Enterprise Applications - eWeek


Battery 500 Project Charged Up over All-Electric Cars
Charting the Final Frontier--Google Maps for Indoors
Get Smarter Technology on Your Mobile!
  Enterprise Applications


How to Determine Your Organization`s Vulnerability to Crimeware



 By: Markus Jakobsson
2008-04-30
Article Rating:starstarstarstarstar / 6


There are 0 user comments on this Enterprise Applications story.


Rate This Article:
Poor Best
You already know that crimeware is bad, right? Wrong. Crimeware is worse than just bad, it may be worse than you can imagine. And its going to go downhill from there. The story that Markus Jakobsson of the Palo Alto Research Center tells is gloomy indeed. Maybe its even gloomy enough for you to do something about it.

In our recent book, Crimeware: Understanding New Attacks and Defenses, Zulfikar Ramzan and I present a snapshot of the threat that crimeware poses today and a vision of a likely future. While we are both positive and happy people, it is hard to be very optimistic when talking about crimeware. We are, in fact, very concerned.

Short History of Malware

Not long ago, malware was largely a matter of mental exercise for under-stimulated college kids. It has now shed its innocence. These days it is pushed by organized crime, aided by phishing-like deceit tactics and spread via advertisements, social networks and shrink-wrapped electronics. It captures keystrokes of individuals, spies on corporations and politicians and threatens our national security by means of server takeovers, information leakage and a potential deterioration of trust in the infrastructure. We no longer call it malware - that would be to understate the threat it poses. We call it crimeware.

Crimeware: Who Is at Risk?

We are all at risk for crimeware. But is your organization on the frontline? To a large extent, you can find out the answer to that question by scrutinizing your own users.

Resource Library:

First of all, how are machines used? Organizations where users maintain their own computers, or are allowed to use their work computers at home, face higher risks than other organizations. In spite of being careful at work, many users will approach security in a much more relaxed manner when they are at home. They may run socially propagated material such as movies forwarded by friends, and they may access material from infected peer-to-peer sites. Their home access points may be infected and may attempt to affect the connected computers possibly by suppressing updates to the anti-virus system.

When traveling, users may be tempted or tricked into connecting to corrupted access points that steal credentials. Computers that are used both inside and outside the corporate firewall are posing a risk to the internal network. How can you tell what a machine has been exposed to?

How to Recognize Crimeware

Not too long ago, crimeware was a purely technical threat. Nowadays, it is a socio-technical affair. A recent type of crimeware attack starts its lifecycle as an attachment to an e-mail claiming to be from the Better Business Bureau. The e-mail, typically targeted to people dealing with customer feedback, specifies that a complaint has been lodged against the target organization and that a copy of the complaint is attached. The worried recipient opens the attachment maybe even forwards it to legal. The more believable the ruse is, the higher the risk is that the recipient would open the attachment. And, of course, the better targeted the e-mail is, the likelier it is to be believed.

This also goes to show that your exposure to risk depends on what the adversary knows about your organization and its users. An attacker than can spoof an e-mail to appear to come from the manager of the intended victim can take advantage of the hierarchy within the organization. A good example of this would be an e-mail that looks like it is from ones manager and has a subject line of Would you please install and run this application, then tell me if it seems like something we could use? (By the time the recipient responds to his manager, it is too late - the installation has completed and the network has been searched for proprietary files.)

What Does Crimeware Want? 

But crimeware only wants money, right? Wrong. List your valuable resources. Patent information, customer databases, employee information, medical data, next weeks client presentations the list goes on and on. It could be the access rights to other networks. Data of political value. A set of computers that can host phishing pages and send spam. A platform from which criminals can launch an attack without being traced. Anything that has value to anybody can be the target of a crimeware attack.

If we think critically, we realize that almost any resource we can name may be the target of an attack. And remember, it is not only machines that look like computers that can host crimeware. If it has a processor, it is a potential target. MP3 players, consumer access points, phones - how about RFID cards and SIM cards? Yes, them, too.

How Can Crimeware Be Addressed?

What can be done to address this threat? First of all, we have to understand how the threat expresses itself. Then, we have to understand all of the techniques used by the attackers. As new applications and services are introduced, dont think of how they can be used. Think of how they can be abused.

Then turn to the users. What will they do? How can they be tricked? How can you educate and warn them? If you make them too nervous, will the attackers take advantage of their worries and play on their insecurity? Think creatively, and think like the attackers.

In our book, Zulfikar Ramzan and I are sharing our fears in a constructive manner. We are telling the reader how to better understand the threat. Improved security always starts with an understanding of what the vulnerabilities are. We want to promote this understanding among researchers, application developers, system administrators, policy makers, politicians and educators. Crimeware is a problem that affects us all, and all sectors of society will have to join efforts in order to fight it.

