Editor's note

Recommendations

Info

SOLUTIONS Why is Cyber Security Important? Cyber Security – Who is Responsible? Martha, the branch manager of a small private bank, while casually checking some bank statements noticed a large number of unusual transactions on a number of savings accounts belonging to pensioners. It appeared as though a number of pensioners had suddenly decided to transfer a portion of their pension money into a couple of accounts belonging to a Mr. A and Mrs. C, who had then withdrawn all the money from various ATMS. One of the pensioners was her own uncle. A puzzled Martha decided to contact her uncle who denied having made any such payments to anyone. Besides, he was not tech savvy to operate a computer and transfer money into other accounts. The bank had recently computerized their systems and implemented a basic version of online banking and had enrolled a number of customers to transact online. But the bank had no qualified IT manager and Martha also doubled up as a tech manager in charge of babysitting the systems. Only Martha had the admin rights to conduct the end to end steps needed to complete the money transfers, and she had definitely not done those transactions. And the time stamps of the transactions were all on weekends and late nights when she and no one else were available in the bank to do any hanky panky. Martha could not decipher what could have gone wrong. Suspecting something bigger she immediately notified the bank head, who then called the police. The police brought their techie who immediately discovered that many accounts have been hacked by someone who had systematically siphoned off thousands of dollars remotely using the loopholes of the basic online system. However, the police could do nothing because the bank’s computer systems were not capable of providing the necessary logs and other details needed to track the thieves. After a brainstorming internal discussion the bank starterkit 02/2011(2) management decided to absorb the losses to avoid bad publicity and media attention. And the thieves who did this act were never caught and were probably enjoying a holiday somewhere. In other words, the bank had been robbed. Until a decade ago if you had to rob a bank it was necessary to indulge in an armed invasion, take hostages, spill blood, use getaway cars, etc., along with all the associated risks of botching up the operation. Or you had to indulge in excellent forgery and duplicate paperwork to siphon off funds. But today it is not necessary for you to even visit a bank to loot it without raising any alarms for weeks. So how is it now easy for criminals to loot a bank? The simple answer is the Internet. Today, many aspects of our life like banking, purchases, communications, etc., and even the militaries depend on the internet and worldwide connectivity. While the internet offers several conveniences, it can also ruin your life in an instant with threats like identity thefts, online scams and other threats. For example, a tech savvy thief can simply sit in his home comfortably and leisurely hack into the bank’s computer system using some nasty software to swindle hundreds of customers of their money. While this is an example of plain theft, the internet can also be used for much bigger crimes. For example, rogue countries can launch a mega cyber attack on another country and cripple its websites, banking systems, communications, Page 40 http://pentestmag.com
etc., and create mayhem. And all of these nefarious activities can be done anonymously sitting anywhere in the world. Worldwide hundreds of companies get hacked into and many do not even realize they have been hacked because they will not have the required expertise to detect it. Sometimes the hacking can be harmless and sometimes it can be deadly and can even ruin an organization. For example, the recent hacking of Sony Play station network caused a great amount of damage and annoyance to millions of users. The breach also led to the theft of the data of more than 70 million users and took Sony several days to restore and fix the system. Sony is not alone. Unknown to most people and business managers there have been scores of computer attacks, network intrusions, or data breaches over the last few years. Every time we make a purchase online, visit a website, carry out an online banking transaction, we are exposing ourselves to risk. Here is a small list of major hackings that happened over the last few years. • Citibank: A Russian computer geek called Vladimir Levin was the first person to hack into a bank to extract money. As early as 1995, he hacked into Citibank and robbed $10 million. Interpol arrested him in the UK in 1995, after he had transferred money to his accounts in the US, Finland, Holland, Germany and Israel. • A US hacker called Timothy Lloyd planted a few lines of malicious code in the computer network of Omega Engineering, which was a prime supplier of components for NASA and the US Navy. The code was actually a logic bomb designed to delete software running Omega’s manufacturing operations. Omega lost $10 million due to the attack. • The Melissa virus was the first of its kind to wreak damage on a global scale. Written by one David Smith, Melissa spread itself to thousands of companies worldwide destroying and destabilizing their computer networks. Damages reported amounted to nearly $400 million. Smith was arrested and sentenced to five years in prison. • Google gmail: Chinese hackers were able to take over hundreds of gmail accounts, including those of some US defence personnel, political activists and many others. • NASA: Many servers in NASA were penetrated by hackers who were able to steal confidential data related to satellites and imagery. And the list can go on and on. Some of the common ways computers can get hacked or disabled will be as follows. starterkit 02/2011(2) Password Stealing A password is just a string of keyboard characters, which a person must remember and type into a computer terminal when required. There are several methods for cracking a password. Specialized password cracking softwares are now available that can crack your password using dictionary attacks, brute force attacks, and hybrid attacks. Trojan Horses A Trojan horse is a malicious software surreptitiously delivered inside a computer. The malicious Trojan horse can be programs that destroy hard drives, corrupt files, record keystrokes, monitor network traffic, track Web usage, allow remote control, transmit data files to others, launch attacks against other targets, and more. All a Trojan horse attack needs to be successful is a single user to execute the program. Once that is accomplished, the malicious software is automatically launched often without any symptoms of unwanted activity. A Trojan horse could be delivered via e-mail as an attachment, or it could be presented on a Web site as a download, etc. In any case, your protection lies in malicious code detection tools, modern anti-virus protection, other forms of malware scanners, and user education. Denial of Service Sometimes a hacker uses a network of computers to sabotage a specific Web site or server. The idea is to make all the computers to contact a specific server or Web site repeatedly. The sudden increase in traffic can cause the site to become very slow or just collapse. Sometimes the traffic is enough to shut the site down completely. This is called Denial of Service (DoS) attack. Exploiting Settings Attacking a target network or computer is easier when that target is using the defaults set by the manufacturer. Many attack tools and scripts assume that the target is configured using the default settings. Hence, one of the effective security precautions is simply to change the defaults. It is your responsibility to know about the defaults of the hardware and software products you use and change those defaults to custom settings. The more you customize your configurations and settings, the more your system will be incompatible with attack tools and exploitation scripts. Defacing Websites A fairly common form of external attack is web site defacing. Your company websites can be defaced Page 41 http://pentestmag.com
Page 3 and 4: EDITOR’S NOTE Starter Kit 02/2011
Page 5 and 6: SOCIAL FRAUD 24 Social Engineering
Page 7 and 8: QRjacking A malicious sticker can b
Page 9 and 10: Figure 4. Botnet operator screen on
Page 11 and 12: Figure 6. Citadel consulting web si
Page 13 and 14: understanding why testing mobile ap
Page 15 and 16: AndroidManifest.xml file. This cent
Page 17 and 18: you need to get stuck in at the tec
Page 19 and 20: password and then end up having to
Page 21 and 22: user has an increased opportunity o
Page 23 and 24: WHAT IS A GOOD FUZZING TOOL? Fuzz t
Page 25 and 26: people into breaking normal securit
Page 27 and 28: that not only are easier, but yield
Page 29 and 30: Preventing deer -in-headlights Get
Page 31 and 32: who are responsible for IT service
Page 33 and 34: analysis that should not be made by
Page 35 and 36: If we have made an in-depth risk an
Page 37 and 38: several security standards in wides
Page 39: Resource • http://www.iso.org/iso
Page 43 and 44: your business managers do not appro

Editor's note

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?