Digital Crime

This tag is associated with 6 posts

Targeted Attacks Video Series

Cybersecurity is currently at the top of the mind of many organizations trying to protect their intellectual property, research, customer and employee databases and other valuable information. In almost every discussion that I have on cybersecurity, the topic of targeted attacks is at the center. This is increasing even further as we see such attacks being used much more commonly than usually assumed, and only a small number of organizations have the resources to limit or even detect them.

The question is then often what a targeted attack really is, and to answer that we have created the Targeted Attacks Video Series on Advanced Persistent Threats (APTs), or what we at Microsoft call Targeted Attacks by Determined Human Adversaries. These five short informational videos summarize three security whitepapers: Determined Adversaries and Targeted Attacks, Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft Techniques, and Best Practices for Securing Active Directory.

Take the time to look at them below – it is well worth it:

  • Introduction to Determined Adversaries and Targeted Attacks: Tim Rains, Director, Microsoft Trustworthy Computing, provides background information on these types of attacks and sets the context for the rest of the video series.

  • Mitigating Pass-the-Hash Attacks: Patrick Jungles, Security Program Manager, Trustworthy Computing, explains what a Pass-the-Hash attack is and some tested mitigations to help manage the risk associated with credential theft attacks.

  • Anatomy of a Cyber-attack Part 1: Sean Finnegan, CTO of the Microsoft Consulting Services Cybersecurity Practice, walks through a typical targeted attack, step by step, describing how attackers perpetrate these attacks.

  • Anatomy of a Cyber-attack Part 2: Sean Finnegan finishes his briefing on how determined adversaries commit targeted attacks.

  • Importance of Securing Active Directory: Bret Arsenault, Microsoft CISO, discusses the importance of protecting your Active Directory in the context of targeted attacks.


I hope this helps for the next discussion on the topic of targeted attacks – and if you work for an organization that has information with commercial value, then that discussion should start sooner rather than later.

Less Spam today? Good news – I will tell you why

Microsoft Digital Crimes Unit

Did you notice that you got fewer spam e-mails today? All in all, there were about 3.8 billion fewer spam mails sent out. Why? Because there is one less botnet in operation. Today Microsoft announced that we have taken down the Kelihos botnet in an action codenamed “Operation b79”. This is the third botnet takedown in Microsoft’s Project MARS (Microsoft Active Response for Security), a program driven by the Microsoft Digital Crimes Unit in close collaboration with the Microsoft Malware Protection Center (MMPC) and the Trustworthy Computing team to annihilate botnets and advance the security of the Internet for everyone. Why does it matter? Because it is one step further in making cybercrime more expensive, and it is the first time Microsoft has named a defendant in its fight against botnets, suddenly making cybercrime much less anonymous.

Microsoft has a very interesting unit in the fight against cybercrime – the Digital Crimes Unit. I had the opportunity to spend last week at their premises in Redmond, to have interesting discussions and get our efforts in regard to child abuse and digital crimes aligned. With our ever-increasing dependence on our computers, smartphones and networks at home, on the road and at work, it becomes more and more crucial to keep this infrastructure safe, secure and private. To achieve this we are working in close cooperation with local law enforcement agencies, government CERTs, Internet providers and other organizations and agencies. From a personal perspective it is highly interesting to have the opportunity to work at national level as a facilitator and sponsor between these Swiss entities and the different units of Microsoft Redmond, and to be able to participate in the fight against child abuse and cybercrime.

The fight against botnets will continue. There are still tens of thousands of infected computers that regularly try to connect to the three botnets Microsoft took down. The following video gives an impression of the state of two botnets as of 21 September 2011.

What now needs to be done is to clean up the infected computers. To aid in this I started working together with Government, Internet Service Providers and Community Emergency Response Teams so that we can also take advantage in Switzerland of the work that is done in Redmond. More on that in a later post once the initiative has advanced and all partners are on board. In the meantime – please keep your computers safe and private. With that you participate in the global fight against cybercrime and you keep your privacy protected. You can find information on “how-to” in this earlier blog post.

Interested to know more about the botnet takedown? Read the official Microsoft blog post here.

Follow the Microsoft Digital Crimes Unit on Facebook and Twitter.


Microsoft support does not call you – fraud alert!

We are currently receiving increased feedback from Microsoft customers about calls they receive from – supposedly – Microsoft support. The caller claims to be a Microsoft representative or to be working for a Microsoft partner. A typical call goes roughly as follows:

  • The caller calls from either the UK or the US and informs the Microsoft customer that there is supposedly a problem with some software on the computer, or that they have indications that the customer has recently had some security problems.
  • The caller claims to be from either a Microsoft Partner or a “Windows Service Center”.
  • The caller speaks English but often with an accent.
  • The caller will try to gain remote access to the computer, e.g. by asking the customer to go to a – fraudulent – support website and download software, or by sending something by e-mail.
  • Usually, if the customer is suspicious and starts asking questions, the caller hangs up.

You might guess already – the person calling is neither from a Microsoft Partner nor from a Microsoft Service Center. The trick is old but still widely in use, and currently there seems to be an increase in these calls. They go to private numbers as well as business numbers.

