Uncategorized Archive

Cyber attacks like hacking put not only sensitive information but also huge sums of money at risk. Not far from home, the hacking of the Bangladeshi central bank’s account from the Federal Reserve Bank of New York in February led to $81 million in stolen money getting laundered in Philippine casinos after entering the country through the financial system.

Banks are on their toes, and are now working to beef up online security measures to protect themselves and their customers.

“Online security is a continuing effort. Banks constantly exert efforts to update their security software and protocols. On the other hand, cyber-criminals also exert efforts to overcome bank security. So banks redouble efforts in reaction,” East West Banking Corp. president and chief executive Antonio C. Moncupa Jr. said.

“Banks are also careful that they have competent and trustworthy people to man their IT (information technology) systems,” Moncupa added.

In a recent interview, Etay Maor, senior fraud prevention strategist at IBM Security, said security threats in banking could be minimized by a very simple solution—data sharing among peers.

While he noted that banks by nature tend to be protective and secretive with their data and information, Maor said it was only through information exchange that they could better combat cybercriminals together.

He said one of the products of IBM—one of the fastest-growing security companies in the world—allowed thousands of firms to share information and opened up collaboration to shield themselves from attacks.

“For example, if a criminal uses an IP address, users of our product share such information to warn others. We have no other way to beat criminals,” Maor said.

“You don’t have to shoot bombs today. You just have to shut down several banks and their infrastructure, and that’s it. Organized groups have capabilities to do cyber attacks. It has become easy to do phishing attacks … It’s very easy today to be a criminal—you can just go to online forums and ask questions, people will help you,” Maor pointed out.

Maor said cyber attacks on banks had become a global problem, such that billions of dollars were being lost to cybercriminals each year.

In a recent statement, cloud services provider and ePLDT affiliate IP Converge Data Services Inc. (IPC) said the banks’ cyber security measures at present were not enough.

IPC hence urged financial institutions “to safeguard their systems by deploying up-to-date security measures to ensure data and network protection” while also checking on their current data security setup as “even the most secure institutions are not exempt from the alarming increase in crimes perpetrated online.”

“This is a reality that has caused the loss of significant revenue for many businesses. The global recorded cost of cyber attacks is at $400 billion to $500 billion per year—about 50 percent of which is from Distributed Denial of Service (DDoS) attacks,” IPC president Rene Huergas said, citing data from its DDoS mitigation partner Nexusguard.

“Unless executives take stock of this as a serious issue at hand, companies are most likely to lose more,” Huergas warned.

Citing that “some institutions may have inadequate system and network security layers to protect them from cyber attack,” Huergas said not only the financial institution but also the customers faced greater danger.

“As data and network security is a commodity in this day and age, now is the best time to recognize that the threats are real and can make businesses vulnerable and susceptible to attacks, banks and financial institutions being the most inclined to this kind of attack,” Huergas said.

World’s most costly

According to IPC, “while DDoS attacks are considered the world’s most costly cyber crime, cyber attacks that involve malware, phishing, password attacks, MITM (man-in-the-middle), drive-by downloads, malvertising and rogue software are also widespread.”

“In fact, it was found that the Philippines’ vulnerability to cyber crimes has statistically doubled. A large percentage of computers in the country have been invaded by malware, the same intrusive software initially found to have allowed the illegal electronic transfer of funds in the Bangladesh case,” IPC added.

“This condition poses a real and imminent threat as records from the Bangko Sentral ng Pilipinas (BSP) show that around 22 million people use electronic banking services and channels and that the volume and value of e-money transactions keep growing over the years. The figure continues to increase each year as more and more people join the workforce and make use of a bank’s facilities. This translates to the overwhelming amount of data that is at risk,” according to IPC.

“Depending on the needs of the institution, additional security measures have to be in place. It is also as important to regularly review and assess whether these security measures are being implemented and are functioning well,” said Niño Valmonte, IPC director for product management and marketing.

IPC said “businesses that do not have a core competency on data and network security may leave it to experts … to conduct rigid vulnerability assessments to ensure that all bases are covered.”

Even the BSP has long been aware of risks from cyber crime.

At the first Cybersecurity Summit for the Financial Services Industry held last November, BSP Governor Amando M. Tetangco opened the event reminding industry players: “It is a fact: Cyber crimes are being committed and financial institutions and financial consumers are being targeted.”

Citing the transformative power of technology in many aspects of human lives, Tetangco noted that technology had likewise revolutionized banking and the manner it was providing services and products such that financial customers could now perform banking transactions anytime, anywhere at their convenience.

“Based on our records as of December 2014, about 22 million users of electronic banking services and channels were being serviced by more than one hundred banks across the country. Indeed, we have seen the volume and the value of transactions using e-money and e-banking channels grow steadily over the years,” Tetangco said.

The cyber landscape, however, has its downside, and also poses a threat to the financial sector.

“As in other fields, there is a downside that comes with innovations in technology—criminal elements have likewise evolved. While it is far from widespread, cyber crimes exploit advances in technology to expand, conceal and perpetrate their criminal activities from the real world to the cyber realm,” Tetangco noted.

He cited how authorities had arrested foreigners belonging to a cyber syndicate who had been involved in ATM skimming, credit card fraud and phishing.

While Tetangco conceded that cyber attacks and crimes against the financial industry would likely go on, the sector could manage the risks.

In 2013, the BSP issued Circular No. 808 which, Tetangco noted, “provides the framework for technology risk management which takes into account robust and multilayered security controls for cyber-risk prevention, detection and response.”

Under Circular 808, all banks and BSP-supervised institutions have an obligation to report to the BSP any breach in information security, especially incidents involving the use of electronic channels.

“The BSP has also introduced various initiatives and supervisory enhancements for a more proactive approach to cyber security supervision and oversight,” Tetangco added.

Source: http://business.inquirer.net/209848/banks-beef-online-security-measures

But today — a full five days before the ransom demand came due — the company struck back, going public with the demand and promising to withstand any attack criminals attempted. “We apologize for any disruption as a result of these attacks; please know that we will do everything in our power to thwart them,” the company wrote in a blog post today. “But let us reiterate: no matter what happens, we simply will not pay these garden-variety thugs.” (The line was later removed.)

It’s a common scheme for web criminals, who often see small services as more likely to comply with the demands. In recent years, similar attacks have targeted Meetup, Feedly, Fastmail, and even Greek banks, often demanding higher and higher sums the longer sites wait to pay. There are a number of paid and open-source protections against denial-of-service attacks, but unpatched servers and other devices have made it easy for criminals to keep pace, launching ever larger attacks in recent years.

Right now, security professionals are scrambling to fix a security flaw some are calling Shellshock. It’s a major vulnerability related to Bash, a computer program that’s installed on millions of computers around the world. There’s been a lot of confusion in mainstream media accounts about how the bug works, who’s vulnerable, and what users can do about it.

In this explainer, I’ll first give a high-level explanation of who is vulnerable and what they can do about it. Then, for those who are interested, I’ll give a more technical explanation of exactly how the Bash bug works.

Who is vulnerable?

Bash (which we’ll discuss more below) is installed on many computers running operating systems derived from an ancient operating system called Unix. That includes Macs and iOS devices, as well as a lot of web servers running operating systems such as Linux.

Whether these computers are actually vulnerable depends on whether they invoke Bash in an unsafe way. We already know that this is true of many web servers, and it’s believed that other types of network services could also be vulnerable. But it’ll take a while for security experts to audit various pieces of software to check for vulnerabilities.

For the most part, consumer devices such as MacBooks and iPhones don’t seem to be running services that use Bash in an unsafe way. That means they are probably not vulnerable to hacks from across the internet. But we won’t know that for sure until security experts have had time for a careful audit.

Most Microsoft software doesn’t use Bash, so users running Windows PCs, people with Windows phones, as well as websites built using Microsoft software, are probably safe from these attacks. Also, it looks like most Android phones are not vulnerable because they use a Bash alternative.

What should I do to protect myself?

Unfortunately, there isn’t a ton you can do in the short run. Presumably, Apple will release updated versions of their software soon. So keep an eye out for that on your platform’s software update service, and install it as soon as it’s available.

There has also been some speculation that a service called DHCP might be vulnerable, though this is uncertain. This is a service that allows laptops, tablets, and smartphones to automatically configure themselves when they log into a wifi network. A malicious wifi router could use the bug to hack into users’ laptops and mobile devices. So if you’re a Mac or iPhone user, it might be prudent to avoid logging into untrusted wifi networks — for example, at coffee shops — until Apple has released a security update.

But for the most part, the vulnerability affects servers more than users’ own computers. So most of the heavy lifting needs to be done by security professionals, not the rest of us.

What could attackers do with this vulnerability?

The bug can be used to hack into vulnerable servers. Once inside, attackers could deface websites, steal user data, and engage in other forms of mischief.

There’s a good chance that hackers will use the vulnerability to create a worm that automatically spreads from vulnerable machine to vulnerable machine. The result would be a botnet, a network of thousands of compromised machines that operate under the control of a single hacker. These botnets — which are often created in the wake of major vulnerabilities — can be used to send spam, participate in denial-of-service attacks on websites or to steal confidential data.

As I write this, security professionals are racing to update their server software before the bad guys have time to attack it.

How hard will it be to fix the problem?

From a technical perspective, the fix shouldn’t be too difficult. A partial fix has already been made available, and a full fix should be released soon.

The tricky thing will be that, as with the Heartbleed vulnerability earlier this year, Bash is embedded in a huge number of different devices, and it will take a long time to find and fix them all.

For example, many home wifi routers run web servers to enable users to configure them using a web browser. Some of these devices may be vulnerable to a Bash-related attack. And unfortunately, these devices may not have an automatic or straightforward mechanism for upgrading their software. So old IT devices might have lingering vulnerabilities for many years.

OK, let’s get technical. What’s Bash?

Bash stands for Bourne-Again SHell. It’s a computer program that allows users to type commands and executes them. If you’re a Mac OS X user, you can check it out yourself. Go to the Finder, open the Applications folder (from the “Go” menu), then the Utilities folder, and then open “Terminal.” It looks like this:

You can see in the menu bar that it says “bash,” indicating that the program running inside this terminal window is the Bash shell. The Bash shell understands a wide variety of commands. For example, “cd” stands for “change directory,” and tells the Bash shell to navigate to a new folder on your hard drive. Typing “ls” lists the contents of the current directory, while “echo” prints out text to the screen.

Bash has been around since the 1980s, and it has become an industry standard. To this day, it’s one of the most popular ways for systems administrators, computer programmers, and other tech-savvy users to execute complex commands on computers.

Because the Bash shell is entirely text-based, it’s particularly useful for administering a computer remotely. Running a Bash shell on a server halfway across the world feels exactly the same as running the Bash shell on your local computer. IT professionals use remote shells like Bash extensively to configure, diagnose, repair, and upgrade servers without having to physically travel to their location. As a result, Bash is a standard feature on almost all servers that run an operating system not made by Microsoft.

What’s the bug in Bash that people discovered this week?

Bash has a feature where users can set “environment variables” and retrieve them later. It works like this:

That’s a trivial example, but environment variables turn out to be an extremely useful feature when executing complex commands.

So what’s the bug? Here’s a slight variation on the previous example:

The “env” command sets an environment variable (in this case COLOR=red), and then executes a command based on that environment. Here, it’s executing a second Bash shell which in turn echoes the string “My favorite color is $COLOR.” Because the shell was running in an environment where COLOR=red, it prints out “My favorite color is red.”

The exploit works like this:

Notice that the command “echo I hate colors” doesn’t use the $COLOR variable at all. So if Bash were working correctly, the command “echo vulnerable” should be ignored — it’s just random text in a variable that never gets used. So the word “vulnerable” shouldn’t be in the output.

But the malicious string “() { :;}; echo vulnerable” takes advantage of a bug in the way Bash handles environment variables: Bash imports any variable whose value begins with “() {” as a function definition, and the flawed versions went on to run whatever text followed the function body. That tricks it into treating the string “echo vulnerable” as a command rather than just a string of letters. Even worse, it does this automatically, even if it’s evaluating a command (like “echo I hate colors”) that doesn’t use the $COLOR variable at all!

Of course, in a real attack, the bad guys would do something a lot scarier than printing out the word “vulnerable.” They’d use this same mechanism to tell your computer to run spyware, send your private files to a remote server, send out spam, or do other bad stuff.

Wait, doesn’t an attacker need to have physical access to my computer to pull this off? That doesn’t sound very scary.

If Bash were only a mechanism for accepting commands from human users, this wouldn’t be such a big problem. The problem is that Bash has also become a popular way for computer programs to invoke other computer programs.

For example, when you load a website with dynamic content on it, the server handling the request may be using Bash commands to access the information you requested. So while most people never use Bash directly, we’re all using it constantly — indirectly — as we’re browsing the web.

Even worse, when a computer program uses Bash to invoke another computer program, it often uses environment variables to pass along user inputs. For example, when you visit a website, your browser sends the server a variable known as the “User Agent,” which tells the server something about which browser you’re running. (In my case, I’m running Chrome.)

Web servers often set this user-agent string as an environment variable before using Bash to execute code that generates the web page the user asked for. That allows the server to generate a different website for mobile and desktop browsers, for example.

But malicious parties can manually change their user-agent variable to contain, not a textual description of their browser, but a snippet of malicious code. And if they then visit a server that invokes a vulnerable version of Bash, the server will automatically execute this code, allowing the attacker to hack into the server.
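As an added defender-side illustration (not code from the Vox article), the following Python scans web server access-log lines for the “() {” function-definition prefix in the Referer and User-Agent headers, the two client-controlled fields a combined-format log records and a CGI server copies into Bash’s environment. The log lines are constructed samples, and the regexes and function names are my own.

```python
import re
from typing import Dict, List

# Shellshock payloads rely on Bash treating an environment value that starts with
# a function definition, "() {", as code. Allow optional whitespace between the
# parentheses and the brace, since real probes varied the spacing.
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{")

# Apache/nginx "combined" access-log format. Only two request headers are logged
# here (Referer and User-Agent); a CGI server copies both into the environment
# (HTTP_REFERER, HTTP_USER_AGENT), which is the path the article describes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log lines (not real traffic); the first and third carry the
# same harmless test string the article quotes, the second is an ordinary browser.
SAMPLE_LOG = """\
203.0.113.5 - - [25/Sep/2014:10:01:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; echo vulnerable"
198.51.100.7 - - [25/Sep/2014:10:01:05 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64) Chrome/37.0"
203.0.113.9 - - [25/Sep/2014:10:02:11 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 77 "() { :; }; echo probe" "curl/7.37.0"
"""


def is_shellshock_payload(value: str) -> bool:
    """True if a header value looks like a Bash function definition."""
    return SHELLSHOCK_RE.search(value) is not None


def find_shellshock_probes(log_text: str) -> List[Dict[str, str]]:
    """Scan combined-format log lines and report every header carrying a probe.

    Each hit records the client IP, the requested path, which header carried the
    payload, and whether the target looks like a CGI script (the usual victim).
    """
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; a production scanner would count these
        parts = m.group("req").split()
        path = parts[1] if len(parts) >= 2 else m.group("req")
        for header, value in (("User-Agent", m.group("ua")),
                              ("Referer", m.group("referer"))):
            if is_shellshock_payload(value):
                hits.append({
                    "ip": m.group("ip"),
                    "time": m.group("ts"),
                    "path": path,
                    "header": header,
                    "value": value,
                    "cgi_target": "yes" if "/cgi-bin/" in path else "no",
                })
    return hits


if __name__ == "__main__":
    for hit in find_shellshock_probes(SAMPLE_LOG):
        print(f"{hit['time']} {hit['ip']} {hit['path']} "
              f"{hit['header']}: {hit['value']!r} (cgi={hit['cgi_target']})")
```

A hit against a /cgi-bin/ path on a server patched after the disclosure date is the signal worth paging on; any request header the server exports to the environment (Cookie, Host, custom headers) deserves the same check if your log format records it.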

Is anyone actually taking advantage of this bug?

Yes. Malicious software exploiting the vulnerability has already begun to appear online.

Correction: I originally stated that Android is vulnerable to the Bash vulnerability, but most Android phones ship with a competitor that, so far, does not appear to be vulnerable. I’ve updated the article accordingly. Also, I stated that a software patch to Bash would fix the problem, but it has since been discovered that the fix is incomplete.

Source: http://www.vox.com/2014/9/25/6843949/the-bash-bug-explained

For tiny First Landmark Bank in Marietta, Ga., cybersecurity is a priority, even though smaller financial institutions have not yet been prime targets for recent distributed-denial-of-service attacks against banking institutions.

Because the community bank’s leaders fear the institution could eventually be a target for a cyber-attack, they are taking a proactive approach to mitigate potential risks – an approach that others should emulate.

First Landmark Bank, which has only $182 million in assets, is working with its core processor, Fiserv, and third-party service providers, such as CSI, to ensure its online-banking channel is secure. The bank is leaning on numerous vendors because relying on Fiserv alone would not meet its needs, says Leigh Pharr, senior vice president.

More community banking institutions should embrace this approach. Too many of them lean too heavily on their core processors alone for security, technical support and intrusion testing services. Doing so invariably leaves gaps.

Small banking institutions have to depend on third parties to keep them abreast of emerging fraud schemes and attack trends, such as DDoS. Without that open communication, banks like First Landmark would be in the dark.

DDoS: Every Institution’s Worry

Federal banking regulators have warned community institutions they have obligations to take emerging cyber-risks seriously. And the National Credit Union Administration issued its own DDoS warning for credit unions in February.

But many community banks and credit unions don’t know where to start.

First Landmark, however, knew from its founding in 2008 that it had to outsource most of its information technology and security management, says Leigh Pharr, the bank’s senior vice president.

“As we were organizing the group, there were only five of us, and none of us had true IT or technology experience,” she says. “We knew the best thing we could do was go out and hire vendors that are on bleeding edge.”

First Landmark’s management has, from the beginning, understood the need for strong security, Pharr says. And this understanding has helped propel the bank ahead of other similarly-sized institutions in its dedication to security.

“We are very fortunate in that senior management here and our president are very in-tune with DDoS attacks, and we keep all of our employees well-educated on what might happen, what can happen,” Pharr says.

If more community banks had that kind of buy-in from management, then security investment challenges would be less of an issue. But many smaller institutions have their leadership spread too thin to make cybersecurity a priority.

Core Processor’s Role

Fiserv provides First Landmark with bulletins and alerts about emerging risks and DDoS attacks, Pharr acknowledges. “They tell us what to be on the lookout for. They give us the information about the attacks that they identified – and one recently was DDoS.”

But the bank is turning to others for technical support on data security issues.

“While we do rely on our core processor to provide us with all of the technical, online banking products, we are not satisfied that is all we need to ensure we are secure and that our accounts are protected,” Pharr says. “That’s why we have hired other third party providers [such as CSI] to come in and test our systems – try to break us. Because of that, I feel comfortable that our network is secure and monitored.”

Cyber-attacks are not going away. Phishing schemes and DDoS strikes are only going to become more prevalent and complex. And community banks need all of the support they can get, from numerous sources – especially core processors.

As the managers of online-banking platforms for the majority of small and mid-tier banking institutions throughout the U.S., core processors have a responsibility to ensure their institution customers are protected and are investing in up-to-date solutions.

The DDoS attacks that major U.S. banking institutions are now battling are continuing to evolve. Smaller banking institutions should follow First Landmark’s example and take proactive steps today to ensure they are adequately mitigating their DDoS risks.


Source: http://www.bankinfosecurity.com/blogs/small-banks-prepping-for-ddos-attacks-p-1449

The Koobface botnet, known for earning its operators large sums through pay-per-install and pay-per-click schemes, has recently been upgraded with a sophisticated traffic direction system (TDS). The TDS controls all traffic related to affiliated websites, report security researchers at security firm Trend Micro.

The TDS forwards traffic to various other locations and earns the crooks substantial sums for the visits it steers to specific sites.

With Google clamping down on the creation of fake e-mail accounts by spammers, the cybercriminals have turned to Yahoo Mail to create the accounts they need.

As soon as the e-mail accounts have been created, they are used to register numerous further accounts on social networking and blogging sites such as FC2, Tumblr, FriendFeed, Twitter, livedoor, So-net, and Blogger.

Next, a new binary component gathers images of celebrities, cars and anything else likely to attract unsuspecting users.

In the last stage, the botnet generates blog posts: one malware component creates the blog accounts, while others retrieve post content stored on the proxy command-and-control (C&C) server.

These posts are uploaded automatically to the target platforms. They consist of links, images and keywords that raise the pages’ search engine optimization (SEO) ranking, together with obfuscated JavaScript that hides the references to the botnet’s TDS domain.

As a result, the TDS can track visits to each blog post and redirect visitors to the botnet’s affiliated sites. The operators earn money both from the clicks victims make while reading the blog posts and from the traffic the TDS directs to the chosen final landing sites.

To drive still more traffic to the malicious blog posts, the Koobface gang also circulates related keywords across the Web and promotes the posts through various social networking sites, using separate binary components tailored to each site, Trend Micro’s researchers report.