The business model of finding
This week it was released that CyberVor, the Russia based Cyber gang, had stolen over 1.2 billion usernames and passwords, and millions of associated email addresses. The company who discovered the operation, Hold Security, have since said it will charge $120 (£71) a month for a “breach notification service”. This must be a fine case of both sides of a balance sheet, where companies are thriving from the scare factor of their data being released on the wild, as one leaked email address and password can lead to a jump-off point on an organisations network.
In terms of the $120 per month subscription, this must make the service one of the most profitable ever created, as the gathering of data across the involves minimal costs, and although there is a cost in maintaining the software to gather the agents, the toolkits for gathering the information are fairly well developed, and it becomes an integration development, with the support for their clients to add the details that there company is interested in. Hold Security then sit back, and monitor the Internet, and pick off any data which pin-points the company … pweh that is a fantastic business model! In fact, companies doing this, are actually using the same tools and the network distributed network for scanning and probing as the hackers do.
One area that we have covered in relation to the business model is that the data gathered from security monitoring can actually be used in terms of analysing business performance too. So that the security monitor of Web sales on a Web site, can actually be used to determine the dwell time of users between putting an item in the basket to the time that the purchase the goods. More information on using SIEM (Security Incident and Event Management) here.
The race to find new compromises and make the headlines is often key to developing a strong reputation in the industry (while many of the existing players are working under NDAs with their customers so cannot publish the things they find). With OpenSSL, the Finnish security firm Codenomicon discovered the flaw around the same time as it was found by Google, and even registered a vulnerability ID and a domain name, before it they released the information on it. For them, they knew that there was a strong business model in gaining a strong reputation for leaders in the area. The complete timeline of Heartbleed is here:
The flip side is that there are so many vulnerabilities out there, that it is almost trivial for intruders to go out and get information from companies, and to gain footholds on them. We have now created organisations which are built on data, and they kinda forgot that this has become their key asset, and now that some people actually need and have access to this asset. As long as there’s one human involved, there’s a chance for the leakage to happen.
Hackers now have a whole range of tools in their toolbox, where they can command a whole lot of proxy agents – known as a bot and controlled remotely as a botnet agent – who can do the vulnerability probing and data stealing on their behalf. Anyone listen to the network will not be able to find the original source of the probing, as it is done by one of the compromised agents. The creation of the botnet agent is often fairly simple for the hackers, as it normally involves sending a phishing email – such as with the link to an HRMC on-line Web link – and which compromises the system through an unpatched system. Common compromises include Adobe Reader, Adobe Flash and in Oracle Java, and where a backdoor agent is downloaded onto the compromised host, and then listens for events, such as logging into bank systems. They can also be used to send requests to remote sites, such as for the probing for usernames and passwords, and for DDoS (Distributed Denial of Service).
Possibilities for fraud
The profitable side for hackers was shown in July 2014, when RSA announced a large-scale fraud of Boleto Bancário (or Boleto as it is simply known), and which could be the largest electronic theft in history ($3.75bn). Overall with the fraud there were nearly 200,000 infected IP addresses that had the infection on their machine. A boleto is similar to an invoice issued by a bank so that a customer (“sacado”) can pay an exact amount of a merchant (“cedente”). These can be generated in an off-line manner (with a printed copy) or on-line (such as in on-line transactions).
Boleto is one of Brazil’s most popular payment methods, and just last week it was discovered to have been infected, for over two years, by malware. There are no firm figures on the extent of the compromise, but up to 495,753 Boleto transactions were affect, with a possible hit of $3.75bn (£2.18bn).
Boleto is the second most popular payment method in Brazil, after credit cards, and has around 18% of all purchases. It can be used to pay a merchant an exact amount, or, typically to pay for phone and shopping bills. There are many reasons that Boleto is popular in Brazil, including the fact that many Brazilian citizens do not have a credit card, and even when they do have one, they are often not trusted. Along with this the transaction typically has a fixed cost of 2 or 4 US dollars, as opposed to credit rates which is a percentage of the transaction (in Brazil, it can typically be between 4 and 7.5%).
The operation infected PCs using standard spear phishing methods, and managed to infect near 200,000 PCs, and stole over 83,000 user email credentials. It used a man-in-the-browser attack, where the malware sits in the browser, which included Google’s Chrome, Mozilla’s Firefox and Microsoft’s Internet Explorer, and intercepts Boleto transactions. The reason that the impact was so great, is that Boleto is only used in Brazil, thus malware detection software has not targeted Boleto, as it is a limited market.