I recommend that if you receive such a call you simply hang up, and if a notice arrives by e-mail, delete it immediately. The following points may help you determine whether you are talking to a real Microsoft representative or not, and cover some additional aspects beyond fraudulent support calls:

  • Microsoft does not send unsolicited e-mail or make unsolicited phone calls to request personal or financial information.
  • Microsoft does not make unsolicited phone calls to help you fix your computer.
  • Communications claiming that you have won the “Microsoft Lottery” are fraudulent because there is no Microsoft Lottery.
  • Microsoft does not request credit card information to validate your copy of Windows, Office etc.
  • Microsoft does not send unsolicited communication about security updates.

I hope that this information helps you avoid being a target in one of these scams. If you are now concerned that your computer was actually the victim of a security incident, you can read my blog post on securing your computer.

Update: I also added some recommendations on what actions I advise if somebody has had access to your computer (in German).

New prime cybercrime target – small and medium businesses (KMU)

“Der Bund” – a Swiss newspaper – has an article about a Verizon study that should be published today. The study analyzed 1700 cases of data/identity theft and came to the conclusion that small and medium businesses are the new prime target for cybercrime. That led me to think about how to change this, and one solution – and in my view the most sustainable one – is to delegate the defense of your digital information to a professional organization. Too expensive, you think? On the contrary – my guess would be that IT costs will actually be (much) lower than running systems yourself, and it will even have a positive impact on the environment. How? The answer to this is to move your IT to the cloud.

The cloud to improve security – but…

Yes – this then leads to the question that I am probably asked most in my job: how are security and privacy in the cloud? There are lengthy answers for that, but for many organizations the answer can be quite simple. How is your security today, and is it better or worse if a professional enterprise takes care of it? While cases of identity and data theft are abundant – have you ever heard that (for example) Microsoft’s systems have been breached? Looking behind the scenes (perks of my job) I see huge efforts going into security that someone who focuses on running a business and uses IT to enable it probably does not have the resources to do. That is the difference. For Microsoft, running IT services is the core business process, while for a customer IT is (most of the time) a supporting process, and therefore resources are allocated differently.

With that – the newspaper article coincides with Microsoft’s announcement of the public beta for Office365. With this you can sign up and test the mail/calendar/online Office/collaboration etc. with a guaranteed uptime of 99.9%. It comes in an edition for small and medium businesses and one for large enterprises. Why not see for yourself?

Fighting malicious software – congratulations SWITCH

SWITCH, the internet registrar for the .ch and the .li domain and also a service provider for Swiss universities and a CERT, has been blocking Swiss websites if they are spreading malicious software and infecting the computers of the internet users accessing them. They released a statistic today that they have cleaned up more than 700 websites since the end of November 2010. This comes to an average of about 150 websites per month, although, as they started the process slowly, the average might not fully represent the actual work.

I am happy to hear about this success of SWITCH in making internet users safer by disabling malware-disseminating sites. If one takes the relatively small number of .ch and .li domains and looks at how many domains exist worldwide, the amount of infected sites is hard to grasp. The process itself is pretty straightforward. Once an infected site is known, the holder of the manipulated website is contacted. SWITCH describes the process as follows: “After receiving notification, holders and operators have one working day to clean up the website. If this deadline elapses without a cleanup, SWITCH temporarily blocks the domain in question to protect visitors to the website and informs the Reporting and Analysis Centre for Information Assurance – MELANI. As soon as the problem has been solved, SWITCH reactivates the domain. Combating malware in this way is proving to be effective: in 680 cases, the holders and operators reacted and cleaned up the website within one working day. On 55 occasions, a website was blocked before being cleaned. In 68 cases, it proved impossible to find a definitive solution, because the blocking period permitted by law had expired.”

While the process is clearly not perfect, it is definitely a first step and it could be a model for other registrars to adopt. It needs a legal basis and close cooperation with the government. Maybe this goes in the direction of the need for an Internet governance I described earlier? Whatever could be improved – for today it is “congratulations SWITCH”!

Do we need an Internet Governance?

Microsoft has today taken down a large and complex botnet known as Rustock. This botnet is estimated to have approximately a million infected computers operating under its control. It had the capability of sending billions of spam mails every day and was responsible for a significant amount of the total spam that was sent on every given day and that clogs up our inboxes.

While the news was reported widely and our inboxes are cleaner (for now), I was thinking about the effort involved. Microsoft and US federal law enforcement agents seized computer equipment based upon a civil lawsuit filed in federal court in Seattle. While it obviously worked, it strikes me as very inefficient and probably restricted to computers that are on US soil. As botnets are an upcoming trend, and looking at how cheap it is to rent one for a day, I expect that more botnets will be brought to life again and that their command and control infrastructure will not be on US ground and therefore safer. Do we need a stronger Internet governance where botnets and similar critters can be taken down even remotely if they are in countries that do not support such actions? Do we need a Geneva convention for the Internet with a legal framework that governments and possibly corporate actors can act upon? Looking at the development rate of technology and the speed of legislation – we might want to start today rather than tomorrow.

About the Author

I am Microsoft's Chief Security Officer and Advisor for Western Europe and have over 15 years' work experience in an information security and risk focused IT environment as program manager, technical director, Chief Risk Officer and group CIO.

more about me and contact info
