The question is not, “Will my information be accessed or stolen?” It’s, “When will it be accessed or stolen?”
In their presentation, “Easiest Catch: Don’t Be Another Fish in the Dark ‘Net,” Brian Hill and Mark Lanterman of Computer Forensic Services (CFS) provided realistic advice for cyber protection as they discussed recent high-profile cyber-crime events, including website breaches impacting retailers, banks, and government agencies.
Hill, VP of corporate investigative services at CFS, said that when it comes to the Internet of Things—the interconnection via the Internet of computing devices embedded in everyday objects, enabling them to send and receive data—it all starts with the user.
“Everything we do today is connected to the Internet,” he said. “While we gain convenience, we give up a lot of security. It’s trying to find that balance. Hey, you’ve got this product that allows you to do your job much easier, but now you have to look at, ‘What repercussions are we going to have?’ ”
He likes to reference cyber security using Without a Paddle, a 2004 movie in which three reunited childhood friends explore a remote river in a bid to find the loot of long-lost airplane hijacker DB Cooper.
They get more adventure than they bargained for. In one of the scenes, they’re running from a bear. One of them starts taking off his shoes and another one looks at him and says, “What are you doing? You’re not going to be able to outrun this bear.” The first one says, “I don’t need to outrun the bear. I just have to outrun you.”
“That’s what cyber security is,” Hill said. “These hackers like Rescator (who provides credit card numbers for a fee) and Zeus malware are going after easy targets—the people who are going to click on those links. It’s about making sure you reinforce your structure to make sure you’re not that weakest target. Make sure your employees aren’t that weakest target. Stay one step ahead.”
Hill, illustrating his presentation with an overhead screen that showed his activity on the Internet, logged into the website of a windmill company. He started clicking to see what he could access. Within seconds, he had accessed a wind turbine and had full control of it.
“Nowhere does it ask me for a user name or password,” he said. “We reached out to tell them they have vulnerabilities.”
Hacking the water tower
He then visited the website of a city, which he said had connected its infrastructure to the Internet. He clicked to enter the waste-water department and said that he—or anyone—could communicate with the water hose.
“I can turn this on, off,” he said. “I can open a water valve and completely drain their water tower. That’s not part of today’s demonstration.”
“There is a full security camera, so now I know when people come and go, and I know when they’re open and closed,” he said. “All these vulnerabilities. Because they’re connected to the Internet, they have IP addresses. They can be geo-located to a specific area, so I’m going to know where this camera is broadcasting from. People have them in their houses. This is one where you can see someone walking through and making breakfast. This is a local residence here in Las Vegas.
“We can go on and on for hours, talking about your tablets, your computers, WiFi security, but we don’t have time. It’s important to take a look at your infrastructure at your business and do an audit, a security assessment. And after you do that, because you fix a vulnerability, you may have created two more. It’s constantly taking a look at your environment to determine what vulnerabilities exist and then making sure you do something about it, versus saying, ‘Ah, this has never happened. It’s not going to happen to me.’ ”
Plunging into darknets
Hill said the Dark Web—content that exists on darknets, or overlay networks that use the public Internet but require specific software, configurations, or authorization to access—is a really hot topic right now.
“They say that Google only indexes anywhere between 15% to 17% of the Internet,” he said. “That doesn’t seem like a whole lot. The rest of that is what’s called the Dark Web. So you and I live up above, where we have Google and Wikipedia. That’s where we do our online shopping: Best Buy, Amazon, you name it.
“But the Dark Web was developed by the US Navy so operatives could communicate in secret. They could set up a website, put a message down there, take it down, and be completely anonymous, all of it using the Tor network. It’s called the Onion Router. An onion has many different layers, just like the Dark Web. So when I go to the Dark Web, I’m peeling several different layers, and all of them are stripping out my identifying information so it makes it very difficult to identify who I am. That’s why criminals love it, and it’s a playground for them to go sell merchandise, sell drugs. Whatever it is, the Dark Web has it. It’s a matter of trying to find it.”
Need a new identity?
Hill took the attendees on a tour of two of his favorite sites on the Dark Web.
At one passport site, “genuine” passports can be purchased. Just send them your height, weight and a photo, paying $400 for the person facilitating the transaction and $400 for the inside officer who actually produced the passport.
