DND Move to Nortel Questioned Again

In 2010, it was announced that the future home of Canada’s Department of National Defence was going to be at the old Nortel Networks complex, in Ottawa.  Many voiced a concern over the cost of renovating the Nortel campus, estimated at over $600 million on top of the $200 million purchase of the land. The security of the campus was also a major concern for the new owners according to recent DND briefing documents. Now the location choice has again come into question over recent findings lurking in the building.
A new report by the Ottawa Citizen reveals that electronic listening devices were found at the former Nortel campus.  This report also disclosed that Defence Minister Peter MacKay was warned that the DND moving into the complex before it could be properly secured created a major problem. Keith Murphy, CEO of Defence Intelligence said “There are more than enough problems with the proposed move already. Drastic budget increases, questionable benefits, unsubstantiated savings forecasts, and now the inherent security of the location itself. This might just be the final nail in the coffin for the proposal.”
Though it is unknown if the devices are still functioning or even transmitting, this could be the problem that the briefing document was referring to. DND spokeswoman Carole Brown said in response to the recent discovery that “The DND/CAF must maintain a safe and secure environment at all of its facilities, in order to maintain Canada’s security posture at home and abroad” but it hasn’t been stated if the persons who discovered the devices were even from the DND. Another unanswered question is whether the devices were intended to spy on DND or were remnants of espionage against Nortel. “While we don’t know with certainty of any active campaign targeting DND” said Murphy, “we do know that the site was compromised for over a decade while Nortel was the primary tenant.”
Hackers allegedly based in China, using malware and stolen credentials, carried on a decade-long campaign of stealing technical papers, R&D reports, employee e-mails, and other sensitive documents from the network company. Some believe that the former Canadian technology giant went bankrupt because of the Chinese hackers. Brian Shields, the former senior systems security adviser at Nortel, stated in an interview with CBC’s As It Happens that spying by hackers “absolutely” was a “considerable factor.” 
What happened to Nortel isn’t an isolated incident in Canada. In January 2011, CBC News ran a story titled “Foreign hackers attack Canadian government.” Computer systems at 3 key departments were penetrated, including access to highly classified information at the Finance Department, Treasury Board, and Defence Research and Development Canada. So why take the chance with moving Canada’s Department of National Defence into a site that has already been compromised?

“DND told CTV News it may abandon the move, and sources said it’s unlikely any other department would take over the former Nortel site because of the security risks.”
The full CTV story with the Keith Murphy interview can be found at www.ctvnews.ca.


Cyber Risk No. 3: Direct Loss From Malicious Acts

In previous posts, we’ve covered how loss or theft of confidential information and loss of reputation can affect the cyber security of a 21st Century business. Today, we turn our attention to direct loss from malicious acts (i.e. hackers, malware).  
So many businesses are open to this risk because they don’t know how to protect their security, leaving them vulnerable to malware threats that can quickly cause advertisers, partners, and customers to abandon ship. 
Perhaps scariest of all is that no business is immune.
Take the recent case of Tor, the encrypted web security browser designed to allow businesses and privacy-concerned users to browse the Internet without fear of reproach.  Tor had given so many people peace of mind until a recent malware attack, which many are attributing to the National Security Agency (NSA), toppled user confidence.
Researchers claim that malware responsible for bringing down Freedom Hosting, the biggest service provider on the anonymous Tor network, was hard-coded to send information to the NSA, reported TechWeek Europe. In one fell swoop, the product became forever in question.
According to Verizon’s 2012 Data Breach Investigations Report, 69% of data breaches in 2012 were attributed to malware infections. 174 million data records were lost in 855 separate incidents. The rate of infection grows each year. McAfee, in The State of Malware 2013, reported that it cataloged 100,000 new malware samples each day.
So what does data theft malware really cost us? Globally, the cost of a data breach averaged $136 per compromised record, up from $130 the previous year (2013 Cost of a Data Breach: Global Analysis, Ponemon Institute and Symantec). With even 120 million data records (69% of the total) from 2012, that’s over $16 billion in loss from malware data breaches.
Here are two things to consider as you attempt to bring security to your business. 

  1. There are many types of malware that can threaten your system’s security, and they’re constantly evolving. You must invest your cyber security dollars with a company that is constantly aware of the changing landscape. Defence Intelligence’s Nemesis 2.0 uses advanced network behaviour analysis in conjunction with real time intelligence to prevent and detect system compromise on your network.
  2. Attacks are inevitable.  Security experts like to say that there are now only two types of companies left in the United States: those that have been hacked and those that don’t know they’ve been hacked.  The news is full of stories of large and small companies that are compromised. Don’t be one of them.

Cyber Risk No. 2: Loss of Reputation

Reputation is a business’s most valuable asset. It is what keeps the customers we have and gives us new opportunities in the marketplace. Any negative event can damage that reputation, putting a business temporarily on the sidelines or even ejecting it from the game.
Since whistleblower Edward Snowden revealed the NSA had overstepped boundaries in collecting metadata on millions of Americans, companies like Microsoft, Google and Facebook have been questioned about their involvement. According to The Guardian (June 2013), the “world’s largest Internet brands claimed to be part of the information-sharing program since its introduction in 2007.” This includes Skype, YouTube, AOL and Apple. It leaves us to question how this information is being used, whether it is for government surveillance or part of their business model, but the exposure of this secret and suggested misuse of data and betrayal of trust may damage the public opinion of these giants.
These mega companies, however, can easily recover from suspicion and character damage. Their brands are a household name and the luxury of being a giant is that you are hard to topple. But what about smaller companies and their ability to recover from an unintentional data breach? Most companies collect information on their customers for no other purpose than to run their business and develop products and services. What happens when that private information involuntarily becomes public as a result of a malicious attack, whether via a former employee or malicious software controlling entities?
InformationWeek stated, while commenting on the Ponemon Institute study on the Cost of a Data Breach, “Customers, it seems, lose faith in organizations that can’t keep data safe, and take their business elsewhere.” Negative press and public mistrust are the natural consequences for loss of data, exposure to data misuse, or poor data security. These consequences are far more detrimental to the little guy. One in five small businesses falls victim to cybercrime each year and 60 percent of them go out of business within six months after the attack (National Cyber Security Alliance).
That’s why protecting your business from cyber risks — especially those placing your customers in jeopardy — will be one of the most important business moves you make.  


Is Anybody Listening? The Struggle for More Security

You might know the immense value of IT security, but you probably know at least a few professionals who don’t. Apparently, communicating the importance of security is a difficult task for many people, so you’re not alone if you find this hard to do. 
It can be tempting for some senior executives to only look at the cost of security programs, while others are ambivalent toward their effectiveness.  But either way, the true value of IT security is not getting across, and that’s a breakdown in communication. In fact, according to Infosecurity Magazine, the authors of a study done by the Ponemon Institute for Tripwire claim, “As business leaders are required to disclose more about their organization’s security risks, those business-oriented security executives with good communication skills will be in even greater demand.”
The study – which involved IT professionals from both the US and Britain – found that approximately half of those surveyed admitted they were ineffective at letting management know about security risks. Many say it’s because the security metrics are too complex for their bosses to understand. The result is that companies are allowing security threats to stick around because management simply doesn’t know about their severity.

But with increasing dependence on technology, security risks are not going away any time soon. In fact, there are more now than ever, which means it is increasingly important for security professionals to properly communicate the risks to senior executives. Getting the point across might require the use of graphs or even the ever-popular infographics, but getting management to comprehend the value of IT security is worth the extra effort.

Cybersecurity as Investment.

Many companies have experienced a threat to their cybersecurity at some point. It’s very likely that your own company has been breached, whether you are aware of it or not. Cybersecurity is an investment in protection for your company network, but it can also be a money-making investment. Money Morning has been explaining to investors why it is among the top investments available these days.
Hackers currently steal about $250 billion annually in intellectual property. Experts have estimated that corporations will spend more than $65 billion in information security by the end of 2013. That amount is set to increase to more than $90 billion by 2017. It’s no wonder that General Keith Alexander, Director of the NSA, has described cyber threats as “the greatest wealth transfer in history.”
According to MSN Money, threats to cybersecurity are not going away in the near future, which is why investing in this industry is a wise idea. One reason these threats will likely remain is an increased number of network vulnerabilities. Other factors that make companies vulnerable to cyber attacks include the increased use of the cloud for storage, the prevalence of mobile apps, and the trend for employees to use smartphones for work. As the stakes get higher and there is more money to be made on each deal, hackers are more willing to customize attacks to their targets, increasing their effectiveness.

According to research firm Gartner, about 80% of the 2,000 biggest companies in the world will soon begin strengthening cybersecurity efforts. Even the U.S. government plans to spend more on security measures. All of this means more money going around in the cybersecurity game and a chance for making two kinds of investments, both of which will serve to secure your future.
Defence Intelligence is a growing information security firm looking for investors to fund new cybersecurity research and launch new security tools and services. Contact us to discuss investment opportunities or for a free trial of our Nemesis or Harbinger services.

Cyber Risk No. 1: Loss Or Theft Of Confidential Information

Cyber risks are a growing concern for every company, no matter the industry. The storage and transfer of data have become necessary parts of doing business, and “putting it out there,” so to speak, increases the chance of a hack-attack. 
File sharing in particular is a major concern for organizations concerned about their sensitive or proprietary data.  With services like Dropbox, Google Drive and Microsoft’s SkyDrive gaining traction daily, IT professionals need an effective way to manage and monitor the flow of their data.  It’s for this reason that both our Harbinger and Nemesis services include a dedicated file sharing category, giving you the ability to control the transfer and integrity of your data.
This month we’ll be looking at three cyber risks most often identified by companies open to disclosure. The first risk is loss or theft of confidential information, which has become even more of a concern for companies and individuals in this post-NSA PRISM world. 
Each year, security threats continue to be more costly and require greater vigilance as evidenced in a recent settlement that cost Sony more than $383,000 in UK-based fines for a 2011 breach of its PlayStation Network. Nintendo also faced similar issues in June of this year with more than 15 million hacking attempts resulting in 24,000 breaches in a single month, according to CBR Online.
The average cost of a breach lasting 3-5 days for a small company is $35,000 – $65,000. For a large company, that number grows to a staggering $400,000 – $840,000. If at first glance those figures seem high, consider the cost of the following: time spent responding to the incident, lost business, lost assets, and reputational damage, and that’s before any compliance issues or fines.
The more your business grows, the more likely it is to attract cyber-attacks. So what can you do to protect yourself?
1. Pinpoint the associated risks for the types of data that are important to your business. 
2. Define your security policy. 
3. Implement.
4. Review and revise.
Final word of warning: don’t think this is one-size-fits-all. Prevention is dependent on your company’s needs, and could involve establishing Internet use protection or safeguards against intrusion or remote access safety measures for backing up and accessing data. 

Know what you need, and make sure you get it.  For more information about our Harbinger and Nemesis services, visit us at defintel.com

Defence Intelligence celebrates 100% client retention rate.

It’s been just over two years since we relaunched Defence Intelligence and I took over as CEO.  In that time, we’ve shifted our focus from discovering and identifying malware in the wild to the prevention and detection of malware for medium sized business to large enterprises.  It’s been challenging in a number of ways.  As with any small business, we’ve seen our share of bumps in the road.  We’ve made mistakes, but we’ve grown and we’ve gotten better.  
In the past two years we’ve seen our core product, Nemesis, go from a great concept to a great solution.  We’ve added all of the great tools and techniques that we had been talking about for so long.  Nemesis has transformed from a product to a true security service.
The best evidence of this I can provide is the fact that every single one of our clients who have joined us in the past two years has chosen to renew their service with us.  While we always knew that we had a great service, it’s reassuring to know that our clients agree with us.  The fact that they continue to see value for their money and continue to rely on us to protect their data and their reputation is heartening.  
Despite all the improvements to our service though, I think the greatest progress we’ve made has been in our focus and dedication to our clients.  Finding new malware and new exploits is fun.  Going after the bad guys is fun.  Getting all kinds of media attention a la Mariposa is fun.  The question we now focus on though, is does it help our clients?
We discover botnets on a regular basis; frankly, there are enough of them out there that you can’t help but trip over them. But now, before we go running down the rabbit hole, we ask ourselves one simple question: “How much does this benefit our clients?”
Research is always going to be a big part of what we do as a security firm. We need to stay on top of what’s happening, and we need to stay a step ahead of both the bad guys and our competitors.  What’s changed for us is that we now focus our research on things that will have the greatest impact on our clients.  
I am truly grateful to all of our clients.  They are why we’re here.  We want to be the best security company in the world.  Not by having the most complex solution available, not by getting our names in the press daily, but by consistently coming through for our clients.  Protecting them, working with them, helping them do their jobs better.  That’s what we continue to focus on.
I couldn’t be more proud of our team for the hard work and dedication they’ve shown over the last couple of years.  I can think of no better acknowledgement than every one of our clients choosing to continue working with us.  I promise that we will do our best to earn their trust every day and to be worthy of the faith they’ve placed in us.
Sincerely,
Keith Murphy
CEO

LinkedIn Spam Leading to Exploits

“Join my network on LinkedIn” This was the subject of recent spam emails we received at the Defintel office, and the same subject we have legitimately seen many times before. However, Hussein Matar (skimpinesstul131@rrtrr.net) and Chip Eubank (lucindad0@novamaterialsllc.com) don’t actually share any connections with us. What they wanted to share was malware.

The messages themselves are formed fairly well and not entirely shady looking if you don’t quickly recall what a true LinkedIn request email looks like. Below is the fake:

Every link from Chip takes me to www.rezagroup.net/templates/beez/wps.php?c002, which then directs to hourlydesk.org/closest/209tuj2dsljdglsgjwrigslgkjskga.php.
The first domain, www.rezagroup.net, appears to be a compromised site with a normally benign intent, just like many of the others used for the initial hosting of the “/templates/beez/wps.php?c002” and “/templates/beez/wps.php?pprec” links used in the spam campaign. Other sites include:
www.mediasoftbd.com
www.polirovka.lv
grhterceirizacoes.com.br
www.debtconnect.com
www.tempus-giessen.de
The second location at hourlydesk.org is hosting Blackhole exploit kits and ZeroAccess malware. This domain is currently pointed to 46.4.150.114, which it shares with autorevertpartitionmanagement.biz, another site with the same exploits and malware. The destination URLs for the exploit part of this campaign vary somewhat but commonly fall under the “closest” location:

/closest/209tuj2dsljdglsgjwrigslgkjskga.php
/closest/df7guhoijewpgkegwegko.php

/closest/98y7y432ufh49gj23sldkkqowpsskfnv.php

Some malicious domains sharing these files:

3isjhieuegnirng.mywww.biz

3rtyjjdxgn.ns02.us
3thtyjtyjcc.ns02.us
209wugoirgor.mymom.info
7whwjvlwd.ikwb.com
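
A defender-side way to hunt for this chain in web proxy logs, as an added example that is not part of the original post: it matches the two URL shapes quoted above and pairs a redirector hit with a landing-page hit from the same client. The log line format, the client addresses, the 30-second window and the 16-character minimum are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Path shapes taken from the URLs quoted in the post.
STAGE1_PATH = "/templates/beez/wps.php"  # redirector dropped on compromised sites
# Assumption: 16+ characters; the three file names quoted in the post are longer.
STAGE2_RE = re.compile(r"^/closest/[a-z0-9]{16,}\.php$")  # exploit landing page
WINDOW = timedelta(seconds=30)  # assumption: the redirect follows within 30 s

# Constructed sample log: "<ISO time> <client ip> <method> <url> <status>".
SAMPLE_LOG = [
    "2013-02-20T14:03:11 10.0.0.23 GET http://www.rezagroup.net/templates/beez/wps.php?c002 302",
    "2013-02-20T14:03:12 10.0.0.23 GET http://hourlydesk.org/closest/209tuj2dsljdglsgjwrigslgkjskga.php 200",
    "2013-02-20T14:05:40 10.0.0.40 GET http://www.linkedin.com/ 200",
    "2013-02-20T14:09:02 10.0.0.51 GET http://www.polirovka.lv/templates/beez/wps.php?pprec 302",
    "truncated line",
]


def classify_url(url):
    """Return 'redirector', 'landing' or None for a requested URL."""
    parts = urlsplit(url)
    if parts.path == STAGE1_PATH and parts.query:
        return "redirector"
    if STAGE2_RE.match(parts.path):
        return "landing"
    return None


def parse_line(line):
    """Split one log line; raises ValueError when the line is malformed."""
    ts, client, _method, url, _status = line.split()
    return datetime.fromisoformat(ts), client, url


def find_chains(lines):
    """Return (chains, clicked_only).

    chains: (client, redirector_host, landing_host) for each redirector hit
    followed by a landing-page hit from the same client within WINDOW.
    clicked_only: (client, redirector_host) where no landing hit followed,
    for example because the second stage was blocked.
    """
    pending = {}  # client -> (time of redirector hit, redirector host)
    chains = []
    for line in lines:
        try:
            ts, client, url = parse_line(line)
        except ValueError:
            continue  # skip lines that do not match the expected format
        kind = classify_url(url)
        host = urlsplit(url).hostname
        if kind == "redirector":
            pending[client] = (ts, host)
        elif kind == "landing" and client in pending:
            seen, first_host = pending[client]
            if ts - seen <= WINDOW:
                chains.append((client, first_host, host))
                del pending[client]
    clicked_only = sorted((c, h) for c, (_, h) in pending.items())
    return chains, clicked_only


if __name__ == "__main__":
    chains, clicked_only = find_chains(SAMPLE_LOG)
    for client, first, second in chains:
        print(f"{client}: {first} -> {second} (reached landing page)")
    for client, first in clicked_only:
        print(f"{client}: {first} (clicked, no landing page seen)")
```

A client in `chains` reached the exploit page and warrants a host investigation; one in `clicked_only` followed the spam link but the second stage was not observed.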
Be wary of odd looking invitations and use your instincts. If it feels strange, then don’t click. Real LinkedIn invites come from (member@linkedin.com) and include personal information. LinkedIn addresses this very thing in their help center:

In our messages to you, we include a security footer message with your name and professional headline to help you distinguish authentic LinkedIn emails from “phishing” email messages. “Phishing” emails often look very similar to legitimate ones, but they likely wouldn’t have this personalized information and may also contain links that direct you to malicious sites instead of LinkedIn.

-Matt Sully
Additional info and sources:
http://blog.dynamoo.com/2013/02/follow-this-link-spam.html
http://malwaremustdie.blogspot.ca/2013/02/blackhole-of-closest-version-with.html
http://urlquery.net/report.php?id=1186819
http://pastebin.com/UPm0s8r0

Google scam – Part 2

Those of us who deal in IT security have the luxury of being able to ignore the typical scam unless it impacts our network, a family member or a close friend. These scams are generally not all that technically interesting and frankly, it’s easy to feel like such scams are beneath us somehow.
Many of us have been using computers since before the rise of the internet, and being computer and internet literate we are more than capable of distinguishing a scam with ease. Unfortunately, there are also many who aren’t.
To a large segment of the population, the internet is just as mystifying as a good magic show. They can see the set pieces and the effects, but can’t quite grasp what goes on in the background. They’re not idiots for being conned; they are victims, victims because they didn’t have the knowledge to see through the scam.
Recently my friend, a fellow entrepreneur who I’ll refer to as Jocelyn, found she faced a high-pressure telemarketing scam based on Google listings.
Having just opened her business last summer, every day she faces a long list of calls to make, bills to pay and appointments to keep, and the last thing she has time for is to know all the details of how Google listings and SEO work.
Here’s a breakdown of how the scam unfolded:
September
  • Business Registry Center (BRC) contacts Jocelyn and she explains she’s not interested.
  • Being telemarketers, they’re very persistent and advance their tactics, detailing how Jocelyn’s business will suffer and close if she doesn’t accept their offer to ensure her business is registered and promoted on Google Local Business listings. BRC keeps calling to pressure her with more stats and ‘facts’ to validate their claims.
October
  • Jocelyn checks out the BRC website at businessregisterycenter.com and is taken in by initial appearances that seem legitimate. The text is well written and they seem to know what they are talking about.
  • Jocelyn decides to accept the offer to receive the BRC information package and take more time to review their offering.
  • Business Registry issues the information package with an invoice.
  • The BRC package arrives. It includes a cardstock folder with Shutterstock images on it, a one-page letter explaining how important Google Local Business Listing is, and the invoice.
  • Jocelyn immediately calls Business Registry Center to ask about the invoice, explaining there must be some misunderstanding as she only requested the information package and did not agree to the services. The agent advises Jocelyn that when she agreed to have the package sent to her, it was her verbal agreement to the service package and that they had the conversation recorded.
November to January
  • For two months Business Call Registry calls non-stop, almost every day and escalating at the end to eight or 10 times a day, often while Jocelyn is with a client. The calls become progressively more aggressive, threatening to send her to a debt collector and destroy her credit rating. Believing the lies, Jocelyn sends in her credit card number with the invoice.
January
  • Jocelyn consults friends and immediately calls her credit card company to cancel the transaction.
February
  • Following up with due diligence, the credit card company contacts BRC about the cancellation of the transaction. BRC does not respond to the inquiry by the credit card company. Jocelyn is completely reimbursed by her credit card company.
  • Jocelyn details the scam to me and I then investigate; you can see the details of my findings in my earlier blog post here.
  • Wanting to protect others, I work with Jocelyn to contact the Montreal Police Department, because the physical location of BRC is in Montreal, Quebec. Montreal police advise that this must be followed up with the Ottawa Police Department.
  • Ottawa Police Department informs us that because the money was reimbursed there is no fraud and no charges can be laid.
  • Concerned that others might fall victim, we contact local news teams and work with the media and social media to make others aware of this scam.

These people are preying on those who lack specialized knowledge, nothing else. They are thieves, and should be dealt with as such.  They may as well have skimmed her debit card or grabbed the cash from her register.

We can’t stop the scammers from ripping people off.  Like cockroaches, they will scurry off and set up elsewhere as soon as they can.  That doesn’t mean that we shouldn’t stop them at every opportunity.

I welcome your thoughts and comments on how we can resolve these annoying scam artists. 


Google Places for Business Scam

Business Registry Center, with a post office box in Montreal, is calling businesses and non-profits offering to list them with Google Local Business Listings, now known as Google Places Business.  For the listing that is free with Google, they are charging $499.  A rip-off perhaps, but maybe not too bad?  It gets worse.

CBC News Story
CBC News Video

www.businessregistrycenter.com
Telephone: +1-888-416-7472

Address:
6228 Saint Jacques, 
Suite 417, 
Montreal, QC H4B 1T6

From the user agreement found on their site:
Although never mentioned in any of the phone calls, the user agreement states that you are signing up for two years of service at the spectacular rate of over $5,500.00.  The user agreement is apparently binding, even if you’ve never been to their site to read it.

You authorize them to charge any card that “they are aware or become aware of”.
In case you don’t follow their terms or even threaten to do so:

So what do you get for your $5,500.00? Well, pretty much what you get for free with Google.

The earliest activity I can find dates back to September of 2012.  Here is one of the dozens of complaints on 800notes.com.  It seems they finally moved from disks to the cloud. http://800notes.com/Phone.aspx/1-888-774-9902

And finally, what I can only assume is a sister site at www.onlineregistrycenter.com.  Different theme, but the content is identical.  
This “office” is located at a UPS store in MN.  

Telephone: +1-888-311-0262
Fax: +1-866-929-0748
Address:
1043 Grand Avenue, 
Suite 145, 
Saint Paul, MN 55105.