Sunday, April 24, 2016

Week 6: Why cyber-crimes are severely under reported.


I was looking for some light reading last week when I came across an article at CBS.com titled “These Cybercrime Statistics Will Make You Think Twice About Your Password: Where’s the CSI Cyber team when you need them?”.  The author describes cyber-crime statistics that will make the jaw of someone not in the know drop.  Me? I just shake my head and wonder what can be done to avoid becoming a statistic. 

 (The author also provides a link to IBM’s 2015 Cost of Data Breach Study).

As we advance in technology, we also increase the number of vulnerabilities that can be present, simply because every new system or device opens avenues into it that nobody has identified yet, and therefore nobody has tested. This means we can all expect a visit of some kind from Mr. Hacker.... 

“With 1.5 million annual cyber-attacks, online crime is a real threat to anyone on the Internet. That number means there are over 4,000 cyber-attacks every day, 170 attacks every hour, or nearly three attacks every minute” (CBS.com, 2015).

Because cyber-crimes are occurring at such a rapid pace, some of them, if not most, are not even being reported to law enforcement.  Why? Would it do any good? I believe there are many reasons why this occurs, and it depends on the type and severity of the crime that has occurred.  Lesser crimes, such as someone hacking into a personal device, aren’t that big of an issue for law enforcement.  What I mean is this: yes, it is a crime, but it isn’t such a big crime that law enforcement wants to spend many man-hours working to solve it.   They just don’t have the manpower to put towards it. 

“80% or more of cyber-crimes go unreported due to lack of awareness of the crime or the ability to report it, embarrassment on the part of individuals, or fear of consumer backlash on the part of businesses”.


I can see this point: if a bank or healthcare company got hacked, they may not want the bad publicity that comes with the hack.  They may try to keep it under wraps until they can perform as many security checks and audits as they can in order to determine the who, what, where and how much before going public.



One thing is for sure, death is inevitable, those who pay taxes must pay them and you and I will become a victim of online theft in some fashion or another… OK, that’s three things.

Be prepared. Get educated and lock your systems down.

More statistics to digest:

On a slightly smaller scale, cyber-crime reported to the FBI in 2013 totaled losses of over $781 million, with an average loss of nearly $3,000 per complaint. 

That includes:
$81 million taken by romance scammers, who target people on online dating sites, feigning love and then asking for money — averaging more than $12,000 per victim.

$51 million taken by auto scammers, who convince their targets to pay for cars that don't exist — raking in an average of $3,600 per victim.

$18 million in real estate rental scams which, like auto scams, attempt to convince buyers to pay for property that doesn't exist — to the tune of nearly $1,800 per victim.

$6 million taken by FBI scammers, who pretend to be government officials to intimidate and extort money — averaging nearly $700 per victim.
(CBS.com) 

Thursday, April 14, 2016

Week 5. Hey Uncle Sam... Step back a bit.

An issue has arisen that I hope does NOT become a trend.  Eduard Kovacs (Securityweek.com) wrote the following article, “Grey Hat Hackers Helped FBI Hack iPhone”; the title says it all in my opinion.  This is a troubling concept in a lot of ways, in that the Government of the United States is (allegedly) actively soliciting the help of hackers to break into an American company’s product in order to gain access into the device.  Not just one device, but all of them.   “At least one of the people who helped the FBI access the information on the San Bernardino shooter’s phone without triggering Apple’s protections is a grey hat hacker who provided the law enforcement agency a previously undisclosed software vulnerability”, says Kovacs.   I believe we all know the scenario: terrorists attack innocent Americans, Police and FBI find the terrorist’s phone, FBI demands that Apple give them a back door into the product, Apple balks, and a whole host of opinions, both pro and con, start to flow across the news wire.  The FBI said they paid “Researchers” to find the solution for them, but a known hacker is not a researcher.  Sorry, I am running off the rails here.  I understand the national security issues and the ramifications concerning this case, but isn’t there a legal process set up in this country to follow?

It seems that Uncle Sam feels they have a right to this back door and they use scare tactics and bullying under the guise of, “Keeping you safe” in order to justify their actions.  Here Uncle Sam, take a little bit more of my freedom from me so I can feel a little safer.  How about playing by the rules and abiding by the laws you have passed and not pretending that you are only looking out for our best interests.  No Uncle Sammy, you are looking out for your best interests and American industry be damned.



I ranted today because I feel that it is important for all of us who care about National Security, Cyber-Security and personal freedoms to voice our concerns. We should be outraged that our government would demand such access, then pay someone to come up with a solution and NOT give the solution to the company who is in charge of the vulnerability so they can fix it.  Keeping intellectual property secure and out of the hands of someone who will exploit it for gain is a major concern for every company in existence today, or at least it should be.  Apple and thousands of other companies spend millions if not billions of dollars on Research and Development to perfect and supply a product to the masses, and enlist the best and brightest minds to make sure those products meet strict security standards, so to have the government (Our government) knowingly compromise Apple’s intellectual property is mind boggling to me.

The Federal government could have gotten the data they desired, and I even bet that Apple would have supplied it to them if the proper legal channels had been followed.  But the Feds wanted more than the data, they wanted CONTROL!


That is not what our country stands for.




Sunday, April 10, 2016

Week 4. Do security threats change over time?


The answer to the question is yes, threats change constantly.  Every new application, device, OS, etc. will have some sort of vulnerability associated with it, known and unknown, so the sooner you accept this premise the happier you will be.

Vulnerabilities will be present to some degree, whether a security hole that wasn’t tested or even thought about, a back door intentionally built into the device or system, or a security weakness intentionally planted by nefarious actors.   With these holes in security come avenues through which attackers can gain access and compromise your organization. Once inside, the attacker can exploit Elevation of Privilege (EoP) flaws or plant whatever time bombs he or she wants.  These bombs may prove disastrous and may even cripple your network if not addressed. 

Elevation of Privilege (EoP) occurs when an attacker obtains more authority or permissions within a system than they were granted.  An example: an attacker gains access to a device or system with only “Guest” (read-only) access, but by manipulating the system in some manner, he or she is able to “elevate” those permissions to a “Standard” (read and limited write) account or, even worse, an “Administrative” account (full read-write), thus gaining the ability to perform actions that can compromise the software, device or network.  What the attacker is looking for is any way to manipulate the system to gain full access, or just enough to perform nefarious deeds.  Typical avenues are authorization checks that trust something the client controls (a role field in a request, a cookie, a hidden form value) instead of what the server recorded at login.  Check out Testing for Privilege Escalation (OTG-AUTHZ-003) at owasp.org, good data for your security toolkit…
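As an added example (not from the original post or from the OWASP guide), here is the pattern the OTG-AUTHZ-003 test looks for, in a hypothetical miniature web application: one authorization routine trusts a client-supplied “role” parameter, the other only trusts the role the server recorded in its session store at login. The probe replays the same request with tampered role values and reports every action that flips from 403 to 200, which is exactly the vertical escalation from Guest to Standard to Administrative described above. Session identifiers, roles and actions are all constructed for the example.

```python
# Hypothetical mini web app used to demonstrate Elevation of Privilege (EoP).
# Nothing here is from a real framework; names and data are constructed.

ROLE_RANK = {"guest": 0, "standard": 1, "admin": 2}

# Server-side session store: session id -> role assigned at login (constructed).
SESSIONS = {
    "sess-guest-1": "guest",
    "sess-std-7": "standard",
    "sess-admin-3": "admin",
}

# Which role each action requires: read-only, limited write, full control.
ACTION_REQUIRES = {"read": "guest", "write": "standard", "delete_user": "admin"}


def vulnerable_authorize(session_id, params, required):
    """EoP bug: if the request carries a 'role' field, the app trusts it and
    only falls back to the server-side session when the field is absent."""
    role = params.get("role", SESSIONS.get(session_id, "guest"))
    return ROLE_RANK.get(role, 0) >= ROLE_RANK[required]


def hardened_authorize(session_id, params, required):
    """Fixed: the role comes only from the server-side session. Anything the
    client sends about its own role is ignored; unknown sessions get nothing."""
    role = SESSIONS.get(session_id)
    if role is None:
        return False
    return ROLE_RANK[role] >= ROLE_RANK[required]


def handle_request(authorize, session_id, action, params):
    """Dispatch one request and return an HTTP-style status string."""
    required = ACTION_REQUIRES[action]
    return "200 OK" if authorize(session_id, params, required) else "403 Forbidden"


def probe_escalation(authorize, session_id, tampered_roles=("standard", "admin")):
    """OTG-AUTHZ-003 style probe: for every action, record the baseline answer
    for this session, then replay with a manipulated 'role' parameter.
    Returns {action: [roles that turned a 403 into a 200]} for escalations only."""
    findings = {}
    for action in ACTION_REQUIRES:
        baseline = handle_request(authorize, session_id, action, {})
        if baseline == "200 OK":
            continue  # already allowed; nothing to escalate
        escalated = [
            role
            for role in tampered_roles
            if handle_request(authorize, session_id, action, {"role": role}) == "200 OK"
        ]
        if escalated:
            findings[action] = escalated
    return findings


if __name__ == "__main__":
    # A guest session probing both implementations.
    print("vulnerable:", probe_escalation(vulnerable_authorize, "sess-guest-1"))
    print("hardened:  ", probe_escalation(hardened_authorize, "sess-guest-1"))
```

Run against the vulnerable routine the guest session escalates to “write” with either tampered role and to “delete_user” with role=admin; against the hardened routine the probe finds nothing, because the only input that decides the role is the session the server itself created.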

As technology changes, so do the vulnerabilities and threats; some are benign and do not pose a big problem, while others present an enormous risk to the bottom line of any organization.  Devices we use every day that were once thought to be impermeable to threats, or nearly so, have their flaws too.  In an article on Trendmicro.com (March 22, 2016) titled “Researchers Uncover iMessage Encryption Flaw”, it is stated that researchers at Johns Hopkins University have allegedly found a security flaw in Apple’s encryption techniques for iMessage.  “The Baltimore-based institution shared details of a flaw in iOS and OSX in transmitting messages via the instant messaging application, iMessage—one that could allow an attacker to decrypt sent photos, videos, and messages”.  It’s a good read, check it out.

How a business looks at threats will determine how successful it will be in the cyber-security threat landscape we are heading into at full steam.  Gone are the days when you could do just enough to get by, or even worse, nothing at all because the “capital can be used more efficiently elsewhere”. These old-school mindsets must be stopped and these people fully educated about what business (and security) life has evolved into.   


 “Cyber-security threats have become much more organized and industrialized. There’s been an entire ecosystem that’s been established around the industrialization of cyber threats. It’s almost become a service offering and, as the real and perceived value of cyber targets increases, we’re seeing a corresponding increase in the investment being made in new and innovative cyber threats”.  Bill Ross, Director, Cyber Mission Assurance Systems, General Dynamics C4 Systems (2015).

Saturday, April 2, 2016

Week 3 - How do you explain Internet Safety to your 12 year old child? Can you?

Last week I had the opportunity to discuss Internet safety with my daughter… and 97 of her closest friends. I’ll explain… Last term I had an assignment in my White Collar Crime class that discussed Child Internet Safety concerns, you know, the DOs and DON’Ts of using the Internet.  The assignment was to create a PowerPoint presentation about this topic that a child could understand and not fall asleep through.  I finished and submitted the assignment and received a very good grade… I was pleased, so much so that I thought I would actually present it to my daughter’s 7th grade class, that is of course, if they would have me.  To my joy (dismay?) the school agreed, then asked if the 6th and 8th grades and their parents could join too. I smiled, took a big gulp and said, “Absolutely”… My daughter said “I’m going to die, dad!”


I practiced my Preso for a few weeks in front of a mirror, in my car (pretending to talk to someone on a Bluetooth) and finally the day came.  It went great… for me.  My daughter? She is still recovering.  Teachers and parents alike praised the information I discussed, and the kids didn’t seem too glassy-eyed.  Ahhh, sweet success.  

My topics were:
  1. Importance of creating and using strong passwords.  
  2. How to create a strong password.
  3. Wait! Don’t click that link or attachment!
  4. Keeping your reputation intact.  The importance of being a good online citizen.
  5. “The Internet is forever”, what to post and what not to post.
  6. THINK before you post…
  7. Cyber-bullying. How to protect yourself and what you should do if you are a victim.
  8. Pitfalls of an active Social Media life.  (Refer to points 4, 5, 6, 9 and 10).
  9. Friending. NEVER friend anyone you do not know! Period.
  10. Online predators.  The Boogeyman exists.


Talking to kids about this stuff can be painful sometimes, if not a chore.  I hope that my daughter understands how important this info is, she said she does, time will tell….  I hope her schoolmates get it too. 

Now to work on the boy. He’ll be the real challenge, I can feel it.

A synopsis of my presentation material.  Some, not all:

Creating a sound password, two different techniques:

Passphrase initials:
       Create a phrase like "I hope the Giants will win the World Series in 2016". Then take the first letter of each word, keeping the capitals, and add numbers and symbols to create your password.
       The password might result in this: IhtGwwtWS!16.
BTW.. It is an even year… GO Gigantes!!

Combining two words:
       Fish + Shoe = F1$hsH0e - Unique and not a word from the dictionary. 
       Caveat: password crackers know this trick. Swapping 1 for i, $ for s and 0 for o is a standard cracking rule, so two dictionary words glued together are weaker than they look; the passphrase technique holds up better because the initials are not words at all.
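To show the difference between the two techniques, here is an added example (mine, not part of the presentation) that builds a password the passphrase way, then plays the cracker against both results: it undoes the common “leet” substitutions and tries to split the result into two words from a small constructed word list, and it compares the naive length-times-charset strength estimate with the far smaller search space a two-words-plus-substitutions attack actually needs. The word list, the substitution table and the 100,000-word dictionary size are assumptions for illustration.

```python
import math

# Reverse map for common "leet" substitutions (an assumed, not exhaustive, table).
LEET_REVERSE = {"1": "i", "!": "i", "$": "s", "5": "s", "0": "o",
                "3": "e", "4": "a", "@": "a", "7": "t"}

# Constructed mini word list standing in for a cracker's dictionary.
WORDS = {"fish", "shoe", "hope", "giants", "world", "series", "win", "will", "the"}


def initialism(phrase, suffix=""):
    """Technique 1: first letter of each word, case preserved, plus a
    digits/symbols suffix chosen by the user."""
    return "".join(word[0] for word in phrase.split()) + suffix


def de_leet(password):
    """Undo leet substitutions and lower-case, the first thing a rule-based cracker tries."""
    return "".join(LEET_REVERSE.get(c, c) for c in password).lower()


def split_into_words(password, words=WORDS):
    """Technique 2 check: after de-leeting, can the password be split into two
    dictionary words? Returns the pair, or None if no split works."""
    plain = de_leet(password)
    for i in range(1, len(plain)):
        if plain[:i] in words and plain[i:] in words:
            return plain[:i], plain[i:]
    return None


def naive_bits(password):
    """Length x log2(charset) estimate, the figure most strength meters report."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33  # printable ASCII symbols
    return len(password) * math.log2(size)


def structured_bits(password, dictionary_size, words=WORDS):
    """Search space a cracker faces if the password is two dictionary words with
    optional leet substitutions: two word picks plus one yes/no bit per letter
    that has a substitution (case choices ignored). None if not a word pair."""
    pair = split_into_words(password, words)
    if pair is None:
        return None
    substitutable = sum(1 for c in "".join(pair) if c in LEET_REVERSE.values())
    return 2 * math.log2(dictionary_size) + substitutable


if __name__ == "__main__":
    # Author's phrase minus the trailing "in 2016", which the "!16" suffix replaces.
    p1 = initialism("I hope the Giants will win the World Series", "!16")
    p2 = "F1$hsH0e"
    for pw in (p1, p2):
        print(pw, "naive bits:", round(naive_bits(pw), 1),
              "word pair:", split_into_words(pw),
              "structured bits:", structured_bits(pw, 100_000))
```

With a 100,000-word dictionary, F1$hsH0e looks like a 52-bit password to a strength meter but falls inside a search of roughly 38 bits once the cracker treats it as fish + shoe with substitutions; IhtGwwtWS!16 does not reduce to any word pair, so the cracker is back to brute force.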

Useful website

Your reputation is everything!
       Never post anything online that will embarrass yourself or others.  This includes:
       Risky pictures…
       Rude or disparaging words about someone or something.
       Negative content, like off color jokes… Rumors about classmates.
       Never post anything you would never tell someone in person!!
       Rule of thumb: Would your Grandmother approve?

Useful website: 

Cyberbullying.
       Cyberbullying occurs when a child or teen harasses, torments, or humiliates another using an online method.
       Cyberbullying is bullying that takes place using electronic technology such as computers, tablets and cell phones.
       Can harm the reputation of another.
       Is intended to hurt another person.
       It’s used to control someone.

Useful website: 

Online predators… THE BOOGEYMAN EXISTS!!
       Virtual Strangers.  Friending people you DON’T know.
       Assume these people want to do you harm.
       They try to friend you in social media sites like, chat rooms or online gaming sites.
       They will tell you anything you want to hear.
       They are bad people trying to do bad things.
       They pretend to be someone they are not.
       They target teens and young adults.

Useful website: 
FBI - Child Predators