“You can get a passport from a different country,” he said. “If I’m trying to hide assets from a spouse whom I’m going to divorce, I’m going to get a UK passport, fly over to the UK, and open up a few bank accounts in a different name so when I go through the divorce, I don’t have to give her as much.”
Your online drug dealership
Then there’s the People’s Drug Store.
“They believe in customer service,” he said. “This looks like any other website. ‘Satisfaction guaranteed. Here’s the information you want to know. You want heroin, cocaine, ecstasy?’ Doesn’t that sound like a normal commercial you would hear? ‘Cut out the middle man. Buy directly from me. It’s cheaper.’ That’s exactly what they’re doing. What’s the difference between Heroin #3 and Heroin #4? #4 is the purest.
“We’ve been giving this presentation for quite some time now, but this guy has always had a ‘grand opening special.’ So I’m wondering if the Better Business Bureau has downgraded him because it’s a constant sale.
“The stuff on the Dark Web is truly scary stuff. This is where a lot of your stolen merchandise ends up. From hiring hit men to selling drugs, it’s out there and it’s prevalent.”
The Amazon of ID theft
Lanterman, chief technology officer at CFS, said Rescator’s stolen credit card site is “Amazon.com for criminals.”
He took the attendees on a live shopping trip in the site, with this introduction: “We’re in the marketplace. So you are criminals in the market to buy stolen credit cards? Welcome to my storefront. I hope you have a pleasant shopping experience.
“ ‘As my customers, you get to choose stolen credit cards based on country of origin. If you want to buy stolen credit cards from Bermuda, from Canada, from Colombia, from Greece, Ireland, Great Britain, it doesn’t matter. We have inventory from around the world, with one exception: Russia. Because we don’t offend our host nation. As my customer, you get to choose what kind of stolen credit card.’ It’s kind of like buying a pickup truck. You get to choose based on make and model. I want to buy a gold Visa. I want to buy a corporate Mastercard. I want to buy a platinum American Express card. You get to choose where to buy a stolen debit or credit card. And you get to choose a stolen credit card based on the bank that issued the stolen card. I stopped counting at 16,000 banks and credit unions. I’ll tell you every bank and credit union I looked for, including the Pentagon Federal Credit Union and the White House Credit Union.
Don’t steal home without it
“You also get to choose stolen credit cards based on city and state of the billing address. So what? Who cares? Big deal. Well, it actually is a big deal, and here’s why: Let’s say you live in Las Vegas and let’s say I’m the criminal in Minneapolis, and I just bought your stolen credit card. You don’t even know it’s gone. Well, as a criminal, I’m going to buy a high-definition TV, because research out of the University of Michigan has proven all criminals love high-definition TVs. Now, the problem for me as a criminal is your bank, because your bank is pretty good at fraud detection. And your bank noticed that last night you bought dinner at Las Vegas, breakfast this morning in Las Vegas, paid for hotel charges in Las Vegas, and now all of a sudden out of the blue, you pop up in Minneapolis buying a high-definition TV. So your bank says, ‘We’re going to call the customer. Are you buying this high-definition TV? Thanks, customer. Decline that charge.’ Now I don’t get my TV set.
“As a criminal, that doesn’t really work for me. So the workaround that Rescator gives his customers is you can buy stolen credit cards based on the city and state. So if I’m a criminal in Las Vegas, I want credit cards stolen here. If I’m a crook in Minneapolis, I want credit cards stolen there. If I’m a crook in New Hampshire, I want credit cards stolen there.”
Be careful what you phish for
Phishing is another big problem—sending fraudulent emails disguised as being from reputable companies, in order to convince the recipient to reveal personal information, such as passwords and credit card numbers.
“It’s not what it appears,” Lanterman said. “In this example, it purports to come from Google: ‘Someone has your password. They just used your password to sign into your Google account. We stopped the sign-in attempt, but you should change your password. Click here.’ By clicking there, that’s actually the hacker. This is a very interesting email because of who clicked on the link: John Podesta (former chairman of the 2016 Hillary Clinton presidential campaign and former chief of staff to President Bill Clinton and counselor to President Obama).”
He said all hackers everywhere have three traits in common:
• Every hacker, regardless of nationality, is 17 years old.
• They all drink Red Bull.
• They are all allergic to spellcheck.
“I could go on and on about the dark web,” Hill said. “It truly is scary stuff. But this is where a great deal of what is stolen from you ends up. It’s out there, and it’s criminal.”