.

The 2012 Cost of Cybercrime Study conducted by the Ponemon Institute, a privacy and security think tank, under the sponsorship of tech giant HP, found that the average annualized cost of cybercrime incurred by a sample of U.S. organizations was $8.9 million — 6 percent more than in 2011 and 38 percent more than in 2010. The 2012 report also found that the average corporation experienced 102 successful cyber attacks a week, up from 72 attacks a week in 2011 and 50 attacks a week in 2010.

It's clear that organizations — and the CFEs who serve them as employees or consultants — need to come up with effective countermeasures quickly. Sometimes, though, that's easier said than done.

HUMAN FRAILTY

Case in point: In October, a client of Butterworth's firm requested a routine assessment of its system security. During its analysis, HBGary discovered that five of the client's PCs were infected with a remote administration tool (RAT), a form of malware that surreptitiously executed commands the hackers sent it whenever the PC was connected to the Internet. HBGary also found that the hackers' software had been in place for more than two years, secretly monitoring the client's system and transmitting confidential information to a group that Butterworth's firm determined is located in China's Shandong province, the same province to which investigators traced the attackers behind the intrusion into Google's systems that Google disclosed in January 2010.

Read more about Butterworth's case in the full article on Fraud-Magazine.com.

Digital Artifacts the Keys to Making or Breaking a Fraud Case

GUEST BLOGGER

Phillip Rodokanakis, CFE, EnCE, ACE, DFCP

U.S. Data Forensics, LLC

Herndon, Va.

In my last two blog posts, "Follow the Digital Tracks to Uncover Fraud" and "Unearthing Digital Artifacts to Uncover Fraud," I presented a couple of case studies and addressed how digital artifacts can assist anti-fraud professionals in an examination or white-collar crime investigation. Digital artifacts allow us to quickly build a profile of the user, including family details, financial details, personal habits and associations.

Digital artifacts can be used to track events such as the timing of when an external drive was connected to the computer. This may be no big deal under ordinary circumstances, but if a fraud examiner is investigating the theft of intellectual property stored in digital files, knowing when and who connected external storage devices to the computers in an organization can make or break the case.

A computer user may insist that he did not read or open a particular file, but the digital artifacts left behind can readily show whether he is mistaken or intentionally lying. These sorts of digital artifacts are logged in various Windows system files and logs, as well as in the Windows registry hives.

Rumor has it that the Windows registry files are referred to as hives because the original developers of Windows NT hated bees. So the developer who was responsible for the registry snuck in as many bee references as he could. A registry file is called a "hive," and registry data are stored in "cells," which are what honeycombs are made of.

The registry hives are files loaded into the Windows environment every time the computer boots into the operating system. They contain all kinds of data, from tracking logins and installed software to personalized details, like what wallpaper image is displayed on the user’s desktop, where on the screen a particular window opens, what files a user worked with most recently and the time and date different applications were run.

If you’re involved in a fraud examination, I am sure you see the value of knowing what files the user accessed, what programs he ran, what network share drives were accessed, what external storage devices were used, what files were deleted, what software was installed or whether an application was used to intentionally delete and wipe (e.g., overwrite) certain files. These sorts of details can easily be provided to the investigative team by a competent digital forensic examiner who has been engaged to examine the trove of digital information that exists in today’s computer networks.
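To make "what programs he ran, and when" concrete, here is an added example (not the author's code) that decodes one well-known registry artifact of that kind: the UserAssist values Explorer keeps in the user's NTUSER.DAT hive under Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count. Each value name is a ROT13-obfuscated program path, and the binary data holds a run count and a last-execution FILETIME (100-nanosecond ticks since 1601-01-01 UTC). The sample path and value bytes are constructed; pulling the raw values out of the hive is the job of a hive parser or a registry export and is assumed here.

```python
"""Decode Windows UserAssist registry values: which program a user ran, how
many times, and when it last ran.

Added example; not code from the post. The value bytes and the program path
used below are constructed for illustration.
"""
import codecs
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME = 100-ns ticks since 1601-01-01 UTC; 0 means 'never run'."""
    if ft == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def decode_userassist_name(name):
    """Value names are ROT13-obfuscated program paths, e.g. 'P:\\Gbbyf\\jvcr.rkr'."""
    return codecs.decode(name, "rot_13")


def parse_userassist_value(data):
    """Parse a UserAssist value in either on-disk layout.

    Windows XP/Vista: 16 bytes -> session(4) count(4, counting starts at 5) FILETIME(8)
    Windows 7+:       72 bytes -> session(4) run count(4) focus count(4)
                                  focus time in ms(4) ... last-run FILETIME at offset 60
    """
    if len(data) == 16:
        _session, count, last_run = struct.unpack("<IIQ", data)
        return {"layout": "xp", "run_count": max(count - 5, 0),
                "focus_count": None, "focus_seconds": None,
                "last_run": filetime_to_datetime(last_run)}
    if len(data) >= 68:
        _session, run_count, focus_count, focus_ms = struct.unpack_from("<IIII", data, 0)
        (last_run,) = struct.unpack_from("<Q", data, 60)
        return {"layout": "win7", "run_count": run_count,
                "focus_count": focus_count, "focus_seconds": focus_ms / 1000.0,
                "last_run": filetime_to_datetime(last_run)}
    raise ValueError("unrecognised UserAssist value length: %d" % len(data))


def build_sample_value(run_count, last_run, layout="win7"):
    """Construct a value blob of the kind a hive parser would hand back (test data)."""
    ft = datetime_to_filetime(last_run) if last_run else 0
    if layout == "xp":
        return struct.pack("<IIQ", 1, run_count + 5, ft)
    blob = bytearray(72)
    struct.pack_into("<IIII", blob, 0, 1, run_count, run_count, 90_000)
    struct.pack_into("<Q", blob, 60, ft)
    return bytes(blob)


if __name__ == "__main__":
    sample_name = "P:\\Gbbyf\\jvcr.rkr"  # constructed; decodes to C:\Tools\wipe.exe
    sample = build_sample_value(7, datetime(2012, 3, 15, 14, 30, tzinfo=timezone.utc))
    info = parse_userassist_value(sample)
    print(decode_userassist_name(sample_name), info["run_count"], info["last_run"])
```

Two details matter in practice: the timestamps are UTC and must be converted to the subject's time zone before being compared with testimony, and a wiping utility that appears here with a last-run time just before the data went missing is precisely the kind of artifact that makes or breaks a case.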

You can find Phil at the 23rd Annual ACFE Fraud Conference & Exhibition next week when he presents on "Digital Forensics & eDiscovery for Fraud Examiners."

Unearthing Digital Artifacts to Uncover Fraud

GUEST BLOGGER

Phillip Rodokanakis, CFE, EnCE, ACE, DFCP
U.S. Data Forensics, LLC
Herndon, Va.

In my last blog post, “Follow the Digital Tracks to Uncover Fraud,” I discussed how following the digital tracks has replaced the old technique of “follow the money” in uncovering and solving fraud schemes. The post included case examples where digital data left behind on a computer was instrumental in solving complex fraud investigations.

The operating system (OS) keeps track of digital data in allocated clusters (i.e., the used space on the drive), which are occupied by active files (i.e., files that are actively tracked by the OS). Data no longer tracked by the OS resides in unallocated clusters (i.e., the free space on the drive).

The data in unallocated clusters can include complete files the OS no longer tracks (deleted or temporary files, for example) or file fragments (partial remnants of files that were previously stored on the drive). Digital forensic examiners usually refer to these remnants as file artifacts.

In addition to file artifacts, the OS generates many logs and system files that can contain artifacts of interest in a digital examination. For example, a user’s Internet surfing history is usually captured in system databases that record a plethora of details about the user’s surfing activity. Additionally, as different websites are visited, the pages are downloaded to the browser’s cache, which consists of system-generated files and folders that temporarily store the information accessed online.

With today’s gargantuan hard disk drives, temporary or deleted files, or their file fragments can reside on a drive for a long, long time. For example, it’s not unusual to be able to retrieve Internet browsing history going back a year or longer.

These sorts of digital artifacts may enable a fraud examiner to follow the money. For example, the browsing history may include visits to financial institutions that may disclose the existence of bank or investment accounts. Better yet, if the user accessed online items like cancelled checks or account statements, they may have been downloaded and left behind in the browser’s cache.

Another fruitful area in fraud examinations may be the type of file remnants left behind from webmail sessions. Webmail describes online email services like Gmail, Hotmail, Yahoo, etc. Usually these services are accessed through an Internet browser, meaning that file artifacts from online webmail sessions can be found and retrieved from hard disk drives. Computer users frequently use webmail for their private communications, particularly when using a computer at work. Such webmail artifacts can and often do contain information of great use to fraud examiners. 
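An added example (not the author's code) of pulling both kinds of lead, financial institutions and webmail, out of one of those system databases: Firefox's places.sqlite. It builds a timeline by joining moz_historyvisits (one row per visit, with the time in microseconds since the Unix epoch) to moz_places (one row per URL) and flags visits whose host belongs to a watch-list. Only the columns the query uses are created in the constructed in-memory sample; the real schema has many more, and the watch-list domains are assumptions for illustration.

```python
"""Build a browsing timeline from Firefox's places.sqlite and flag visits to
banks and webmail providers.

Added example for this post, not the author's tooling. Only the columns used
here are created in the constructed sample database, and the watch-list
domains are assumptions; a real examination would use the subject's own
institutions.
"""
import sqlite3
from datetime import datetime, timezone
from urllib.parse import urlsplit

FINANCIAL = ("chase.com", "wellsfargo.com", "fidelity.com", "schwab.com")
WEBMAIL = ("mail.google.com", "mail.yahoo.com", "hotmail.com", "outlook.live.com")


def prtime_to_datetime(microseconds):
    """Firefox stores visit_date as microseconds since the Unix epoch (PRTime)."""
    return datetime.fromtimestamp(microseconds / 1_000_000, tz=timezone.utc)


def datetime_to_prtime(dt):
    return int(dt.timestamp()) * 1_000_000


def _host_in(host, domains):
    # Exact match or a proper subdomain; "chase.com.evil.example" must not match.
    return any(host == d or host.endswith("." + d) for d in domains)


def classify(url):
    host = (urlsplit(url).hostname or "").lower()
    if _host_in(host, FINANCIAL):
        return "financial"
    if _host_in(host, WEBMAIL):
        return "webmail"
    return "other"


def history_timeline(conn):
    """Every visit, oldest first: (time UTC, url, title, category)."""
    rows = conn.execute(
        "SELECT v.visit_date, p.url, p.title "
        "FROM moz_historyvisits v JOIN moz_places p ON p.id = v.place_id "
        "ORDER BY v.visit_date, v.id").fetchall()
    return [(prtime_to_datetime(ts), url, title, classify(url)) for ts, url, title in rows]


def flagged_visits(conn):
    return [row for row in history_timeline(conn) if row[3] != "other"]


def open_places(path):
    """Open a working copy of places.sqlite read-only; never open the evidence copy."""
    return sqlite3.connect("file:%s?mode=ro&immutable=1" % path, uri=True)


def build_sample_db():
    """Constructed stand-in for a subject's places.sqlite."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                                 visit_count INTEGER, last_visit_date INTEGER);
        CREATE TABLE moz_historyvisits (id INTEGER PRIMARY KEY, from_visit INTEGER,
                                        place_id INTEGER, visit_date INTEGER,
                                        visit_type INTEGER);
    """)

    def at(hour, minute):
        return datetime_to_prtime(datetime(2012, 3, 15, hour, minute, tzinfo=timezone.utc))

    conn.executemany("INSERT INTO moz_places VALUES (?,?,?,?,?)", [
        (1, "https://www.example.org/news", "Headlines", 1, at(9, 2)),
        (2, "https://secure.chase.com/web/auth/dashboard", "Chase Online", 2, at(9, 14)),
        (3, "https://mail.google.com/mail/u/0/#inbox", "Inbox - Gmail", 1, at(9, 20)),
    ])
    conn.executemany("INSERT INTO moz_historyvisits VALUES (?,?,?,?,?)", [
        (1, 0, 1, at(9, 2), 1),
        (2, 0, 2, at(9, 9), 1),
        (3, 2, 2, at(9, 14), 1),
        (4, 0, 3, at(9, 20), 1),
    ])
    conn.commit()
    return conn


if __name__ == "__main__":
    import sys
    conn = open_places(sys.argv[1]) if len(sys.argv) > 1 else build_sample_db()
    for when, url, title, category in flagged_visits(conn):
        print(when.isoformat(), category, url, title)
```

Point it at a copy of the profile's places.sqlite and the flagged rows are the visits to follow up: a bank visit suggests an account to subpoena, and a webmail visit gives the time window in which to look for cached message fragments on the same drive.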

My next post will examine other digital artifacts that can come in handy in fraud examinations and white-collar crime investigations.

#2: Fraud Magazine Dons New Look and Expands Focus

GUEST BLOGGER

Dick Carozza
Editor in chief, Fraud Magazine

Since we began Fraud Magazine’s predecessor, The White Paper, in 1988, we’ve worked to give down-in-the-trenches information fraud fighters can apply to their jobs and career development. In 1996, we changed to a four-color magazine format and then later broadened our audience beyond the ACFE with the debut of Fraud Magazine in 2004.

In 2010, we introduced the new Fraud-Magazine.com, which gives readers everything in the print version plus exclusive material found only on the website.

According to a recent reader survey, the ACFE membership is becoming younger, and more globally diverse and technologically savvy. And our flagship publication, Fraud Magazine, is changing along with you.

Beginning with the March/April issue, Fraud Magazine will take on a cleaner, more attractive look designed to help you, the practitioner, learn more. As we work through 2012 and beyond, you’ll see more concise articles and columns from new subject-matter experts. And we’ll emphasize cases, practical pointers and transferable lessons learned in the investigative process.

We’ll still highlight newsmakers, but we’ll also concentrate on nuts-and-bolts fraud examination topics. The magazine will include more articles on career development, investigation techniques, law, law enforcement, criminology and digital forensic methods. And we’ll also focus on risk management, money laundering and recovery of assets.

Our Fraud Magazine survey also found that 90 percent of readers agree that the magazine contains original information that can’t be found anywhere else. That continues to be our goal for this major member benefit as we move into 2012. Thanks so much for reading Fraud Magazine through the years. The publication has helped spread our message around the globe as we’ve solidified the CFE as the preeminent anti-fraud credential. Now we build on this history as we endeavor to give you even more targeted information that you can use today.

You can help shape the magazine by contributing your articles and columns. Share your expertise with the anti-fraud community, and you’ll not only receive deserved recognition, but you’ll help your colleagues crack their cases and accelerate the fight against fraud. Our editors will help organize your thoughts and polish your copy. Go here to get started.