
Friday, 23 October 2015

One of the cybercriminals' "hideouts" - The Dark Web


A tour of the Dark Web: home of the cyber-criminal

Every information security professional who touches healthcare data needs to become intimately familiar with

October 5, 2015
Healthcare IT News
Rick Kam - president and co-founder of ID Experts.


In its 2015 U.S. State of Cybercrime Survey, PricewaterhouseCoopers calls 2015 "a watershed year for cybercrime." This conclusion is echoed in many studies, which have found that cybercrime has now outpaced insider theft, mishandling of records, and other sources of data breach in healthcare. The PwC study showed that hackers, hacktivists, organized crime, and foreign nation-states accounted for 61 percent of data security threats in 2014.

Every information security, risk, privacy, and compliance professional who touches healthcare data needs to become intimately familiar with emerging threats and threat actors. In the first part of this three-part series on cyber-crime, I wrote about how cyber-criminals are monetizing stolen healthcare data. In this article, I'll look at the Dark Web, the information superhighway of illicit commerce.

What is the Dark Web?
Most people navigate the World Wide Web via well-known search engines such as Google or Bing. Underneath the publicly accessible web, however, is the "Deep Web," the part of the web that is not indexed by common search engines. The Deep Web hosts the "Dark Web," a series of networks called "darknets" that overlay the public Internet but require specific software or authorization to access.

Darknets were created to allow users to operate anonymously, so it's no surprise that a lot of the Dark Web is devoted to criminal activities. In fact, the Dark Web hosts a worldwide marketplace of illicit goods and services, most of which are paid for in Bitcoin, the preferred currency of the black market. A recent study by Dr. Gareth Owen, "Tor: Hidden Services and Deanonymisation," found that the most commonly requested content on one of the top darknets, Tor (an acronym for "The Onion Router"), is child pornography, followed by black markets for drugs, stolen information, weapons, counterfeit currency, and more.

A Dark Web lexicon
If you read Deepdotweb, the Dark Web's equivalent of the New York Times and Wall Street Journal rolled into one, you quickly realize that the Dark Web has a language of its own. Here are just a few of the Dark Web practices that could be targeting your business right now:
· Carding schemes are whole programs for monetizing stolen credit card information. Dark Web users can join carding forums where they learn how to steal card numbers and clone cards, how to cash out the card's credit limit, how to sell card numbers, how to get personal information to fully exploit a card, and how to set up as a vendor of stolen card information.
· Doxxing is stealing and publishing private or personal information about someone, usually with malicious intent. The information is often obtained through social media or social engineering, and the tactic is often used by "hacktivists" to shame public figures or companies, although the threat of exposing information can also be used for coercion or extortion.
· Dumping is the practice of posting large sets of private information on the Dark Web. For example, after the recent Office of Personnel Management breach, databases containing personal information and email addresses of thousands of federal employees were dumped. Data dumps may be put up for sale or exposed publicly to embarrass or damage the organization that was breached.
· Exit scams are used by darknet vendors to get out of a black market business, for example, if law enforcement gets too close, while still pocketing money from customers. Sellers simply continue to advertise and accept payment while not delivering product. When the online customer reviews turn negative, the vendor simply posts that he or she has been scamming and has skipped town, so sorry, better luck next time.

Stay informed and see them coming
The first step to defend against all these threats is to know what they are and where they're coming from. For example, social engineering attacks are often the first step in wholesale attacks on an organization's internal systems. By tracking new social engineering scams, your information security/privacy team can warn employees and patients about phishing attacks ahead of time and help keep them from revealing information that could lead to the introduction of malware and massive breaches.

Some good sources are Brian Krebs' excellent column on cyber-security, the Norse Dark Matters newsletter, and DeepDotWeb for the buzz in the cyber-crime community. My next article in this series will be about one of the newest and most surprising cyber-threats against businesses: the methods and motivations behind cyber-espionage and cyber-attacks by nation-states.


Thursday, 22 October 2015

New revelations in the field of cryptography!


How is NSA breaking so much crypto?
There have been rumors for years that the NSA can decrypt a significant fraction of encrypted Internet traffic. In 2012, James Bamford published an article quoting anonymous former NSA officials stating that the agency had achieved a “computing breakthrough” that gave them “the ability to crack current public encryption.” The Snowden documents also hint at some extraordinary capabilities: they show that NSA has built extensive infrastructure to intercept and decrypt VPN traffic and suggest that the agency can decrypt at least some HTTPS and SSH connections on demand.
However, the documents do not explain how these breakthroughs work, and speculation about possible backdoors or broken algorithms has been rampant in the technical community. Yesterday at ACM CCS, one of the leading security research venues, we and twelve coauthors presented a paper that we think solves this technical mystery.
The key is, somewhat ironically, Diffie-Hellman key exchange, an algorithm that we and many others have advocated as a defense against mass surveillance. Diffie-Hellman is a cornerstone of modern cryptography used for VPNs, HTTPS websites, email, and many other protocols. Our paper shows that, through a confluence of number theory and bad implementation choices, many real-world users of Diffie-Hellman are likely vulnerable to state-level attackers.
For the nerds in the audience, here’s what’s wrong: If a client and server are speaking Diffie-Hellman, they first need to agree on a large prime number with a particular form. There seemed to be no reason why everyone couldn’t just use the same prime, and, in fact, many applications tend to use standardized or hard-coded primes. But there was a very important detail that got lost in translation between the mathematicians and the practitioners: an adversary can perform a single enormous computation to “crack” a particular prime, then easily break any individual connection that uses that prime.
How enormous a computation, you ask? Possibly a technical feat on a scale (relative to the state of computing at the time) not seen since the Enigma cryptanalysis during World War II. Even estimating the difficulty is tricky, due to the complexity of the algorithm involved, but our paper gives some conservative estimates. For the most common strength of Diffie-Hellman (1024 bits), it would cost a few hundred million dollars to build a machine, based on special purpose hardware, that would be able to crack one Diffie-Hellman prime every year.
Would this be worth it for an intelligence agency? Since a handful of primes are so widely reused, the payoff, in terms of connections they could decrypt, would be enormous. Breaking a single, common 1024-bit prime would allow NSA to passively decrypt connections to two-thirds of VPNs and a quarter of all SSH servers globally. Breaking a second 1024-bit prime would allow passive eavesdropping on connections to nearly 20% of the top million HTTPS websites. In other words, a one-time investment in massive computation would make it possible to eavesdrop on trillions of encrypted connections.
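The practical defensive consequence of the three paragraphs above is an audit of the Diffie-Hellman groups a deployment actually uses: is the modulus at least 2048 bits, is it one of the standardized primes shared by a large fraction of the Internet (so that a single precomputation against it amortizes over every connection), and is it a safe prime at all. The following is an added example written for this post, not code from the Imperfect Forward Secrecy paper or its authors. The 1024-bit modulus it embeds is the public Oakley Group 2 prime from RFC 2409; the `KNOWN_SHARED_PRIMES` table, the `audit_dh_group` function and its 2048-bit floor are assumptions of the example, and a real audit would extend the table with the other standardized and hard-coded groups it cares about.

```python
"""Audit a finite-field Diffie-Hellman group (p, g) for the weaknesses the
text describes: a small modulus, a widely shared (precomputable) prime, or a
modulus that is not a safe prime. Added example, not from the paper."""
import random

# Oakley Group 2, the 1024-bit MODP prime from RFC 2409. A public,
# standardized constant: this is the kind of "single, common 1024-bit prime"
# the text refers to, shared by most IKE/VPN endpoints.
RFC2409_GROUP2_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF", 16)

# Assumption of this example: the auditor keeps a table of primes known to be
# shared across many deployments. Only the RFC 2409 group is listed here.
KNOWN_SHARED_PRIMES = {RFC2409_GROUP2_P: "RFC 2409 Oakley Group 2 (1024-bit)"}

SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]


def is_probable_prime(n, rounds=16):
    """Miller-Rabin probabilistic primality test (seeded for reproducible audits)."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    # Write n - 1 as d * 2**r with d odd.
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    rng = random.Random(0)
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # a is a witness that n is composite
    return True


def audit_dh_group(p, g, min_bits=2048):
    """Return a list of human-readable findings; an empty list means no issue found."""
    findings = []
    bits = p.bit_length()
    if bits < min_bits:
        findings.append(f"modulus is {bits} bits, below the {min_bits}-bit floor")
    if p in KNOWN_SHARED_PRIMES:
        findings.append(
            f"modulus is the widely shared {KNOWN_SHARED_PRIMES[p]}; "
            "a one-time precomputation against it breaks every connection that uses it")
    if not is_probable_prime(p):
        findings.append("modulus is not prime")
    elif not is_probable_prime((p - 1) // 2):
        # Without a large prime-order subgroup the group is weaker still.
        findings.append("modulus is not a safe prime: q = (p-1)/2 is composite")
    if not 1 < g < p - 1:
        findings.append("generator is out of range (must satisfy 1 < g < p-1)")
    return findings


if __name__ == "__main__":
    for finding in audit_dh_group(RFC2409_GROUP2_P, 2):
        print("FINDING:", finding)
```

Running the block against the RFC 2409 group reports two findings (the 1024-bit size and the shared-prime match) and no primality finding, which is exactly the situation the paper describes: the group is mathematically sound, and the danger comes from its size combined with how widely it is reused. The same function applied to a locally generated 2048-bit safe prime with g = 2 returns an empty list.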
NSA could afford such an investment. The 2013 “black budget” request, leaked as part of the Snowden cache, states that NSA has prioritized “investing in groundbreaking cryptanalytic capabilities to defeat adversarial cryptography and exploit internet traffic.” It shows that the agency’s budget is on the order of $10 billion a year, with over $1 billion dedicated to computer network exploitation, and several subprograms in the hundreds of millions a year.
Based on the evidence we have, we can’t prove for certain that NSA is doing this. However, our proposed Diffie-Hellman break fits the known technical details about their large-scale decryption capabilities better than any competing explanation. For instance, the Snowden documents show that NSA’s VPN decryption infrastructure involves intercepting encrypted connections and passing certain data to supercomputers, which return the key. The design of the system goes to great lengths to collect particular data that would be necessary for an attack on Diffie-Hellman but not for alternative explanations, like a break in AES or other symmetric crypto. While the documents make it clear that NSA uses other attack techniques, like software and hardware “implants,” to break crypto on specific targets, these don’t explain the ability to passively eavesdrop on VPN traffic at a large scale.
Since weak use of Diffie-Hellman is widespread in standards and implementations, it will be many years before the problems go away, even given existing security recommendations and our new findings. In the meantime, other large governments potentially can implement similar attacks, if they haven’t already.
Our findings illuminate the tension between NSA’s two missions, gathering intelligence and defending U.S. computer security. If our hypothesis is correct, the agency has been vigorously exploiting weak Diffie-Hellman, while taking only small steps to help fix the problem. On the defensive side, NSA has recommended that implementors should transition to elliptic curve cryptography, which isn’t known to suffer from this loophole, but such recommendations tend to go unheeded absent explicit justifications or demonstrations. This problem is compounded because the security community is hesitant to take NSA recommendations at face value, following apparent efforts to backdoor cryptographic standards.
This state of affairs puts everyone’s security at risk. Vulnerability on this scale is indiscriminate—it impacts everybody’s security, including American citizens and companies—but we hope that a clearer technical understanding of the cryptanalytic machinery behind government surveillance will be an important step towards better security for everyone.
For more details, see our research paper: Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice. (Update: We just received the Best Paper Award at CCS 2015!)
J. Alex Halderman is an associate professor of Computer Science and Engineering at the University of Michigan and director of Michigan’s Center for Computer Security and Society.
Nadia Heninger is an assistant professor of Computer and Information Science at the University of Pennsylvania.

Wednesday, 21 October 2015

How stolen personal medical data is "cashed in"

How cyber criminals use the Dark Web to monetize stolen healthcare data?

Criminals have become incredibly adept at monetizing stolen identities on a massive scale

September 15, 2015
Healthcare IT News
Rick Kam - president and co-founder of ID Experts.


According to Paul Kocher, one of the leading U.S. cryptography experts, there has been a 10,000-fold increase in the number of new digital security threats in the last twelve years. So it's no real surprise there have been a lot more data breaches in the news lately, particularly in healthcare. In fact, criminal attacks are now the leading cause of healthcare data breaches, according to the Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data by Ponemon Institute.

If you're concerned with data security or privacy these days – and who isn't? – you need to understand the fast-changing world of cyber-crime, cyber-terrorism, and cyber-espionage. In this first article of a three-part series, I'll dig into the motivations and methods of cyber-criminals.

Follow the money
How could there be, as Kocher says, a 10,000-fold increase in threats in twelve short years? The answer is simple: money. Criminals have become incredibly adept at monetizing stolen identities on a massive scale.

Two factors have provided the growing conditions for this problem. First, large-scale cyber-crime is a natural consequence of the massive digitization and integration that has been going on since the 1990s. Simply put, there are massive amounts of information connected to or traveling across the Internet. The second factor is the "Dark Web," the web content that exists on so-called darknets, limited-access sites that overlay the public Internet and are often used for illegal or criminal activity. The Dark Web offers cyber-criminals multiple global marketplaces in which to sell stolen personal information. The abilities to steal and easily sell massive amounts of personal information have transformed the economics of information theft.

Best practices in a bad business
One interesting shift over the last decade is that identity fraud is now a multi-tier business. According to Ken Westin, senior security analyst at Tripwire, many people underestimate the complexity of these transactions. For example, credit card numbers are typically sold in bulk to brokers, who then sell the numbers to individual buyers. Top sellers can even give away personal records as free samples so buyers can see the quality of their wares. This chain of distribution lets cyber-thieves concentrate on stealing information without the effort of exploiting it, and it makes it harder for law enforcement to trace the theft back to the source.

Because stolen information has a "shelf life," just like groceries and other perishable goods, buyers have a limited time to exploit it. At some point, the theft will be discovered, either because the business discovers their systems were compromised or because the victim becomes aware the information is being misused. Unfortunately, it's usually the latter, and the damage is done long before a breach is discovered.

There are a number of different schemes for monetizing it in a timely way. Medical identity fraud either takes the form of fraudulent billing by unethical providers or misuse of another person's medical records to obtain care. This kind of fraud may not be discovered for months or years, making stolen medical identities among the most valuable. Bank fraud is also less time-sensitive. If a buyer can get fairly complete bank information, they can clear out accounts before the account holder realizes it, and bank accounts don't have as strong protection as credit cards.

The black market: Where stolen information is commoditized
Cyber-criminals sell stolen information on black markets either individually or in lots, and the price varies depending on how much value the buyer can get from the information. For example, easily obtainable information such as birthdates will go for a few dollars, since it can't be monetized by itself. More valuable information such as a medical record can sell for $50. Business Insider reports that ready-to-use counterfeit Social Security cards can sell for $250 to $400, and bank account information sells for $1,000 and up, averaging 6 percent of the money in the account.

So how much can cyber-criminals make? In its 2014 report, the Center for Strategic and International Studies estimated that cyber-crime extracts 15 to 20 percent of the $2 to $3 trillion dollars generated annually by the Internet economy. That's between $300 and $600 billion a year. Clearly, cyber-crime is paying off big-time.

A strategic defense
In Nicole Perlroth's New York Times article, Scott Borg, the head of the non-profit United States Cyber Consequences Unit, sums up the state of cyber-security: "People are still dealing with this problem in a technical way, not a strategic way. People are not thinking about who would attack us, what their motives would be, what they would try to do. The focus on the technology is allowing these people to be blindsided." The last few years have certainly proven that cyber-criminals can outrun technology, and it's also not financially feasible to defend your data on all fronts. To mount a strategic defense, you have to understand where the next attacks are likely to be coming from.