 Dr. Markus Jakobsson is a Principal Scientist at Palo Alto Research Center. He is a founder of the security startup RavenWhite, which addresses security problems associated with authentication, malware and click-fraud. He is also one of the founders of SecurityCartoon, an educational approach targeting typical Internet users. 

Previously, he has held positions as Associate Professor at Indiana University, Adjunct Associate Professor at New York University, Principal Research Scientist at RSA Security, and was a member of the Technical Staff at Bell Labs. He is a visiting research fellow of the Anti-Phishing Working Group (APWG), and a consultant to the financial sector.

Dr. Jakobsson teaches on phishing and counter-measures, click-fraud, the human factor in security, cryptography, network security and protocol design. He is an editor of "Phishing and Countermeasures" (Wiley, 2006) and co-author of "Crimeware: Understanding New Attacks and Defenses" (Symantec Press, 2008). He received his PhD in computer science from University of California at San Diego in 1997. He can be reached at markus.jakobsson@parc.com.





  Reader Comments: How to Determine Your Organization`s Vulnerability to Crimeware
>>> Be the FIRST to comment on this article!
 

 
 
>>> More Enterprise Applications Articles          >>> More By Markus Jakobsson
 


x}v89hN;EfّrdK5,ĝ=GK6ErHʗ험?ٗg*BKN&ݶ%, UBP7?Jp4ô c|{֤w>? 1ߙF0B92v;|9|AL=TadF,7|J|O\R_Fܨ`&`1Zm8lRl ۗ#: rWü%~`zN<)Ǣu)p#SP {O|2cַ$>q@ߨV;AùMM}! {:|DJK$!& QbDwг_^/ԡcF4Lߵ#2hj9TE$*cO^3l ְbBP#"Fτ]ͻ`$fPrNWw#205b )vXF2M*5f;ӱc)ux `p*)è67-@GL: fK> Pl:x 3~dnQCYH'l6Xpq?J9bmCϳXc$lǦ"Ouml_j| 5f9 8" z5 wE5b6jۆ@ظ?0$ꎧc"3N9H5#o8 to6 dݺ9Vr jR+j[]δ ηL{qoTyݙB;_HFcKo -';ijQPt;ޠw6$틋7qq p,gYJM~gDrT* P}fӇ, /B.r̀7JQ߹ZVT Z, Ina>E4a™EQ 5dNdؒ-a d>=?wg>ߙekfy3(ժ?TRJg3A~5uWgkew= g>i?vNdO#t>+?_fV'_Z-կ=?߮C"A\tNIN,-{A z훨-4Kۗ9K }1xSyؗ/Rx3oF5 tA%i9" C N~}MJV㭱JG+Ҍj 9BA`¼N49Vϡ8蟙$Wm4@r1XSl؅ RMǯB@N XRU>I"E[fT}O ${3BDȭ`g/3A.r)i  `o8{ØWX*\eS\cͶOCGs>hH2AC66^lzK 4}f>3$a p|gi͇v1 a {>0sN}Sk`I l"]LRmj;>ld$4o)ssLnM9`rנwMXb LTE}vAC ,Zz][ wA,߽9#z[LKx GN w ]x9-R;C/1tK@&X "D% T h4A'EENNmb$w$]KI+\fD8nOu$]8SgڹLX.QY,p[/ ͙JRdIu Q="`&Qea*0pRx5Qn/jc٦By^ y$tp.OYր!