Archives For Cybercrime

sonySecurity Professionals Are Not In One Accord When it Comes to Sony,

But We Can All Be Sure, They’re Part of The Nation State Threat

The First Nation-State Backed Bank Robbery?

From the Wall Street Journal, “Investigators believe they’ve found the culprit behind cyberattacks on banks in Asia: Kim Jong Un. Having long used counterfeiting, drug trafficking, gun running and slave labor to gain hard currency, North Korea’s dictator may have pulled off the first state-backed digital bank robbery in history.

Symantec Says North Korea….

Symantec recently pointed to Jong Un as the brains that took $81 million from Bangladesh’s central bank earlier this year, and hit two commercial banks in the Philippines and Vietnam.

The funny thing is, the code used in these attacks looks just like the code used to attack Sony…and as far as Symantec can tell, it’s not code being used anywhere else. Suddenly the link between Sony and North Korea is stronger.

In an SVLC Insider’s Circle interview I conducted  late last year with Former NSA Agent Summer Worden, she warned us of this. In her comments she names China, Russia, and North Korea, saying, “They are cooperating with each other for economic reasons, and going after U.S. companies.”

The two banks mentioned above are not U.S., but we can be certain there will be more of this, and the U.S. will be a target.

Some Sound Bites to Note From a Recent WSJ Report:

“The attackers sought to transfer nearly $1 billion out of Bangladesh’s central bank.”

“$81 Million was taken.” – Note, the bank was able to detect the breach before the $1 Billion amount was taken – Detection, Response.  Still, this is reportedly one of the largest bank heists ever.

“This attack compromised the bank’s SWIFT money transfer system – however it was compromised on the bank’s side, not the SWIFT Society’s system.”  SWIFT transactions total about $5 Trillion each day! (Note: a SWIFT patch has been issued!)

It used to be thought that North Korea did have the technology to do this type of thing. The WSJ report corrects our thinking, stating, “Don’t underestimate Pyongyang’s technological capabilities. The same regime that starves its people also produced counterfeit $100 bills so hard to detect that U.S. officials dubbed them “supernotes.” (note: Pyongyang also has enough nuclear material to make more than 10 bombs.)

Expect This To Grow!

Will they continue this type of thing? My sources say yes.  Like with Sony, the U.S. threatened to do something, but nothing was ever done. Expect more of this until someone steps up to take action.

© 2016, David Stelzl

 

TALC100% Signed Up To See If Their Data Is Safe!

Yesterday’s event in Las Vegas was a great success. We had representatives from the local cybercrime enforcement unit of the Las Vegas Police Department, as well as Fire Department, along with just over 20 business leaders.  Delon Lukow, President of ProStar offered an assessment to each attendee as a thanks for attending.  This initial assessment will help business leaders determine if there are in fact symptoms of data theft, or major holes in their security strategy. Every person there agreed to take this first step.

After the meeting I had the opportunity to meet with Lukow to review the most important elements of small business risk, and what risks small businesses are most likely to face. It is ProStar’s mission to help educate business leaders in this region, to take a more proactive stance against cybercrime.  My hope is that more SMB focused technology companies will sponsor these types of events.

© 2015, David Stelzl

Thanks again to our sponsors including Cox Communications and Nuvestack!

dollardataCredit Card Data Is A Commodity…It’s The Company Secrets That Profit

How Secure Is Your Data – What About China?

The big companies have had their share of horror stories with credit card theft this year, but are you and your customers watching the trends in Espionage?  Earlier this month I interviewed a couple of former NSA agents to give technology providers some insights into cybercrime trends and a war we are all involved in.  Summer Worden, one of my guests on the SVLC Insider’s Circle Program talked about Russian and China, revealing some of the hidden agendas and what to expect in the future.  Much of this is driven by Economics according to Worden.  China’s economy needs more innovation, and what better way to get it than to take it from the United States?

