« August 2010 | Main | October 2010 »

September 2010

Thursday, 30 September 2010

Standards and laws affecting security at IISC 2010

I was invited to participate in a panel at INTERPOL's first Information Security Conference (IISC). The panel topic  was "standards and laws affecting security". Each panelist gave a short, formal presentation of a panel topic .I spoke about public-private partnerships and policies that affect security. This seems off-topic unless you are familiar with how policies developed by the ICANN community affect law enforcment efforts to combat electronic crime. My presentation considers two public-private partnerships - the Internet and ICANN - and the challenges these partnerships face. I then discuss I how ICANN's multi-stakeholder policy development process and resulting policies affects law enforcement, and how law enforcement can influence policy. 

Dave_at_iisc

The hot topics at IISC were information sharing, expanding communications channels, and creating or reinforcing relationships not only among law enforcement but between LE and the private sector. Kudos to INTERPOL and the host Hong Kong Police for adding yet another venue where folks who are struggling to find ways to improve security and reduce crime can collaborate.

Posted at 10:33 AM in Domain names and DNS | | Comments (0)

Tags: ecrime, ICANN, INTERPOL

Friday, 24 September 2010

Turn your old laptop into a personal bank teller

Malware - especially the drive-by trojan download kind exemplified by Zeus - causes widespread anxiety among users who want to bank online but fear identity theft. Criminals infect dozens, hundreds, perhaps thousands of web pages each day with malware, then wait for that one fateful mouse click that costs you your identity or empties your checking account. They morph malware frequently enough that antivirus software are hard pressed to protect you and your computer from threat.

The most common recommendation you'll find to protect yourself from identity theft is the tired mantra, "don't click on suspicious hyperlinks". That's great advice, but for the simple problem of knowing how to distinguish a suspicious link from a legitimate one. The smart criminals make such distinctions hard for the average user in phishing emails or malicious links they inject into web sites they've compromised or host.

What measures can you take to bank safely online when antimalware and antivirus measures can't keep pace and the criminals set their traps so cleverly that it's a only a matter of time before you make that fatal wrong step?

For now, never use a mobile phone or device to bank online

2013 begins on the tail - or possibly, the onset - of what dozens of hysterical security vendors claim as the era of mobile malware (1, 2, 3...). A 12 year old could fill a hundred blog posts with tales of mobile malware. Immunity's Dave Aitel warned, DO NOT use your phone to bank online or to deposit checks to your account" but in the same column, several security experts suggest ways that you can safely bank online from your mobile device.

Banking Others may be comfortable with recommending that the risk of banking from a mobile device is low enough given the convenience. Given the stakes, not only for personal banking but for situations where employees or government officials (think in terms of tax collectors for small municipalities) might choose convenience over risk, a prudent course is to assume that virtually any device that is used for general Internet or web use is unacceptable.  

Here's what I suggest.

Hire a personal bank teller

More accurately, create a personal teller using a PC/laptop that's collecting dust in the corner of your home office. Any lappie that can connect to your home network, run Windows XP and a browser will do because you are going to configure this system to do one and only one task: open a browser window to your online banking web site so you can bank safely. By configuring this laptop so that it is exclusively for banking, you greatly reduce the likelihood you'll fall prey to a thief.

Begin by erasing and reformatting the hard drive [1,2]. Reinstall the Windows operating system from the media that came with your PC/laptop. Connect to the Internet to update your version of Windows and Internet Explorer so that you are "patch current", but do nothing else while connected. Seriously: nothing!

Open Internet Explorer. From the Tools menu, choose Internet Options. Set your online banking web page as the home page. You should then never submit or click on a URL in this  browser on this laptop again. If you want to use Firefox, then open IE and type (don't search or click) " http://www.mozilla.org/en-US/firefox/new/". While this is perhaps overly cautious, but it will help you establish the mindset for online banking: Trust No URL.

(If you have other computers on your home network, disable sharing and enable Windows Firewall. This isn't a full-blown mitigation strategy for hardening Windows XP; for this, you'd need to invest a bit more time. Whether your "came with" Windows OS version was XP or 7 will affect the additional effort you require but this is a "one time" effort.)

The configuration of your personal bank teller is complete. When you launch IE, you will automatically connect to your online banking web page. Hello, personal bank teller!

Use this PC/laptop for online banking... and nothing else!