=rAWg]6ŝ,|ӆ)t쉧A_zM/X Gx}ljt8d8Ƿ'S7axҜhyA5&3Lar ?nfaAz &2轉l&[:LIPLAuϙ3h jd7`Wr&edң!C?p*JNC_kVzqrjY r>5mVAL  |U=kb$`~f =DyBfOx7;rkkF3UʝW.NrB@-T᧒, H@gmdz7Ҍ[Oq)29sf$9,4tOWݡ~L?ͦzkT݈^u 9r@^֥P M2W}a DA n:\\3,# l,>D4~hNa2*)%Ϳ;nFSsbR6`bVTȅ7Ȕeyt~;,zaTJ6Y`aPe)fHirij1>u>NȃX`iwi[f: ?&نdpܙDhQ+mneDI*fg`m1Jx=e\48L XbOF\F Kzf//,+Y{uMٓ.BlN&d>ۄ!0(|pT30`NLji=l";Osg=)W暽a\(*JL$P/#[յ /Q +gXsMt]Q[ X1L`_mpf^ FR."~~i~R`d[s6/o>:F}~AܕVR5󀻬sglZlrCx8SJr\],* K1kM8vهE>{E; &7a/Sd"X @ 4À>BOJ2b*[ U) jI9/nabIoXL+*9a@pϟ  sFWyUFH~VjLqrE)WKJZ9 _VpTG"MTN_ᬯ=p̻30?GQo>j#zMhe8{]wK\iμ+ ;1E<&{HeX*~g}JZYXIb+ģcYV TEetXܘ 0(E{耰⢉!h;34hý23URZSKu;OP,;Ђ#?iQYf0`%5-**5P6>*0nG,<WK$X]&j}u:â¾_YN+^t m(5#3 #2pgrh)-f5[ g[Eh+,s Jb+ʹV(EcݚUzzujFYd^yę *W)wY|3 RXD4Watx}'QZJ噷`G)&ϛ /jݾȣ*]WToKƗDÜb+>A֌M:+ln?`,vX+a'oQ*\ LУ''~7 Wnbm{2~&:iN0-aZ`' ٸnAjAy̧`[d3ⵚZd|l6Sթ4D6 v V{Rq#Z7pY(*"X@"!f. _5u_&ny*-*JaDG`dW)ЬV#ig=uMDowiŏh(n=CQjQKKud*ŪR.$ ~U;*6X+(#t+^۹qm.E<[ 17ʨTIV+Gs;"ʌg b|s{q>'F{lj+jBgEr`2O[IfYyڤiD@kXJ3dFVTXI0Z<,J$|p`F U2qyh7(jM_L7 x4Hđ ;wk}#Nrb,UJZVJ/{siG\0R+{EO"p?lR)T* rF2R@BRF$d1~N ПBQ`nо(&w,I@ ~5} +f[I)7+uu5]1\$1aJ`'1=yywyңu4*$EF>m48nTMF" z֏5CuWΰ vH!PRj_zVϙC9I.Dz=$*\N3dn,*~ͣۯޚ'q̚_f$ÃC:?> Bp, ,׀zB: .i%D[( 1tJ1(_RJMQ6=#ijVorKl}AN&_(v[JӷoHW蘧KwOtEdW(hLUfsF;HzdNlp j_tESr4/K_"Tcz}DfaP;DZ3pu*hhw<)~[ħ{, /䎉R!GL$0m2겨u]$L<3GN)tJȓ(E=)I28IUF4A2uIH?Md4XPWl Hق '59ܻ8^]۹m|d<Cp0S`0#9+|)}~XUժ۽mH@{q?Kl82U( Xsw{eB sȦw'9$st7&A0ng=w6E{7mhoG(V=~4qj\Ɣ99Xn8: ˳1q1~,?4f?ސ4/>i^~&'m_ |0$?[С[#|$~>x؜_GMyuS棏G ڭ9k3rĸ~win ˘,`4tͥZ<_Gi{iNii[nUzyB J}~l/t>D(yWe[{cWȊ̅S.r!FpZx>2M#owlǵwD ZdO>^j[Cx82/> Ac^ؖrbLd<J;lmVpN Ϧv_ O%FJM-c-ێ!e_Ц õcV: wIH$|+؊woO_Oo+N֊ v™)[ꈧ g/5VS M[k!/1 %CKh3[aG0^ތ="t(ı߂KCƧsӆUe[[hE)(BM e> wEa̒{'x̩ TҜSԵ _.nT!"vx}KM5;ִq. xxs4}xYx_(- xPUih:ۜ ,_#Sߟ,,7f* T@ra7:o/ ;XE(1qw}VMhf0fӨŸLDx,SȒs p?L`y&j9Ys$&YV':~/n!2 +<+fEA JCg:jB}.fex4t9NS^>ȥHvRcXfj9iOzVEciF܋I&*qSJI3d&%%KR$G]q"qG/b D)<0مʇE'ZZH <ךp UGd%9<s2%>OtɔSbI^>`e͢^02=Sk. eB4j91j3^BfqyCXG =1Y WDWP7OJMLbW& ke6BEŴR0%r^ٌ¬]lP1569˃3L/]:wlTR5B(؝hM%! RD{b)/_Xc 7^HJAR+G2x@}:)2>a Y*TRR(@Iioq%M8_GUB<'+)5_߮gf@ϵ@”u>.,]@3fHj3x.