Espionage Is Hitting Businesses Right Now

This week in the Wall Street Journal, FRANK J. CILLUFFO AND SHARON L. CARDASH gave us more on this. Here’s a sound bite that should shock us; “The FBI reports a significant spike in its number of economic espionage cases: a 53% increase just this past year.”  Where is this coming from and what’s driving it?

According to the article, “Randall Coleman, the head of the FBI’s counterintelligence division, told the Wall Street Journal in July that much of the suspicious activity is performed by Chinese companies against U.S. firms and that the Chinese government plays “a significant role” in the attempted theft of trade secrets.”  Espionage, as pictured in movies is generally dealing with government data – like the recent OPM hack I wrote on a few weeks ago.  But this is about business. These are companies, targeting companies that have new ideas, strategies, and innovations that the competition in China will benefit from.

In Kevin Mitnick’s book, The Art of Deception, he shares the tale of a businessman entering a small business responsible for developing high tech manufacturing equipment. The man approaches the front desk asking to see the president of the company. The receptionist informs him that the president is out of the country and unavailable. At that point the businessman begins to fumble through his planner, double checking his meeting.  He’s flown in from out of town, and is supposed to be meeting the president to discuss a joint venture. There must be a mistake!

In a last ditch effort, he asks if the development team is in – perhaps he can take them out to lunch to review the plan he and the president have come up with.  They agree, and into the development area he goes. They spend several hours discussing the latest drawings and plans – the company’s latest top secret innovations. The businessman takes a few pictures, and heads out, promising to reconnect next week when the president returns.

You probably guessed – but when the president returns, and the team reviews their recent meeting, the president has no idea who they are talking about. This is a case of economic espionage, and chances are the business guy is now back in his own lab building a “Copy-Cat” product with only a few months of R&D vs. the decade the first company spent developing these ideas.

No Need to Go Onsite

Like your evolving managed services program (if you are an MSP), you no longer have to go onsite to do your work…the same is true when it comes to stealing company secrets. As the WSJ article states, “If you place yourself in the shoes of those playing economic catch-up, why invest millions in R&D if you can simply steal it at a fraction of the cost, especially with just a few clicks of a mouse?”. Now that everything is connected and online, stealing information is simple.

Cilluffo and Cardash rightly point at that,  “The theft of intellectual property and trade secrets destroys jobs in this country, and undermines the nation’s economic competitiveness by striking at the heart of U.S. innovation.” And in this case, nation states are behind these acts of war!  Years ago I read in another WSJ article, “This is a slow sifting of the American Economy,…and because it lacks the alarming explosions and bodybags, no one is really paying attention.”  At some point we will find our bank accounts empty, and our businesses collapsed.

No One Is Claiming Responsibility, But Who’s Investigating This?

Terrorists claim responsibility when they blow things up. They want us to be afraid. In a war, the opposing country generally announces their demands and threats of invasion. In this case, the thief is not interested in being known – they have no demands. They are looking for a competitive advantage. It’s to their benefit that no one know what they are up to. If they can silently get away with strategic information, they can recreate a product in their own lab, with a fraction of the required investments in time and money. With their copy-cat product in hand, they are now able to sell it at a fraction of the cost. Recovering their investment is easy – they didn’t spend their own money on this invention.

What to Do About It

In the WSJ Article, the writers tell us, “Recent reporting suggests that the Administration is striving to craft an innovative and calibrated response to the OPM hack in light of its scale. This is a significant development in the ongoing match of Spy vs. Spy on steroids. An equally compelling answer is needed to China’s economic espionage against the United States. Time is money in this context — but more importantly, it is national security.”

It’s true, our government needs to get on this. In a recent Presidential speech I heard Obama say that our greatest threat right now is environmental…I have to respectfully disagree.  Without a doubt, I believe it’s cybercrime – Hacktivists, Nation States, and Cybercriminals.  All three are attacking everything from your personal data, to company innovation, to our nation’s intelligence.  As a technology provider I want to encourage you to start educating your clients – everything must be secure, and it can’t wait for the next budget cycle or a government mandate.  Like a doctor sharing the diagnosis of cancer with a patient, it’s up to us to convince them to begin treatment. This is not about insurance, it’s about preservation.

