May 24 2013
 

Small businesses are under constant attack from malware, scams and online fraud.

They are not only losing money directly to fraud, but also in costs associated with maintaining security. Small businesses are simply woefully under-prepared to keep their assets safe. Despite reorganisation and redirected priorities, the police can still do little to help.


This all emerges from a report on the threat of online fraud to small UK businesses, released by the FSB. No, not Russia’s slightly cuddlier successor to the KGB; this is the Federation of Small Businesses, a UK pressure group representing the needs of small businesses, and providing a range of services to them, boasting over 200,000 members.

Survey synopsis

The study takes the form of a survey of a subset of that membership, covering their experiences of online fraud, their attitudes to how it affects them, and what actions they’ve taken to protect themselves.

Now, such studies are notoriously biased – asking people with a vested interest and minimal specialist knowledge what they think of complex technical issues will always give some off-the-wall results.

This report contains some useful data though, both on what small business owners think has happened to them in the past, and on the parlous state of their cyber defences.

Stats

The report kicks off with a third-party figure of £18.9 billion lost to fraud by small-and-medium enterprises. This boils down to an average of just under £4000 per business in their study, although that covers all kinds of fraud. A previous analysis came up with a figure of £2900 for ‘normal’ fraud, hinting that the figure for online losses is over a quarter of the total.

On the plus side, 49% of businesses suffered no fraud losses at all, and only around 7% lost more than £5000. 10% reported incidents of card fraud, including ‘card not present’ problems associated with online trading. Such issues, along with the costs and complexity of PCI-DSS compliance, have apparently discouraged many businesses from operating online at all.

20% report ‘virus’ infections, with a further 8% spotting hacking or other ‘electronic intrusion’, and that’s only those that knew about the issues – 73% claimed they had had no problems.

It would be interesting to see how the list of victims overlaps with those who regularly apply security patches to software (a mere 36%), and those who regularly update their anti-virus software (a much higher, but still rather depressing, 59%). 17% claimed they took no actions to counter cyber-attack, from a lengthy list of options.

The figures contrast rather oddly with another survey published just a month ago, produced by the Department for Business, Innovation and Skills (BIS), who also partnered with the FSB on this report. That survey does cover all types of data breach and all associated costs though, rather than just the direct costs of fraud.

Police action

A lot of businesses have gripes about the banks, how little they do to help and how much they cost. They also claim the police don’t help much either.

Indeed, among the study’s headline recommendations are a need to ‘manage expectations around the police response to fraud and online crime by highlighting the benefits of reporting in terms of feeding into a wider intelligence picture’ and ‘Inform businesses what the police do not have the capacity to deal with so they can take preventative measures to help themselves more’.

This is basically admitting that if your business is robbed online, the police may provide you with a pat on the hand and a sympathetic “there, there”, but that’s about it – you should be dealing with this stuff on your own.

At least there is that encouragement to keep reporting issues so their levels can be monitored, which gives some hope that one day even the police will begin to sit up and take notice. The police’s centralised, outsourced Action Fraud reporting system is referenced.

Top tips

The FSB study also provides a good, clear ‘ten top tips’ to help business owners protect themselves.

It includes the basics of running up-to-date security software, applying patches and using at least reasonably strong passwords.

Here are the FSB’s top ten tips:

  • Implement a combination of security protection solutions (anti-virus, anti-spam, firewall(s))
  • Carry out regular security updates on all software and devices
  • Implement a resilient password policy (min eight characters, change regularly)
  • Secure your wireless network
  • Implement clear and concise procedures for email, internet and mobile devices
  • Train staff in good security practices and consider employee background checks
  • Implement and test backup plans, information disposal and disaster recovery procedures
  • Carry out regular security risk assessments to identify important information and systems
  • Carry out regular security testing on the business website
  • Check provider credentials and contracts when using cloud services

This is a good start, but business owners clearly need a lot more help. In the UK at least, they may not be so at risk from the POS malware targeting their US cousins, but they face some serious issues.

Many of these problems are based on a simple lack of know-how and IT security illiteracy.

Sadly, even the best defenses can get breached, and there needs to be a stronger deterrent in the criminal system. With the internet involved, this means global action, which remains a rather distant dream.


Image of small businesses and small business crushed by foot courtesy of Shutterstock.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/vZ1uRTQviTg/

May 23 2013
 

New York City police have arrested a NYPD detective for hiring an email hacking service to pinch the login details for at least 43 personal email accounts and one cell phone belonging to at least 30 individuals.

Edwin Vargas, 42, of Bronxville (a part of New York City), is accused of having paid $4,050 via PayPal to an illicit hacking service between March 2011 and October 2012.

According to a statement from Preet Bharara, the US Attorney for the Southern District of New York, Federal Bureau of Investigation (FBI) agents arrested Vargas outside his home on Tuesday.

Officials said that 19 of Vargas’ alleged targets are current NYPD officers, one is retired from the NYPD, and another is an administrative staff member of the NYPD.

Vargas allegedly used the login credentials to peek into at least one personal email account belonging to a current NYPD officer. He also allegedly accessed another victim’s online cellular telephone account.

Law enforcement officials said that when they checked out the hard drive on Vargas’ NYPD computer, they also found that his Gmail account Contacts section included a list of at least 20 email addresses, along with what looks like telephone numbers, home addresses, and vehicle information corresponding to those email addresses.

The list also contained what seem to be passwords for the email addresses.

Vargas also allegedly accessed the federal National Crime Information Center (NCIC) database to get information about at least two NYPD officers and then paid email hacking services to filch their logins.

The detective has been charged with one count of conspiracy to commit computer hacking and one count of computer hacking. Each count carries a maximum sentence of one year in prison.

US Attorney Bharara said in the statement that it’s pretty darn bad when the cops themselves are the ones breaking the laws they’re paid to enforce:

As alleged, Detective Edwin Vargas paid thousands of dollars for the ability to illegally invade the privacy of his fellow officers and others.

He is also alleged to have illegally obtained information about two officers from a federal database to which he had access based on his status as an NYPD detective.

When law enforcement officers break the laws they are sworn to uphold, they do a disservice to their fellow officers, to the Department, and to the public they serve, and it will not be tolerated.

FBI Assistant Director-in-Charge George Venizelos also said in the statement that gosh, you’d think you’d be able to trust your coworkers if your workplace is a police department:

As alleged, the defendant illegally acquired log-in information for the email accounts of dozens of people, including police department co-workers.

Of all places, the police department is not a workplace where one should have to be concerned about an unscrupulous fellow employee.

Unlike the email accounts, the defendant didn’t need to pay anyone to gain access to the NCIC database. But access is not authorization, and he had no authorization.

Let’s assume that Naked Security readers won’t fall for pitches from such email hacking services, such as this charmingly misspelled/garbled one:

If you want to know someone’s email password than get it right now. How to hack? No, you don’t have to do that, let our experts to hack your requested password in less than 48 hrs and you will be charged with $100

How do these services work?

Some of them, in their marketing materials, put up lists of techniques that include brute-force attack, keylogger installation, dictionary attacks, sniffing (if the hacker and the victim share the same wireless network, such as in a workplace or cyber cafe), and/or social engineering techniques.

Unfortunately, if the allegations prove true, it sounds as though the NYPD not only harbored one bad apple; it also has plenty of staff who might well have fallen for one or more of the email hacking services’ techniques.

As far as protecting ourselves from having our accounts breached, the tried and true advice holds: keep on top of patches; don’t click on phishy links or open phishy email; make sure you’re using a password management program to generate convoluted, hard-to-guess passwords; and/or read Graham Cluley’s piece about cooking up your own.

(Enjoy this video? You can check out more on the SophosLabs YouTube channel and subscribe if you like.)

Better still, follow the advice I saw on a cartoon on Wednesday:

Sorry, your password must contain a capital letter, two numbers, a symbol, an inspiring message, a spell, a gang sign, a hieroglyph and the blood of a virgin.

Bravo!


Image of login screen courtesy of Shutterstock.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/sVK02Y27YgA/

May 23 2013
 

Twitter has announced the availability of two factor authentication (2FA) for its service, meaning that users can opt-in to something stronger than just a username and password to protect their accounts.


In a blog post, Twitter explains how the new security measure works.

If you decide to turn 2FA on for your Twitter account, every time you try to log into the site you will be prompted to enter a six-digit code that Twitter sends to your phone via SMS.

Here is a video Twitter released, demonstrating the feature:

So, the big question is this… is this going to help media organisations such as The Guardian, NPR, the Financial Times, and others who have found their Twitter accounts hijacked by the likes of the Syrian Electronic Army?

Sadly, I don’t think it’s going to help them at all.

Media organisations who share breaking news via social media typically have many staff, around the globe, who share the same Twitter accounts.

2FA isn’t going to help these companies, because they can’t all access the same phone at the same time.

Either those people will have to leave themselves permanently logged into Twitter (which is itself unwise from the security perspective), or one central trusted person will have to “own” the phone – and share the six-digit code with journalists as they try to log in to share breaking news stories.


It’s a complex problem to fix, and for that reason many media organisations may choose not to enable Twitter’s additional security at this time.

Of course, *another* solution would be to have an intermediary service, acting as a proxy, to which journalists could post their Twitter updates (using appropriate authentication) and then have *that* service feed the official Twitter account.

If you take that approach, just ensure that you have proper security systems in place for that proxy service – to keep out hackers and mischief-makers.

Corporations with “shared accounts” on Twitter would be wise to keep their defences updated, educate their staff on security and best practice, and learn the lessons of how Twitter accounts have been hacked in the past.

If you do enable Twitter two-factor authentication, whether you are Joe Public or a multinational corporation, realise that the technology isn’t going to help if you have users who are easily phished.

Determined online criminals could use “man-in-the-middle” techniques to grab the six-digit passcode alongside your username and password.

So, even if you do turn on Twitter’s 2FA, you still need to double-check, when you enter your username and password or your six-digit code, that you are *really* on Twitter’s HTTPS website.


Otherwise, the crooks can just use all three items to log in as you…
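To make the mechanism concrete, here is an added example (not Twitter’s code, and not from the original article) of the server-side half of an SMS login code: generate a random six-digit code, keep only a salted hash of it, let it expire, allow it to be used once, and cap wrong guesses. The class name, the five-minute lifetime and the five-attempt limit are assumptions chosen for illustration. It also shows the caveat the article makes: a code relayed by a man-in-the-middle inside its validity window verifies just like one typed by the real user, because the server only sees digits, not who typed them.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # assumption: a code stays valid for five minutes
MAX_ATTEMPTS = 5         # assumption: five wrong guesses invalidate the code


class SmsCodeStore:
    """Hypothetical server-side bookkeeping for SMS login codes.

    The plaintext code goes only to the phone; the server keeps a salted
    hash, an expiry timestamp and a failed-attempt counter per user.
    """

    def __init__(self, now=time.time):
        self._now = now                 # injectable clock, for testing expiry
        self._pending = {}              # user -> (salt, code_hash, expires_at, attempts)

    @staticmethod
    def _hash(salt: bytes, code: str) -> bytes:
        return hashlib.sha256(salt + code.encode("ascii")).digest()

    def issue(self, user: str) -> str:
        """Create a fresh code for `user`; the caller sends it by SMS."""
        code = f"{secrets.randbelow(1_000_000):06d}"   # CSPRNG, zero-padded
        salt = secrets.token_bytes(16)
        self._pending[user] = (salt, self._hash(salt, code),
                               self._now() + CODE_TTL_SECONDS, 0)
        return code

    def verify(self, user: str, submitted: str) -> bool:
        """Accept a submitted code at most once, within its lifetime."""
        entry = self._pending.get(user)
        if entry is None:
            return False
        salt, code_hash, expires_at, attempts = entry
        if self._now() > expires_at or attempts >= MAX_ATTEMPTS:
            del self._pending[user]     # expired or locked: start over
            return False
        # Constant-time comparison so timing does not leak matching prefixes.
        ok = hmac.compare_digest(code_hash, self._hash(salt, submitted))
        if ok:
            del self._pending[user]     # single use: a replay fails
        else:
            self._pending[user] = (salt, code_hash, expires_at, attempts + 1)
        return ok


def relay_demo() -> tuple:
    """Show the limit of SMS codes: a code relayed promptly by a phishing
    proxy verifies (True), but a second use of the same code does not (False)."""
    store = SmsCodeStore()
    code = store.issue("alice")         # "sent" to Alice's phone
    relayed = code                      # constructed: a MITM forwards it at once
    first = store.verify("alice", relayed)
    second = store.verify("alice", relayed)
    return first, second


if __name__ == "__main__":
    print(relay_demo())                 # (True, False)
```

The single-use and expiry rules limit how long a stolen code is worth anything, which is why the article’s advice to check that you are really on Twitter’s HTTPS site before typing the code still matters: the server cannot distinguish a promptly relayed code from a legitimate one.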

In time, Twitter will surely mature and offer appropriate security, and mechanisms which recognise how many corporate brands and news organisations are using Twitter today.

Maybe they will one day adopt a system like Facebook has, where multiple users can have access to an account – all with different levels of authority, all with different usernames and passwords.

Right now Twitter’s 2FA is more likely to be welcomed by individuals who own personal accounts, and small companies with a Twitter presence, than embraced by the high profile victims attacked by the Syrian Electronic Army in the past.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/20Nyxx9Fma8/

May 23 2013
 

We try to avoid being too marketroidistic here on Naked Security.

After all, we’re aware that you can work out which company’s products we’d recommend just by looking at the URL of this article.

But when our technical colleagues get outside recognition for the excellence of the products they create, we can’t help but mention it.

(Especially when said techies are stuck at the coalface, knee deep in code, while one of their colleagues gets to collect their award at a Gala Dinner event in a subtropical holiday resort.)

So we’re proud to say that at this evening’s 2013 Information Security awards at the AusCERT conference in Australia, Sophos scooped the Protector Award with Sophos RED.

RED, you ask, from a company with a blue logo?

Yes! RED stands for Remote Ethernet Device, and it’s a brilliantly simple way of connecting up your branch office or remote workers:

The Sophos Remote Ethernet Device protects branch offices and provides secure remote access. Simply plug the device into your Internet router and centrally manage it from the Sophos UTM appliance at headquarters. Branch office traffic is forwarded to the Sophos UTM appliance for complete security.

The neat thing about the RED is that it can’t be misconfigured when it arrives at the remote office.

You enter the unique device ID printed on your RED into your Sophos Network Security Gateway (or UTM for short) back at HQ, and a new configuration file is automatically created and stored with the Sophos provisioning service.

When the non-techie at the remote office plugs in the unit and turns it on for the first time, the RED and the cloud automatically do the rest.

You end up with an encrypted Virtual Private Network (VPN) connection that is equivalent to having your remote workers plugged into your wired network at head office.

Delivering a product of this sort that Just Works isn’t a job for the faint hearted programmer.

The challenge of words like zero in computer science is that they are unambiguously absolute.

So when you promise a “zero configuration” experience, you really have to mean it: you can’t have a single pop-up dialog, tick box, or [OK] button.

→ Even a washing machine typically needs some user-side configuration, no matter that it’s just twiddling a dial and pressing a switch.

So, congratulations to our techie brothers and sisters for making “zero” mean zero!

By the way, if you’re wondering why you might want to consider a full-blown VPN instead of just relying on remote workers to connect to key services over HTTPS, take a look at some of the comments on our recent Wireless Security Myths video.

HTTPS secures individual transactions, but it doesn’t secure the DNS lookups of your remote users, and it doesn’t shield the times or destinations of their connections.

That might not sound like a lot, but an attacker who controls your DNS can entirely own your network, and an attacker who knows the pattern of your communications can apply traffic analysis and learn more about your business than you might like.

Much worse, rather obviously, is that HTTPS works with co-operating secure websites only; it protects nothing else that leaves or enters your computer.

So…which company’s product would I recommend for remote office connectivity?

Let me just say, “You can work it out just by looking at the URL of this article.”

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/FFPbFkF1Cts/

May 23 2013
 

Episode #109 of our popular Chet Chat podcast series is out.

Chet and Duck (Chester Wisniewski and Paul Ducklin) are back with their almost entirely reverent opinions on the latest computer security issues.

If this is your first time listening to the Chet Chat: episodes come out every two weeks, and usually last about a quarter of an hour.

That makes the Chet Chat podcast ideal for your daily commute or for a spot of lunchtime listening.

(You can keep up with our podcasts via RSS or iTunes, and catch up on previous Chet Chats and other Sophos podcasts by browsing our podcast archive.)

Listen now:

(20 May 2013, duration 15’23″, size 9.3 MBytes)

Download now:

Sophos Security Chet Chat #109 (MP3)

Chet Chat episode 109 shownotes:

Laptop theft

Duck wrote about a video of a chap in London whose laptop was stolen in under a second, live on CCTV.

Was he using full-disk encryption? Both Chet and Duck sincerely hope so.

Duck poses the question, “Does the modern-day fence [handler of stolen goods] treat the data as valuable as well as the laptop?” Chester advises us to assume that the answer is, “Yes!”

Casher crews

Chet and Duck discuss the recent casher crew busts in New York, and talk about how people end up as money mules [processors of cash payments] for cybercrooks.

LulzSec busts

Chester suggests that the prison sentences dished out to Lulzseccers in the UK were probably long enough to satisfy people who thought the UK was a bit soft on cybercrime, but not so long as to be unreasonable.

He also mentions the interview he recorded back in February with Parmy Olson, who wrote a book about what makes these guys tick. It’s now available on podcasts.sophos.com.

Patch Tuesday

Chester points out that MS fixed not only its PWN2OWN hole that was discovered a couple of months back, but also the “Dept of Labor” zero-day from just ten days before the update. He thinks that is pretty swift.

Duck agrees, admitting, “These are not words that naturally come billowing out of my mouth, but, ‘Well done, Microsoft!’”

Name.com breach (and others)

Chet reels off a list of recent breach-ees, of which name.com is a recent example. At least they only lost password hashes.

Duck remarks on the addition of another newspeak word to go with Advanced Persistent Threat: AoC. “Abundance of caution.”

He argues that that’s better than complete denial, but worries that it might mean the cure ends up worse than the disease.

Signing off

Chet and Duck sign off by inviting you to enter for a prize in the latest #sophospuzzle, now live on nakedsecurity.sophos.com

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/ebHkEYPc_Rg/

May 23 2013
 

Last year Sophos looked at Wi-Fi security by sending one chap right across London on a bicycle, and me on foot to tramp the Sydney CBD North to South and East to West…

…and we found that while things weren’t terrible, they weren’t 100% rosy, either.

So, to coincide with the 2013 Cyber Security Awareness Week in New Zealand, we thought it was worth making a short revision video.

Here you are: Three Wireless Security Myths.

(If you enjoyed this video, you’ll find plenty more on the SophosLabs YouTube channel.)

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/m49L13Q7u6U/

May 23 2013
 

Did you open your email inbox this morning to find an email like the following?


Kindly open to see export License and payment invoice attached, meanwhiole we sent the balance payment yesterday.
Please confirm if it has settled in your account or you can call if there is any problem.

Thanks
Karen parker

Whatever you do, don’t open the file attached to the email.

Contained inside the file invoice copy.zip is a malicious Trojan horse, designed to compromise your computer.

Sophos products detect the malware proactively as Mal/BredoZp-B, but users of other vendors’ products should check that their software is fully up-to-date and defending against the threat.

Curiously, samples of the malware campaign intercepted by SophosLabs claim to come from the world-famous jewellers Tiffany & Co.

This may be a deliberate ploy on the part of the criminals behind the attack to tempt more people into opening the attachment.

Of course, it’s child’s play to forge email header information, and there is no suggestion that the messages were really sent by Tiffany’s. If anything, they are also victims of this campaign.

Little blue boxes from Tiffany & Co. are the stuff of dreams for many. Don’t let an unexpected email delivery – apparently from the company – make you so giddy with excitement that you end up with a computer nightmare.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/sKjAGJdlAW8/

May 23 2013
 

VKontakte is Russia’s equivalent to Facebook.

VK – as it is commonly known – claims to be the largest European social network, and is particularly popular with Russian speakers who have made it the second most commonly visited website in all of Russia.

Of course, VKontakte is not immune from security and privacy challenges – and its users have to be careful about what they share, and who with, just as with any other social network.

For instance, plenty of evidence about the identity of the Koobface malware gang was fortuitously found being carelessly shared by the cybercriminals on their VKontakte profile pages.

I found myself wondering today if Western figures and celebrities like Barack Obama had attempted to make a landgrab for social media exposure on VKontakte.

Serendipitously, I made a spelling mistake. And typed “VKontakte” as “Vikontakte”.


Woah! That’s odd. The URL says the content is hosted on vikontakte.net, but the description claims that it’s Twitter.

A visit to vikontakte.net reveals what appears to be a familiar Twitter login page.



However, closer inspection of the browser’s address bar confirms that it really is vikontakte.net that you are looking at.


I asked my colleagues in SophosLabs what they felt was occurring, and they confirmed that the site appears to have been set up for the purposes of phishing credentials.

The bogus login page will accept any random credentials you choose to enter, and redirect your browser to a .SU domain that will attempt to grab your browser’s history and other data, including (the criminals hope) your Twitter username and password.


Seeing as the Soviet Union ceased to exist in December 1991 (long before many of us had jumped onto the internet), you should perhaps have alarm bells ringing whenever you see a .SU domain name.

Chances are that it’s a sign that someone is up to no good.

What’s curious about this apparent phishing campaign is that the domain name is clearly designed to trick you into believing it’s one thing (VKontakte) whereas the contents of the site itself are trying to dupe you into thinking it’s another (Twitter).
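The two warning signs the article describes, a domain that is one typo away from a real brand and a page whose content claims a different brand from its hostname, can be turned into a simple triage check. The following is an added example, not SophosLabs’ blocklisting logic and not from the original article: a small Python heuristic that flags lookalike labels by edit distance, flags the .SU top-level domain the article singles out, and flags a mismatch between the brand a page presents and the host serving it. The brand watch-list, the distance threshold of 2 and the sample URLs are constructed for illustration; the hostname split is naive (no public-suffix list), so it is a triage aid, not a verdict.

```python
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed watch-list of brands a phishing page might imitate.
PROTECTED_BRANDS = ("twitter", "vkontakte", "vk")
# TLD the article singles out as a warning sign.
SUSPICIOUS_TLDS = {"su"}
LOOKALIKE_MAX_DISTANCE = 2   # assumption: one or two edits counts as a lookalike


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def registrable_label(host: str) -> Tuple[str, str]:
    """Split 'www.vikontakte.net' into ('vikontakte', 'net').

    Naive: takes the last two labels, so co.uk-style suffixes are mis-split.
    """
    parts = host.lower().rstrip(".").split(".")
    if len(parts) < 2:
        return parts[0], ""
    return parts[-2], parts[-1]


def assess_url(url: str, page_brand: Optional[str] = None) -> List[str]:
    """Return the red flags raised by a URL; an empty list means none tripped.

    page_brand is the brand the page *content* claims to be (e.g. "twitter"),
    if the analyst or a content classifier has determined it.
    """
    split = urlsplit(url)
    host = split.hostname or ""
    label, tld = registrable_label(host)
    flags: List[str] = []
    if tld in SUSPICIOUS_TLDS:
        flags.append(f"suspicious tld .{tld}")
    for brand in PROTECTED_BRANDS:
        if label != brand and levenshtein(label, brand) <= LOOKALIKE_MAX_DISTANCE:
            flags.append(f"lookalike of {brand}")
    if page_brand and label != page_brand:
        flags.append(f"page claims {page_brand} but host is {host}")
    if split.scheme != "https":
        flags.append("not https")
    return flags


if __name__ == "__main__":
    # Constructed sample URLs; the first mirrors the article's case.
    for sample, claimed in [("http://vikontakte.net/login", "twitter"),
                            ("https://twitter.com/login", "twitter"),
                            ("https://example.su/", None)]:
        print(sample, "->", assess_url(sample, claimed) or "no flags")
```

Short brand names such as “vk” will produce false positives against other two-letter labels at distance 1 or 2, so in practice the threshold should scale with label length; the page’s own example, vikontakte.net presenting a Twitter login form, trips three of the four checks at once.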

With a plan like this, maybe it’s no wonder the Soviet Union didn’t survive.

SophosLabs has chosen to block vikontakte.net as a phishing site.

Thanks to Anna Szalay of SophosLabs for her assistance with this article.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/fnhHAudBCww/