|VҐ DjoK(h<'p-'Ή阰xݾwZ>:x(FΨ-06jó, f. *^c/Z/ᰯ=kl.{#(2BUF&L]X\Rs,7eXXDJxaEGx|\}[牴ɰc[նe3 Ci:Ö&Nҕ&':-0rVEgGm×-405[0'TI:X, ]QY9\)K_!4ú#"-LfOAm;زKNv,c׻) CKB HoƖKnC((Bo-}1+wg30(>}?kI@ )9/Bpcۚaaސv֡ pw}~X]rap,F3uFZ+Sr,Cş-oL=rTSsc\,t[" )KЄ_|y 5OG1Hꀙ7<e5sh~_vNokd6.{}m_Ps6` l[VXmEQz򝧹. n~[~{ܹ+^gt^ -gAc ~ P2fph6_fHlHh$8&w{pƊ8g[[S@wM  #%]̓^:=_}t*|MuLUG|O_ּ"x[ qsd˼ tkhO;8i-*b1D+b@/]j 3ݐ}Ly~#0&sMYȝ1iT1PG?A@=<(X67g+h4sO| ZLE3* I31~bþŝԧ+et'ҩa3@a]$,SL'vʲͦ^00}QCpw8`exG5p«Fp>;|:nK] =9baP>ℂF!CƄވUWAz׉ҢLkFww_ 6e!'OH'b )L>xwts_]/KnqDbG1G_I/-Cab+pD #3.=Cװ,$o)NHiY!FrE~9Ѿn#?4;}=hoaCp|D&8 $z`xsMܹXsN >'vQ]Q f6}9i0ssXc+Wj ō6w Cqvt>3\1Zqjld ^-pV#tDZ0u yLlb^Ԑ0<KIB uXRFB(6Up ֊F&7K:{S0#(-ŌCZ(OBOG"3+HcE)' _7)^WeYQH,c[/a+i5$5G&lKL:[)ISp7 m^]]|"g>i~MNNo}elk nW(;sk}:]}:\aqfz0(lB[dL]$]V9lvNYPʹvoQ{ʵ,% EC" /f8lxXDagxD(/pYQJ_MÀ3O!~5Zq-3Y/N|AeItɩcdh7>`/G.M窜4V08 ᧈEtHz\#4[EEF{(Q?g (Ay/9}4h3Ots,>w6wrN+2N~\f rOPisȀ]1>]7]͂fз fЧ f .g7?QF/3?fCyFߡ](f^f%e\]f_e?=/ rqWU}~ 7\C}YпAk(*kh:k Ku1Ay3CΚWpz~;9(/'Rz UK˳gJ3Vڍ^V`{AJ1GF+@AW~bܹ: aq)z^U^xo4viAF۸/6J^c/K^ؤ={O npKxEGMJ 4tk 7b[y@Yp&}:+iDLw<ߔ[nNJ>XE)!w0sXsJ[}霑d&A0% Ӯ@D1K.A0_ Gz‰nQt?|ka[G,[1 =P7.v9)s 9 qL| ~iMnڧM/wpyk;ُ;ءƚ ~3O߆zC&sH" ݟ#ߥ:#*k6WXB-ʊLi_-Ӿ0׀zcm2׃>`YqzPg~o^Lvy1jkb^/Oq29w8y$XO㬰L{1<%3@ Ez:}K=ޔ]2Ҍn;R'9w1*%U-)UTj%w=on|Äq@DP3x׭JA.I0jP+PPफ़h[vLJRj5Csm4< b84dKbL"׏ ѩwF]Re<,0 unQK;Dt8coRkx;R(q X 7X i- RgW1+B\b⛑ɮ-W v;*m {{[d7:lq$7;w9X!DӸ&m 466[v AƊr2t :a~3Σs˩̤~ srA'ӽc* F }]pz5sڱ Eݸ3E>LICœj@@rvsoL]„%kT1"Č~1?\v # }2#woz^Dl,+- )IRq1^RDI]qXVAMjS<" Twǯ#j )2gx5CcS% ?y;.BM"Kod7-YݨmˊLsӃ[G3RVs+K-tfP0;t73*w{ ߠ6|D,kwl5c!0`t9լ`&sˠv3l]@_vDksF)f'NFp)hNüyKׂQ-v7scgk_2ҳe>vį-'yvJ^S O3й?-{,de;;J,{QAbA#q, v7"aa3vY7KVl@swSa Yv9E=bꛆtE]khT[)**3o79/ߙnވ﹨]e PLΰ1igNb :*φŀps{~kC'>f kL~sx:Y:}#s!?"Lnl^^kte(n aaɗXx.av9zbRr癰W`0Mnƀ 92lt* X*1KŬ"D0H'Z:tsh{h۟Z THهl*~&Pd-'S";xڱs^޳h|'/bA-r*r*]ၘ7OI"cXM1}aE|iOSCo gs7*OР~kQWԊZMGv-b$- U.äV(`ᷮ[{-vmJXQ&s)#KM\ Z)Mjs9Q/kE_)|idllU¹Z`'l/Z6exڊ