A Hacker's Tool Kit: Cyber Security Threats to Financial Firms
It has been said that cyber weapons can be as dangerous as weapons of mass destruction. To emphasize this, at last night’s FBI Citizens Academy seminar on cyber security in financial markets, the speaker noted that if you take out an industry (think financial, telecom) you can cripple an entire country.
But just how would this happen? What’s in a hacker’s tool kit? Quinn Shamblin, executive director of information security at Boston University, provided a glimpse into the cyber security underworld.
Targeting Your Favorite Device
Let’s start with Mobile Device Security. Hackers are shifting their focus and resources to mobile devices. They recognize that a user’s life is virtually encapsulated on his/her mobile device. From contacts and email to documents, passwords and banking apps, mobile devices now hold as much as or more personal information than PCs or laptops. And most devices do not have anti-virus/malware software installed.
Just last Friday, Apple released a critical update to its iOS 7 operating system after a flaw was identified that could give an attacker with a privileged network position the ability to capture or modify data in sessions protected by SSL/TLS (aka public key encryption). Following that announcement, researchers at a cyber security firm (FireEye) published a proof of concept for a surveillance app that, if created and distributed by hackers, could capture every tap on an iPhone’s screen. The information captured, including passwords and credit card numbers, would be accessible to the attacker. These are just two examples of the cyber security threats facing mobile devices. Users need to be aware that these threats exist and practice smart computing on all devices.
DDoS: A Hacker's Version of Leverage
Next let’s talk DDoS (distributed denial-of-service) attacks, a common strategy used by hackers. We are nearing the one-year anniversary of the largest DDoS attack, which was dubbed the “DDoS that almost broke the Internet.” As the story goes, Spamhaus (a non-profit anti-spam organization) came under attack by two individuals who were able to harness open DNS resolvers to send incredible amounts of traffic at the Spamhaus website. It is reported that, at one point, 300GB of traffic per second were being pushed.
In a statement on its website, Spamhaus explains that “preventing attacks like these depends on two key technical measures. First, all networks should ensure that they do not allow traffic to leave their network that has 'spoofed' (forged) sending addresses. Without the ability to spoof traffic there would be no reflection attacks possible. Secondly, open DNS resolvers should be locked down and secured. These attacks should be a call-to-action for the Internet community as a whole to address and fix those problems.”
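The two measures Spamhaus names, written out as decision logic a border router and a DNS resolver would apply (an added example, not from Spamhaus or the original article; the prefixes, addresses and function names are constructed for illustration):

```python
import ipaddress

# Constructed sample values: prefixes assigned to this network
# (RFC 5737 documentation ranges, not real allocations).
SITE_PREFIXES = [ipaddress.ip_network(p)
                 for p in ("192.0.2.0/24", "198.51.100.0/25")]


def is_local(addr):
    """True if addr parses and falls inside one of the site's prefixes."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # unparseable source: treat as not ours
    return any(ip in net for net in SITE_PREFIXES)


def egress_verdict(src):
    """Measure 1: let a packet leave only if its source address is ours."""
    return "forward" if is_local(src) else "drop"


def resolver_verdict(client):
    """Measure 2: perform recursive lookups only for our own clients."""
    return "recurse" if is_local(client) else "refuse"


def audit(outbound, queries):
    """Return the spoofed-source packets and the refused DNS clients."""
    spoofed = [p for p in outbound if egress_verdict(p[0]) == "drop"]
    refused = [c for c in queries if resolver_verdict(c) == "refuse"]
    return spoofed, refused


# Constructed records: (source, destination) of packets seen on the border
# router's outbound interface, and client addresses of recursive DNS queries.
OUTBOUND = [
    ("192.0.2.10", "203.0.113.5"),      # legitimate internal host
    ("203.0.113.77", "203.0.113.200"),  # source is not ours: forged
    ("198.51.100.200", "203.0.113.5"),  # outside our /25: forged
]
QUERIES = ["198.51.100.20", "203.0.113.77"]

if __name__ == "__main__":
    spoofed, refused = audit(OUTBOUND, QUERIES)
    print("dropped at egress:", spoofed)
    print("recursion refused for:", refused)
```

Either check alone breaks the reflection path: a forged source address never leaves the originating network, and a locked-down resolver does not answer recursive queries from outside clients.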
No Update Here
Another vulnerability hackers love to exploit is out-of-date software. April 9, 2014 will be a big day for the hacker community, because on April 8th, Microsoft officially ends support of Windows XP. This means no more security patches or updates. We can assume that for the last year or so, hackers have been holding Windows XP-related malware just waiting for Microsoft to end support.
For the most part, professionals at hedge funds and investment firms have upgraded from Windows XP, but it is not uncommon for a few of these systems to still be on a corporate network, and it only takes one highly connected Windows XP device to let hackers into an entire corporate network. So if you haven’t already, now is the time to start planning to have your systems upgraded. At Eze Castle Integration, we are working with clients to set an upgrade timetable for their systems.
As a final thought, the most commonly infected file types are PDF, Flash and Java, so make sure you install updates when they are rolled out by the vendors. Also, never open an attachment from a sender you don’t know.