News

More than 30 IDM realisations in Czech Republic and abroad

AMI Praha Security news 27/8/2018
Security news 27/8/2018

Security news 27/8/2018

I attended another one of the consultations based on the idea of cyber attackers created on the basis of Hollywood movies with young geniuses in hoodies tapping away at a keyboard in the corner of a mad room to “hack” into a carefully selected target with the intention of stealing a few billion or starting a world war. Unfortunately, getting an idea of computer security from these scenes is about as off the mark as getting an idea of prostitution from the plot of Pretty Woman.

The greatest danger of such an idea is that its practical improbability gives its bearer a subconscious sense of security stemming from a sense of his own anonymity and insignificance. But it is just the opposite – computers unlock the possibility of doing evil on a scale never seen before, precisely against those who have been able to rely on their crowd anonymity. This has been happening even since their earliest days  https://www.root.cz/serialy/derne-stitky-a-holocaust/.

By now, cyberattacks are a well-established industry, commercialized on all sides to such an extent that a devastating campaign against you will occasionally be launched by a semi-demented illiterate with a few dollars on his credit card who has never heard your name, your company’s name, and often your country’s name. Since this statement is too inconceivable for most people, I would like to illustrate in detail who, why and how they want to attack on the Internet, so that it becomes clear how banal and common this activity is.

  • Do you feel that a cyber-attack requires extensive knowledge and computer expertise for an attacker to be able to find a flaw in your system? No, an attacker will go to https://cve.mitre.org/, where (as a perfectly legitimate public service) 0-day vulnerabilities are published, and pick the few most recent ones that will have the best chance of success.
  • Do you feel that launching a cyberattack requires extensive preparation and a lot of specialized software? No, completely legal and commercially available all-in-one tools such as https://www.metasploit.com/, are used to launch an attack, where you simply select an exploit from the above list (and many others), enter the target and hit enter.
  • Do you feel that your server or device doesn’t stand out in the clutter of things connected to the Internet, and therefore the possibility of it being targeted by an attacker is minimal? No, virtually the entire Internet is perfectly mapped and indexed by services like https://www.shodan.io/, where an attacker can find all connected devices with software versions vulnerable to the vulnerabilities selected above with a simple query. If you haven’t patched your servers fast enough then tough luck, they will be among them.
  • Do you feel like there is no valuable data on your devices and therefore no one cares? No, the first step is about quantity. As many controlled devices as possible are first roughly sorted by basic characteristics and sold to other processors “by the kilo”. Only in the next step is the monetization of the haul devised and a use is found for each device:
    • Any device can be sold into a DoS attack pool (sold quite legally under the name and purpose of “network stress testing”).
    • Keyloggers are run on personal computers to collect passwords, card numbers, etc., and prepare them to be pooled for later running malware campaigns in which new banking trojan-type malware needs to be distributed to as many devices as possible as quickly as possible in order to collect as much money as possible before the affected entities can defend themselves against the malware.
    • Servers can be used to collect passwords from end customers of their services and further disseminate malware to their visitors.
    • Personal computers and servers can serve as nodes of an opaque VPN like https://www.torproject.org/ to hide other criminal activity.
    • If nothing else, any electronics can be used to mine cryptocurrencies. And that’s still just the tip of the iceberg.
  • Do you feel that in the event of an attack you will simply reinstall your computer, which can be a pain but not really a problem? No, you won’t know an attack without a lot of competence. From the above it is clear that attackers have a fundamental interest NOT to directly harm the device owner and instead to keep his device within OK limits as long as they can sell it, which leads to absurd situations where quality malware cleans the infected computers of the more annoying ones so as not to give cause for more detailed investment.

No, no one on the internet is attacking Franta Vomáčka because they’ve been following him for weeks after he got an inheritance from his grandmother to find out when he’s on vacation and won’t be applying updates. No, no one on the internet is attacking Kristýna Nováková because he likes her and would like a naked selfie of her.

If they do, it’s because the people in question were attacked long ago, and the databases were just waiting for an end customer to find a super-simple retail interface to them for a few dollars.

Would you like a credit card number? They’re sold in packs of hundreds, so there’s always at least a couple dozen working ones, and at least a couple of them are always properly fat. Would you like a list of your object of interest’s favorite passwords? Find an illegal variant of https://haveibeenpwned.com/ that displays those compromised passwords in addition to the list of compromises. No technical skill required, it’s the output of a completely indifferent, automated, mass business process that, like any other predator, waits patiently for any weaker piece to fall a little behind the herd.

Defence against this threat, like vaccination, cannot be seen from the perspective of the individual. It is our industry responsibility not to offer customers a cheaper version of a project with truncated security and use their decision as an alibi. If we don’t do it ourselves, sooner or later regulation will come.

Author: František Řezáč