Report: Criminals Put a Bull’s-eye on Web Infrastructure

Cybercriminals have begun focusing their malicious endeavors on the sinew of the Internet to reap greater rewards.

For months now, Net bandits have targeted key infrastructure elements — from the domain-naming service to certificate-issuing authorities to hosting services — in order to spread cash-producing malware.

“They’re going after the infrastructure of the Internet,” Dave Jevans, chairman and CTO of Marble Security and a founder of the Anti-Phishing Work Group (APWG), told TechNewsWorld. “It’s serious. It’s insidious. It’s carefully planned.”

By compromising hosting services, which can contain thousands of websites, or email service providers, which send out millions of messages daily, digital desperadoes can vastly multiply their malicious reach. “If I target an ESP, I can now send email from hundreds of companies to millions of users,” Jevans said.

In a report last week, the APWG said that cybercrooks were breaking into hosting providers with unprecedented success and using those services to launch mass phishing attacks.

“This activity is part of a larger trend,” Internet Identity President and CTO Rod Rasmussen said in the APWG report. “We also see criminals hacking into shared hosting and using those servers for other malicious activities, such as launching denial-of-service attacks, infecting the computers of the legitimate website visitors via exploit code, and creating botnets.”

Deep Analysis

Cybercriminals are figuring out the underpinnings of the Internet economy, Jevans said.

“They’re figuring out how email outsourcing works, how DNS works and what subdomain providers do,” he said. “They’re really digging into the deep pebbles of the economy of the Internet. They’re getting very clever in deep analysis of how the Net is really functioning — not just at technical packet level, but more at the level of the business infrastructure.”

The fact that they’re targeting the infrastructure is disturbing, Jevans added. “You could secure the Internet for US$200 billion, but who has $200 billion to do it?”

Poisoning Big Data

Before Big Data was a buzzword, Wall Street knew all about it. Last week, though, traders learned a Big Data lesson.

It began with a common event — a Twitter account was hacked. This time, though, the account belonged to the Associated Press, which happens to be a key input for Wall Street’s Big Data machine.

Before they were stopped, the hackers managed to push out a fake tweet about the White House being bombed and the president injured.

The stock market dropped like a rock — 143 points — because the tweet spurred lots of automated trading fueled by Wall Street’s fondness for Big Data.

The market corrected itself quickly, but the incident raises an unsettling issue about the security of Big Data.

In this case, Wall Street’s data train was derailed by a small piece of poisoned fruit from Twitter. However, the risk is there for any organization with a Big Data deployment.

There’s always a risk that hackers will corrupt a data source with fraudulent data, noted David Wells, a principal consultant with Axis Technology.

“This is already being done with social media sites where hackers are selling things like fraudulent Facebook Likes and tweets,” he told TechNewsWorld.

“Where there is money to be made falsifying Big Data feeds, there will be hackers attempting to do so,” he said.

Cloud Security

Many companies race into the cloud without giving a lot of thought to security there. As with purchasing any service, asking the right questions can go a long way in avoiding unsettling surprises in the future.

When considering the security of a cloud provider, it’s important to consider three elements: people, process and technology.

Since a cloud provider’s people will have substantial control of your data, you need some insight into who those people are and why you should trust them.

Process is connected to access. What does the provider do to control access to your data and to their facilities? In addition, what happens when there’s a breach? Will you be notified immediately?

Cloud provider shoppers typically concentrate on technology. It involves how your data is secured and where it is stored.

For example, a Canadian firm was recently concerned about its data being stored on servers in the U.S., said Ron Arden, vice president at Fasoo USA.

“Providers have redundancies and backups that could be anywhere,” he told TechNewsWorld, “so this company we talked to in Canada was worried about data in the U.S. because it might be subject to the Patriot Act.”

Security standards for cloud providers remain inconsistent, Arden added. “There are emerging standards for everything from security to access control. Some organizations implement them, some don’t, but we’re not in the Wild West or anything like that.”

Breach Diary

  • April 23. Verizon releases annual data breach investigations report. Among its findings were that 19 percent of data breach attacks on the 19 global companies included in the report were connected to state-sponsored organizations.
  • April 23. Experian Data Breach Resolution and the Ponemon Institute release survey where 76 percent of privacy professionals said they have had or expect to have a data breach that will cost them customers, and 66 percent of them said they have suffered or will suffer serious financial consequences due to a data breach.
  • April 23. Hamburg, Germany, privacy regulator fines Google $189,700 for violating privacy of its citizens with its Street View service.
  • April 25. Based on information obtained through a Freedom of Information request, The Register reports that from 2011-2013 more than $4 million in data breach fines were collected by the UK’s Information Commissioner’s Office.

Upcoming Security Events

  • April 30. How to Ensure Your Workforce Is Secure When It Is On-The-Go. 7:15 a.m.-3:45 p.m. Washington D.C. Convention Center, 801 Mount Vernon Place NW Washington, D.C. Spring Town Hall Meeting of Mobile Work Exchange. Government: free. Non-government: $495, April 29; $595, April 30.
  • May 1. Current State of Cyber Crime. 3 p.m. ET. Webinar sponsored by RSA. Free with registration.
  • May 8. Securing the Mobile Workforce from BYOD to Teleworking. 1 p.m. ET Government Security News Webinar. Free.
  • May 15-16. NFC Solutions Summit. Hyatt Regency San Francisco Airport. Registration $760-$1020.
  • May 19-22. 13th annual Computer and Enterprise Investigations Conference (CEIC). Orlando, Fla. Registration: $1095 (up to April 30).
  • June 11. Cyber Security Brainstorm. 8 a.m.-2:30 p.m. ET. Newseum, Washington, D.C. Registration for Non-government attendees: Before Jun. 10, $495; Onsite, $595.
  • June 14-22. SANSfire 2013. Washington Hilton, 1919 Connecticut Ave. NW, Washington, D.C. Course tracks range from $1800-$4845.
  • July 24. Cyber Security Brainstorm. 8 a.m.-2:30 p.m. Newseum, Washington, D.C. Registration: government, free; non-government, $395 before July 23; $595 July 24.

John Mello is a freelance technology writer and former special correspondent for Government Security News.