“Those who say they have it covered are either ignorant or lying to you.” – A quote from my most recent book, The House & The Cloud 2nd Edition.

HC Image

© 2015, David Stelzl

P.S. If you want more on how to convince your customers they need better security, this book explains how to do it…(click to see it on Amazon.com).

Despite Hacks…People Still Don’t Take Action.

Earlier this week, CBS correspondent Candice Leigh Helfand interviewed me for an article,

Despite Hacks: Info Leaks, Americans Still Lax On Digital Security.

In the wake of Target and Snapchat news just a month ago – CBS-DC wanted to know what to expect in the coming year, and where companies need to refocus.

Target Hacked!

The Target case is interesting because it’s not an online hack!  Just around the holiday peak shopping season, “Target disclosed that encrypted debit-card PINs, credit and debit card numbers, card expiration dates and other bits of sensitive information were stolen from millions of customers (around 40 million) who shopped at the retailer between Nov. 27 and Dec. 15 of last year.”  Wow! How did that happen?  They got it all – PINS too.  By Tampering with credit card swipe machines.

Snapchat Hacked!

The Snapchat hack is another story – only “4.6 million of its users”.  But the news here is that it happened right after, “Security experts warned the company at least twice about a vulnerability in its system.”  In an earlier post I mentioned that I’m speaking on these topics in Chicago next week…but I know several of the executives invited responded back (as they always do), “I don’t get involved in that stuff”…that’s exactly the problem.

When business leaders don’t have any involvement – or take the time to understand, you end up with a Snapchat.  In fact, just after TJX was hacked, losing around 100 million credit cards, I met with several security teams that had called on TJX companies – getting the same response.  Even worse, one of them tried to tell TJX that their wireless networks were accessible from outside the building!  Did they take action?  No.

In the linked news report, Candice writes, “Security experts say it’s the second-largest theft of card accounts in U.S. history, surpassed only by a scam that began in 2005 involving retailer TJX Cos.”  In other words, this is a big one and it will be costly.

The need is there – the problem is getting through to the right people to educate them on the need.  The impact vs. likelihood model I present in the House & the Cloud has been the most effective means of doing this.

© 2014, David Stelzl

Irvine CA. Sunrise

Irvine CA. Sunrise

Irvine CA….

Are Your Secrets Still Secret?

Hackers target startups that secure early-stage funding. Some startups are detecting heightened cyberattacks just after they raise Series A funding.” According to recent reports from the Wall Street Journal.

Business leaders tend to disregard this kind of news because their IT people are telling them, “We’ve got it covered.”  This afternoon I will be speaking to a group of CIOs in Irvine California, hosted by Accuvant and sponsored by McAfee.  This is a message every business leader needs to hear – before it’s too late.

The criminals aren’t sitting around worrying about new technologies that thwart their mischievous deeds.  They’re researching, testing, and collaborating.  The amount of money that goes into R&D on the enemy’s side hasn’t been published like it often is with security technology companies.  For instance, Cisco is proud of the fact that they spend around 300 million on security R&D annually (last I heard).  But innovation is happening on both sides, and the attacker is usually ahead (if not always ahead.)  There is no telling how much effort goes into their side, but based on the attacks we’ve seen, it’s significant, and should be scary.

A New Target: Start Up companies

“In March 2012, when cybersecurity startup Skyhigh Networks received $6.5 million in funding, the company noticed a marked increase in outsiders looking for vulnerabilities in its network.”  Nation State sponsored attacks, as well as competition, may be the instigators here.  Recent Patent Law changes encourage the theft of intellectual property when it deals with innovation.  The person who files first has an advantage over the patent rights…that means that as your clients are inventing, others are watching online to see when a development is ready, but not yet filed in the patent office.  This would be a good time to strike.  Notice that the security risks are suddenly higher at this point.  The measurement of impact goes up, but so does the likelihood of attack (an important model covered in my book, The House & the Cloud).  Understanding this is key to building a solid security architecture – it is also critical for the security provider if you want to better understand the sales cycle and how to justify a change in security spending.

