Malware is Coming to the Trusted Software Near to You – Trade in Code Signing Certificates is on the Rise on the Russian Underground

Written by Tanya Koyfman

Instead of spending days and nights coding, crypting and modifying malware to avoid AV detection, the underground market now offers to sign it with a digital certificate issued to a legitimate entity.

While monitoring our Russian-speaking sources, we identified a Russian forum member offering code signing certificates issued by one of the largest CAs for sale.

The forum thread was opened on a Russian password-protected forum that serves as an illegal platform for cybercrime related discussions. On the forum, one can find sales of financial malware, stolen databases and exploits, as well as technical discussions regarding hacking and programming.

The post about the sale of certificates was initially published two months ago, and the topic is still updated regularly. In the first message, the post author offered one certificate for sale in exchange for almost $1000. According to the seller, the certificate can be used to sign exe files. Forum members interested in purchasing are asked to make contact via Jabber (an instant messaging service based on the XMPP protocol, highly popular among Russian cybercriminals).

The next day, the author published another post claiming that the certificate had been sold. He said that he could obtain 1-2 certificates per week, and that if there was demand he could also get his hands on driver-signing certificates.

The thread also included feedback messages from buyers, who testified that the certificates were useful in avoiding AV detection, but only for a targeted malware infection. In the case of mass distribution of malware, the certificate would be cancelled within days.

During the forum discussion, the seller mentioned that signing an exe file with the certificate helped avoid detection by all AV proactive detection mechanisms except one. He also clarified that the certificates could be used for .exe, .dll, .jar and .doc files, but not for .sys files (drivers).

To date, after almost two months of sales, at least 7-10 certificates have been sold (providing a profit of $10,000 for the seller).

The first message regarding the sale of the certificates

Taking into account that the above forum member has regular access to legitimately issued certificates from one of the top five Certificate Authorities (CAs) in the world, the above case is probably only the tip of the iceberg. We may soon witness an increase in malware distribution attacks that rely on genuine code signing certificates. The $1,000 paid for a certificate is an incredibly low price for the hacker, compared to the large sums of money he can earn using it in his attacks. While we do not know the precise origin of the certificates (a breach at an organization that purchases certificates, a breach at a reseller supplying the CA's certificates, or simply an “illegal” resale of legally purchased certificates), the volume of certificates the seller is supplying is reminiscent of the DigiNotar case.
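As an added example (not code from the original post), here is a defender-side triage that treats a valid signature as one data point rather than a verdict: it flags binaries signed with a very new certificate or by a signer not on an allow-list, and re-opens earlier "allow" decisions once the certificate is revoked, which, as the buyers' feedback above notes, tends to happen within days of mass distribution. Signature metadata is assumed to come from an external verifier; all records, signer names and serials are constructed.

```python
"""Triage of code-signed binaries: 'signed' is not the same as 'trusted'.

Added example, not code from the original post. It assumes signature
metadata was already extracted by an external verifier (an EDR or sandbox
export); every record, signer name and serial below is constructed.
"""
from dataclasses import dataclass, replace
from datetime import datetime
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class SignedBinary:
    path: str
    signer_cn: str                  # subject CN of the code-signing certificate
    cert_serial: str                # serial of that certificate (hypothetical values)
    chain_valid: bool               # chain builds to a trusted root
    signed_at: datetime             # signing time from the countersignature
    cert_not_before: datetime       # start of the certificate's validity period
    revoked_at: Optional[datetime]  # revocation time from CRL/OCSP, if any


def triage(b: SignedBinary, known_signers: Set[str],
           fresh_cert_days: int = 14) -> List[str]:
    """Reasons a correctly signed binary still deserves review.

    A resold or stolen certificate is typically put to use within days of
    issuance and revoked soon after, so certificate age at signing time and
    current revocation status carry more signal than 'signature OK'.
    """
    reasons = []
    if not b.chain_valid:
        reasons.append("chain-invalid")
    if b.revoked_at is not None:
        reasons.append("cert-revoked")
    age_days = (b.signed_at - b.cert_not_before).days
    if age_days < 0:
        reasons.append("signed-before-validity")
    elif age_days < fresh_cert_days:
        reasons.append("fresh-cert")
    if b.signer_cn not in known_signers:
        reasons.append("unknown-signer")
    return reasons


def verdict(b: SignedBinary, known_signers: Set[str]) -> Tuple[str, List[str]]:
    reasons = triage(b, known_signers)
    return ("allow" if not reasons else "review", reasons)


def apply_revocations(allowed: List[SignedBinary],
                      revocations: Dict[str, datetime]) -> List[SignedBinary]:
    """Re-open earlier 'allow' verdicts whose certificate has since been revoked.

    The signature on the file never changes, but the certificate behind it
    does, so a point-in-time verdict goes stale; `revocations` maps the
    certificate serial to its revocation time.
    """
    return [replace(b, revoked_at=revocations[b.cert_serial])
            for b in allowed if b.cert_serial in revocations]


KNOWN_SIGNERS = {"Example Software Ltd"}            # constructed allow-list

SAMPLES = {
    # Long-standing vendor certificate, known signer: nothing to flag.
    "vendor_tool": SignedBinary(r"C:\Program Files\Example\tool.exe",
                                "Example Software Ltd", "1A2B", True,
                                datetime(2014, 3, 2), datetime(2013, 1, 10), None),
    # Same vendor, a newer certificate that will be revoked later on.
    "updater": SignedBinary(r"C:\Program Files\Example\updater.exe",
                            "Example Software Ltd", "7F00", True,
                            datetime(2014, 8, 22), datetime(2014, 1, 15), None),
    # Signed five days after issuance by a signer nobody has seen before.
    "dropper": SignedBinary(r"C:\Users\Public\invoice.exe",
                            "Acme Widgets LLC", "55AA", True,
                            datetime(2014, 8, 25), datetime(2014, 8, 20), None),
}

# Constructed revocation feed: the CA pulls certificate 7F00 a week later.
REVOCATION_FEED = {"7F00": datetime(2014, 8, 29)}


if __name__ == "__main__":
    for name, b in SAMPLES.items():
        print(name, verdict(b, KNOWN_SIGNERS))
    allowed = [b for b in SAMPLES.values() if verdict(b, KNOWN_SIGNERS)[0] == "allow"]
    for b in apply_revocations(allowed, REVOCATION_FEED):
        print("re-triage", b.path, verdict(b, KNOWN_SIGNERS))
```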

The Case of DigiNotar (July-August 2011)

DigiNotar was a Dutch Certificate Authority owned by VASCO Data Security International. DigiNotar went bankrupt following a security breach that resulted in the fraudulent issuing of CA certificates on September 3, 2011. DigiNotar hosted a number of CAs and issued certificates including default SSL certificates, Qualified Certificates and ‘PKIoverheid’ – government-accredited certificates.

In August 2011, a rogue certificate for *.google.com signed by DigiNotar, which had been used against Internet users in Iran, was revoked by several browsers. Fox-IT conducted an investigation of the events in their report ‘Operation Black Tulip’ and found that a total of 531 fraudulent certificates had been issued. They identified around 300,000 requests to google.com from IPs originating in Iran that used the rogue certificate before it was revoked. The attack lasted nearly six weeks.

Users behind the affected IPs may have had their e-mail intercepted, and their login cookies could have been captured, allowing the attacker to enter their Gmail accounts and every other service offered by Google. With access to the e-mail account, the attacker could also reset passwords for other services via the lost-password function. Fox-IT further examined the hacking tools and found some of them amateurish and some very advanced; some were published hacking tools and some were developed specifically for the attack.

Another Phish in the Sea

The rise in scamming campaigns has become a focal issue for the InfoSec world in recent years. More and more attacks target everyone from large corporations, using techniques “tailored” to the target, to ordinary users, by spreading the lure to anyone available. The platforms from which the malware is spread range from standard email messages and social networks to more complicated SMS scams.

We will attempt to describe herein the basic steps to take to determine if a suspicious email, text message or Facebook post is actually malicious – in order to stay safe from falling victim, while still being able to keep up with the latest 9GAG spam.

Source Identity

When receiving a new email or text message, check who the sender is. If the message comes from an unknown person – a source you are not expecting contact from or a strange looking email name – do not open it! Browsing social networks like Twitter can also lead you to malicious actors that will try to lure innocents and curious people.

One such example is a reservation email scam that “accidentally” sends a room reservation email to you instead of the hotel manager. The email has an attachment, purportedly containing a list of special requirements for the guests, which turns out to be a malicious element that downloads additional executable malware.


Content

We have all heard the joke about receiving a scam email from a Nigerian prince, where the victim is asked to provide their bank account details in order to receive a large sum of money, but reality is not so far off. Attackers use sophisticated techniques to capture your attention, be it by intimidation, exploiting the latest trending topic or informing you of a transaction.

The recent iCloud hacking leak scandal has been a hot topic on the Internet, and the phishing attacks soon followed. The tweet, which tries to grab your attention by sharing a link to an alleged nude video of Jennifer Lawrence, redirects visitors to a download page for a video converter. Of course, the downloaded file turns out to be adware, not to mention the fact that it forces its victims to share the malicious site on their Facebook profiles.


Grammar

I believe that the easiest way to observe that something about a message of any kind is wrong is bad grammar. Foreign scammers who are not fluent in the target audience's language encounter a barrier that they try to bypass by using online translators or just trying their luck at translating the message on their own. A poorly written letter from a formal organization or a shifty-looking website should definitely raise a red flag.


Links

Apart from the content itself, the message might also contain links. The URL that appears in the text might seem legitimate, but it is important to take a closer look at the domain name, and to ‘hover’ over the link with the mouse to see whether the actual web address matches the one presented to you (for other fake-link-finding techniques, see our previous post).

Let’s say you received an email from the human resources department in your company – sounds like a legitimate item to open. But what if it contains a link to download CryptoWall ransomware? In this particular situation, it is very difficult to tell whether this is a phishing scam, but by taking a closer look at the shared link, you can notice that it redirects you to a gaming website and forces you to download a suspicious ZIP file that contains the malware.


Attachments

Some scammers direct you to open files attached to their message. They might appear legitimate because they are Word or ZIP files, but they end up being disguised malware. Be aware of attachments you are not expecting to receive, especially executable files like .EXE, .PIF, .JAR, .BAT and .REG.

Curiosity killed the cat, and apparently also some people’s computers. An innocent-looking email suggesting that you view someone’s new photo contains an attachment called photo.zip, which unfortunately does not contain an attractive person’s selfie, but rather a Zbot Trojan.

And just like the old Japanese saying goes “Attack a man with a phish and you’ll scam him for a day; Teach a man to phish and you keep him safe for a lifetime.”

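The checks above (sender, links and attachments), as an automated first pass over a message in an added example that is not part of the original post: it compares the sender's domain with the Reply-To domain, the domain a link displays with the one its href actually points to, and attachment extensions against the list given above. Both messages and all domains are constructed.

```python
"""First-pass triage of an incoming message: sender vs Reply-To,
displayed link vs real href, and risky attachment extensions.

Added example, not from the original post; the messages built below are
constructed, and every domain in them is a placeholder.
"""
import email.utils
import re
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

# Executable extensions named in the post; ZIP is reported at lower
# severity because it is the usual wrapper (photo.zip, the CryptoWall ZIP).
EXEC_EXT = {".exe", ".pif", ".jar", ".bat", ".reg"}
ARCHIVE_EXT = {".zip"}
# Anchor text that looks like a URL or domain, e.g. 'hr.example.com/benefits'.
DOMAIN_LIKE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:[/:]|$)", re.I)


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(s):
    """Hostname of a URL, or of bare text such as 'hr.example.com/portal'."""
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()


def base_domain(host):
    """Crude registrable domain: the last two labels (no public-suffix list)."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def addr_domain(header_value):
    return email.utils.parseaddr(str(header_value or ""))[1].rpartition("@")[2].lower()


def analyze(msg):
    """Return (finding, detail) pairs; an empty list means nothing obvious."""
    findings = []
    from_dom = addr_domain(msg.get("From"))
    if msg.get("Reply-To"):
        rt_dom = addr_domain(msg.get("Reply-To"))
        if base_domain(rt_dom) != base_domain(from_dom):
            findings.append(("reply-to-mismatch", f"{from_dom} -> {rt_dom}"))
    for part in msg.walk():
        fname = part.get_filename()
        if fname:
            ext = "." + fname.rsplit(".", 1)[-1].lower() if "." in fname else ""
            if ext in EXEC_EXT:
                findings.append(("executable-attachment", fname))
            elif ext in ARCHIVE_EXT:
                findings.append(("archive-attachment", fname))
        elif part.get_content_type() == "text/html":
            collector = AnchorCollector()
            collector.feed(part.get_content())
            for href, text in collector.anchors:
                if href and DOMAIN_LIKE.match(text) and \
                        base_domain(host_of(text)) != base_domain(host_of(href)):
                    findings.append(("link-mismatch", f"{text} -> {href}"))
    return findings


def build_sample():
    """The 'HR department' lure described above, as a constructed message."""
    msg = EmailMessage()
    msg["From"] = "HR Department <hr@example.com>"
    msg["Reply-To"] = "hr-desk@example-benefits.net"
    msg["To"] = "employee@example.com"
    msg["Subject"] = "Updated benefits form"
    msg.set_content('<p>Download the form from '
                    '<a href="http://downloads.example-games.org/form.zip">'
                    'hr.example.com/benefits</a>.</p>', subtype="html")
    msg.add_attachment(b"PK\x03\x04 constructed", maintype="application",
                       subtype="zip", filename="photo.zip")
    msg.add_attachment(b"MZ constructed", maintype="application",
                       subtype="octet-stream", filename="invoice.pdf.exe")
    return msg


def build_clean():
    """A legitimate-looking message from the same sender, for comparison."""
    msg = EmailMessage()
    msg["From"] = "HR Department <hr@example.com>"
    msg["To"] = "employee@example.com"
    msg["Subject"] = "Holiday schedule"
    msg.set_content('<p>See <a href="https://hr.example.com/holidays">'
                    'the schedule</a>.</p>', subtype="html")
    return msg


if __name__ == "__main__":
    for finding in analyze(build_sample()):
        print(*finding)
    print("clean message:", analyze(build_clean()))
```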

After the Russian Yandex and Mail.ru, Gmail Accounts are Leaked. Who will be Tomorrow’s Target?

This morning cyber security sources informed us for the third time this week about email addresses and passwords being leaked from a large mail provider. After the Russian services Yandex.ru (one million leaked emails) and Mail.ru (4.5 million leaked emails), came Gmail’s turn – around five million emails were posted on a Russian platform.

According to publications about the Gmail leak, the data was published on a Russian forum that focuses on bitcoin issues – Bitcoin Security. The forum member who uploaded the database is nicknamed tvskit, and he was the first one to publish the data online in all three of the cases.

A short search for the above nickname on social networks revealed a 34-year-old man by the name of Ivan Bragin, from the Perm administrative center in Russia. His VK and Twitter pages contain plenty of information regarding crypto-currencies, in addition to a tweet about the Gmail leak linking to the BTC forum. From his posts, it seems that he did not directly connect himself to the leaks, nor did he take credit for stealing the data. Rather, the story he tells is about running into these email lists on the web, then deleting the passwords and publishing them ‘for the greater good’. It is a strange coincidence that all three lists were found by the same person.

The fact that tvskit‘s real identity was so easy to find (no attempts to hide it on his side), combined with the fact that initially the account list was published without the passwords (“just so that people can check whether their address is on the list”), makes us doubt that he stole the data.

According to several cyber security sources that analyzed the database, some of the compromised mail accounts were either automatically registered or were not active in the past. Nevertheless, some users of the above providers did confirm the authenticity of the logins and passwords.

Yandex and Mail.ru denied any kind of breach of their databases, so the leading hypothesis regarding the accounts' origin is that all three lists were collected over a long period of time, from different sources, perhaps along with other, less “attractive” data, and were later sorted by email provider and published online. In addition, we should also consider that at least some of the addresses are fictitious or not valid. At this moment, it is difficult to specify the exact number of addresses with a valid password.

Relying on the information above, we believe that all three lists were obtained by the same person (not necessarily tvskit), who managed to get hold of some valid logins and passwords and then mixed them with non-valid or automatically created addresses to intensify the scale of the leak.

A forum thread from the Bitcoin Security forum, which contains the leaked Gmail database
Ivan Bragin’s tweet linking to the forum post about the Gmail leak

How to Spot a Fake LinkedIn Profile in 60 Seconds?

LinkedIn is a terrific platform to cultivate business connections. It is also rife with fraud and deceit. Fraudsters use it as a social engineering tool that allows them to connect to professionals and lure them into disclosing their real contact details (a work email is the best), then use that email address to send spam or, worse, deliver malware.
Always check the profile before accepting an invitation, and do so via the LinkedIn message mechanism and not via email (fake invitation emails can cause much more harm than fake profiles – see our previous post).

So we have established that it is imperative to be able to identify a fake profile when someone invites you to connect on LinkedIn. But how would you do that? Follow our proprietary (just made up) CID protocol! CID stands for Connections, Image and Details. By following it, you will be able to spot most fakes in 60 seconds or less. More elaborate fraud attempts will take much longer, or may even be impossible for the non-professional to identify. We will discuss these later.

Connections – while you can fabricate any “fact” on your profile, connections cannot be faked; they have to be “real” LinkedIn users who have agreed to connect with you. So unless the fraudster is willing to create 100 other fake profiles, and connect these with the fake persona he is trying to solidify (something that takes a lot of time and effort to do, and something I hope the LinkedIn algorithm will pick up), the only way for him to have 100 connections is to connect to 100 LinkedIn users. So if you see someone with a puny number of connections, you can start to be more suspicious. So, connections number check – 5 seconds. Moving on.

Very few connections

Image – by now most people creating a LinkedIn profile realize that it is in their best interest to include a real image of themselves, and usually a professional-looking one (either taken by a professional or in professional attire). So no image, or an obscure one, is kind of suspicious. Also, any too-good-looking image should ring an alarm bell. Since it is almost certain that the fraudster will not use his/her own image (that would make the profile real to a certain extent), they will most likely search for a nice photo to post online. How can you tell if the image they have used is taken from someplace else? There are dedicated websites for reverse image searching, but since we are under serious time constraints here, why not simply right-click the image and ask Google to check the source? Very quickly it will find a matching image and you can match the profile image to an existing stock image. Another 25 seconds gone. Say these two tests were insufficient and you are still not sure? Check the Details.


Starting Google image search

Image search results

Details – people know that the more detailed their profile is, the better. Profiles lacking education or occupation details are very unreliable, as are any severe discrepancies: how could this guy study at Yale and serve overseas at the same time? A lack of skills, recommendations and endorsements does not speak in favor of any real profile. Taking another 30 seconds of your precious time, you should by now be able to spot a fake profile.
Sure, someone just starting out on LinkedIn might trip our CID checks simply because the profile is new and therefore has few connections. If you know this guy, go ahead and connect. If you do not, it is best to wait until the profile seems more robust.
It is very important to note that accepting the invitation to connect by itself (given it was delivered via a LinkedIn message mechanism or clicked on the user profile) does not create any damage, but it establishes a link between you and a fraudster, which can later be utilized as an attack vector.

Oh, and if you have 30 more seconds, why not do everyone a favor and report the fraudster? LinkedIn allows you to report suspicious profiles for review.

Report profile

Simply click the “Block or Report” option, fill the short form and there you go.

Report the profile for review by LinkedIn

P.S.

The profile displayed in this article is an actual fake profile that tried to connect to one of our analysts. Busted!

Did Turkish Hackers Actually Hack the Israeli “Iron Dome”?

Ayyildiz Tim (AYT) is one of the more prominent Turkish hacker groups today. The group was founded in 2002 by Turkish hackers residing outside of Turkey. AYT advocates Turkish state ideology and has declared its intention to fight against “every form of attack on the Turkish Republic”, or attempts to threaten Turkish unity and Islam. Israel, the U.S., Armenia, Syria and the Kurdistan Workers’ Party (PKK) are counted among the group’s main targets.

A number of sources and web surfers refer to AYT as “The Turkish Cyber Army”, claiming that the group directly represents the tactical arm of the Turkish government with regard to everything surrounding cyberwarfare.

AYT founder, Mehmet İshak Telli (Cedkan Bir Yafes), was interviewed by the Ihlas News Agency (IHA) – one of the leading video news agencies in the world – on August 7, 2014. In the interview, Telli claimed that Turkish hackers had hacked Israel’s “Iron Dome” air-defense system and that it would be a good answer to Israeli aggression. In his statement, Telli claimed that the Arrow 3 anti-ballistic missile software had also been hacked. He further stated that a secret war was being waged between the Turkish and Israeli intelligence units and that AYT had proven its cyber superiority.

Following this interview, numerous media outlets published his statements, falsely and mistakenly adding that “BBC editor” Brian Krebs had congratulated AYT and MIT (the Turkish National Intelligence Agency) on their hacking of Israel’s “Iron Dome”. However, the reports about Brian Krebs also misspelled his name “Vrian Krebs.” According to RedHack (another Turkish hacker group), AYT is merely exploiting the media to fool people.

Tweet made by a RedHack member

What Krebs actually wrote on July 28 was: “According to Columbia, Md.-based threat intelligence firm Cyber Engineering Services Inc. (CyberESI), between October 10, 2011 and August 13, 2012, attackers thought to be operating out of China hacked into the corporate networks of three top Israeli defense technology companies…”.

Another investigation undertaken by security expert Reza Rafati also concluded that the information supporting the AYT claim regarding “Iron Dome” was fake.

Cyber Threats to the Insurance Industry

Written by Gal Landesman

In recent years, insurance companies have been finding themselves affected by the rising number of major incidents of cyberattacks. On the one hand, this trend presents a business opportunity for selling cyber insurance to organizations concerned about protecting their sensitive assets. On the other hand, insurance companies are not excluded from the cyber battlefield, as they hold large amounts of sensitive information regarding their clientele and are therefore targeted by cyber criminals. Moreover, data breaches that occur in the insurance industry are more difficult to detect than credit card information theft because clients check their bank accounts more frequently.

(Please note – this blog post is an excerpt from our report: “Cyber Threats to the Insurance Industry”. If you are interested in receiving the full report please write to: info@sensecy.com).

Cyber Insurance

Cyber insurance is a service much sought after by many companies today. Most fear the bad PR in the wake of a cyberattack, the cost of dealing with the Data Protection Commissioner and of handling affected clients. The financial burden and threat of reputation damage caused by downtime and data leakage are becoming more noticeable. Companies in industries such as healthcare, financial services, telecommunications and online retail now realize that cyber insurance is essential to minimize the potential financial impact.

Some insurance companies selling cyber insurance have reported up to a 30% increase in sales over the last year. This type of insurance typically covers such things as exposure to regulatory fines, damages and litigation expenses associated with defending claims from third parties, diagnosis of the source of the breach, recovering losses and reconfiguring networks.

The cyber insurance market is fast-growing with a value of EUR one billion annually in the U.S. and EUR 160 million annually in the E.U., where it has been adopted at a slower rate.


Insurance Company Data Breaches

Insurance companies are now selling cyber insurance to organizations – ironically making themselves more vulnerable to attack, as they hold valuable information about organizations and people.

Lately, regulators have been focusing their efforts on insurance companies that can sometimes hold very sensitive information on their customers, such as PII (Personally Identifiable Information) and PHI (Protected Health Information). The New York State Department of Financial Services sent out a survey in 2013 to insurance companies asking them about their cyber security policy. Insurance companies hold not only information on regular people, but they also hold sensitive and valuable information on their corporate customers. Insurers hold sensitive information on companies across a variety of industries.

The risks are evident in the following examples of reported data breaches of insurance companies:

  • Aviva suffered a data leak in which two of its employees disclosed customer information and car details to third-party companies.
  • The Puerto Rican insurance company Triple-S Salud (TSS) suffered a data breach and its management was fined $6.8 million by the Puerto Rico Health Insurance Administration.
  • In October 2012, Nationwide insurance provider was hacked, compromising the personal information of 1.1 million customers.

Commercial Espionage

Not only is the insurance sector suffering from the aforementioned threats, but insurance companies are apparently also facing threats from their competitors in the industry, who are going after their data in commercial espionage, employing hacking techniques. According to a report released by The Independent, SOCA – the British Serious Organized Crime Agency – suppressed reports revealing that law firms, telecom giants and insurance companies routinely hire hackers to steal information from rivals. According to the report, a key hacker admitted that 80% of his clientele were law firms, wealthy individuals and insurance companies.

Selling Insurance Information on the Underground Black Market

PII (Personally Identifiable Information) and PHI (Protected Health Information) sales on the underground continue to rise.

Several underground marketplaces sell information packages containing “verified” health insurance credentials, bank account numbers/logins, SSNs and other PII. According to Dell SecureWorks, these packages are called “fullz” – an underground term for the electronic dossier on an individual used for identity theft and fraud – and they sell for about $500 each.

Such underground marketplaces can be used as a one-stop shop for identity theft and fraud. Health insurance credentials are sold for about $20 each and their value continues to rise as the cost of health insurance and medical services rise.

Q&A with Ruth Kinzey: The Reputation Impact of a Cyber Breach – What Are the Potential Risks and How Can Organizations Mitigate Them?

Written by Ruth Kinzey

As current events clearly illustrate (the Adobe, Target and eBay breaches), there is more to a cyber breach than lost data – a massive cyber incident also has the potential to deeply harm the victim company’s reputation. Today we would like to explore the issue of reputation management with regard to cyber threats.

For this we have invited Ruth Kinzey, who kindly agreed to share her views on the topic.

Ruth Kinzey, MA, is a reputation strategist with more than 35 years of communications experience. Ruth is a professional speaker, consultant, author, trainer, and adjunct faculty member of Rutgers University. She is founder and president of The Kinzey Company, an organization dedicated to helping clients proactively and strategically enhance and protect their reputations.


Q: How does strategic reputation management differ from PR or online reputation management?

Both public relations and online reputation are part of the strategic reputation management equation. Being strategic about an organization’s reputation means taking a holistic view by analyzing multiple audiences and communication channels; determining how well aligned the company is within itself; and examining the context in which the business operates. The organizational context takes into account the potential impact local, national and even international events can have on an organization’s reputation in addition to what is happening in the institution’s industry or sector as well as the culture of the firm.

The goals of strategic reputation management are to proactively enhance an organization’s reputation and to help protect it in times of crisis. Consequently, it’s also necessary to understand the organization’s current reputation as well as its reputational goals.

Q: What are the challenges of reputation management in today’s world of cybercrime and cyber warfare?

The cyber world is a bit like the “Wild West.” Laws are not consistent from country to country. Judicial rulings are challenged to keep pace with cyber crime. And while breaches, which impact the privacy of individuals and organizations, can be significant – even catastrophic, the perpetrators must be caught before they can be dealt with aggressively. So, the problem with “cyber lawlessness” is that it financially victimizes the institution and its many stakeholders and can tarnish reputations. This is why every organization should assess and manage its cyber risk.

System vulnerabilities must be identified, prioritized, and mitigated as much as possible. Because hackers are enterprising and highly likely to find weak links in the operating system that an organization may not even realize are present, a crisis plan should be created, too. That way, when a company – or even a nonprofit – is in the midst of dealing with some type of “cyber atrocity,” the organization isn’t trying to make important decisions such as when to notify government agencies, law enforcement, and customers. The institution also isn’t scrambling to determine the best way to contact customers or shareholders or what they should do to help clients or employees best manage the breach.

Without developing cyber risk mitigation measures and carefully constructing a crisis plan, an organization is going to lose more than data. The breach will lead to a reputational disaster, too, because the company will not be prepared on either front. Depending upon the degree of damage that occurs, the business may or may not be able to recover.

Q: Do you think today’s C-suite and upper management understand the impact a cyber incident could have on the organization’s reputation? And, do you believe they are doing anything to mitigate it?

One cannot listen to the news without recognizing the likelihood of a cyber attack. And, there are many businesses – even departments within the government – that have experienced data breaches. Consequently, there are case studies explaining what happened, how the organization managed the crisis, and the resulting reputational impact. So, senior leadership understands cyber crime is a very real threat to an organization’s operation and reputation.

However, is upper management doing anything to mitigate it? That is a very different question. And, the response varies from company to company.

Dealing with cyber crime requires vigilance and money, particularly as hackers become more and more sophisticated in their techniques. Senior leadership and the government are recognizing the importance of collaboration and information sharing. Industry and professional organizations are realizing they have a role in bringing together members to focus on the cyber crime issue and to help tackle this worldwide problem as well.

Q: Which is more harmful: insufficient security of corporate information or customers’ information? What could lead to greater reputational damage?

Both are harmful and both have the potential of damaging reputations. Depending upon the amount and type of data compromised, an individual could experience financial devastation and significant reputational damage. The actions of a business – before, during and after a cyber attack – could result in catastrophic financial implications as well as a severely damaged reputation.

People want to know the company has taken appropriate measures to protect data and that the business is doing all it can to keep personal information safe. In addition, the public wants a trustworthy business partner that keeps them informed about security issues and is willing to help them during the aftermath. A company not perceived as behaving in a proactive and trustworthy manner will experience even greater reputational damage.

Q: How can reputational damage be contained?

It is impossible to entirely contain reputational damage because an organization’s reputation is ultimately in “the eye of its beholder.” Having said this, there are steps a business can take to help reduce the severity of reputational damage.

First, it is important for the company to proactively enhance its reputation through actions such as exemplary customer service, ethical and transparent conduct, and environmentally and socially responsible behaviors. Model performance builds trust and goodwill. This positive reputation helps the public believe in the good intentions of the organization, which causes a more favorable opinion and generates support during times of trouble.

Having a crisis management plan, which includes communication, will help an organization better protect its reputation when in the midst of a cyber attack. Minutes count in any crisis, so having protocols and procedures established improves an organization’s responsiveness to the situation and enables the firm to respond to its many stakeholders in a more thoughtful, strategic manner – both during and after the cyber crime.

Q: Can reputational data be measured?

Yes. But the methodology can vary, depending upon what is being measured.

Insurance companies are paying closer attention to the impact a negative reputation has on a company’s success. Some insurers even offer public relations or media relations assistance when they become aware of potential crises being faced by clients. Other agencies offer reputation insurance because they are keenly aware of the financial impact involved when reputational loss occurs.

If publicly owned, the investor relations department may judge the degree of reputational capital the organization has by factors such as the stock price or number of investors; whereas, the marketing department may measure the number of lost customers, customer feedback, and overall lagging sales. On the other hand, the media relations department may judge the status of the company’s reputation by the types of media inquiries, the tone of articles, the frequency of references to the company in relation to a security breach, or other even more sophisticated parameters. And, there are many online agencies that examine the social profile of a business and offer reputational insights in conjunction with this.

So, reputation – both positive and negative – can be measured. But, it is important to know exactly what you are trying to measure and to have objectives clearly in mind before selecting the best form of measurement to capture this information.

Q: Can an organization’s reputation recover after a cyber attack?

It is possible for an organization to recover after a cyber attack. However, this is primarily dependent upon the company’s actions before, during and after the occurrence of this crime.

The public wants to know the firm took appropriate precautionary steps. Were systems in place to help mitigate such attacks? Was management vigilant, and were issues escalated upon detection?

Also, were victims – and potential victims – notified quickly about the compromise in security and kept abreast as to how their data was affected? Even if a firm doesn’t know the full implications of the breach, it’s a good idea to offer general information and to provide suggestions for protecting personal data.

Not only is a company’s conduct important prior to and during the unfolding of a cyber attack, but people also judge a business on its behavior after such an incident. Does the firm demonstrate its understanding of the gravity of the situation? What actions will it implement to prevent the same type of situation from occurring again? Are people within the institution being held accountable, particularly if the event was preventable or could have been better contained? Is the organization trying to help victims by taking steps such as offering free credit monitoring?

Overall, the public can be amazingly forgiving, if a business has a good reputation and demonstrates exemplary conduct in how it manages a cyber attack. If this is the case, even if there is a dip in stock performance or lower sales in the short term, people will return. However, if the business has not been proactive in trying to protect its data, lacked transparency in its reporting, or failed to demonstrate its genuine regret for what happened, it will be much more difficult to regain customer, investor, government and public trust.

Why Scaring Is NOT an Effective Technique for Increasing Cyber Security?

There is a big hole in the Internet and it’s bleeding passwords. Or at least that is what one would understand from following various media reports about “Heartbleed”, that ominous flaw in the design of the Internet’s basic encryption method, the SSL. Just by reading (and listening to and watching) the media, one could be excused for thinking that the Internet as we know it has come to an end. Slogans like “Internet safety is gone” and “Replace all your passwords now!” were being shouted repeatedly (didn’t they tell us that passwords were useless anyway? And didn’t they say that 99.9% of the passwords are 123456 anyway?).

Regardless of the actual severity of this flaw, two things come to mind when analyzing the public and media’s behavior regarding Heartbleed. The first is that the media is thirsty for cyber-related stories, and is willing to blow any story out of proportion just to make the headlines – especially if it can be said to be “relevant to everyone” and “puts us all in danger.” But this is not surprising – there is a very unhealthy relationship between the media, the Cybersec industry and the public – each doing its share to evoke panic and misinformation.

What I find more disconcerting is that some people and organizations use such incidents to increase awareness of cyber threats and turn this into a call for action. While there is nothing wrong with raising awareness, I do believe that using it too much – i.e. scaring people – achieves the opposite effect. Want an easy way of verifying this? Just ask the people around you (normal folk, not industry techies) if they have heard of Heartbleed. Many of them (especially in the U.S.) will probably say yes. Then ask how many of them have changed their passwords as a result of this being made public. I can almost guarantee that the answer will be zero. The explanation for this is simple – when people are presented with a catastrophe, they tend to do absolutely nothing. If nothing is safe anymore, then why bother doing something?

And that is exactly the problem. By creating panic, we also create apathy, when we should evoke emotion and move people to act – seek professional advice, check their systems for breaches, whatever. We should be stating very clearly the REAL threats and the REAL remedies, even if they make less appealing headlines. Only then do we stand the slightest chance that the “Average Joe” will stop, listen and act differently than before. “Make them aware, not scared” should be our motto.


Where Does All the Data Go?

Written by Gal Landesman

We have recently learned of numerous data breaches targeting the healthcare industry that have exposed electronic personal healthcare information (ePHI). Just this month, a Chicago doctor’s email account, holding information on 1,200 patients, was accessed; a stolen laptop and flash drive jeopardized 2,500 patients’ data in Michigan; the investigation of the California Sutherland Healthcare Services data breach revealed that data pertaining to 338,700 individuals had been compromised; and La Palma Inter-community Hospital announced an older data breach case involving one of its employees, who accessed personal information without permission.

We are hearing about such incidents on an almost daily basis. Symantec even named 2013 the year of the “Mega Breach”, with more than 552 million identities exposed that year. According to Symantec, the healthcare sector suffered the largest number of disclosed data breaches in 2013. Symantec attributes this to the large amount of personal information that healthcare organizations store and to the strict regulatory standards requiring them to disclose data breaches. Still, the healthcare industry is one of the sectors most impacted by data breaches this year.

Targeted data includes health insurance information, personal details and social security numbers. What could really happen if a patient’s personal data falls into the wrong hands?

Such breaches can cost their victims dearly – putting their health coverage at risk, causing legal problems or leading to inaccurate medical records. Attackers could make fraudulent insurance claims, obtain free medical treatment or addictive prescription drugs for personal use or resale.

Cyber criminals are definitely eyeing medical records. These records can fetch about $60 apiece on the black market, according to Norse-Sans, which published a detailed report on the issue this February. The report claims that such records are even more valuable than credit card information because they present criminals with greater opportunities for exploitation, such as insurance and prescription fraud. Norse-Sans also identified a large volume of malicious traffic in its analysis of healthcare organization traffic.

Another example of interest was published by the Wall Street Journal, days before the Norse-Sans report. It featured valuable network information of healthcare facilities that had been dumped on 4shared.com (a file-sharing site), including firewall brand, networking switch model, Internet addresses of wireless access points, blueprints of the facilities, locations of PCs and printers, encryption keys, and usernames and passwords that could be used for network access.

Here at SenseCy, we successfully traced the usage of breached medical information on Underground forums and the DarkNet. The following are some examples of prescription drugs for sale on the Underground:

Someone is offering Clonazepam (Klonopin), which affects chemicals in the brain, for sale:

[Screenshot: Clonazepam listing]

Another vendor offers different drugs, including ADDERALL-IR, a psychostimulant pharmaceutical drug, and Percocet, a narcotic pain reliever (containing an opioid):

[Screenshot: ADDERALL-IR listing]

Information for sale:

[Screenshots: information for sale]

Original prescriptions for sale:

[Screenshots: prescriptions for sale]