computer FRAUD & SECURITY ISSN 1361-3723 November 2014
www.computerfraudandsecurity.com
Featured in this issue: The dark side of advertising
Advertising is pervasive on the Internet these days. It’s usually the primary income stream for many of the services, such as Facebook and Google, that we take for granted. But it’s also a source of serious threats to our security.
Malicious advertising – or ‘malvertising’ – is an increasingly common way for cyber-criminals to either spread malware or lure victims to sites where malware and other scams lurk. Steve Mansfield-Devine examines the nature of the problem and the (so far) limited responses to it. Full story on page 5…
Embedding dependability attributes into component-based software development
Many industries have turned to reusing software components during development because this makes applications cheaper, faster and more reliable. However, it also makes them hard to secure.
Hasan Kahtan, Nordin Abu Bakar, Rosmawati Nordin and Mansoor Abdullateef Abdulgabber of Universiti Teknologi MARA discuss an implementation process that overcomes the lack of security during component-based software development and show how it’s implemented via an industrial software application case study. Full story on page 8…
The quantified self: a threat to enterprise security?
Wearable technology is getting smarter and pundits predict that the launch of the Apple Watch will propel wearable technology into the mainstream in 2015.
The ‘quantified self’ trend has already driven massive uptake of personal devices that measure heart rate and activity and link to health and fitness apps, which in turn link with entire communities of people comparing and contrasting their activity. This sector is likely to grow much bigger very fast and will have an impact beyond the strictly personal, as it has the potential to threaten enterprise security. Tracey Caldwell reports. Full story on page 16…
UK citizens hit hard by cybercrime says Government
Half of the UK’s citizens have fallen victim to cybercrime, and half of those victims were traumatised by the experience, according to research by the Government.
As part of Get Safe Online Week in late October 2014, the Cabinet Office issued the results of two surveys. The first, by Vision Critical, which was undertaken specifically to tie in with the event, found that of those people who had been victims of cybercrime – defined as: online fraud or cases resulting in economic loss; ID theft; hacking or deliberate distribution of viruses; and online abuse – half felt they were ‘very’ or ‘extremely violated’ by the experience. Continued on page 3…
Contents

NEWS
UK citizens hit hard by cybercrime says Government (page 1)
Retailers under sustained attack (page 3)

FEATURES
The dark side of advertising (page 5)
Most commercial web-based services and many mobile applications rely on advertising for their main sources of income. But while we’re all accustomed to seeing ads embedded in web pages and apps, this constant stream of advertising has also become a source of serious threats to our security. Malicious advertising – or ‘malvertising’ – is an increasingly common way for cyber-criminals to either spread malware or lure victims to sites where malware and other scams lurk. Steve Mansfield-Devine examines the nature of the problem and the (so far) limited responses to it.

Embedding dependability attributes into component-based software development (page 8)
In order to save costs, increase speed of development and improve reliability, many organisations have turned to reusing software components. However, this approach also makes it hard to be confident about the security of the resulting software. Hasan Kahtan, Nordin Abu Bakar, Rosmawati Nordin and Mansoor Abdullateef Abdulgabber of Universiti Teknologi MARA discuss an implementation process that overcomes the lack of security during component-based software development and show how it’s implemented via a case study involving an industrial software application.

The quantified self: a threat to enterprise security? (page 16)
Soon a large proportion of the population will be wearing computing devices in the workplace, if the pundits are to be believed. Wearable technology is getting smarter and has been given a boost in popularity following the launch of the Apple Watch. The ‘quantified self’ trend has already driven massive uptake of personal devices that measure heart rate and activity and connect to health and fitness apps, which in turn link with entire communities of people comparing and contrasting their activity. This sector is likely to grow much bigger very fast and will have an impact beyond the strictly personal, as it has the potential to threaten enterprise security. Tracey Caldwell reports.

Editorial (page 2)
News in brief (page 4)
Calendar (page 20)
ISSN 1361-3723/14 © 2014 Elsevier Ltd. All rights reserved.
NEWS

…Continued from front page

Figures issued by the National Fraud Intelligence Bureau (NFIB) to tie in with Get Safe Online Week put the amount lost to the top 10 Internet-enabled frauds at more than £670m for the year ending 31 Aug 2014. This includes all fraud where the initial contact was via an online function. However, the NFIB pointed out that a high percentage of Internet frauds probably go unreported, so the real figure is likely to be much higher. The research suggests that only around a third (32%) of victims actually report the crime.