The Web-based control panel for the operation shows that fraudsters had stolen $250,000 from hijacked 383 boleto transactions from February 2014 until the end of June 2014 (Figure 2). Of the statistics received, all the infected machines where running Microsoft Windows, with the majority running Microsoft Windows 7 (78.3%), with Microsoft Windows XP being the second most popular (17.2%). Of the browsers detected the most popular was Internet Explorer (48.7%), followed by Chrome (34%) and Firefox (17.3%), and the most popular email domain used to steal user credentials was hotmail.com (94%).
Bad code on Web sites
The reasons that this gathering information by the CyberVor gang worked so well points to three things: bad coding practice on Web sites (where the user input is not checked, and goes straight through to the database), the usage of proxy agents (bots) to both probe and gather the usernames and passwords, and phishing emails (which are used to compromise a host so that it becomes a bot. These three things make it so easy for intruders to target the collection of data, and then press the button, and wait. They then have a whole army of data harvesters, which are basically infected computers around the Internet. As long as there’s an unpatched system somewhere on the Internet, there’s the potential for bot to work on behalf of someone. As said previously in this blog, the three main targets are Adobe Reader, Adobe Flash and Oracle Java [Blog].
Unfortunately all three of the problems point to two things: humans producing bad code (not checking their code) and humans being silly (not patching their systems). So, as we will see, the root of many of the currently vulnerabilities is around XSS (Cross-site scripting) and SQL Injection, which are caused by human coders not understanding that there might be people that want to compromise their system. Developers are often under pressure in rolling-out their code, and only test their code for valid inputs, along with this they will often disable security controls when operating issues occur, and then forget to put them back in-place. A current target, though, is the copy-and-pasting of PHP code, which often is left unmodified and without any security checking. Often the figure of 100:1 is used in terms of defining the ratio of hours/effort spent developing the system (dev ops) against the hours spend operating and evaluating the system (sys ops). It is obviously that this needs to change, and in the post we’ll see some of the pointers towards this.
The Heartbleed vulnerability focused on a human coding error within the OpenSSL encryption library, and which highlighted that it is humans who often cause most of the serious security vulnerability. Often these vulnerabilities can be traced to poor software development methods or practices. For example, the Adobe hack which exposed nearly 150 million passwords, had several pointers to poor security practice, including the fact that users could select extremely weak passwords, and which could be easily cracked. Another standard process which Adobe missed was to add salt to the encrypted version of the password. This method of salting makes it much more difficult to crack passwords on a database, even when weak passwords have been used. n the Adobe Hack there were nearly 2 million users selected “123456” as their password, and once one password is cracked, every single other one with the same password is also cracked (note: a salted system does not reveal others which have the same source password).
One of the easiest methods to steal data from an intruder, and will often result in a success is to use either XSS (Cross-site scripting) or SQL Injection. With XSS, the intruder forces some script into the page to make it act incorrectly, and with SQL the page sends through an SQL command to the database, and which can reveal its content. If the developer does not check their code, or if they do not undertake a penetration test, the Web site can be a risk.
Computer Security is becoming the new darling industry, especially as data is becoming one of the key assets for organisations. There’s value in the data, and if there’s value, there will be people out there trying to get it, and create their own business model in use it. Like it, or not, we are all being monitored on the Internet, as companies want to find out everything about us.Just look at your Web browsing, where something you should a bit of interest on Amazon, actually starts to propogate itself through into other Web sites that you access. Everytime a company monitors you, your data is stored someone, and the cookie on your machine is only a touch point for this tracking.
Intruders can then build business models at scale, and use agents, running at fractions of a dollar in costs, in the Cloud to act as the paid data gathers, creating the profit models that could never have been conceived before the Information Age. At one time gangs would employ spies to go and photograph or steal documents, now it’s a little agent running in the Cloud, who becomes alive when an innocent person’s machine has been infected, or an instance spun-op in the Cloud for a short time and then gone. The trials to the controller are almost impossible to find, especially if they have used the Tor network for their access to the harvested data. As the potentials for this increase by the day, and the access to tools becomes so easy, so there are a whole lot of companies, small and large, gaining excellent business models. The one benefit for companies, though, is that the investment in security monitoring infrastructures, can actually payback many times over, as it becomes the key analytic engine for the company, providing real-time information on its operation.