Do not install any software on this PC/laptop. Do not add this PC/laptop to a domain or workgroup. Never, ever visit any other site from this PC/laptop. Never check mail or run any other application from this laptop. If you follow these guidelines, you can bank with greater confidence that you've kept the criminals at bay.

If you don't have the OEM disks or a spare copy of Windows to install, try a Linux OS and use Firefox [3,4]. The installation for most Linux OSs is straightforward. More importantly, if you are familiar with Firefo, you really don't have to know anything about Linux, as you are only going to use a browser that's familiar to you. The icon's the same, the UI is very similar, and seriously, this alternative is not nearly as intimidating as you imagine.

Before you scoff at this suggestion, weigh the cost of investing 30 minutes to create a personal bank teller from deprecated hardware against the threat of identity theft. As a side benefit, by using the lappie rather than junking it, you're thinking green.

[Note that while focus on Windows here, Mac users are not impervious to phishing and identity theft and can build a personal teller in a similar manner.]

Posted at 08:16 AM in Anti-Malware and Anti-phishing, Stop Think Connect | | Comments (1)

Tags: identity theft, malware

Next »
Find me on Mastodon and Facebook

Spotlight Posts

  • Interisle Study Reveals Alarming Rise in Online Abuse and Identifies Exploitable Links in Cybercriminal Supply Chains
    My Interisle colleagues and I today published our 2024 Cybercrime Suppy Chain study. We analyzed 16 million cybercrime events to expose a dramatic rise in criminal exploitation of name, address, hosting, and financial supply chains. Our year-over-year findings show that cybercriminals exploit lax policies to easily and cheaply obtain resources for phishing, malware, and spam campaigns. In our report, we provide actionable insights for those aiming to curb cybercrime. Among the major findings in the study, Interisle reports that: The total number of malware, phishing, and spam attacks grew year-over-year by nearly 54%, to nearly 16.3 million attacks. Spam doubled,...
  • Malware quarterly reports for July-September
    Malware quarterly reports for July-September 2024 is now posted at the Cybercrime Information Center. For the period... Malware identified as targeting endpoint devices increased 277% over the prior period. WordPress blog sites used for malware accounted for nearly all the malicious documents reported for this period. We continue to see an uptick in malicious scripts. IPv4 addresses reported for exhibiting characteristics of attackware and traffic injectors increased 38% to just under 1 million. ASNs in China and India again have the most IPv4 addresses reported for hosting malware. More malware trends for the period at https://www.cybercrimeinfocenter.org/malware-trends-july-september-2024. For historical reporting of...
  • Interisle's Phishing Landscape 2024 is here
    Our Interisle team today announced the publication of an industry report, Phishing Landscape 2024, A Study of the Scope and Distribution of Phishing. Interisle’s fourth annual study examines nearly four million phishing reports collected from May 2023 to April 2024 and provides historical measurements using over 15 million phishing reports collected at the Cybercrime Information Center over a four year period. Findings from the study: • The total number of phishing attacks grew to ~1.9 million incidents worldwide. • Phishing attacks hosted at subdomain providers increased by 450,000+ reported names, representing 24% of all phishing attacks. • The use of...
  • Malware Trends, January - March, 2024 posted at the Cybercrime Information Center
    2024 began with a rise in domain names reported for hosting malware unlike any we have seen since we began measuring malware attacks in 2021. The 1Q2024 Top 20 TLDs included 10 new gTLDs, 6 ccTLDs, and 4 legacy gTLDs. Only three TLDs remained in the top 5 TLDs (COM, NET, INFO) from the prior quarter. The ORG and BR TLDs were replaced by SHOP (over 3,000% increase) and TOP (over 700% increase). All but one registrar in 1Q2024’s Top 20 registrar ranking showed increases of 100% or more. Several registrars had 4- and 5-figure percentage increases in domains reported....
  • Malware Trends, January - March, 2024 posted at the Cybercrime Information Center
    2024 began with a rise in domain names reported for hosting malware unlike any we have seen since we began measuring malware attacks in 2021. The 1Q2024 Top 20 TLDs included 10 new gTLDs, 6 ccTLDs, and 4 legacy gTLDs. Only three TLDs remained in the top 5 TLDs (COM, NET, INFO) from the prior quarter. The ORG and BR TLDs were replaced by SHOP (over 3,000% increase) and TOP (over 700% increase). All but one registrar in 1Q2024’s Top 20 registrar ranking showed increases of 100% or more. Several registrars had 4- and 5-figure percentage increases in domains reported....

Search

My Photo

Categories