More than half (53%) of the people surveyed now regard cybercrime to be as serious as ‘physical world’ crimes, and many are now adapting their behaviour accordingly. For example, 45% say they have adopted stronger passwords and 42% claim to be ‘extra vigilant’ when shopping online.

However, not all changes are for the better. When it comes to protecting their personal devices with a PIN or password, more than half have failed to do this with their mobile phones (54%) or PCs (59%), and two-thirds (67%) haven’t done this with their tablets. Laptop owners are slightly better – only 37% have failed to use a password.

“It’s sad but not surprising that 53% of British people have fallen victim to cybercrime,” said George Anderson, director of product marketing at Webroot. “The Internet has become assimilated into our daily lives, from banking to retail, to the point where it’s easy to forget how hazardous it is if the proper security measures aren’t taken. The key to making the UK a safe Internet user zone is education. As a country, as communities and as individuals we should be actively promoting awareness of Internet safety and security issues. The government’s research should not scare people away from online activities, but rather start serious and continuous conversations whereby we evaluate the online precautions we take both at home and at work.
Education should start young, with parents and education bodies working to ensure security savvy future generations.”

However, the rise in security awareness might have less to do with fraud than with other high-profile incidents, said Chris Boyd, malware intelligence analyst at Malwarebytes: “While there have been many notable attempts to place the threat of hacking and data breaches in the public eye, it’s possible that the recent celebrity iCloud hacks have had more of an impact on public perception than any cybersecurity awareness week ever could. There is a significant amount of apathy among the average person when it comes to protecting themselves online, which is compounded by the ever-evolving complexity and success of cybercrime; so while education is important, it’s also difficult.”

The Get Safe Online public-private initiative has guidelines that individuals can follow to protect themselves. There’s more information here: www.getsafeonline.org.
Retailers under sustained attack
The publicity surrounding the high-profile breach of US retailer Target’s point of sale (PoS) systems has done nothing to prevent the rise of such attacks, according to research by security firm Damballa.

Infections involving the Backoff malware used to breach Target’s systems – and those of other big-name victims such as Supervalu and UPS – are still rising. Damballa says it recorded a 57% rise in Backoff detections in August 2014, and according to US Secret Service estimates, this has resulted in 1,000 US firms being hit. Damballa also saw another 27% rise in September. Typically, infections are achieved by brute-forcing weak passwords on remote desktop (RDP) applications in order to drop the malware onto the PoS systems.

“In many cases, the PoS systems are free-standing from the corporate network,” said Brian Foster, CTO at Damballa. “They connect to local networks, which have limited security. Without this visibility, it’s impossible to discover the device is communicating with criminal command and control.”

Any business that uses RDP protocols to enable remote support on PoS solutions needs to implement much stronger security now, according to Curt Wilson, senior research analyst for Arbor Networks’ ASERT team. “If a PoS provider is compromised, the attackers typically obtain access to all their customer deployments via remote access capabilities, leading to complex, distributed compromise,” he said. “Strong authentication may provide an extra layer of defence in such a case, unless the strong authentication process is also compromised. Organisations, especially smaller to mid-sized organisations, should be aware of the potential of remote support being compromised.”

Meanwhile, researcher Brian Krebs has reported that there are continuing repercussions of the Home Depot breach. US banks have logged a large number of fraudulent transactions related to payment card details stolen from the firm. Most of these fraudulent transactions are coming from Brazil. An interesting twist is that the transactions claim to be chip-based ones, even though the affected banks have only just started rolling out EMV cards to their customers. It’s currently not clear how the fraudsters have managed to make the transactions appear as though they are EMV-based payments. One theory is that they have a payment terminal and are using encrypted data from a genuine EMV card and injecting other data using stolen card details into the data stream. There is more information here: http://krebsonsecurity.com/2014/10/replay-attacks-spoof-chip-card-charges/.

One consequence of this is that the banks are probably liable for the fraudulent payments: if they weren’t EMV-based, the liability would more likely have fallen on their insurers.

According to Luther Martin, chief security architect at Voltage Security: “The possibility of fraud resulting from hackers exploiting a flaw in the implementation of the EMV protocol demonstrates a few interesting points. First, it was a flaw in the implementation of cryptography that was apparently exploited by hackers, not the cryptography itself. Cryptography can provide essentially unbreakable security for sensitive information, but it’s very hard to implement correctly. Even a fairly simple flaw in an otherwise-secure implementation can provide hackers all that they need to exploit a system.” He added: “Next, it demonstrates that EMV is not proof against all payment fraud. While it may reduce card-present fraud by a considerable amount, EMV is not a ‘silver bullet’.”