How ransomware extortionists hide their tracks

Cybercriminals extorted about one billion dollars from ransomware victims last year, according to the FBI, and nearly all of the perpetrators went unprosecuted, largely because of the methods they use to protect their identities and hide their funds. They go to great lengths to keep authorities from identifying them and from seizing or freezing their money, and by and large those efforts have paid off. Here’s how they do it:

Hidden identities, disposable email
Extortionists protect their identities at every point where they must interact with victims: when they distribute the ransomware, and when they collect ransom payments in exchange for decryption keys.

When sending phishing emails to targets, extortionists use disposable email accounts registered under fake names with no useful contact information. In some cases the account belongs to someone else entirely: a legitimate user’s account that was compromised, taken over and used to send the malicious messages, so that any investigation leads back to the victim of the takeover rather than to the attacker.

Layered like an onion
Extortionists often protect themselves during the collection phase with onion routing, most commonly the Tor network. Tor wraps traffic in multiple layers of encryption and relays it through a series of volunteer-run nodes, each of which learns only the previous and the next hop, so no single relay sees both who is talking and to whom. Ransom payment portals and the servers holding decryption keys are typically run as Tor hidden services with .onion addresses, which are reachable only through Tor and do not reveal the server’s IP address. This is what keeps researchers and law enforcement from identifying where the payment infrastructure and decryption keys are hosted.

Cryptocurrency enables anonymity
The cybercriminals responsible for disseminating ransomware typically demand payment in some form of cryptocurrency. Bitcoin is the most popular, with Litecoin and Dogecoin coming in second and third place, respectively. Bitcoin is held in a digital wallet and is bought and sold on exchanges, through peer-to-peer marketplaces, and in person-to-person trades using an intermediary. Every Bitcoin transaction is recorded on a public ledger, but a transaction references only the Bitcoin addresses (often loosely called wallet IDs) of the parties, not the names of the individuals behind them. An address carries no identifying information beyond the address string itself. This makes Bitcoin pseudonymous rather than truly anonymous: the full history of every address is public, so the protection rests on nobody being able to tie an address to a person.

Cybercriminals typically keep an address for only a short period and may use it for just a few transactions before switching to a new one, so that no single address stands out as a heavy receiver of payments. They also route funds through bitcoin laundering services, or mixers, such as bitmixer, which pool coins from many customers and pay out unrelated coins to break the visible link between incoming and outgoing funds. Address rotation has limits, however: the moment funds from several addresses are spent together in one transaction, the public ledger links those addresses to one holder, and cashing out through an exchange that verifies customer identities can tie the whole chain to a person.
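The following is an added example, not part of the original article, showing how investigators exploit the pseudonymity just described. It applies the common-input-ownership heuristic (all inputs of one transaction are assumed to belong to the same key holder) to a constructed set of transactions; the addresses, transaction ids and the simplified address-only model are all assumptions made for the example, not real chain data.

```python
"""Common-input-ownership clustering over constructed Bitcoin transactions.

Added example, not from the original article. It illustrates why rotating
addresses (the text's "wallet IDs") gives pseudonymity rather than anonymity:
the ledger is public, and the heuristic that every input of a transaction is
spent by the same key holder links addresses as soon as the extortionist
consolidates several ransom payments in one spend. All addresses and
transactions below are made up for the example; the model tracks addresses
only, not individual UTXOs.
"""
from collections import defaultdict

# Constructed sample: three victims pay three freshly generated ransom addresses,
# then the extortionist sweeps the funds towards a mixer and an exchange.
SAMPLE_TXS = [
    {"txid": "t1", "inputs": ["victimA"], "outputs": ["ransom1"]},
    {"txid": "t2", "inputs": ["victimB"], "outputs": ["ransom2"]},
    {"txid": "t3", "inputs": ["victimC"], "outputs": ["ransom3"]},
    # Consolidation spends: several ransom addresses signed in one transaction.
    {"txid": "t4", "inputs": ["ransom1", "ransom2"], "outputs": ["mixer_in"]},
    {"txid": "t5", "inputs": ["ransom3", "ransom1"], "outputs": ["exchange_deposit"]},
    # Unrelated traffic that must not be linked to the ransom cluster.
    {"txid": "t6", "inputs": ["merchantX"], "outputs": ["merchantY"]},
]


class DisjointSet:
    """Union-find over address strings."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_addresses(txs):
    """Group input addresses that were ever spent together in one transaction.

    Outputs are deliberately not clustered: paying an address says nothing
    about who controls it, so victims stay separate from the extortionist.
    """
    ds = DisjointSet()
    for tx in txs:
        inputs = tx["inputs"]
        ds.find(inputs[0])  # register single-input spends as their own cluster
        for addr in inputs[1:]:
            ds.union(inputs[0], addr)
    clusters = defaultdict(set)
    for addr in list(ds.parent):
        clusters[ds.find(addr)].add(addr)
    return [frozenset(c) for c in clusters.values()]


def cluster_of(txs, addr):
    """Return the cluster containing addr (a singleton if it never spent anything)."""
    for c in cluster_addresses(txs):
        if addr in c:
            return c
    return frozenset({addr})


def payments_into(txs, cluster):
    """Transaction ids that paid the cluster from outside it: one per victim here."""
    return {
        tx["txid"]
        for tx in txs
        if any(o in cluster for o in tx["outputs"])
        and not any(i in cluster for i in tx["inputs"])
    }


if __name__ == "__main__":
    actor = cluster_of(SAMPLE_TXS, "ransom1")
    print("ransom addresses under one key holder:", sorted(actor))
    print("ransom payments received by that cluster:", sorted(payments_into(SAMPLE_TXS, actor)))
```

Three addresses that looked unrelated while the ransoms were being collected collapse into one cluster with three incoming payments once they are spent together. The heuristic is defeated by CoinJoin-style transactions in which unrelated parties co-sign inputs, which is exactly the link a mixer like the one named above exists to break, and the final step from a cluster to a person usually comes from an exchange's customer records rather than from the ledger itself.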

Gift cards and money mules
Some forms of ransomware accept vouchers for payment. These include gift cards and CashU, MoneyPak, MoneXy, Paysafecard and UKash vouchers. These may be used to purchase goods that “money mules” then sell over the internet for cash. Money mules are also used to liquidate cards by selling them to individuals at less than face value. Cybercriminals prefer cryptocurrency because it allows them to keep a greater percentage of the profits.

For more news and information on the battle against ransomware, visit the FightRansomware.com homepage today.

The human brain vs. computers in the identity challenge

The concept of identity is core to the protection of data.  Data and other computing resources exist to be used by individuals, each of whom has an identity that is used to grant or deny access to those resources.  Identity is not limited to humans, however: computer services also have identities that allow them to interact with other services and with data.

As humans, we understand identity as the set of characteristics that are representative of, and unique to, an individual, and our method of validating identity comes naturally in the course of interaction.  We recognize and associate these characteristics with a unique person, and our ability to do so increases with our exposure to the individual.  Exposure need not be direct, such as spending time with someone; it can also be gained indirectly through reading or talking about them or seeing them on TV.  This is why some people are more easily recognizable than others.  Consider how you recognize the touch of a loved one or the voice of your mother, whereas a former acquaintance’s name may escape you even when you meet face to face.  Similarly, popular personalities such as actors or politicians are easily recognized by each of us even if we have never met them.  Similar methods are used to build trust.  You wouldn’t let a stranger borrow your car, but that might change as the stranger becomes a friend.

Computers, likewise, can use a variety of characteristics to validate a claimed identity, but the way they recognize an identity differs from the way humans do.  A user first claims an identity (identification) and then provides credentials to back up that claim (authentication).  For example, a username claims an identity, while the correct corresponding password validates the claim.

However, there are several important distinctions between identification on a computer system and identification between people.  Computers have the advantage that they do not forget identities over time, but their methods of identifying a person are much more limited.  Whereas a human can draw on hundreds of characteristics to form an identity and can associate a different set of characteristics with each person, a computer system typically supports only a few very structured methods of identification.  The most familiar is the traditional username and password, but fingerprints, facial recognition, proximity cards and secret questions are also used, with widely varying strength: answers to secret questions, for instance, are often discoverable by anyone who researches the user.

There are further distinctions between computers and humans in terms of trust.  Humans trust an individual based on their experience, knowledge and interactions with the individual, but computers trust an individual only as far as the user’s permissions dictate.  Permissions determine how an identity can interface with data including viewing, modifying, creating or deleting it.  Other permissions might allow a user to issue commands to a computer system, run a program, or utilize a service.

Mitigating computer-based identity weaknesses

Both human and computer identification systems suffer from inherent weaknesses.  A computer’s limited methods of identification and the structured method used to evaluate identity make it relatively straightforward for an individual to programmatically exploit these methods and fraudulently authenticate.  These characteristics are also an advantage since a computer will always stick to the rules and enforce the identity requirements for an individual when identity systems are implemented properly.  Computer weaknesses are commonly exploited through credential cracking, credential theft, and the exploitation of authentication system vulnerabilities.

The overly simplistic solution to the problem would be to combine the advantages of both systems together.  However, this does not work well in practice.  Multi-factor authentication — utilizing multiple methods for validating a claimed identity — is a well-accepted method for improving authentication over single-factor authentication, but this is often limited to a small handful of identifying characteristics.  This limitation primarily lies in resistance from users of computing systems who resent the time required to present multiple credentials or the need to carry items on their person in order to authenticate.  Some of the most effective systems utilize a combination of user provided credentials and data the computer system can collect on its own such as the location, device initiating the connection, and time and date, but still fall short of what can be utilized by a human in identification.  Furthermore, these credentials can still be faked or fraudulently obtained.

Humans naturally detect a change in identity or behavior in the course of interaction, but computers validate identity once and then trust that it has not changed for the duration of the session, the period between a user’s logon and logoff.  This is a problem for enterprise security, since malware, shared sessions, and idle sessions that have not been locked all allow misuse by others.  The system cannot differentiate between a coworker acting at another user’s unlocked computer, or malware running inside a user’s session, and legitimate activity by the user.  Automatically logging off idle sessions and locking screens after a fixed interval mitigate the risk somewhat, but still leave a lot of room for session compromise.

Some systems are beginning to revalidate credentials periodically to protect against a compromised session.  The most basic simply revalidate at predefined intervals, while more advanced systems weigh a variety of signals to estimate how much assurance they still have in the identity.  Abnormal user interaction, a change of location or device mid-session, or the same account active from two locations at once can each trigger reauthentication.
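As an added example (not code from the original article), the following session monitor implements the revalidation triggers just described: a maximum session age, a change of location or device within a session, and the same identity active from two regions within a short window.  The event fields, the thresholds, and the sample activity are assumptions made for the example.

```python
"""Continuous session validation: when to force a user to reauthenticate.

Added example, not from the original article. It implements the three
triggers the text describes: a fixed revalidation interval, a change of
location or device mid-session, and the same identity active from two
locations at once. Event fields, thresholds and the sample events are all
assumptions made for the example.
"""
from dataclasses import dataclass

MAX_SESSION_AGE_S = 8 * 3600    # assumed policy: revalidate credentials every 8 hours
CONCURRENT_WINDOW_S = 15 * 60   # assumed: activity from two regions within 15 min is suspicious


@dataclass
class Event:
    ts: int        # epoch seconds
    user: str
    session: str   # session identifier issued at logon
    region: str    # coarse geolocation of the client address
    device: str    # device fingerprint or managed-device id


@dataclass
class SessionState:
    user: str
    authenticated_at: int
    region: str
    device: str


class SessionMonitor:
    def __init__(self):
        self.sessions = {}    # session id -> SessionState (trust anchor set at last auth)
        self.last_seen = {}   # user -> (ts, region, session) of the most recent event

    def evaluate(self, ev):
        """Return the reasons this event should trigger reauthentication ([] = trusted)."""
        reasons = []
        state = self.sessions.get(ev.session)
        if state is None:
            # First event on a session is the logon itself: record the trust anchor.
            self.sessions[ev.session] = SessionState(ev.user, ev.ts, ev.region, ev.device)
        else:
            if ev.ts - state.authenticated_at > MAX_SESSION_AGE_S:
                reasons.append("session_age")
            if ev.region != state.region:
                reasons.append("location_changed")
            if ev.device != state.device:
                reasons.append("device_changed")
        # Same identity, different session, different region, close in time:
        # either a shared credential or a stolen session cookie.
        prev = self.last_seen.get(ev.user)
        if (prev is not None and prev[2] != ev.session and prev[1] != ev.region
                and ev.ts - prev[0] <= CONCURRENT_WINDOW_S):
            reasons.append("concurrent_locations")
        self.last_seen[ev.user] = (ev.ts, ev.region, ev.session)
        return reasons

    def reauthenticated(self, ev):
        """Called once the user passes the challenge: reset the session's trust anchor."""
        self.sessions[ev.session] = SessionState(ev.user, ev.ts, ev.region, ev.device)


def run(events):
    """Replay events in order; return (ts, session, reasons) for every challenge raised."""
    mon = SessionMonitor()
    challenges = []
    for ev in sorted(events, key=lambda e: e.ts):
        reasons = mon.evaluate(ev)
        if reasons:
            challenges.append((ev.ts, ev.session, tuple(reasons)))
            mon.reauthenticated(ev)  # assume the challenge is passed
    return challenges


# Constructed activity for one user (not real telemetry).
SAMPLE_EVENTS = [
    Event(0, "alice", "s1", "us-east", "laptop-01"),                     # logon
    Event(600, "alice", "s1", "us-east", "laptop-01"),                   # normal activity
    Event(1200, "alice", "s2", "eu-west", "unknown-phone"),              # second session, other continent, 10 min later
    Event(1800, "alice", "s1", "us-east", "laptop-01"),                  # original session resumes
    Event(1800 + 9 * 3600, "alice", "s1", "us-east", "laptop-01"),       # nine hours on the same session
    Event(1800 + 9 * 3600 + 60, "alice", "s1", "us-west", "laptop-01"),  # region changed mid-session
]

if __name__ == "__main__":
    for ts, session, reasons in run(SAMPLE_EVENTS):
        print(f"t={ts:>6} {session}: reauthenticate ({', '.join(reasons)})")
```

Note that the concurrent-location rule challenges both sessions, not just the newer one: the monitor cannot know which of the two is the legitimate user, so it asks each to prove itself, which is the computer's substitute for the human habit of noticing that something about the other party has changed.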

A variety of systems under the umbrella of Identity and Access Management (IAM) have been created to handle computer identity based on the scope and complexity of the need.

Mitigating human-based identity weaknesses

Humans are less disciplined in validating identity and are easily distracted.  A pretty smile or a few friendly words will not get anyone past a computer, but they work just fine, and quite often, with humans.  Other techniques, such as posing as an authority figure, playing on emotions, or asking for help, exploit general human characteristics.  I refrain from calling them weaknesses because they are vital to positive social interaction, but they present a threat when exploited by a malicious individual such as a social engineer.

Human weaknesses are the targets of social engineering: persuasion schemes that entice users to divulge their credentials or perform actions on the social engineer’s behalf.  This threat is reduced through security awareness training, documentation and enforcement of policies and procedures, and a culture of security.

The threats to identity compromise, both with computers and humans, have been the force behind many of the security controls in place today.  Humans and computers handle identity very differently but both access and interface with organizational data and both are potential targets for identity compromise when they are protected independently. However, when humans and computers are integrated into a human-centric security strategy, their strengths and weaknesses can reinforce one another.  When humans lack consistency, a computer assists and when computers have difficulty validating, humans add context and experience.  As a result of this increased understanding of human-computer strengths and weaknesses, the security controls that comprise a human-centric strategy are easier and more intuitive for users.  This results in fewer mistakes or security workarounds and it increases productivity by reducing security complexity.  Simply put, humans and computers combined are a winning combination.


An elegy for privacy

In childhood I dreamed of a world quite grand
Where my name and face were far from mystery
A life far removed from one boring and bland
Popular, famous, in fact, pure fantasy

How could I know that my dream would become real
My name and identity are known far and wide
Governments, stores, and thieves don’t need to steal
I’ve given it freely, when asked, I provide

Now everything is different, complex, distorted
Reportedly the data on me is vast
All that I do is electronically recorded
Much of it collected to chronicle my past

I’m lacking in answers but mired in questions
How do you know data collectors will be honest?
If they’re not tracking me, explain ad suggestions
Is this the future that technology promised?

Oh give me the life that was simple and understood
When I was myself as no other could be
Alas it is gone and lamenting is no good
All that I want is a little privacy

What to expect in 2015 in security and technology

As hard as it is to believe, 2014 is almost at a close. While some think about holiday gatherings and gifts, I ponder what the next year will bring. What will security, technology, mobile and the cloud look like in 2015?

Security is primed for change and we will see pressure both internally and externally. External pressure will come from compliance and consumers. It takes time for security practices, even those specified by governing bodies, to be widely accepted and practiced. However, we have reached the point where the expectation is compliance and best practices rather than best effort. Customers are also pressing organizations to better protect their data and privacy. 2014 was full of significant breaches at major companies, and this has shaken consumer confidence.

Internal pressure will come from the need for security technologies that integrate with the way employees already work and help them do their jobs without being so invasive. This will result in a greater push for security architectures that closely conform to operational objectives. Adoption of identity management (IDM) and mobile device management (MDM) will increase along with “software defined” systems, placing the focus on the purpose rather than the process.

I anticipate a growth in the use of analytics and supporting systems such as databases and storage. The Internet of Things is creating more and more data that corporations can use to gain more information on customers and operations. Existing tools and many custom developed tools will be harnessed to take advantage of this data. The cloud will play a big role in allowing companies to scale and to utilize powerful online analytical capabilities of cloud providers.

Lastly, companies will integrate more business operations into mobile apps and employ technologies to create seamless experiences for users no matter where and on which device they connect. Again, the cloud and virtualization technologies will fuel this capability.

I see 2015 as an exciting time for those in security and technology but even more so for those companies and individuals who will be empowered through more effective and secure systems.


Security and Compliance Synergies with DLP, SIEM, and IAM

Data Loss Prevention (DLP) is a technology that keeps an inventory of data on organizational devices, tracks when that data moves, and applies rule sets to prevent it from moving to unauthorized destinations such as a thumb drive, a cloud server, or an email recipient outside the company. DLP can significantly help organizations understand and control the data that is used, stored, and transmitted, and it is seeing increasing use by internal compliance groups as they try to meet strict regulatory requirements.

Another technology, Security Information and Event Management (SIEM), collects and analyzes data in real time from multiple sources including server logs, network devices, firewalls and intrusion detection systems. It then correlates that information to identify relevant patterns and alerts on high-priority events or event sequences. SIEM systems retain a copy of the data separately from the source that generated it, so an attacker who tampers with or deletes the logs on a compromised host does not erase the record. They also summarize the data in dashboards for easy reporting and analysis.

The third technology, Identity and Access Management (IAM), allows an organization to manage identities and credentials across the enterprise, including across a diverse set of equipment and devices. IAM maintains information about users, what they are authorized to access, and the actions they are authorized to perform.

Combined, SIEM, DLP, and IAM can improve both the security and the compliance posture of a corporation: together they make data flow within an organization visible and attributable, giving the business more control over its information and leaving less room to misuse it.

What are SIEM, DLP, and IAM?

As stated earlier, DLP is a deliberate effort to prevent the loss of data to undesirable individuals, groups, or circumstances. DLP systems classify information so that the most important data is identified and prioritized, and they apply a comprehensive set of methodologies and technologies across departments rather than relying on isolated local searches. SIEM takes in and interprets information from network security devices and server logs, giving greater visibility into the use, transmission, and storage of data; it lets a company consolidate security information from many different areas so that the organization can better understand and prioritize how to protect its data. IAM allows the activity logged by heterogeneous devices, each of which may record a different account name or device identifier, to be tied to the identity of one individual for better auditing and intelligence.

Protecting the company’s data is a primary responsibility for information security. With increased complexity and interoperability of systems, this task becomes much more challenging, especially on a localized basis. With the help of DLP, the job of protecting information becomes much clearer. Using SIEM in conjunction with DLP and IAM can further ease the task of the information security department in protecting organizational data, preventing breaches and in meeting regulatory requirements by restricting data from being exfiltrated and ensuring that authorized use is monitored and audited.

Correlating real threats in real time with where the most sensitive information is stored and handled falls squarely within the realm of SIEM, DLP, and IAM. By combining them, a company can see its security posture in one place rather than in several disconnected tools, which makes the process more efficient. SIEM can be tuned to focus on where sensitive data is found, helping the DLP team protect the information at its source, in transit, and at its destination, and SIEM findings can in turn refine how DLP identifies sensitive information and alert the DLP team to new data stores and new threats to organizational information.

Combining these three methods of protection gives the organization more insight into where additional security controls should be placed and allows for faster incident response. This combination of insight and coordination allows for a more efficient strategy against potential threats. DLP can prevent malicious or careless users from abusing the system by allowing only authorized accounts to access certain data and by informing the company when those documents have been retrieved. Simultaneously, SIEM sharpens controls by monitoring that retrieval across sources, so that alerts are as streamlined, efficient, and quick as possible, and IAM ties each alert to a named person. Together these tools provide what information security offices need: visibility and control.
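As an added example (not from the original article or any vendor's product), the following shows the three pieces working together on constructed log lines: events from a VPN gateway, a file server and a DLP agent are normalized, the different account and host names each source logs are resolved to one identity through an assumed IAM directory, and two correlation rules fire only on cross-source sequences. The log lines, the directory, the share classification and the thresholds are all assumptions made for the example.

```python
"""SIEM-style correlation over logs from three sources, tied to one identity via IAM.

Added example, not from the original article. It shows the pattern the text
describes: normalize events from a VPN gateway, a file server and a DLP agent,
resolve the different account and host names each source logs to a single
identity from the IAM directory, and raise alerts only on cross-source
sequences (password guessing followed by success; a sensitive file read
followed by a USB copy). The log lines, the directory and the thresholds are
constructed for the example.
"""
import re
from datetime import datetime, timezone

# Constructed sample log lines (timestamp, host, message), not real logs.
SAMPLE_LOGS = [
    "2015-01-12T08:01:10Z vpn  sshd: Failed password for jdoe from 203.0.113.7",
    "2015-01-12T08:01:14Z vpn  sshd: Failed password for jdoe from 203.0.113.7",
    "2015-01-12T08:01:18Z vpn  sshd: Failed password for jdoe from 203.0.113.7",
    "2015-01-12T08:01:25Z vpn  sshd: Accepted password for jdoe from 203.0.113.7",
    "2015-01-12T08:05:02Z fs01 smb: user=CORP\\jdoe action=read path=\\\\fs01\\finance\\q4-forecast.xlsx",
    "2015-01-12T08:07:40Z dlp  agent: host=LT-0042 event=usb_copy file=q4-forecast.xlsx bytes=2400000",
    "2015-01-12T08:58:30Z vpn  sshd: Accepted password for asmith from 198.51.100.4",
    "2015-01-12T09:00:00Z fs01 smb: user=CORP\\asmith action=read path=\\\\fs01\\hr\\handbook.pdf",
]

# Constructed IAM directory: every identifier a source logs, resolved to one identity.
# Mapping a managed laptop to its assigned owner is an assumption of this example.
IAM_IDENTITY = {
    "jdoe": "jane.doe", "CORP\\jdoe": "jane.doe", "LT-0042": "jane.doe",
    "asmith": "alan.smith", "CORP\\asmith": "alan.smith",
}

SENSITIVE_SHARES = {"finance", "hr"}    # assumed classification from the DLP data inventory
FAIL_THRESHOLD, FAIL_WINDOW_S = 3, 120  # N failures within 2 minutes before a success
EXFIL_WINDOW_S = 600                    # sensitive read then removable-media copy within 10 minutes

LINE = re.compile(r"^(\S+) (\S+)\s+(.*)$")
VPN = re.compile(r"(Failed|Accepted) password for (\S+) from (\S+)")
SMB = re.compile(r"user=(\S+) action=(\S+) path=(\S+)")
DLP = re.compile(r"host=(\S+) event=(\S+) file=(\S+)")


def parse(line, directory):
    """Normalize one raw line to {ts, identity, action, object}; None if not understood."""
    m = LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).timestamp()
    host, rest = m.group(2), m.group(3)
    if host == "vpn" and (v := VPN.search(rest)):
        action = "login_fail" if v.group(1) == "Failed" else "login_ok"
        return {"ts": ts, "identity": directory.get(v.group(2)), "action": action, "object": v.group(3)}
    if host == "fs01" and (s := SMB.search(rest)):
        return {"ts": ts, "identity": directory.get(s.group(1)), "action": "file_" + s.group(2), "object": s.group(3)}
    if host == "dlp" and (d := DLP.search(rest)):
        return {"ts": ts, "identity": directory.get(d.group(1)), "action": d.group(2), "object": d.group(3)}
    return None


def correlate(lines, directory):
    """Run both correlation rules; return (rule, identity, object) alerts in time order."""
    events = sorted((e for e in (parse(line, directory) for line in lines) if e), key=lambda e: e["ts"])
    alerts, failures, sensitive_reads = [], {}, {}
    for e in events:
        who = e["identity"] or "unknown"
        if e["action"] == "login_fail":
            failures.setdefault(who, []).append(e["ts"])
        elif e["action"] == "login_ok":
            recent = [t for t in failures.get(who, []) if e["ts"] - t <= FAIL_WINDOW_S]
            if len(recent) >= FAIL_THRESHOLD:
                alerts.append(("password_guessing_then_success", who, e["object"]))
            failures[who] = []
        elif e["action"] == "file_read":
            parts = e["object"].split("\\")   # UNC path: server, share, file name
            if SENSITIVE_SHARES & set(parts):
                sensitive_reads[who] = e
        elif e["action"] == "usb_copy":
            prior = sensitive_reads.get(who)
            if (prior and e["ts"] - prior["ts"] <= EXFIL_WINDOW_S
                    and prior["object"].split("\\")[-1] == e["object"]):
                alerts.append(("sensitive_file_to_usb", who, e["object"]))
    return alerts


if __name__ == "__main__":
    for rule, who, obj in correlate(SAMPLE_LOGS, IAM_IDENTITY):
        print(f"ALERT {rule}: {who} ({obj})")
```

Neither alert is visible from one source alone: the file server saw an authorized read, the DLP agent saw a copy from a laptop, and only the IAM mapping of `CORP\jdoe` and `LT-0042` to the same person lets the SIEM join them. The second user's read of an HR file raises nothing, because the rule requires the follow-on exfiltration event rather than alerting on every access to sensitive data.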

Internal Threats

Companies sometimes have the information they need but cannot act on it because it is buried in a server log or a database. For example, the 2008 Verizon Business Data Breach Investigations Report found that in 82% of the breaches it investigated, evidence of the events leading up to the compromise was already available to the victim organization before the breach occurred, but was not acted on. SIEM, DLP, and IAM could have helped those organizations understand and prevent these breaches.

The reality is that employees often change positions or leave. Without proper termination procedures and security controls, departing employees could transfer customer documents or steal intellectual property and other sensitive information. SIEM, DLP, and IAM together provide real-time information on data access and can flag inappropriate or out-of-the-norm activity, such as a departing employee suddenly copying far more data than usual.

External Threats

Take a company that regularly handles credit card information and is compliant with the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS compliance helps protect the organization and mitigates a variety of attacks, but DLP and SIEM can also tell the organization where attacks are being aimed. Reconnaissance such as fingerprinting and scanning often precedes a larger attack, and SIEM, DLP, and IAM can surface that precursor activity so the organization can respond and protect itself and its data.

SIEM, DLP, and IAM in a distributed mobile world

SIEM, DLP, and IAM are particularly valuable to organizations that are increasingly mobile. More and more workers access corporate data from mobile devices, the cloud, or machines connected to a VPN and BYOD is prevalent in many organizations. It is important to tie this activity back to a unique identity and to track patterns across devices and organizational boundaries. Protecting information was already difficult when it was limited to one network and a few select locations. However, that time is well in the past. New facets of current employment widen the gap that information security needs to cover. With the help of DLP, threats can be prioritized according to the importance, and with SIEM the data transfer and storage can be transparent, easing the burden on the information technology and security department in protecting a larger set of assets.

The use of SIEM, DLP, and IAM can significantly enhance the capabilities of information security departments. SIEM allows a company to make the access, transfer, and reception of data within the company more apparent and can further improve DLP initiatives in protecting and controlling data within the organization. The advantage of using SIEM, DLP, and IAM within an individual company streamlines the process of protecting vital information and makes the company more efficient.

This article is sponsored by JURINNOV, a TCDI company specializing in cybersecurity and computer forensic consulting services.