Chinese Government – Are They Really Hacking?

There have been numerous hacker reports about Chinese Government over the past year.  Are they really hacking into US companies?  I have not personally experienced this – however the news is certainly saying, “Yes”.

“The disclosure early this year of a secretive Chinese military unit believed to be behind a series of hacking attacks has failed to halt the cyber intrusions,” according to Reuters’s Deborah Charles and Paul Eckert report.  Wall Street published this earlier in November, pointing to the People’s Liberation Army’s Shanghai-based Unit 61398 – the primary suspect. This sounds pretty specific.  What are they after?

According to the above mentioned article, this effort involves “cyber espionage to steal proprietary economic and trade information,” from the US.  In other words, they are after US innovation – taking what has taken years to develop, with a plan to develop the same innovations without the cost of R&D. Expect these new products to come on the market for much less, competing with the inventor on price.  This is called a copycat product, and often puts the inventor out of business.

If your clients are still thinking they are safe, have avoided attacks, and have it covered when it comes to keeping their innovation secrets under cover, they’re likely out of touch with the real world.  IT has often said, “We have it covered,” only to later find out that hackers have been inside for years.  The FBI says it takes 14 months, on average, to realize you’re under attack, but many companies will never figure it out – soon it will be too late.

© 2013, David Stelzl

 

Cyber criminals are winning!  This should be no surprise, but here it is again in the headlines – straight from the RSA conference…companies are losing the war and admitting it.

  • Huffington Post – Straight from RSA 2012:  “Some 70 percent of employees in one survey cited admitted to subverting corporate rules in order to use social networks or smartphones or get access to other resources, making security that much harder.”
  • RSA was hacked last year shortly after the RSA 2011 conference using a simple “email with a poisoned attachment – which had been opened by an employee.” – this in turn gave hackers, “access to the corporate network and they emerged with information about how RSA calculates the numbers displayed on SecurID tokens, which was in turn used in an attack on Lockheed Martin that the defense contractor said it foiled.”
  • Speakers at RSA called 2011 “the worst year for corporate security in history”  pointing to “the rise of activist hacks by Anonymous, numerous breaches at Sony Corp, and attacks on Nasdaq software used by corporate boards”
  • Most importantly – they all agree, “there is more to come.”

While all of this is bad for anyone running a company that relies on securing information to keep going (and that would be all of us), it also represents a huge opportunity like any major unsolvable problem does.  Just like doctors and pharmaceutical companies working on heart disease, diabetes, cancer, and other major health issues that plague our world, security professionals will profit from this as they rise to the occasion.  I am amazed to see companies missing this opportunity after such a long track record of growth.  It’s not over – not even close.  If you are not in this business, it’s time to join the war against cybercrime.  Your clients need it, and they are willing to pay.

Now, you might think I am wrong on that last comment.  I just got off the phone with a VAR owner yesterday who questioned if his clients are really willing to pay.  It has everything to do with your approach…people don’t see it, so they don’t believe it.

I have a client in the Northwest setting up his first executive-facing marketing event.  After just a few days of advertising we have 18 business owners signed up (all asset owners – qualified buyers, and new prospects)!  We haven’t even made calls yet – this is just the response to the marketing letter we mailed last week!  The point is, we designed our marketing campaign correctly – this is not a product driven event, although it is absolutely sponsored by the product manufacturers.  (That’s right – we did get JMF for this even though everyone keeps saying there is no money available for this type of event).

Working with another client on the east coast yesterday, we just completed our first webinar event. Again, the event was designed from the start to appeal to the asset owner.  We had a strong call to action, and 90% of our attendees signed up to have their security assessed!  This was just a webinar – it cost my client almost nothing to do it, other than time and some upfront education to do it right.  His team attended the Making Money with Security event and applied the principles…not a bad return.

2012 looks like a strong year to me – for those focused on the right technologies.  Join the war – it’s time.

© 2012, David Stelzl