Spear Phishing Attacks in Malaysia

The integrity of Malaysian commercial and government computer systems continues to be threatened by the growing number of spear phishing attacks mounted by groups based overseas.

Phishing attacks occur where mass emails are sent to many users, enticing them to click on a link or open an attachment that releases a malware payload to infect the smartphone, computer or IT system. Phishing messages often appear to come from a large and well-known company or website with a broad membership base, such as Google or PayPal; the attackers play the numbers game, since the larger the audience, the higher the chance that some recipients will be duped.

Spear Phishing Attacks
In the case of spear phishing attacks, the apparent source of the email is likely to be an individual within the recipient’s own professional or social group – generally someone in a position of authority, or someone the target knows personally. The term ‘spear’ indicates that the target has been selected and their background researched, either to increase the chances of success or because the target is significant.

The main delivery vector for spear phishing attacks over the past few years has been email. In Malaysia, email was the most favoured weapon for a wide range of cyber-attacks in the country. During 2016, authorities found that one out of every 130 emails sent to users in Malaysia contained a malicious link or attachment – a fourfold increase in one year, indicating the growing problem companies face in protecting their systems.

Spear Phishing Attack in Malaysia
An example of a successful spear phishing attack occurred in 2014, when around 30 computers at Malaysian law enforcement agencies investigating the disappearance of Malaysia Airlines flight MH370 were reportedly hacked, with the perpetrators making off with confidential data on the missing aircraft.

Asia News Network reported in 2014 that the computers of ‘high-ranking officials’ in several Malaysian aviation and security agencies were hacked and classified information removed. The point of entry for the compromise was said to be a spear phishing attack carrying a malicious executable file disguised as a PDF. When the attachment was opened, the user’s machine was infected with malware that allowed the hacker to access the PC from outside and send stolen information back to an IP address in China.

The spear phishing email, with the subject line ‘Over the South China Sea’ and dated 09 March 2014 – just one day after the Malaysia Airlines MH370 aircraft went missing – contained ‘sophisticated’ malware disguised as a news article reporting on the missing Boeing 777.

The timing of the email indicates that the malware was prepared before MH370 disappeared and was launched by persons unknown to break into Malaysian government systems and extract information. Some Malaysian government agencies reported that their networks were congested with email flowing out of their servers; the emails contained confidential data from the officials’ computers, including minutes of meetings and classified documents. Given the nature of cyberattacks, it is difficult to be certain exactly who was behind the attack: although the exfiltration IP address was in China, the attackers could be located anywhere in the world.

Spoofed Email Addresses
Another form of spear phishing attack has targets receiving spoofed emails instructing them to reset their Gmail or other online email password, diverting them to a spoofed site where they enter their username and password. This information is captured by the attackers, giving them access to the online email account. This method was used by attackers to access the Gmail account of John Podesta, former chairman of the 2016 Hillary Clinton presidential campaign. The hackers then downloaded emails, attachments, reports etc.; details from Podesta’s emails were later leaked online to damage the Clinton campaign.

As the email attack vector is expected to keep expanding, employees and systems administrators should be aware that caution is needed before opening attachments or clicking on suspicious web links. Effective filtering and a Secure Email Gateway product such as MailMarshal should be implemented as a first step to prevent users receiving infected emails.

Recent industry surveys in Malaysia have indicated that five out of every six large companies have been targeted with spear-phishing attacks. Small businesses also saw an increase in spear phishing attacks, often seeking access to online bank account details.

Current studies in Malaysia and the USA have noted that attackers use stolen email account details from one victim within a company to spear-phish other victims in the same company, often moving on to those with higher administrative permissions and so gaining access to more of the network and its databases.

Ongoing Threat
Spear phishing attacks present a real and current danger to company, organisation and government computer systems – only effective filtering tools, education of users to the threats and continued vigilance can prevent these attacks.

Ransomware attacks surge in Malaysia

Ransomware has become a critical threat for small and medium sized businesses in Malaysia and across South East Asia because of the ease with which Bitcoin allows ransoms to be extracted from victims.

Ransomware is simple but toxic. Malicious software is inadvertently installed on the victim’s computer by way of hoodwinking the victim into clicking on an unsafe link or attachment to an email. Once downloaded, the software then starts to encrypt files on the computer system – ranging from documents through to data sets. Once the software has encrypted enough files, these files are locked to the user and a message is displayed with instructions demanding a ransom be paid to unlock the files. A failure to pay the ransom means the files remain locked and essentially are useless.

Over the past year, Ransomware has emerged as one of the most significant weapons in the hacker arsenal against small and medium sized businesses. Unlike other forms of cyber theft, which often involve stolen credit card numbers or healthcare information, Ransomware acts directly on the victim, holding their system or data hostage until a ransom payment is made.

Recent Ransomware Attacks
The Hollywood Presbyterian Medical Center in Los Angeles paid around $17,000 to unlock files in February 2016, following an attack that paralysed a large part of the hospital’s computer systems. This attack was sophisticated: cybercriminals broke into a hospital server the month before. After two weeks of reconnaissance of the system, the hackers struck on a Friday night, when the hospital’s IT staff were off for the weekend, encrypting data on 800 computers and 130 servers and rendering documents and data unreadable, from patient records through to prescriptions.

In Canada, the University of Calgary paid a demanded $20,000 after a Ransomware cyberattack on its computer systems. The University IT team noticed certain files had become encrypted and managed to quarantine other files and systems from the attack. However, certain valuable files containing research data had already been locked down and so the University opted to pay the ransom to recover the files.

Ransomware Figures
According to Symantec Corporation, Malaysia ranks as 47th globally, and 12th in the Asia Pacific, for Ransomware attacks. In 2015, Malaysians experienced around 5,000 ransomware attacks – or 14 attacks per day.

Recent research conducted by a Cyber Security Research Centre indicated that around half of the victims infected with CryptoLocker agreed to pay the ransom demanded. Though it is understandable that they wanted to retrieve their locked-down data files, the payment of such ransoms spurs other hackers to jump into the activity and create new forms of Ransomware.

Once considered a consumer problem, Ransomware has morphed to target entire networks of computers at hospitals, universities and businesses. That has made it a far more serious and costly threat.

Different Types of Ransomware
CryptoLocker was the first successful Ransomware: usable by hackers of only medium capability, it nonetheless fleeced victims of millions of dollars in 2013 and 2014.

Newer versions of Ransomware include CryZip, Locky, Zepto, Cerber, CryptXXX and UltraCrypter.

Many Ransomware attacks exploit known ‘zero day’ errors in software on computer systems. These holes and vulnerabilities can be found in operating systems or in individual programs, such as web browsers.

Software companies often release updates and patches to close these holes, but the hackers depend on owners not installing the updates – so the Ransomware can squeeze through and infect the system.

Common ways of Ransomware Infection
The traditional and most effective way for a hacker to infect a computer system is by email attachments containing malware. Often these attachments appear to be benign Microsoft Office files such as Word or Excel documents, but they can also be photos or PDFs.

Effective hackers spend time researching their victim so they can send emails from spoofed addresses the victim may trust, or name documents after a project or location the victim is familiar with. The victim is then tricked into opening the document because its name appears genuine or because they trust the sender, not knowing the sending email address has been faked.

Other hackers may try to infect a computer system by way of exploit kits on infected web pages that the victim visits – often pornographic sites or other sites that pop up and attract visitors.

Once the attachment is unzipped and run, or the exploit kit runs, the infection process follows these steps:

1. During the encryption process, the malware generates the public key based on the encrypted private key.
2. The malicious software begins encrypting accessible files [often targeted extensions such as .docx or .xls].
3. Once enough files have been processed, the malicious software locks all encrypted files with a private key.
4. The computer system still works but cannot access these locked files.
5. A ransom note is presented in three formats – text, image and web page – informing the victim of the attack and the need to make a Bitcoin transfer to obtain the encryption key to unlock the targeted files.

Use of Bitcoin
The utilisation of Bitcoin has also fuelled the spread of Ransomware. Bitcoin is now the preferred payment method of most Ransomware infections because it allows users to send and receive money from anywhere in the world, often anonymously.

What Can You Do If You’re Infected by Ransomware?
Unfortunately, there is little you can do to recover your files once your system is infected by a Ransomware attack and the files are encrypted. The best defence is to have a full backup stored on a separate drive so that you can reinstall the data. However, make sure to isolate your backup so that these files cannot also be encrypted and locked down.
1. Isolate the infected machine
It’s important that the system is taken offline, as the hackers essentially control your computer and could use it to gain access to other systems on the network.

2. Weigh up the pros and cons of paying a ransom
As with any form of ransom, you are not guaranteed to obtain cooperation from the hackers – they may demand further payment or else you may be the target of a repeat (and potentially more costly) ransom attack in the future.

Can you be sure that the files will indeed be unlocked? If they are unlocked, can you be sure that the Ransomware hasn’t been pre-programmed to repeat its encryption and demand a higher ransom?

[However, anecdotal information indicates that the hackers want their business model to work and thus do release the data upon payment].

3. Recovery
Run endpoint security software to discover and remove the Ransomware software. If it cannot detect the threat, wipe the machine and remove the operating system.

4. Restore
Review your recent data backups and restore files and operating systems with the most recent back-up.

5. Alert Law Enforcement
In Malaysia the agency is CyberSecurity Malaysia, which can be contacted via its website www.cybersecurity.my

In Singapore the agency is the Cyber Security Agency of Singapore – see https://www.csa.gov.sg/singcert/about-us/faqs for details

Though they probably won’t be able to provide immediate assistance, such attacks need to be reported so that the hackers can be tracked.

Do you need to know more about our services and how Regents can assist you with preventing information loss? Simply go to our Cyber Threats page for our phone numbers or else send an email to contactus@regentsriskadvisory.com with your contact details and we will respond at once.

Mobile Phone Thefts

Ever since mobile phones became an essential tool for businesspeople, their theft and resale has posed a security problem for companies. The latest smart phones are not only costly, they can also contain crucial data relating to the company and the personnel working there.

Other than taking the obvious security steps, such as not leaving a phone on the table or checking pockets for the mobile phone on exiting a taxi [a common way to lose a phone], there are a number of technical actions that can be taken:

1. Ensure that the phone has a security PIN plus a locked SIM
2. Install tracking software that can be activated remotely should the phone go missing
3. Have all data backed up to the cloud
4. Where possible, have critical data encrypted

Once one of your personnel discovers that a mobile phone has been stolen or gone missing, have your IT people start tracking the phone using the installed software. Alert the telecom provider so that the phone can be deactivated and prevented from making costly calls or downloads – often the telecom provider can locate the phone more quickly. If you suspect that the phone has been stolen, make a Police report so that they can identify the thief with the help of the tracking process.

It should be noted that to counter thefts of mobile phones and their reuse / sale, some telecom providers have now created a registry of reported missing or stolen phones via the serial number or IMEI embedded in the phone. Therefore, should a missing or stolen mobile phone be placed on such a register, a telecom provider checking this phone before signing up a new client would flag this problem.

This cooperation between telecom providers in the USA has made it much harder, if not impossible, to reactivate a flagged phone. That’s the good news. Here’s the bad: the database only applies to the USA and other countries are slow on implementing a similar program.

This means that phone owners living outside the USA have little protection when it comes to recovering or cancelling their missing phones. And savvy iPhone thieves have realised that the way around these restrictions is to sell the phones overseas.

There is already a steady trade of second hand mobile phones being traded in when users want a new phone. These old phones may then be reconditioned and shipped overseas where customers will buy them at a discounted price. Some dishonest players use these channels to sell found or stolen phones for instant cash.

Whether the phone was lost by accident or stolen by a thief, the process of resale and use by a third party exposes the data on your missing or stolen mobile phone to being downloaded and used as part of an identity theft attack. A locked and secure mobile phone is essential – make sure you have a six-digit PIN set.

This is a threat that will only increase as we store more and more data on our mobile phones. To give some idea of the scale of the problem today, note that in the USA the loss and theft of mobile phones is estimated to have cost consumers over $30 billion in 2012, while around 110 smartphones are said to be lost or stolen each minute in the USA.

Now, where did I put my phone……..

Do you need to know more about our services and how Regents can assist you with theft or IT security issues? Simply go to our Contact Us page for our phone numbers or else send an email to contactus@regentsriskadvisory.com with your contact details and we will respond at once. Visit our Fraud Investigations webpage for more information.

Theft of military data drive exposes security flaws


Top secret defence documents belonging to the commander of Australian operations in the Middle East stored on a USB drive went missing from the backpack of a military aide travelling on a commercial flight from Dubai to Pakistan.

It is believed the USB drive went missing after the flight arrived in Kuwait for a scheduled stopover. When the flight arrived in Islamabad, the commercial airline disclosed that a number of the checked-in bags had been lost, and it took several days for them all to be located.

The loss of the material was considered a major security incident by defence authorities and highly likely to be the product of a deliberate theft operation by undisclosed foreign agencies. The incident highlights the risks of transporting sensitive information on a USB drive without proper risk assessments or security protocols in place.

Australian Defence has declined to reveal exactly what was on the drive, but it appears that it did contain the emails of Major-General Cantwell and the aide, downloaded from the Defence Secret Computer Network. An intelligence source said the increasing use of powerful electronic storage devices to hold classified material has become a particular concern for governments worldwide.

Though your organisation may not have military secrets stored on devices or laptops, it is fair to say that they do contain information that would be of use to a competitor, and the inadvertent leaking of that information would harm your company. Some of the data may be commercially sensitive, while other data you are obliged to store securely, such as names and addresses of clients, credit card numbers, financial information, medical information etc.

Prevention is far better than cure in this situation; in fact, once the data is loose on the web or being sold to other parties there is no real cure. Loss of client confidence and the crippling costs of remedying the situation, such as offering free credit checks and cancelling accounts, mean that if this situation can be avoided, it should be.

Therefore, it is recommended that a company or organisation take at least the following steps regarding information security for transported data:

  1. Conduct a risk review of what type of company or organisation data is likely to be transported on a drive or laptop
  2. Draw up a security policy determining who should be authorised to transport sensitive data and what precautions must be taken
  3. Identify the individuals [salesmen, executives, managers] who are most likely to be transporting the data – decide whether the benefits outweigh the risks of data loss
  4. Ensure that these individuals have been fully briefed on company security policies, including complex password protection on all devices
  5. Prevent unauthorised personnel from being able to copy or duplicate sensitive data onto drives via IT controls
  6. Consider having all data stored on external drives encrypted using standard software such as TrueCrypt
  7. Consider having all laptops and smart phones link to servers via Citrix or VPN so that minimal data is stored on the device
  8. Create an emergency system to track any stolen or missing devices, with a regular asset review to ensure all data is accounted for
  9. Implement a data clean-up system so that all drives are sterilised when they are no longer needed

Data loss can occur through anything from bad luck to being the victim of a targeted operation by a third party. At best there is severe embarrassment, but the worst case can lead to loss of clients and hefty fines from regulators. Creating a culture of data protection across the organisation can go a long way to preventing such losses.

Do you need to know more about our services and how Regents can assist you with preventing information loss? Simply go to our Cyber Threats page for our phone numbers or else send an email to contactus@regentsriskadvisory.com with your contact details and we will respond at once.


Hacking of White House Gmail accounts

The recent announcement by Google that a number of users’ Gmail accounts have been hacked into has ratcheted up the debate on cyber war between China and the US. The importance of this report lies in the fact that these Gmail accounts were held and used by senior US and South Korean government officials as well as Chinese political activists.

Google claims that it had discovered and alerted hundreds of users who had been duped by a carefully targeted “phishing” scam. The method used – called spear phishing – is not new but can be particularly successful when targeted properly.

A spear phishing attack occurs when a victim receives an email from the familiar address of a close associate or a collaborating organisation or agency. However, the address has been spoofed [falsely generated] and the email actually comes from the hackers. Usually the email has some form of attachment which needs a viewer; when it is clicked on, the user is directed to a fake Gmail login page that harvests the user’s login details.

Once the hackers had the user’s password details, they would log into the Gmail account and create rules to forward all incoming mail to another account without the user’s knowledge. Often the other Gmail account ID is made to closely resemble the victim’s ID so as to reduce suspicion. From then on, the spurious Gmail account is frequently accessed remotely, all incoming emails are downloaded to a central location and the emails are then deleted from the Gmail account.
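As an added illustration (not from the original post), the following Python script reviews a mailbox’s forwarding rules for the look-alike and external destinations described above, which is the check an administrator would run after a suspected credential theft. The owner address, the rules and the homoglyph table are constructed for the example.

```python
from difflib import SequenceMatcher

# Constructed sample (not real data): the mailbox owner and the forwarding
# rules an investigator found configured in the account.
OWNER = "jane.doe@example.com"
FORWARDING_RULES = [
    {"name": "archive",    "to": "jane.doe@example.com"},     # forwards to self
    {"name": "backup",     "to": "jane.d0e@example.com"},     # digit 0 for letter o
    {"name": "all mail",   "to": "jane.doe@examp1e.com"},     # look-alike domain
    {"name": "newsletter", "to": "newsletters@example.com"},  # ordinary internal rule
    {"name": "sync",       "to": "jane.doe.mail@gmail.com"},  # external webmail
]

# Characters commonly swapped for letters to build a look-alike address.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "$": "s", "|": "l"})


def normalise(addr: str) -> str:
    """Lower-case, fold digit/letter substitutions and drop dots in the local part,
    so that 'jane.d0e@examp1e.com' compares equal to 'janedoe@example.com'."""
    local, _, domain = addr.lower().partition("@")
    return local.replace(".", "").translate(HOMOGLYPHS) + "@" + domain.translate(HOMOGLYPHS)


def assess_rule(owner: str, destination: str, threshold: float = 0.85) -> str:
    """Classify one forwarding destination as ok / lookalike / external / internal."""
    owner, destination = owner.lower(), destination.lower()
    if destination == owner:
        return "ok"  # forwarding to the owner's own address
    norm_owner, norm_dest = normalise(owner), normalise(destination)
    # Identical after folding, or nearly identical by similarity ratio, is a look-alike.
    if norm_owner == norm_dest or SequenceMatcher(None, norm_owner, norm_dest).ratio() >= threshold:
        return "lookalike"
    if owner.partition("@")[2] != destination.partition("@")[2]:
        return "external"
    return "internal"


def review_forwarding(owner: str, rules) -> list:
    """Return (rule name, destination, verdict) for every rule; look-alike and
    external forward-all rules are the ones an audit should escalate."""
    return [(r["name"], r["to"], assess_rule(owner, r["to"])) for r in rules]


if __name__ == "__main__":
    for name, dest, verdict in review_forwarding(OWNER, FORWARDING_RULES):
        print(f"{verdict:10} {name:12} -> {dest}")
```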

By this method, the hacker(s) can begin to create a patchwork of communications between various users and organisations. It has been indicated that these hacking attempts originated from Jinan, the capital of Shandong province. While there is no direct evidence that the hackers are located in Jinan or are in the pay of the Chinese government, the dedication of the attacks and their highly targeted nature eliminates direct financial gain as a motive. Technology watchers haven’t ruled out the possibility of the attack being state-sponsored.

However, it should be noted that the main reason the Gmail accounts were selected in the first place is that they were thought to contain useful information related to the users’ work. Though we don’t know the identity of the users, it has been suggested that elements within the White House and Senate were among them, along with South Korean government officials.

It is a fact that many White House officials choose to use external email accounts rather than the government-approved ones for certain emails. The users are aware that government emails are archived and may be the subject of later legal actions or investigations, or be placed in public archives. For this reason, they have chosen to use Gmail addresses for certain subjects or contacts. This happened during the Bush presidency too, so that many subjects are absent from official correspondence.

What does this mean for your business or organisation? We are all prone to hacking attempts, though mainly for commercial gain by scammers seeking bank account numbers, credit cards, passwords etc.

You need to brief email users on the perils of ‘spear phishing’ attacks and the spoofing of addresses. One negligent click on a smart phone could expose company details to the outside world.

And what are your corporate policies on people using Gmail, Yahoo etc. accounts for business or organisation communications? Is this acceptable? What happens when a smart phone is lost or the user leaves the business? Those emails may be lost with no auditable trace of what was agreed with clients, customers etc.

It’s not just the White House that needs to review policy and security – these hackers may be targeting you.

Do you need to know more about our services and how Regents can assist you with computer forensics and data recovery? Simply go to our Contact Us page for our phone numbers or else send an email to contactus@regentsriskadvisory.com with your contact details and we will respond at once.


Securing smartphone data

Recent sales figures indicating that worldwide sales of smartphones will increase by 60% and top half a billion units in 2011 confirm what most people already knew: smartphones are no longer just for top executives or city-hopping businesspeople.

Smartphones – notably the iPhone and those running the Android OS – allow a user to check multiple email accounts, browse the web, track appointments, record video and voice, use the GPS function, do online banking, tinker with a host of free apps and, oh, make phone calls.

This means that smartphones now hold intricate data about the user of the phone: details of their emails, web surfing history, calls made to and from the phone, SMS messages sent and received and where the phone has travelled, just for starters. Much of this information may be personal to the user, but much of it belongs to the company or organisation that owns the phone. If the phone is lost or stolen, this creates a serious security issue should it fall into the wrong hands.

In an effort to reduce the risk to the data of the company or organisation, the IT Department issuing the smart phones should co-operate with senior management and the risk / security officer to address the basics of smart phone security:

  • Anti-virus response – this should be the same as for emails received on a PC: if you don’t recognise the sender, or there is a suspicious attachment, don’t open / download it
  • Bluetooth – this can be an open door with a welcome mat! Disable it unless the user is highly conversant with the password / encryption settings
  • Run frequent asset checks to ensure that all smart phones are being used properly – that they haven’t been passed to a spouse / partner to watch movies on
  • Solicit feedback on security issues from similar sized companies who have already rolled out smartphones
  • Select only a handful of smartphone models so as to avoid excessive support and updating effort for the fleet of phones
  • Prefer smart phones that support key features such as encryption, remote wipe and password locking
  • Develop a written security policy and procedures for smartphones that govern acceptable use, monitoring and the responsibilities of the user (e.g. what to do if a device is lost or stolen)
  • Actively monitor security vulnerabilities in the smartphones and any newly reported attacks on these types of devices
  • Ensure that devices in the field can be updated quickly to fix security issues once discovered

Do you need to know more about our services and how Regents can assist you with preventing information loss? Simply go to our Cyber Threats page for our phone numbers or else send an email to contactus@regentsriskadvisory.com with your contact details and we will respond at once.

Better password protection by ‘Naked Password’

Most people are lazy when it comes to using computers properly. People are even lazier when it comes to selecting a password for accessing their computer or web service. Computer security seems to be a keystroke too far.

The more complex a password – using upper and lower case letters, numbers and symbols – the better: this protects the password against brute force or dictionary attacks by a hacker or unauthorised user. Alas, most people either don’t realise the importance of choosing a complex password or are just not motivated enough to come up with a suitably complex one.

Enter a useful little plug-in called “Naked Password” which could make choosing a password a whole lot more interesting.

“Naked Password” rewards the selection of more secure passwords with images of an attractive, sexy woman named ‘Sally’. As the user types in each irregular character, such as an upper case letter, ‘Sally’ removes one more item of clothing. It will certainly work with some of the people I know working in our office. “Naked Password” is a jQuery plug-in with a racy 8-bit striptease.

Of course, an image of a stripping model may not motivate everyone – women, for example. With some tweaking to offer a different image, such as a handsome male or something like a seal doing tricks, “Naked Password” could become a viable offering for all genders and ages.

“Naked Password” is certainly onto something: if adding some fun by way of a reward image generates some genuine enthusiasm and lessens the chore of entering long and variable passwords, then it should be welcomed.

Do you need to know more about our services and how Regents can assist you with preventing information loss? Simply go to our Cyber Threats page for our phone numbers or else send an email to contactus@regentsriskadvisory.com with your contact details and we will respond at once.

Vodafone Australia hit by privacy breach

Vodafone Australia launched an internal investigation into a security breach that put invoicing and call records on a publicly accessible website protected only by passwords that are changed monthly. Allegedly, anyone with a Vodafone login could view sensitive personal data.

A Vodafone spokesperson claimed that customer details were not available on the internet. “Customer information is stored on Vodafone’s internal systems and accessed through a secure web portal, accessible to authorised employees and dealers via a secure login and password”.

Vodafone also faces the prospect of the privacy concerns being investigated by the Office of the Privacy Commissioner. The Commissioner has the power to conduct an investigation on behalf of affected customers and to direct that compensation be paid to those affected. However, it appears that the Commissioner does not have the power to fine Vodafone directly for a data breach.

The main issue from preliminary reports is that Vodafone allowed details of its customers, including names, addresses, call records and charges, to be accessible via a public website. This data could be accessed with a password. It is unclear whether separate individuals were issued with the same login details and password; if they were, this would make it difficult to trace exactly who accessed which data and whether they had reasonable cause to do so.

A further issue is the extent of the records kept of the activity of those logging in to the system. Without a robust record to audit, Vodafone will be unsure how many records have been accessed without authority, which complicates any possible compensation claims. Vodafone declined to specify what logs are maintained, stating that it did not want to hand out information that could help hackers.

This incident came at a difficult time for Vodafone, as it faces several possible lawsuits relating to alleged quality of service issues for customers in Australia, including outages supposedly resulting from Vodafone’s 3G network upgrade.

System logs & Auditing
Keeping track of what your IT system is actually doing is one of the most important, but tedious, processes of good IT security management. Without sufficient logs of the activity on your system [log-ins, activity, access to files & DBs, downloads, changes of data, emails etc.], an effective and meaningful audit is not possible.

A suitable depth of logs is also a priority: if logs are kept for just four weeks but the suspicious activity occurred two months ago, then again no useful audit can be undertaken. As the cost and physical size of storage media continue to drop dramatically, any security process should include suitable coverage and retention of log activity.

The need for an audit is usually triggered by the following:

  • A reported security lapse from an investigation, physical inspection or alert from a third party, as was the case for Vodafone, which was tipped off by a journalist
  • Activity hits a specified event trigger, such as a spike in failed or successful log-ins for certain usernames, or access to areas not normally permitted for that user
  • A request by the CIO, or an external audit team reviewing the system in line with procedures

Whenever a data breach is alleged or detected, one of the first steps for investigators is to review the logs of access to the system and data. Matching event logs to suspicious log-ins and activity is part and parcel of an audit. Other information, such as physical access records for buildings or particular offices, originating IP addresses and the MAC addresses of machines, may also be cross-referenced as part of the audit to determine the nature and extent of the security breach.

Other important security steps for being able to mount an effective audit include:

  1. Passwords – all passwords should be changed periodically and previous passwords must not be recycled
  2. Usernames – every person should have their own unique username; a shared login makes it impossible to attribute a log entry to an individual. Using letters and numbers, e.g. ANART22 or 25-IPIO, makes guessing a little harder, though a username is not a secret and is no substitute for a strong password
  3. Usernames – they should also avoid being obvious, such as a user’s first or last name or the name of the town or branch, e.g. David or Auburn
  4. Log-in errors – all unsuccessful log-ins should be logged and conveyed to the user and administrator for review, since a run of failures is a sign of attempted hacking
  5. IP address – record the originating IP address for every log-in and plot them geographically [though the true origin may be hidden behind a proxy, VPN or compromised intermediate machine]
  6. Account management – log when user accounts are added, modified or deleted in any way
  7. Object access – log when sensitive files, folders and other system objects are opened, closed or otherwise “touched”
  8. Privilege use – log when users exercise privileges assigned to them beyond regular activity
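As an added example, not taken from the original article or from Vodafone’s systems, the script below runs the checks discussed above over a handful of constructed log lines: whether retention reaches back to the suspected incident, a spike of failed log-ins for one username, one account logging in from several addresses (the shared-login problem), object access outside a user’s normal area, and the per-user trail that matches log-ins to what was touched afterwards. The log format, usernames, paths and access policy are all assumptions made for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (assumed format: timestamp event user source-IP
# result object). Not real data; the addresses are documentation ranges.
SAMPLE_LOG = """\
2011-01-03T09:01:12 LOGIN dealer17 203.0.113.5 OK -
2011-01-03T09:02:40 ACCESS dealer17 203.0.113.5 OK /customers/NSW
2011-01-03T09:15:03 LOGIN dealer17 198.51.100.9 OK -
2011-01-03T09:16:30 ACCESS dealer17 198.51.100.9 OK /customers/VIC
2011-01-03T09:20:11 ACCESS dealer17 198.51.100.9 OK /billing/callrecords
2011-01-03T22:40:01 LOGIN admin 192.0.2.77 FAIL -
2011-01-03T22:40:05 LOGIN admin 192.0.2.77 FAIL -
2011-01-03T22:40:09 LOGIN admin 192.0.2.77 FAIL -
2011-01-03T22:40:14 LOGIN admin 192.0.2.77 FAIL -
2011-01-03T22:40:20 LOGIN admin 192.0.2.77 FAIL -
2011-01-03T22:40:30 LOGIN admin 192.0.2.77 FAIL -
2011-01-04T08:30:00 LOGIN jsmith 203.0.113.5 OK -
2011-01-04T08:31:10 ACCESS jsmith 203.0.113.5 OK /customers/NSW
"""
FMT = "%Y-%m-%dT%H:%M:%S"


def parse_log(text):
    """Turn raw lines into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        ts, event, user, ip, result, obj = parts
        events.append({"ts": datetime.strptime(ts, FMT), "event": event,
                       "user": user, "ip": ip, "result": result, "obj": obj})
    return events


def retention_sufficient(events, incident_ts):
    """Logs only support an audit if they reach back past the suspected
    incident. Returns (oldest entry, True/False)."""
    oldest = min(e["ts"] for e in events)
    return oldest, oldest <= datetime.strptime(incident_ts, FMT)


def failed_login_spikes(events, threshold, window=timedelta(minutes=5)):
    """Usernames with at least `threshold` failed log-ins inside any
    `window`; the value is the largest burst seen."""
    fails = defaultdict(list)
    for e in events:
        if e["event"] == "LOGIN" and e["result"] == "FAIL":
            fails[e["user"]].append(e["ts"])
    flagged = {}
    for user, times in fails.items():
        times.sort()
        for i, start in enumerate(times):
            burst = sum(1 for t in times[i:] if t - start <= window)
            if burst >= threshold:
                flagged[user] = max(flagged.get(user, 0), burst)
    return flagged


def shared_login_indicator(events, max_ips=1):
    """Accounts that logged in successfully from more than `max_ips`
    addresses: a sign the credentials are shared, which defeats
    attributing a log entry to one person."""
    ips = defaultdict(set)
    for e in events:
        if e["event"] == "LOGIN" and e["result"] == "OK":
            ips[e["user"]].add(e["ip"])
    return {u: len(s) for u, s in ips.items() if len(s) > max_ips}


def out_of_scope_access(events, permitted):
    """Successful object accesses outside the areas normally permitted
    for that user. `permitted` maps user -> set of path prefixes."""
    hits = []
    for e in events:
        if e["event"] != "ACCESS" or e["result"] != "OK":
            continue
        allowed = permitted.get(e["user"], set())
        if not any(e["obj"].startswith(p) for p in allowed):
            hits.append((e["ts"].strftime(FMT), e["user"], e["ip"], e["obj"]))
    return hits


def activity_for_user(events, user):
    """Chronological trail for one account: each log-in and what was
    touched from that address afterwards (the matching step)."""
    return [(e["ts"].strftime(FMT), e["event"], e["ip"], e["obj"])
            for e in sorted(events, key=lambda e: e["ts"]) if e["user"] == user]


def run_audit(text=SAMPLE_LOG, incident_ts="2010-12-01T00:00:00"):
    """Run every check over one log and return the findings."""
    events = parse_log(text)
    # Assumed access policy for the constructed accounts.
    permitted = {"dealer17": {"/customers/NSW"}, "jsmith": {"/customers/NSW"}}
    oldest, ok = retention_sufficient(events, incident_ts)
    return {
        "retention_ok": ok,
        "oldest_entry": oldest.strftime(FMT),
        "failed_spikes": failed_login_spikes(events, threshold=5),
        "shared_logins": shared_login_indicator(events),
        "out_of_scope": out_of_scope_access(events, permitted),
    }


if __name__ == "__main__":
    for name, finding in run_audit().items():
        print(name, finding)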

Do you need to know more about our services and how Regents can assist you with preventing information loss and investigating security breaches? Simply go to our Cyber Threats page, or to our Contact Us page for our phone numbers, or send an email to contactus@regentsriskadvisory.com with your contact details and we will respond at once.

When does unauthorised access to email become hacking?

In late December 2010 in the US state of Michigan, a man was charged by police under anti-hacking laws intended to combat the unlawful accessing and copying of data such as intellectual property, personal data or financial information. The man is accused, instead, of logging into his wife’s email account without her permission and reading her emails.

The man, Leon Walker, learned from the emails in his wife’s Gmail account that she was having an affair with her second husband. Walker decided to inform his wife’s first husband [this gets complicated], as there was an issue regarding the son of the first husband and Walker feared for the boy’s safety. When the first husband took action based on these emails, the wife reported Walker to the police and he was arrested.

Walker’s arrest raises considerable questions over evidence obtained in relation to divorce and family court matters. Around half of US divorce cases centre on the disclosure of some form of electronic data such as emails, text messages or social networking posts. If the other side’s legal team can object to this data on the grounds that it was collected in an underhand way, the evidence may be thrown out by the court, and many family court and other civil matters could be unable to proceed.

Walker has claimed that he and his wife shared the computer, that he merely looked at the emails and that he did not need consent. The wife claims that this is not so and that Walker had no right to look at the emails. It will be interesting to see how the court rules and whether any appeal sets a precedent for future cases. Other cases have turned on whether an individual had actual or implied permission to view certain information on a computer, website or mobile phone.

Walker’s legal counsel stated that the prosecutor was taking a law aimed at computer hackers attempting to steal data or compromise systems and applying it to a divorce matter. The main

This case has some similarities to a well-known case involving the unauthorised viewing of emails: that of former Governor of Alaska Sarah Palin’s Yahoo emails in 2008. In April 2010, David C. Kernell was found guilty of obstruction of justice and unauthorised access to a computer. Kernell had broken into Palin’s personal Yahoo email account by resetting its password, which required only guessing the answers to her password-recovery questions from publicly available information. Kernell had no relationship to Palin that could explain any reason to access her emails.

After accessing the Yahoo account, Kernell posted copies of Palin’s emails, the addresses of her contacts and family photos online, from where they were picked up by Wikileaks. As Palin was running for Vice President at the time, this simple breach of security had serious ramifications for her campaign.

The obstruction of justice conviction related to Kernell having deleted evidence from his computer’s hard drive after an investigation commenced into identifying the person responsible for hacking into the Yahoo account.

When conducting an investigation that involves the viewing of electronic files and data, it is imperative that the provenance of the data be established. Does the investigator have the right or permission to copy, recover, analyse or view these files, whether from the owner or via a court order? Legal privilege issues should also be considered, and legal advice should be sought if anything appears uncertain. Failure to follow proper computer forensic procedures could result in the evidence being invalidated and the matter being dismissed by a court.

Do you need to know more about our services and how Regents can assist you with computer forensics? Simply go to our Computer Forensics page for our phone numbers or else send an email to contactus@regentsriskadvisory.com with your contact details and we will respond at once.

Discarding computer hard drives can be dangerous

During a computer upgrade or replacement, many are tempted to toss the old hard drives on the kerbside, sell them on eBay or donate them to a local school or charity group. But if the data on those old drives has not been properly erased before disposal, it would be safer to smash them with a hammer.

If proper steps are not taken to sanitise the data on the hard drives, it could end up in the wrong hands and lead to numerous damaging events including industrial espionage, cyber attack, identity theft, embarrassing leaks of information [think Wikileaks] or contravention of sensitive-data laws such as those covering patient privacy or stock exchange disclosures.

There have been numerous studies by university researchers who buy discarded hard drives online, pick them out of the trash or find them at garage sales and used computer stores. The drives are then examined with computer forensic tools to ascertain what data remains on them: not only files still listed in the file system, but also the contents of ‘deleted’ files, which an ordinary delete or quick format leaves in place on the disk until the space happens to be overwritten.

The results have been startling. Files recovered from the drives have included credit card information, personal medical details, business plans containing trade secrets, personal finance calculations and business emails. One hard drive turned out to have come from a bank ATM and contained details of thousands of banking transactions!

A notable pioneer of this work is Simson Garfinkel, a postdoctoral fellow at the Center for Research on Computation and Society at Harvard University. Garfinkel, a computer forensics expert, has been obtaining old hard drives and examining them for residual information since 1998.

Garfinkel followed up by contacting some of the organisations and asking how their data came to be left on the discarded drives. One organisation revealed that it had upgraded some hundreds of computers and let the old drives go to be sold as spare parts. It had assumed that the contractor would sanitise the data on its behalf.

Another issue has been that employees were not properly trained or directed in data destruction techniques. The employees overseeing the disposal of hard drives therefore had no guidelines on how to act or what steps to take to completely remove the data held on the old drives. Hard drive disposal is just one example of why organisations need to formalise and audit their security controls. Organisations need to understand these issues and track their data flows from beginning to end in order to preserve their security.
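To show concretely why a delete or quick format is not sanitisation, here is an added example (not code from the original article, nor from Garfinkel’s studies) using a toy disk image. The miniature file system, the sample customer file and mail file, and the carving patterns are all constructed for the illustration; the card number is the published 4111 1111 1111 1111 test value, not a real account. The carve step scans the raw sectors while ignoring the directory, which is essentially what a forensic tool does to recover ‘deleted’ content.

```python
import re

SECTOR = 512


class ToyDisk:
    """Constructed stand-in for a file system: a directory of names to
    sector ranges plus the raw sectors. Real file systems differ in
    detail but share the property shown here: delete and quick format
    only touch the directory, never the data blocks."""

    def __init__(self, sectors):
        self.image = bytearray(SECTOR * sectors)
        self.directory = {}       # name -> (first sector, byte length)
        self.next_free = 0

    def write_file(self, name, data):
        start = self.next_free
        self.image[start * SECTOR:start * SECTOR + len(data)] = data
        self.directory[name] = (start, len(data))
        self.next_free += -(-len(data) // SECTOR)   # ceiling division

    def delete_file(self, name):
        del self.directory[name]   # the sectors are left exactly as they were

    def quick_format(self):
        self.directory.clear()     # likewise: metadata only
        self.next_free = 0

    def _used_sectors(self):
        used = set()
        for start, length in self.directory.values():
            used.update(range(start, start + -(-length // SECTOR)))
        return used

    def overwrite_free_space(self, fill=b"\x00"):
        """Sanitisation step: overwrite every sector not owned by a live
        file. With an empty directory this wipes the whole disk."""
        used = self._used_sectors()
        for s in range(len(self.image) // SECTOR):
            if s not in used:
                self.image[s * SECTOR:(s + 1) * SECTOR] = fill * SECTOR


def luhn_ok(digits):
    """Luhn check, used to separate card numbers from random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:
            n = n * 2 - 9 if n * 2 > 9 else n * 2
        total += n
    return total % 10 == 0


CARD_RE = re.compile(rb"(?<!\d)\d{16}(?!\d)")
EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}")


def carve(image):
    """Scan the raw bytes, ignoring the directory entirely, the way a
    forensic tool recovers 'deleted' content."""
    raw = bytes(image)
    cards = {m.decode() for m in CARD_RE.findall(raw) if luhn_ok(m.decode())}
    emails = {m.decode() for m in EMAIL_RE.findall(raw)}
    return {"cards": sorted(cards), "emails": sorted(emails)}


def demo():
    """Walk one disk through delete, overwrite, quick format and full
    wipe, carving after each step."""
    disk = ToyDisk(sectors=64)
    # Constructed contents; 4111111111111111 is a published test number.
    disk.write_file("customers.csv", b"name,card\nJane Citizen,4111111111111111\n")
    disk.write_file("mail.txt", b"From: cfo@example.com\nSubject: acquisition plan\n")
    steps = {"live": carve(disk.image)}
    disk.delete_file("customers.csv")
    steps["after_delete"] = carve(disk.image)            # card still recoverable
    disk.overwrite_free_space()
    steps["after_overwrite_free"] = carve(disk.image)    # card gone, mail kept
    disk.quick_format()
    steps["after_quick_format"] = carve(disk.image)      # mail still carvable
    disk.overwrite_free_space()
    steps["after_full_wipe"] = carve(disk.image)         # nothing left
    return steps


if __name__ == "__main__":
    for step, found in demo().items():
        print(step, found)
```

Two caveats for real media. On a magnetic hard drive, overwriting every sector with a wiping tool is the equivalent of the last step above; on SSDs and other flash media, wear levelling means the operating system cannot reach every physical block, so the drive’s own secure-erase command or physical destruction should be used instead. In either case, the disposal record should note which method was applied to which drive.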

Data protection and security can be enhanced by following these useful tips:

  • Have the IT and security departments formulate a suitable approach to data handling and data destruction, specifying the sanitisation method for each type of media (overwriting, degaussing or physical destruction) and who is responsible for carrying it out
  • Incorporate these steps and approaches in a set of guidelines and instructions for all IT personnel and other employees to adhere to
  • Set up an audit trail tracking all hardware containing data, through to its final disposal, as well as data moving across network boundaries
  • Make general employees and management aware of data protection and the issue of leaks, and apply this to mobile devices including laptops, iPhones and other smart phones
  • Regularly review these guidelines and instructions, along with spot checks to ensure that they are understood and followed

Do you need to know more about our services and how Regents can assist you with preventing information loss and securing your computer network? Simply go to our Computer Forensics page for our phone numbers or else send an email to contactus@regentsriskadvisory.com with your contact details and we will respond at once.